Welcome

Welcome to Horusscenario.com. This website was created to inform the public of the “Horus” cyber attack scenario that could impact everyone’s lives.

The existence of this scenario was discovered and proven by Willem Westerhof during his internship at ITsec in late 2016. Now that the responsible disclosure period has ended, the details are being made available to the public. In addition to reading this website, you can also watch the presentation given at SHA2017.

What is the Horus scenario

What is it?

The Horus scenario is a scenario describing a large-scale cyber attack targeting the vital electrical infrastructure. The scenario was proven to exist, both theoretically and practically, in the thesis of Willem Westerhof.

Why is it called Horus scenario?

Horus is an ancient Egyptian god, referred to in many different ways, in most cases related to the heavens or the sun. In mythology, one of his eyes stands for the sun, the other for the moon. The Horus scenario focuses on a cyber attack on photovoltaic installations (solar energy systems) and “recreates” the impact that a solar eclipse has on the stability of the power grid, hence the reference to the old god.

What does this mean?

In essence, this means that a scenario was created and proven in which a malicious hacker targets the electrical grid by focusing on PV installations and succeeds in causing large-scale (nation-wide or even continental) power outages. If this attack is ever truly executed in the wild, it is expected to cost billions of euros and to have a direct and severe impact on everybody’s lives.


Theoretical Concept

Balance in the power grid

The power grid needs to maintain a constant balance between the supply of power and the demand for power. If supply exceeds demand, or demand exceeds supply, outages can occur. To maintain stability, all sorts of countermeasures exist to prevent outages due to peaks or dips in demand or supply. Under normal circumstances, these countermeasures ensure grid stability. There is, however, a limit to these countermeasures: a maximum peak or dip value within a specific period of time. If an attacker is capable of going beyond this maximum peak or dip value, outages will occur.

Intertwined grids

Power grids, at least in Europe, are very intertwined. Nations are constantly exporting and importing power to and from each other, and power grid regulators have made agreements to help each other in times of crisis. Because of this interconnection, an attack on or failure of any part of the power grid automatically has effects on the other intertwined power grids as well.

PV Installations

PV installations influence the balance of the power grid in two ways. They supply power directly to local appliances (lessening the demand), and any excess power is supplied to the grid (increasing the supply). An attacker capable of controlling the flow of power from these devices can therefore have a direct effect on the balance of the power grid.

Scale is key

A hacker controlling a single device of course isn’t much of a problem; the available countermeasures for grid stability will easily protect us from such an attack. Hacking these devices becomes a problem when it is done at a large scale. Since more and more of these PV installations are being connected to the internet or the local network, to provide the user with certain functionalities, they can be targeted easily, and remotely, by hackers.

In Europe there is over 90 GW of PV power installed. An attacker capable of controlling the flow of power from a large number of these devices could therefore cause peaks or dips of several gigawatts, causing massive balancing issues which may lead to large-scale power outages.


Theoretical proof

Showing evidence

To prove that this scenario is possible, two methods were used: a statistical method, and a comparison to the 2015 solar eclipse.

Statistical method

Using a mathematical model it is possible to estimate the amount of PV energy in a power grid at a given time. Based on this model, as well as official sources, it was determined that an attack like this is statistically possible. For example, the German power grid can (at peak sunshine times) cover 35% up to 50% of its power demand using only PV installations. A cyber attack on this grid at the right time could take out up to 50% of the nation’s power supply, almost instantly causing a very large (nation-wide, up to continental due to the intertwined power grids) power outage.

Sadly, it is impossible to determine exact numbers for the threshold values (though hearsay suggests a range of 3-5 GW). That said, it cannot realistically be expected of a nation like Germany to lose 35 up to 50% (roughly 20-30 GW) of its power supply instantly and not see a power outage. It is simply too costly for power regulators to have that amount of balancing power on standby at all times. It may even be impossible to have that kind of reserve trigger instantly, as power plants take quite some time to increase and decrease their overall power output.

Comparison to solar eclipse

Another way of estimating the impact of such a cyber attack is by comparing it to the 2015 solar eclipse. This solar eclipse happened in the morning while the sun was shining and affected almost all PV installations in Europe (some more than others). Effectively, the solar eclipse controlled the flow of power from these devices (less sun equals less power from those devices, more sun equals more power from those devices).

The solar eclipse was a 2-3 hour long event that the power grid regulators were well prepared for. Large solar fields had been temporarily shut off, additional reserves and regulation resources were available, an exact plan of when to regulate and in what amounts had been calculated based on the expected solar eclipse pattern, extra manpower was available, etc. The power grid stayed balanced that day thanks to the effort of all these regulating parties. Had they done nothing, the power grid would have failed without a doubt.

When we compare this to the potential cyber attack, it looks very grim. This cyber attack will not take 2-3 hours but roughly a minute. The speed of the peaks and dips will be very hard, if not impossible, to deal with. Besides that, the cyber attack is not something the regulators are prepared for: the additional reserves and regulations are not in place, no extra manpower is present, and no exact plan exists. Another critical point is that the solar eclipse happened in the morning as the sun was rising. The cyber attack will likely take place in the middle of the day when the sun shines brightest, increasing the impact of controlling the flow of these devices. Finally, the solar eclipse follows a perfectly predictable pattern. A cyber attack can follow any pattern the attacker creates. This may in fact be random, or shift between on and off very fast, for example causing swings of several GW per minute. It becomes nearly impossible for power grid regulators to deal with this, as it follows no expected pattern and the attacker is capable of changing the flow faster than the grid regulators can respond. The graph shown below is an example, but the pattern may very well be much more random, with far more peaks and dips than shown.

Based on this comparison it can be concluded that the cyber attack is far worse. Any power grid with a lot of PV power in it will be affected heavily. Due to the interconnection of power grids, large-scale power failures can, and should, be expected.
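The statistical argument (20-30 GW of PV against a 3-5 GW tolerance) and the eclipse comparison (hours versus a minute) both come down to how fast ramp-limited reserves can follow a change in PV output. The toy balance model below is an added illustration, not code from this website or the thesis: the reserve ramp rate and capacity are constructed assumptions, and the three PV-loss profiles (eclipse-like hump, one-minute switch-off, on/off toggling) stand in for the patterns the text describes.

```python
# Added illustration (not code from the Horus site or thesis): toy grid-balance model.
# Reserve ramp/capacity figures below are constructed assumptions, not measured values.
import math
from typing import List, NamedTuple

class Reserve(NamedTuple):
    ramp_gw_per_min: float  # how fast standby generation can change output
    capacity_gw: float      # total reserve that can be brought online

class Outcome(NamedTuple):
    worst_gw: float        # largest uncovered imbalance seen
    first_breach_min: int  # first minute above threshold, -1 if never
    minutes_over: int      # minutes spent above threshold

def eclipse_profile(peak_gw: float, minutes: int) -> List[float]:
    """Smooth loss of PV output over a multi-hour window (sine hump)."""
    return [peak_gw * math.sin(math.pi * t / minutes) for t in range(minutes)]

def step_profile(loss_gw: float, minutes: int) -> List[float]:
    """All affected PV output lost at minute 1 and not restored."""
    return [0.0] + [loss_gw] * (minutes - 1)

def toggle_profile(loss_gw: float, minutes: int, period: int) -> List[float]:
    """PV output lost and restored again every `period` minutes."""
    return [loss_gw if (t // period) % 2 else 0.0 for t in range(minutes)]

def simulate(lost_pv: List[float], reserve: Reserve, threshold_gw: float) -> Outcome:
    """Reserves chase the lost PV output minute by minute, limited by ramp rate
    and capacity; whatever they cannot cover is the imbalance."""
    out, worst, first, over = 0.0, 0.0, -1, 0
    for t, loss in enumerate(lost_pv):
        target = min(loss, reserve.capacity_gw)
        step = target - out
        if abs(step) <= reserve.ramp_gw_per_min:
            out = target
        else:
            out += math.copysign(reserve.ramp_gw_per_min, step)
        imbalance = abs(loss - out)
        worst = max(worst, imbalance)
        if imbalance > threshold_gw:
            over += 1
            first = t if first < 0 else first
    return Outcome(worst, first, over)

if __name__ == "__main__":
    # 20 GW of PV (page: 20-30 GW) vs a 4 GW tolerance (page: 3-5 GW hearsay)
    res = Reserve(ramp_gw_per_min=0.5, capacity_gw=25.0)  # constructed
    print("eclipse   ", simulate(eclipse_profile(20.0, 150), res, 4.0))
    print("switch-off", simulate(step_profile(20.0, 60), res, 4.0))
    print("toggle    ", simulate(toggle_profile(20.0, 60, 2), res, 4.0))
```

With the same reserve, the slow eclipse hump is tracked without any breach, while the one-minute loss leaves the grid above the 4 GW tolerance for about half an hour and the toggling profile breaches it again in every cycle.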

Based on both the statistical information and the comparison to a real-life event, it can be concluded that this type of attack is indeed theoretically possible.


Practical proof

Showing evidence

Proving that the Horus scenario is theoretically possible is one thing, but if no security vulnerabilities exist in PV installations it is still practically impossible. A live test setup was used to discover vulnerabilities in the market-leading, and likely the most secure, brand: SMA. Devices of this brand are generally considered to be the Mercedes among PV inverters, have won several awards for outstanding solar energy products and have been the market leader for several years.

Laws & guidelines

Several laws and guidelines exist for power supply equipment and its cyber security, for example IEC 62443, IEC 62351 and ISO/IEC 27000. That said, PV installation businesses and PV inverter suppliers are in no way obliged to actually follow these laws and guidelines. Since they are not obliged to follow them, it can be expected that very few cyber security measures are in fact in place, not only for this vendor but for all PV inverter vendors.

Field testing

In the thesis of Willem Westerhof a hands-on black-box study was done to find vulnerabilities in the test setup. Full technical details will not be provided here for ethical and security reasons. Findings ranging from a CVSS 3.0 score of 0.0 (Informational) up to a CVSS 3.0 score of 9.0 (Critical) were discovered. These findings resulted in an attacker being able to remotely compromise the device completely. Not only was it possible to hack the device and control its flow of power, there were actually several different ways of doing this.

In total seventeen vulnerabilities were discovered (later split into twenty-one findings as requested by the vendor). Fourteen of these have been awarded a CVE ID. Using several of these vulnerabilities it is possible to create a complete kill chain, from start to finish, executing the Horus scenario.

All these vulnerabilities were responsibly disclosed to the vendor in December 2016. In early 2017 the theoretical concept, as well as the vulnerabilities in this scenario, were disclosed to specific governmental institutes and power grid regulators, since they have a direct impact on the vital infrastructure.


Conclusions & Expectations

Concluding

Under the assumption that the SMA brand is indeed representative of the PV inverter industry, and the assumption that the “attacker” is technically skilled, it can be stated that the Horus scenario is possible. Based on the theoretical proof as well as the practical proof, the sad conclusion is that the Horus scenario can in fact be realized. It is possible for a smart and dedicated attacker to shut down large parts of entire continental power grids this way. Any power grid with a significant amount of PV installations in place may be facing this attack.

Expectations

In the worst-case scenario an attacker compromises enough devices and shuts all of them down at the same time, causing the threshold values to be hit. Power grids start failing and, due to the import and export of power, cascading blackouts start occurring. Several other power sources, such as wind turbines, automatically shut down to protect the grid and so amplify the attack further. Despite their best efforts, power grid regulators are unable to stop the attack. It is only after the sun sets, or when there is no longer enough sunshine for the attack to take place, that the grid stabilizes again. Depending on the authorities’ way of dealing with this attack, this scenario may keep going for several days.

Costs

Using a blackout simulator tool it is possible to estimate the costs of this scenario happening. In the worst-case scenario, a 3 hour power outage across Europe, somewhere around midday in June, is estimated to cause roughly 4.5 billion euros of damage. We should also consider the impact it may have on human lives, as previous outages are known to cause problems which sometimes end fatally.


Responsibility

Responsible Disclosure

These findings were first reported to SMA (December 2016), and then to the energy sector and the official authorities (January 2017). Responsible disclosure was to be in place up to the first of June 2017. After this time frame, the authorities and the vendor were given some additional time because no confirmation had been given that the issues were solved. The official “live” date was set to early August 2017. In the time between June and August, meetings were held with the energy sector and the official authorities, and they were told of the upcoming publication in order to prepare accordingly. All parties involved in the responsible disclosure were very cooperative and had good responsible disclosure policies in place.

Solving the problem

Solving the problem, however, became quite the issue. Government officials state that the energy sector should work out how to deal with these issues themselves; they can only play an advisory and consulting role for the sector. Power grid regulators state that vendors are responsible for creating secure devices. Vendors then state that users are responsible for making sure the device is in a 100% secure environment. Users state that they can’t all be cyber security experts and that the device should be secure out of the box. All in all, everyone was simply pointing at someone else.

Breaking the circle

After several meetings it became clear that responsibility was mainly being shoved around. In the end, all parties picked up a part of the responsibility. SMA is working on fixing the vulnerabilities in current devices and on making sure future devices are secured in a better way. Our contacts in the energy sector have agreed to put the subject on the agenda of official energy cyber security meetings and conferences. Our contacts in the official authorities have agreed to share the findings of this study with their international counterparts, so that every nation can make a plan on how to deal with this problem.

Going live

With all this in place there was only one thing left to do: going live with the findings so that the sector may learn from them. Other ethical hackers will hopefully pick up this story and test their own inverters, responsibly disclosing many more vulnerabilities and making the world a little bit safer. Hence, a local newspaper (de Volkskrant) was contacted and plans were made to present the findings at SHA2017. In the end, it was decided to leave the exact technical details and reproduction steps out of the publication for the time being, as no one wants to give black hats an exact step-by-step guide on how to execute the Horus scenario. Perhaps full disclosure will happen in time, but not right now.

Bug bounty?

Many companies nowadays have bug bounty programs, where you get a reward for responsibly disclosing vulnerabilities. Sadly, no bug bounty was ever given for these findings, which is actually quite strange, because the black market most likely pays a great deal to get its hands on vulnerabilities that can knock down power grids.

Since no bug bounty was ever given, we ask the public to donate if possible. If you enjoyed the article, used it as a news reporter, feel strongly that this issue should be fixed or are impressed by these findings, please donate to the researcher using the information below.