Right next to me, I've got an intern who did a thesis. He started looking into the security model of solar panel converters and he found some astounding problems. He went public just last Friday, and since then his life is completely full. He's been called from all over the world. So he's got something to show us. So let's hear it. Here is Willem Westerhof.

So, welcome everyone. It's nice to see, yeah, a pretty decent crowd, since, well, the announcement was five days ago. I think you knew it the same day I did, which was quite weird actually. Today we're gonna talk about how an intern, being me, hacked the power grid. I call it the Horus scenario.

So who the hell am I? My name is Willem Westerhof. You probably never heard of me before, because I just got out of school in 2016. This was my final assignment coming out of the school banks. I studied system and network engineering. Yeah, graduated with honors, and I'm currently working as a white hat at ITsec Security Services. It's a pretty nice place to be, keeps you out of jail. So if you're a good hacker, please let us know. We still need some nice pen testers. What I do for a living is basically pen testing. When we don't have any projects I focus on password cracking, and every once in a while I do some consultancy for companies. In the past I did some network monitoring, but that rarely ever happens anymore.

So, tonight's content. I'll first show you some context: how I did this, why I did this, what's the deal. Then we'll talk about the concept: what's the, yeah, the bottom line of this attack. Then we'll look into the theoretical approach and try to see from a theoretical perspective how to prove this. We'll then look at a practical approach, actually hacking some stuff. Then we analyze the results of both, make a conclusion and some expectations based on that, and then we'll continue with the ongoing discussion in politics right now.

So, some context. When did I do this?
I started summer 2016 and I finished January 2016. I responsibly disclosed to the vendor somewhere in December, prior to Christmas. So yeah, that's pretty interesting.

Why did I do this? Well, my boss had a hunch and he said: I think if you hack solar installations, you should be able to have some kind of influence on the power grid. Could you try and see if that's actually true and whether you can do that?

Now, I called it the Horus scenario. That's not without a reason. Horus is some sort of a childhood fond memory of mine. Ironically, I lost a necklace with a Horus sign on it in Egypt. So yeah, sad part. But it also stands for the god of the heavens, where his right eye is the sun and the left eye is the moon, and when the moon moves in front of the sun, we call it the solar eclipse. And what we're trying to prove in this scenario is that if we, using software, create a solar eclipse, or in other words shut down PV installations at a large scale, we could kill the power grid.

So the hypothesis I'm trying to test is that photovoltaic installations connected to the power grid, and the accessories they come with, contain security vulnerabilities that allow hackers to influence the power grid in such a way that you can have power outages occurring.

So, the basic concept. I have PV installations. Sun shines on solar panels, this goes to the inverter that converts it to electricity, and that's supplied to your household appliances or directly to the power grid. So it creates energy, basically. But the thing with the power grid is it has to remain in a constant balance at all times. Supply has to exactly meet the demand, and so we have many countermeasures in place, so that if an energy central fails or a cloud moves in front of the sun, the grid stays up. But yeah, with that constant balance, if you change the balance enough, you create a large enough disbalance in it, shit's going down. Stuff's happening.
We've seen it in the past. We had a five gigawatt outage in Germany and we had cascading blackouts all across Europe. That was 2006. So really, the scale is key here. If I unplug my own inverter at home, nothing's happening. But if I unplug a thousand inverters, or maybe even a hundred thousand, that's when stuff gets rolling. And with more and more of these devices being connected to the internet, and also the rise of the internet of things, so we have a ton of vulnerable equipment standing right next to these inverters, this is becoming a very real threat. Because yeah, we have so much PV power right now that it's almost a more realistic scenario to attack PV than to attack large-scale power plants.

Well, then let's look at some theory. Do the math. First, some statistics. I didn't have exact numbers, so I used some information from the Central Bureau of Statistics in Holland and combined those with the distribution of sunlight across periods of time, weather reports over 30 years. Yeah, yeah, yeah, and out of that came, using some assumptions and using a lot of formulas, we could calculate that about four point three percent of the Dutch power grid during those peak sun times is running on solar energy. Now, that number doesn't say that much, but that's equivalent to 1.33 million households running on solar energy, and that's every household in the seven largest cities in Holland. So that's quite a lot when you look at it that way.

But the Dutch power grid doesn't have that much PV installed. The thing is, we don't have that much. We mainly use windmills.
So if you look at another grid, the German power grid, and we do the same, and we also compare it to official sources, we can see that 35 up to 50 percent of the German power grid is covered by PV power at that peak sunshine. And as you can imagine, if you take out a third or up to half of a nation's power supply, that's gonna be a very real threat to the power grid.

But with Europe as a whole, we can't see those nations as being individual. We are constantly importing and exporting power towards each other. Germany is pumping PV power to us, France is pumping nuclear power to Germany. We're constantly moving energy around, and there are also agreements that, should a shortage occur somewhere, other nations will help fill that shortage. So an attack on a single nation, or even across Europe, will affect other countries as well. If one goes down, they all have a very serious problem. And with Europe having the most PV power as a continent as a whole, we're most likely going to see an attack here. But China, for example, with their current solar energy goals, and the United States, who'll also have a lot of PV, could see similar attacks.

Now then, when we look at the power grid regulators, we don't have an official number where, yeah, the grid fails. There are different experts who say three gigawatt, possibly five. Those are the ranges you should be looking at. But yeah, we don't have absolute security in that. But let's face it, if a nation loses 50% of their power near instantly, there's no recovering from that. You can't have that much power on standby. You can't make gas turbines, coal turbines go that fast. It's just not happening.

So another way of looking at this, because we don't have the definitive proof from statistics, is by comparing it to a solar eclipse. Now, the 2015 solar eclipse happened across Europe in the morning.
This was an event they were fully prepared for: extra regulations, extra manpower, guidelines on how exactly to, yeah, manipulate the power in the grid in order to survive this. And this event took two to three hours and followed the perfect pattern. It does affect all PV installations, so yeah, a hacker probably won't be able to do that. But this attack happened in the morning, so this is as the sun was rising. And various sources stated that if they hadn't prepared accordingly, there's no way that the energy sector would have survived. There's also big solar fields which were afgekoppeld, I'm not sure about the English word, disconnected from the power grid at the time, in order to not cause that much of a disbalance.

So when we compare that to a cyber attack, this is not something they are prepared for. They don't have that amount of countermeasures. They don't have extra manpower. They don't have a plan on how to deal with it. It's just completely unexpected. And instead of taking two to three hours to cause these dips and rises, we're looking at maybe a minute to shut all those devices down, so this peak is going to be very, very steep. And instead of following a perfect expected pattern, as long as I control the on/off switch, that's a pretty random pattern. I could just, yeah, configure their devices any way I want, to keep switching on and off.

Now, based on what we've seen, I expect that about 50% of the PV installations can actually be hacked, which is quite a large number. And this attack will likely take place during peak sun time, not in the morning, so you can have maximum effect of that PV loss.

Now, if you look at that graphically, the top one is the solar eclipse, the bottom one is, yeah, a theoretical case. In the top one you see the steep decrease. Yeah, it goes like this and then back up again. They barely made it through that. The bottom one shows a dip. Now, that's where I basically shut the power off.
It fails. When it then moves back up, or I turn them back on, it comes back up. I turn them back off, and now I leave them off. So the other energy suppliers, they start stabilizing the grid, entering extra grid power, gas power, coal power, and they stabilize again. Now, when everything's stabilized, I turn all switches back on. So you get a nice over-peak. And now, normally these devices would, yeah, automatically shut down from the grid if there's too much voltage on the line. They just, they cut out, they say: no, I won't do this. But those parameters in some cases can be set by the hacker. I can just tell the device: don't stop doing anything until there's 900 volts on that line. So they'll stay connected and you can actually cause that peak, and after that you can go back to your dip again. And yeah, that's the game we're playing. But the thing is, I can shut those devices down and back up faster than they can regulate with gas and coal.

So if we look at this comparison, yeah, the easy conclusion: the cyber attack is worse, and any power grid that has a lot of PV power is gonna be affected very heavily. This will be bad. But due to the intertwinedness of those power grids, any power grid that fails with a lot of PV in it is also gonna have a significant effect on its neighbors. If Germany fails, there's a good chance the Dutch, French and Belgian grids will also fail. So really, you're looking at the shotgun approach: hit everything you can in Europe and see if all Europe goes down.

So, to conclude on the theoretical part: statistically, yeah, there's a very serious impact, and yeah, realistically, we can expect to see power failures. And when we then look at the comparison, the cyber attack is way worse. So we can expect very large-scale power fails, and then I'm talking nationwide or even up to continental power outage. Large cities going down instantly. So theoretically this, yeah, it's pretty possible.

Now, that's all fun and games, but without vulnerabilities we have nothing here.
This is just math. So for the practical approach, I first started by looking into some open source information. What kind of test setup would I need? Which devices are, yeah, most present, and which devices are the most secure? I also looked into laws and certifications. What kind of laws do exist? What can I expect from these devices? Will we see, yeah, very heavy certifications implied, which means they need to be pen tested, they need to have security measures, or not? I also looked at some technical documents of the test setup. Yeah, what can I expect from these devices? Then the normal behavior, based on that open source info and some observations in the field. So we determine, right, how does this thing normally work? And then we start doing some black box testing. We just dive in and start hacking the ever-living daylights out of it, and we'll see where it takes us.

So, the test setup selection. I did it based on some criteria: market leading and best secured device. There was a very simple reason for that. If I can hack the best secured device, or at least what's renowned on the internet as the best secured device, and also the market leading device, I immediately have a relevant amount of devices, and I can state: well, if the best secured one is very hackable, then the rest is probably worse off.

Now, to select the test setup: any PV module, it didn't really matter what's lying on top of you. But the inverter below really matters. You need to have an SMA inverter for this test, because yeah, that's the market leader. They have been that for various years. They've openly talked about security and that being a top issue for them. So that's the one to go to now.
We had a real-life test setup: 161 PV modules on the roof, two different types of SMA inverters, and this was a 75K installation. And if I broke it, I had to pay for it. Well, I was a broke student at the time. So as you can imagine, I didn't try burning the thing down, fuzzing it aggressively, hitting it really hard with aggressive scans. It's mainly passively found vulnerabilities. So if you happen to have a house where we can hook one of these up, please let me know, because I'd love to try some.

Cybersecurity measures, laws, standards for PV installations. There are different standards that you could use, but none of them are actually obliged. You can use whatever you want or don't use anything at all. It's up to you. So the expected cybersecurity measures is, yeah, little to none. No one's enforcing anything.

So then, the test setup specific. SMA is founded in Germany, it's a German company. Most of those devices are actually made in Germany. So they have to uphold the German cybersecurity law, which is in effect, I think, start 2017. So they have to have a minimum security. So another reason why we should hit SMA instead of other devices. And there's also an interview with an SMA spokesperson. In this interview they say: yeah, security is becoming a top priority for us. And now some other stuff, but the key word here is "becoming" a top priority. So when you read between the lines, I'm thinking they have some security measures, but they're probably not where they should be. And as I'm reading the technical documentation, I come across the password policy and I see: default password 000, installer password default password 111. Okay, interesting.

Now, if we then go to the normal behavior of the device: it uses SIP to communicate outwards, and that's a notoriously hard to implement protocol, but for some reason they chose it.
I don't know why, but that's what they use to communicate with their servers. They also use SMA Data2+, which is a custom protocol made for local communication, as well as a Modbus interface, which is optional. You have to actively turn that one on, so you won't see it that much in the wild. It also has a specific operating system, probably some Linux kernel variant, which responds to DNS, ICMP, ARP and IGMPv2.

Now, if you look at that from a graphic perspective, this is a lot of information to take in, but don't worry, we'll start at the top. Let me just take a drink first.

So if I have my device, my laptop or my phone, I have this nice monitoring app, which is cool. And this thing communicates with Sunny Portal, and Sunny Portal sends a SIP message to my local inverter. This local inverter deals with this message. This comes back to Sunny Portal, and Sunny Portal shows it to me. So that's the normal way of doing things if you use your phone or your app to check on your PV system.

Now, another way is using Sunny Explorer. That's a management console mainly used by installers, and that one works on the local network. So that one works either over Bluetooth or over the SMA Data2+ Ethernet link. And there are also other tools, APIs, that sort of thing. Those mainly run over Modbus. Some of them run over Bluetooth, but mainly Modbus. And then on the local inverter you have a specific SMA operating system and also something called Grid Guard, which is, yeah, an extra security layer for the most sensitive settings out there.

And what I mainly tested are these three parts: the SIP communications for external communication, the Sunny Explorer application itself, and the SMA Data2+ protocol. Now why? Because these are used by all these devices. Sunny Explorer is specifically made to work with all SMA devices. So yeah, anything I can find in this will be the most interesting for doing this at a large scale.

And what I would have liked to do but didn't do is the Modbus port, testing the other tools
and APIs, and testing the underlying operating system. Why didn't I do it? Well, one, I ran out of time. I had so much, and yeah, there was no stopping me anymore. And second, I didn't need anything else. I had everything I wanted. So why bother attacking the Modbus when I could do anything I need to from the SMA port, for example?

And what I didn't test was Bluetooth. Simple reason: I don't want to be physically close to every location in Europe, and I can't be. I wish I could, but yeah, sorry. And then you have the Sunny Portal, Sunny Places servers. Those were formally out of scope. Of course, I did sometimes read a little bit, check some passive scanning, look at it that way. But I couldn't actively target those systems, but they could very well be vulnerable.

So for the field test intros, it's just too much to discuss right now. I can discuss everything I did, but I won't. What I'll show you today is an old but very relevant finding. I'll show you one with full technical disclosure about finding information about these devices. I'll show you how to exploit them with passwords, but not in the technical sense, I'll just name the findings. And I'll show something about how to exploit them via the firmware. Please note, I'm not giving full-on technical details today. I agree to that, yeah, under some pressure of various government parties. Likely I'll be disclosing those full-on technical details at Black Hat London, if they'll have me. So we'll have to see.

So, the old but relevant finding: a CVE 2015. This is a pretty old one. SMA Solar Sunny WebBox has hard-coded passwords. They have an interface which you can sign in to, and it has a hard-coded password. And actually, since we released the information about SMA inverters.
There are six thousand less of these on the internet. We had 16, 17k almost of these devices still on the internet, openly. Now we only have ten thousand. And please note that behind every WebBox are, in most cases, several inverters. So you can just gain access using this old vulnerability, and yeah, here you have your first ten thousand at least, inverters probably 30, 40,000.

Now, finding information. This is one of the findings that I'll give full technical disclosure on. Nice overview again. We start by monitoring with the apps. So I sign in to Sunny Portal and I have my Burp intercept here in between. I sign in. This comes back. It's all nice, it's all good, I see my interface. Now I send a request to get my event log. Looks somewhat like this. This is pushed to Sunny Portal, Sunny Portal changes this to SIP communication, this goes to my local inverter, and at the end of the line I get back my event log. And this states some nice errors, because I was testing. That's what happens.

But if we then go to this intercept proxy and we change this part, that's some weird ID, and yeah, this moves again, but instead of going to my inverter it goes to another inverter. Well, that's mighty interesting. And instead of getting my own event log, I get an event log that shows some email addresses, a serial number, a firmware version, whether they will sign in with Grid Guard or not. So I have an exact clue on where I want to go and what kind of device they have, what kind of firmware version they're running, what their email address is. So I'm a happy man.

Now, that ID looked pretty hard, and it should be by all means. But here's the thing: we have public pages, and in that URL you can find this nice plant ID. So you can just make a little scraper, get everyone's email address, serial number, firmware, and you're in.

Now, this vulnerability was fixed, well, days after I reported it, and they actually crashed their system with it. So that's pretty good of them by all means.
I think SMA's pretty pissed at me personally because I'm disclosing this. But they did pretty good. They invited me to come there, talk about their vulnerabilities. If you want to hack solar panels, do it with SMA. They're pretty friendly in how they deal with you. Until you call the media, that is. Then they don't like you anymore.

So, another way of doing this: exploiting via passwords. Passwords. Yeah, as I said, the policy was interesting. What I didn't tell you yet: there's a maximum of 12 characters. A maximum, not a minimum, a maximum. We can also only use up to three special characters, and I mean you can only use an exclamation mark, an at sign or a question mark, for example, and everything else is out of the question. And yeah, there's no, yeah, I can set the word "a", just the letter a, and that's it. That's fine. As they have it, it's all good. You don't need any requirements whatsoever.

Now, you can sniff these passwords as they move across the line, which is interesting. You can sniff them on localhost. You'll find them plain text. You could sniff them as they move across the network. Then they'll be encrypted. Yeah, encrypted, but a very simple algorithm. I won't get into the details of that. But you could also brute force them. They don't have any lockout, so you can just guess away and see where it takes you. And the thing is that most installers use a single password for all their installations. So if you find the one belonging to your installer, you automatically have the password for all devices set up by that installer. And another fun thing is that if you're a user, you can just call your installer and say: hey, can I please have my installer password? Because they are obliged to give it to you. And you automatically have the same password for all those other devices.

Now, CSRF was also an option. CSRF: cross-site request forgery. You can also lure a user into using a program and then clicking on your link to reset the password, both for the user and the installer account.
You could also make any other function calls that way, depending on what you do.

Then the master passwords. SMA formally denies the existence of these things. User enumeration is also in there. You can find about a dozen more users than exist in the GUI, and yeah, this is not a password you can set. So that has to be the same across almost all inverters. And I actually cracked one of them, which works in every inverter I've encountered so far. So the rest of them I deliberately didn't crack, because I kind of don't want that information. But it's a very real problem.

Now, in order to exploit these, to actually shut down the inverter, you just have to change the right settings with the rights you have. You can do it as a user, as an installer, or as Grid Guard.

Now, the exploits via firmware. You don't need any user credentials for this, and it actually uses one of those non-existent secret passwords. But it flashes the firmware successfully. You just need to pass the checks to win. So if you look at it, we have a local device. We just go to the SMA site. We download some firmware. As easy as that. Do make sure you have the right one for your kind of inverter, of course. And this moves back to your local device, you've downloaded it, and now on this local device, yeah, reverse engineer it, create your own firmware, make sure you pass those checks, and yeah, then you can have your own firmware.

Now, from that device, I did it via the GUI here. I won't show you how to do it in other ways. I'm just signing in with asdf asdf asdf, because that's a wrong password. So you see these locks. That means I'm not signed into those devices. I don't have any rights. But nice of them to have this device update button at the top, which I can still click. So I have this version here.
I'm opening that, it passes the check, I'm hitting the next button, and yeah, following that we get this nice thing that says the following update file has been loaded to your system.

Now, there's many more where that came from. We have other discovered vulnerabilities, which I am not talking about today because they're not interesting enough or this talk isn't long enough. There are other expected vulnerabilities in the attack scenarios I didn't test because of the limitations I had in my test setup and my, yeah, constraints in general. And there are also several untested attack scenarios: the Modbus interface, the server. There are various ways of doing this.

So, to conclude: yeah, SMA devices contain vulnerabilities, and they're everywhere. And that way you can have control of stopping and starting power output, either with access rights because you've gained them, or without them. Doesn't really matter. You can have that power.

Well, then we analyze that information we now have. We can generalize in a way. We've actively tried to target the market leading and the most secure device out there. So if that one's already vulnerable, the rest probably isn't any better. And that's a bold statement to make, but based on, yeah, what I can see in the news: "possible hundred thousand solar meters vulnerable", "citizens of MR victim of a data breach due to solar panels". And a nice little Shodan search, which is over 9,000 vulnerable SMA WebBoxes. And then don't even get me started on the tweakers.net comments, because I don't know how many of you are hobbyists, but I think you've done more research on those things than I have. Because the comments are just filled with other vulnerabilities in different types of inverters. I actually had some emails coming in of people saying: I couldn't get them to listen to me. Could you please try and get them to listen to me?
Here's the information I have. So if it's theoretically a possibility, and if it's practically a possibility, then every indicator I have shows that, yeah, I can do this. There's no indication that I can't.

So, yeah, what should we expect when this happens? In the best-case scenario, someone's gonna look like that at the power grid controllers, and I won't have enough devices. The power stays on, and following this attack, vendors see the problem and start patching as soon as possible, because they now see: oh shit, we have a very real threat here.

In the worst-case scenario, I do have enough devices, and that means power outages are gonna occur, and due to the import and export, they're not gonna occur locally. You're gonna see power outages happening across Europe. Germany will probably take the largest hit, but Spain, Italy, Holland, France, everything is gonna have a very serious problem. We'll likely see cities like Madrid, Berlin completely in the dark. And also, if you have enough power lost this way, the frequency drops to a point where other devices, like windmills, like unaffected solar panels, also stop working, and they automatically shut down from the grid. So we actually amplify your attack even further.

Now, the financial impact of that. I used a tool called Blackout Calculator. It's sponsored by the EU.
So it's reasonably reliable. If a three-hour outage occurred on the 16th of June in the Netherlands, we're talking about roughly 150 million euros lost. If it happens in Germany, we're over 800 million. And if it happens across Europe, we're looking at four and a half billion euros lost. So we're talking hundreds of millions, if not billions, in damage here. And that's before we start talking about indirect effects, because looting is likely going to take place. It's happened before. Hospitals whose emergency generators suddenly fail, that sort of thing happening. Yeah, we have seen loss of life even in Amsterdam when just the transformer house stopped, and that sort of thing will also happen.

So, to conclude: under the assumption that SMA is in fact representative for the sector, and we're facing a technically skilled and resourceful attacker, and yeah, the people who actually want to do this are probably pretty capable of doing it, let's put it that way. Under those circumstances my hypothesis, hypothesis, sorry, is confirmed. So, yeah, that's a very, very real scenario.

And my recommendations would be that, first off, PV companies start securing their devices, because yeah, that's the main problem here. Government officials should start demanding that these devices are secured. Not just PV installations, also windmills, any device that somehow supplies to the grid. And actually, in my personal opinion, any device that's attached in any way to a network should have some kind of security implementation. And for consumers: if you don't actually use your interface to the network, please just plug it out. There's no point. You're not using it. But yeah, guys like me are.

For further research: there are probably a lot of guys in the room, and girls, I can see a few, not that much, but a few. If you want to do some further research on these devices, please do. There are many brands who haven't been thoroughly studied yet. Because yeah, I have a limitation in time and money.
So that's where my research stopped. But there's probably far more vulnerabilities that still need to come to light here.

Now the discussion, the open discussion. What's currently happening is that they're having a discussion in politics: can an attacker actually compromise that many devices? Will it actually work? Is he capable of doing that? And that seems very odd to me, because the question we should be having is: why are we allowing insecure devices on the power grid? If a power plant has insecure devices, we'll never take it. And yeah, can an attacker compromise that many devices? Well, I think enough of you know what a botnet is. I think enough of you have a clue how to get into an access point, into some network environments. So it's really a matter of time and dedication, and I might not be able to get it on my own, but for example, I'm not sure about the name, but the hacker group in Russia, I think they have a pretty good shot at doing this.

That's it. You have any questions?

Okay. Very good talk. Thank you. Okay, questions. We have quite a lot of time for questions. So let's hear it. First microphone here, or were you first, sir? I'll take the last microphone first. You.

Me? Yeah. Regarding these SMA devices specifically, isn't the real issue here that they are phoning home to some central server? Like, what's the security of that server?

I don't know, because it's out of scope for me. I didn't have permission of SMA to test it. Yeah, that's all I can say.

I mean, 100,000 devices, maybe it wouldn't like cause widespread grid failure or something, but it would sure easily get quite messy.

Yeah, especially if you, say, reflash them with a firmware that constantly cycles the power on and off.

Yeah, so like, why do they even design it this way?

I have absolutely no idea.
I wasn't in the design team back then, but it's a pretty bad choice.

Like, I mean, does it really matter, the security of the devices, where you can just compromise the central server? Like, the design is just wrong from the beginning.

Yeah, I agree. But there isn't a much better way of doing it, because they have to update firmware as well. If they want to have that internet connectivity, in my opinion they either shouldn't offer the internet connectivity, or have a very safe way of doing it, and that means just following the best practices and not implementing some, yeah, I have a protocol.

Okay, the microphone here in front. More questions.

Sorry. Like, if you compromise the central service, would you be able to access all panels, or does it require you to actually authenticate to the panel from the client to be able to access it?

I can't say trust the server. I can trust the client that's talking to the server. It has trust in the server, based on what I've seen in network communications, but I can answer that question fully.

Okay, the front microphone.

Okay, you've shown that you can own the box and you can access it, but can you actually turn it off?

Yes.

You've tested that you can turn off the power?

Yes. Now, I haven't tested turning off the power across Europe. I've tested shutting down an installation. I'll be very clear on that one.

I guess we would have noticed. Okay, the end microphone.

What I have is not really a question. It's more based of, you talked about that four point three percent of the power in the Netherlands is solar. What a nice idea is that, I think it was 2009 when an Apache helicopter flew through some power lines near Zaltbommel. Those power lines at that point supplied five percent of the power to that region, and all power failed.

Yeah, no, that would be a good example.

Okay, the microphone here in front.

Hi there. Thanks for the talk.
I was wondering if the entire communication and controls are actually going through the cloud platform of SMA. Is that correct? Is there no other communication to, what, the grid?

The inverters respond on the power on the grid, so the frequency and the voltage that's on the grid at that point. They respond to it. Any other communication has to be either locally initiated by, yeah, the communication protocols, or maybe externally using the SIP communication. But that again, that's the server I couldn't test.

Okay, so they are also talking SIP towards a server of the SMA operator.

Yes.

Okay, so could you actually say, I mean, using like a cloud platform for managing your devices, I mean, it sounds like, you know, the old shitty IoT devices you've got at home which are being controlled by a cloud platform. Is the provider, the SMA provider, actually sending controls towards the devices using that channel? Like power grid controls?

I don't think so. I think under normal circumstances they only read out the devices. That's it. It doesn't mean you couldn't do that, because there is also, I think this one is not in the CVEs because it's already been discovered by someone, but they also use an old oSIP library. So you could have remote code execution that way on the device.

So the providers didn't outsource their controls, they have it in house. Thank you.

Okay, the microphone in the back.

Hey, thanks for the cool talk.

Thank you.

I was wondering what was the support from the university on disclosing this kind of stuff, because it's actually, I think, critical.
Yeah, the university basically held their mouth shut during the time, which was nice. They were under the same responsible disclosure period as I was, and even following that they were silent. Mainly the role in, yeah, putting everything out there is played by ITsec and myself and de Volkskrant, of course, who made the original article, and from there it took on its own life. I've seen my name on Arabian websites, on Japanese websites. It's everywhere right now, so probably an NSA flag somewhere by now.

Yeah, yeah, probably. But I'm surprised, actually, because you have a lot of support. I think it's OS3, right? It's OS3, the education System and Network Engineering.

No, I'm from the Hogeschool, Hogeschool from Amsterdam.

All right, the HvA.

And yeah, I don't really have that much with the education program. It was alright for the time being, but I'm glad to be out of there.

Jenny, okay. We'll question Europe from.

First of all, thanks for a great presentation. Clearly you can exploit these vulnerabilities if you wanted to, and you've captured some of the nuance of power grids. Focusing on the Netherlands, since we're here: do you have a sense of how many days a year that proportion of PV power would be vulnerable to, not to exploit, but that would cause a cascading failure? Because you've done a lot of fantastic research into the volume that you're capable of, and captured some of the engineering as well as the exploitation.

So it's actually in the model I created. I take specific days, an average day in a month. So during that month it should be possible. Main months are May, June, July, August. But in February, for example, we had a pretty day in February in the German grid. I was there at that point. I was at the vendor, which was surprising. But we still had, even on a sunny day in February.
There's over 20 gigawatts of PV energy in the German grid.

So given that you've really captured a nuance there that most people don't want to appreciate: have the grid operators started to appreciate that there are some days they're more vulnerable to this type of attack than others?

Yes. The authorities are taking it, yeah, pretty seriously. They've spread my report, including the technical details and the full calculations, to different agencies and also the energy sector. Some of them currently state, but that's probably for political reasons, as I can understand: "Yeah, we're capable of dealing with a little swing, that's not a problem." But they also state this will be very challenging if it actually happens. But the main discussion they're having right now, which is, you know, sad for me, is: can a hacker actually do this, will he get that much presence? Instead of having the discussion: shouldn't we be securing these devices?

Thanks for being another example of how a hacker could, if they chose to. Thank you.

Okay. We have some more questions. The microphone in the back.

So I think the discussion you see happening is also a legal issue, because in the Netherlands at least, the grid operator does not have the authority to influence what a customer puts on the grid. So I agree with your solution, we need regulation. But realistically, wouldn't you agree that the best that the grid operators right now can do is discuss: is this realistic? When can we expect it? Rather than: how can we do something we're not even legally allowed to do?

I honestly disagree with you. I think it's important to weigh the risk as well, but we're currently shifting responsibilities. The government says we can only advise the sector. You know, you just said that the sector cannot legally do anything about what the users do to their devices.
Vendors are saying, well, the user should be the one securing their devices, it's not my problem. And the user is saying, well, I'm not a security expert, how am I supposed to do this? And that is a very real problem we're facing.

So have you thought about the potential of E, so, I'm doing research in a slightly related sector, on electric vehicle charging, which has similar issues. And when I talk to vendors there, their main problem when you mention regulation is: oh, we can't do that, because then our Chinese competitors will push us out of the market. And the effect that regulation would have is, well, PV vendors just won't sell in the Netherlands anymore. So any regulation should go through the EU. Any ideas on how to get them to listen?

Well, this is part of that. Putting it in the newspaper was also part of that. We're trying to make the problem known and get some political pressure on it as well. It's not for nothing that my final thesis actually went across Europe and didn't just stay in the Netherlands because of it.

Okay, thanks.

Next question.

Are you aware of the 31C3 talk, SCADA StrangeLove, Too Smart Grid?

No, I haven't seen it. I've just arrived tonight. I'm very sorry. I'm really busy right now.

Back then, in 2013 and 2014, they were estimating that they could turn off inverters accumulating to around eight megawatt.

Okay, that's okay. Thanks.

And one last question.

Hi, my name is Maric Seger and I am from SMA.

Hi, Maric.

Hi.

So thanks for coming.

You're welcome. First of all, thank you for your work, but there are some issues. I have to clarify some things. The one thing is, Willem tested one particular type of an inverter, which stands not for the whole German or worldwide power input. So it seems that he is making the assumption that his vulnerabilities affect the complete PV market. For example in Germany, it's not true.

Okay, I'll get back to you on that.

We have one fact, very important: how many inverters are internet connected from SMA?
What do you think? How many percent have an internet connection?

60, 70 percent, my estimate.

It's 30 percent worldwide.

So do you actually have a question? Maybe?

One moment, please. From this 30 percent of all our inverters, and we don't cover a hundred percent of the market, only a little part was tested. The inverter which is affected here is only one little part of this 30 percent, so I am not sure if these conclusions are correct.

Is it okay if I talk now?

Yes, of course.

Okay, so I agree with parts of what he's saying. I tested on two types of inverter, not one. I actually read the SMA statement today that four different ranges of products are vulnerable to these attacks. They've technically verified that. I'm not sure whether that is correct or not. It could be a political statement, I don't know. There are also some other inconsistencies in that report. That said, I tested SMA because I thought it was the best secured one. This is not a personal statement or a stab at SMA in any way. What you're saying is correct. I'm assuming that if you're the best secured ones out there, the rest is probably worse. Probably.

Thank you.

Sorry, no discussion here.

The question is that you test this type of your inverters, your tested inverters in Shodan, yes? How many did you find?

10,000. 10,000 actually. During the thesis 17,000, but since the article 6,000 were removed, of the web boxes.

It's nothing for the grid, nothing. It's worldwide, worldwide.

The company create a small representative test bed and let people like him test a small regional or small village test bed where you have several products installed in actual operation. Let them hack it, and guarantee there will be no legal repercussions if they take it down. This is the way to ensure security.

There's another talk coming after this one. I have to close down this discussion. Sorry. Okay. Thank you. Okay, I want a big round for both SMA and for Willem. Thank you all.