Risk Criticality – High
While researching the vulnerabilities and upcoming threats on Industrial Control Sectors (ICS), Cyble Research Labs discovered several public-facing web interfaces of Solar-Log for small, medium, and large photovoltaic plants affected by security misconfigurations and are still running on vulnerable firmware. Using outdated firmware carries several risks: information disclosure, cross-site request forgery, unauthenticated arbitrary file upload, unauthenticated change of network configurations, complete system compromise, and denial of service attacks.
Solar-Log is a product of Solar-Log GmbH, which is a Germany-based company. Solar-Log is one of the leading companies in the field of smart energy, feed-in management, and photovoltaic (PV) monitoring and provides global services for operators and installers.
Solar-Log monitors the photovoltaic plant and triggers an alarm immediately when a malfunction occurs, and with the solar log web interface, the operator can keep everything in sight. Using scanners and Google Dorking, researchers found more than 900 instances globally, out of which over 20 instances, when investigated, are vulnerable. The following image showcases the global distribution of solar logs web interfaces that are public-facing.
The majority of instances found were from European countries like Germany, France, Belgium, and United States. As governments are rushing towards using solar energy, the threat to the energy sector has drastically increased. Recent attacks on Industrial Control Systems (ICS) are proving the same. Solar energy, also known as “green energy,” is now being used to meet the demand for power supply for homes, industries, and agriculture. This has not gone unnoticed by Advanced Persistent Threats (APT) groups and malicious Threat Actors (TAs). Every successful attack in this sector can potentially halt multiple operations and processes in other industries.
Solar-Log Web Interface supports the following functions.
- Operators can monitor entire commercial and residential Photovoltaic plants online.
- Accurate plant data and reliable reporting to meet the needs of installers, portal operators, and plant owners can be generated from the web interface.
- Datasheet with the essential information and plant image can be viewed on the portal.
- Monitoring and analyzing event logs.
- Yields per kWp (specific yields).
- Performance comparison of the individual inverters and tracker.
- Fault messages via E-Mail can be sent to the operator or the plant owner.
- The total accumulated carbon dioxide emissions that the PV plant has prevented are displayed.
- The ratio of self-consumption of solar power to the total amount of consumption.
- The Solar-Log runs a forecasting statistics function that specifies a particular target value for each month. The monthly target is then converted to a daily target and displayed here. The forecasted output has been produced if the target value or higher has been achieved.
- The solar log web dashboard can generate reports for plant yields, energy consumption, power management, etc.
- Configuration of network settings.
- Security Misconfigurations – Allows hackers to access assets using default or unchanged passwords.
- Unauthenticated Download of Configuration including Device-Password – Malicious attackers can download the device’s configuration file, after which they can expose the passwords. Through this, attackers can gain administrative rights to the device.
- Cross-Site Request Forgery (CSRF) – With this vulnerability, attackers can force users to execute unwanted actions on whatever web application is currently in use.
- Unauthenticated Arbitrary File Upload – This vulnerability allows hackers to upload malicious files to the site and perform illegal activities.
- Information Disclosure (CVE-2001-1341) – Sensitive information can be viewed, stolen, or analyzed to understand the network infrastructure.
- Unauthenticated Denial of Service – Attackers can use this vulnerability to make resources unavailable and severely impact business operations.
VISUALIZING THE RISKS:
AN ATTACK SCENARIO to Solar-Logs Web Instances
Several instances found by the researchers were not secured by password protection and were using default passwords for authentication. Suppose a malicious threat group or actor gets hold of an exposed solar log web interface that is not secured with passwords or uses default passwords; hackers can then analyze the production power of the plant and understand its operations.
The critical system information such as model number, serial number, firmware version, plant size, etc., can be retrieved from the dashboard by malicious actors. Gaining knowledge of the firmware can further help attackers to launch specific exploits.
As shown in the screenshot above, Cyble Research Labs could also retrieve the network details like internal gateway and MAC address. The exposure of this data puts the complete network at risk. The Beck IPC UDP configuration server on the Solar-Log device can be breached using arbitrary UDP packets to permanently disable the Solar-Log until a manual reboot is triggered.
As the attacker has administrator rights for the web console, they can also manipulate the tariff settings, electricity, factory production details, CO2 avoidance factor, and other plant information.
The operations mentioned above are to be controlled only by authorized parties. Corruption in these settings can also result in monetary loss and brand reputation loss to the organization using the device.
Researchers also noticed that the unprotected instances of the solar log web console are flashing an error message notifying the end-user about the security risk on the affected device.
As observed in Figure 9, the error message points out the risk of Cross-Site Request Forgery attacks (CSRF). CSRF vulnerabilities enable attackers to remove/modify a device’s password by luring an authenticated user to click on a crafted link.
An attacker can take over the device by exploiting these vulnerabilities. We found that malicious files can be uploaded on Solar-Log using a crafted POST request in some vulnerable instances.
This illustrates the dangers to the energy sector of various countries and how broad the scope is for various APT groups to launch cyber-attacks.
After getting access to the web interface, attackers can also upload malicious firmware files. The user will then be at risk of a complete network takeover or ransomware attacks.
Impact of Solar logs Vulnerabilities:
- Hackers and APT groups getting access and persistence to photovoltaic plants could lead to large-scale supply chain attacks affecting downstream companies. Companies and residential homes rely on solar power for their heating and energy needs. This could lead to a severe impact on quality of life, particularly during winter.
- Modifying CO2 avoidance parameters from the public-facing solar log web console to cause data misrepresentation leading to regulatory actions etc.
- State-sponsored cyber-attacks that are systematically planned on the energy sector of a country can weaken the security and operations of military and law enforcement departments as well.
- Working in ICS sectors can be risky, depending on the nature of the industry. A malicious hacker operating PV plant operations through web consoles increases the chances of security incidents on-site.
- Sensitive data of the multiple systems, such as network details, e-mail addresses, plant production details, passwords, firmware details, etc., of industrial control systems are being extensively collected and sold in dark web marketplaces and forums. Various ICS sites globally are facing a high risk of cyber-attacks.
- If hackers gain access to web instances, they can also upload a firmware file to the device. This specifically crafted malicious firmware file can compromise all the devices on the same network.
- Conduct cybersecurity awareness and training programs for PV plant operators and employees.
- Use strong passwords and multi-factor authentication.
- Update firmware for solar log to the latest version.
- Establish and enforce a password policy. Protect passwords via encryption. This policy should require the periodic change of passwords.
- Keep a list of the highest cybersecurity risks and how they will be addressed.
- Setup logging and monitoring services to watch for potential attacks.
- Auditing components inside the OT and IT infrastructure.
- Proper network segmentation for IT & OT components.
- Photovoltaic plant owners and operators should have visibility into the devices in the network.
- Checking and giving access rights to the concerned party only.
- Keeping critical assets of ICS behind firewalls.
- Remote access communications should be logged and monitored.
- Develop and review incident response plans.
- Plant owners, operators, employees, and security personnel should work together to understand and monitor critical assets of the ICS sector.
All the instances found in the investigation have been reported to the authorities concerned.
Cyber-attacks on ICS sectors are not new and will continue to increase. The energy sector especially is at high risk of power disruptions by APT groups. Attacks on critical infrastructure may be due to political motivations and can result in chaos in the affected country. Research indicates that there can be severe economic damage to the country due to cyber-attacks on the energy sector.
Public-facing assets and lack of cybersecurity awareness in the operation technology sector are the primary reasons for the spike in attacks in the ICS sector. These should immediately be focused on safeguarding critical ICS assets, aka “crown jewels.”
Cyble Research Labs emphasizes the need to implement regular security audits in the sectors and organization’s solar log devices installed globally. Malicious entities such as ransomware groups and threat groups are actively collecting data. This is to establish persistence over ICS sectors all over the globe and use this to gain an advantage in various politically motivated campaigns.
Hackers using multiple scanners and OSINT techniques can easily find a greater number of instances of solar logs and similar products that, when attacked, can stop or damage a critical process in the city.