The attack didn’t target grid operations but could have
Experts say the apparent financial motivation leads them to believe the attackers were not targeting grid operations. “Those bad guys were looking for compute devices that they could use to do computer internet-related types of extortion,” Thomas Tansy, CEO of DER Security, tells CSO. “From that standpoint, the fact that they hijacked a contact would be no different than bad guys hijacking industrial cameras, home routers, or other devices that are connected to the internet. The intent of the attack was not to compromise the power grid. It was to extort money.”
But, if the hackers were motivated to disrupt the power grid, they could have exploited these unpatched devices for more malevolent purposes, Tansy says. “Could an adversary pivot and say, ‘We’re no longer interested in extorting people today, we’re interested in interrupting power on the grid?’ Sure. If they had the expertise to do that, the fact that they’re inside the system gives them the opportunity. Of course, they’d have to have the skills and the know-how to pull it off, but at that point, the barbarians are inside the gates.”
Access to monitoring systems will grant some level of access to the actual photovoltaic installation, Willem Westerhof, team manager at Secura, tells CSO. “You effectively have local network access. Instead of doing what they did, you could try to leverage that access to attack anything that is in the same network.”
Attackers could gain access to a central control system
Such networks typically have a central control system which, if infiltrated, could allow attackers to take over more than a single solar park. “Based on what I’ve seen, this specific monitoring equipment also has the option to, for example, shut down the photovoltaic installation,” Westerhof says. “So, you could shut down and start up a solar park this way. I don’t think the grid will get completely shut down, given the scale of the attack and available countermeasures, but it’ll probably make some people in charge of grid balancing very nervous if you start shutting those down or repeatedly cycling them off and on.”
However, grid-scale solar installations, such as those that utilities increasingly use to fuel their power supply, likely have sufficient protections built into their networks to thwart this kind of attack.
Mandatory security safeguards apply at scale: “NERC-CIP starts to apply depending on how big it is and how impactful the installation is,” Andrew Ginter, VP of industrial security at Waterfall Security Systems, tells CSO. “And you tend to see more rigorous cybersecurity being applied just because it makes good business sense. If you have a dozen solar farms, each of which is producing 300 megawatts of power, a utility is monitoring those things.”