Welcome

Welcome to Horusscenario.com. This website was created to inform the public of the “Horus” cyber attack scenario that could impact everyone’s lives.

The existence of this scenario was discovered and proven by Willem Westerhof during his internship at ITsec in late 2016. Following the responsible disclosure period, details are now made available to the public. In addition to reading this website, you can also watch the presentation at SHA2017.

What is the Horus scenario

What is it?

The Horus scenario is a scenario describing a large-scale cyber attack targeting the vital electrical infrastructure. This scenario was proven to exist, both theoretically and practically, in the thesis of Willem Westerhof.

Why is it called Horus scenario?

Horus is an ancient Egyptian god, referred to in many different ways, most of which relate to the heavens or the sun. In mythology, one of his eyes stands for the sun and the other for the moon. The Horus scenario focuses on a cyber attack on PhotoVoltaic installations (solar energy systems) and “recreates” the impact that a solar eclipse has on the stability of the power grid, hence the reference to the old god.

What does this mean?

In essence, this means that a scenario was created and proven in which a malicious hacker targets the electrical grid by focusing on PV installations and succeeds in causing large-scale (nation-wide or even continental) power outages. If this attack is ever truly executed in the wild, it is expected to cost billions of euros and have a direct and severe impact on everybody’s lives.


Theoretical Concept

Balance in the power grid

The power grid needs to maintain a constant balance between the supply of power and the demand for power. If supply exceeds demand, or demand exceeds supply, outages can occur. In order to maintain stability, all sorts of countermeasures exist to prevent outages due to peaks or dips in demand or supply. Under normal circumstances, these countermeasures ensure grid stability. There is, however, a limit to these countermeasures: a maximum peak or dip value within a specific period of time. If an attacker is capable of going beyond this maximum peak or dip value, outages will occur.

Intertwined grids

Power grids, at least in Europe, are very intertwined. Nations are constantly exporting and importing power to and from each other, and power grid regulators have made agreements to help each other during times of crisis. Because of this interconnection, an attack on or failure of any part of the power grid automatically has effects in the other interconnected power grids as well.

PV Installations

PV installations influence the balance of the power grid in two ways. They supply power directly to local appliances (lessening the demand), and any excess power is supplied to the grid (increasing the supply). An attacker capable of controlling the flow of power from these devices can therefore have a direct effect on the balance of the power grid.

Scale is key

A hacker controlling a single device is of course not much of a problem. The available countermeasures for grid stability will easily protect us from such an attack. Hacking these devices becomes a problem when it is done at a large scale. Since more and more of these PV installations are being connected to the internet or the local network to provide the user with certain functionalities, they can be targeted easily, and remotely, by hackers.

In Europe there is over 90 GW of PV power installed. An attacker capable of controlling the flow of power from a large number of these devices could therefore cause peaks or dips of several gigawatts, causing massive balancing issues which may lead to large-scale power outages.


Theoretical proof

Showing evidence

In order to prove that this scenario is possible, two methods were used: a statistical method, and a comparison to the 2015 solar eclipse.

Statistical method

Using a mathematical model it is possible to estimate the amount of PV energy in a power grid at a given time. Based on this model as well as official sources, it was determined that an attack like this is statistically possible. For example, the German power grid can (at peak sunshine times) cover 35% up to 50% of its power demand using only PV installations. A cyber attack on this grid at the right time could take out up to 50% of the nation’s power supply, almost instantly causing a very large (nation-wide, up to continental due to the intertwined power grids) power outage.

Sadly, it is impossible to determine exact numbers for the threshold values (though hearsay indicates a range of 3-5 GW). That said, it cannot realistically be expected that a nation like Germany loses 35 up to 50% (+/- 20-30 GW) of its power supply instantly and does not see a power outage. It is simply too costly for power regulators to have that amount of balancing power on standby at all times. It may even be impossible to have that kind of reserves trigger instantly, as power plants take quite some time to increase and decrease their overall power output.

Comparison to solar eclipse

Another way of estimating the impact of such a cyber attack is by comparing it to the 2015 solar eclipse. This solar eclipse happened in the morning while the sun was shining and affected almost all PV installations in Europe (some more than others). Effectively, the solar eclipse controlled the flow of power from these devices (less sun equals less power from those devices, more sun equals more power from those devices).

The solar eclipse was a 2-3 hour long event that the power grid regulators were well prepared for. Large solar fields had been temporarily shut off, additional reserves and regulation resources were available, an exact plan of when to regulate in what amounts was calculated based on the expected solar eclipse pattern, extra manpower was available, etc. The power grid stayed balanced that day due to the effort of all these regulating parties. Had they done nothing, the power grid would have failed without a doubt.

When we compare this to the potential cyber attack, the picture looks very grim. This cyber attack will not take 2-3 hours but roughly a minute. The speed of the peaks and dips will be very hard, if not impossible, to deal with. Besides that, the cyber attack is not something the regulators are prepared for: the additional reserves and regulations are not in place, no extra manpower is present, and no exact plan exists. Another critical point is that the solar eclipse happened in the morning as the sun was rising. The cyber attack will likely take place in the middle of the day when the sun shines brightest, increasing the impact of controlling the flow of these devices. Finally, the solar eclipse follows a perfectly predictable pattern, whereas a cyber attack can follow any pattern the attacker creates. This may in fact be random, or shift between on and off very fast, for example causing several GW swings per minute. It becomes nearly impossible for power grid regulators to deal with this, as it follows no expected pattern and the attacker is capable of controlling the flow faster than the grid regulators can react. The graph shown below is an example, but the pattern may very well be much more random, with far more peaks and dips than shown.

Based on this comparison it can be concluded that the cyber attack is far worse. Any power grid with a lot of PV power in it will be affected heavily. Due to the interconnection of power grids, large-scale power failures can, and should, be expected.

Based on both the statistical information and the comparison to a real life scenario it can be concluded that this type of attack is indeed theoretically possible.
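The following is an added illustration of the argument above (not code from the Horus scenario site or thesis): it compares the largest change in aggregate PV output within a given time window for a slow, eclipse-like dip and for a rapid on/off pattern, against an assumed reserve capability. All profiles, the 20 GW peak, the 4 GW reserve figure (taken from the page's 3-5 GW hearsay range) and the window lengths are constructed assumptions for this example.

```python
import math


def eclipse_profile(peak_gw, depth, minutes):
    """Constructed smooth dip and recovery, sampled once per minute:
    output falls by peak_gw*depth at mid-eclipse along a cosine shape."""
    return [peak_gw * (1 - depth * (0.5 - 0.5 * math.cos(2 * math.pi * t / minutes)))
            for t in range(minutes + 1)]


def toggled_profile(peak_gw, period_min, minutes):
    """Constructed pattern in which the aggregate output switches between
    full output and zero every period_min minutes (the page's on/off case)."""
    return [peak_gw if (t // period_min) % 2 == 0 else 0.0
            for t in range(minutes + 1)]


def max_swing(series_gw, window_min):
    """Largest absolute change in aggregate output between any two samples
    that lie at most window_min minutes apart (series sampled per minute).
    This is the 'maximum peak or dip in a specific period' the page refers to."""
    worst = 0.0
    for i, start in enumerate(series_gw):
        for later in series_gw[i + 1:i + 1 + window_min]:
            worst = max(worst, abs(later - start))
    return worst


def within_reserve(series_gw, window_min, reserve_gw):
    """True if balancing reserves, assumed able to absorb reserve_gw of net
    change within window_min minutes, would cover the worst swing."""
    return max_swing(series_gw, window_min) <= reserve_gw


if __name__ == "__main__":
    RESERVE_GW = 4.0          # assumed, inside the page's 3-5 GW hearsay range
    eclipse = eclipse_profile(peak_gw=20.0, depth=0.5, minutes=180)   # 10 GW lost over 90 min
    attack = toggled_profile(peak_gw=20.0, period_min=1, minutes=180)  # 20 GW swing per minute
    for window in (1, 15):
        for name, series in (("eclipse", eclipse), ("toggled", attack)):
            print(f"{name:8s} window={window:2d} min  worst swing={max_swing(series, window):6.2f} GW"
                  f"  reserves suffice={within_reserve(series, window, RESERVE_GW)}")
```

The eclipse-shaped dip never moves more than a few GW inside a 15-minute window, while the toggled pattern produces its full 20 GW swing inside a single minute, which is the page's point about ramp speed rather than total energy.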


Practical proof

Showing evidence

Proving that the Horus scenario is theoretically possible is one thing, but if no security vulnerabilities exist in PV installations it is still practically impossible. A live test setup was used to discover vulnerabilities in the market-leading, and likely the most secure, brand: SMA. Devices of this brand are generally considered the Mercedes among PV inverters, have won several awards for outstanding solar energy products, and have been the market leader for several years.

Laws & guidelines

Several laws and guidelines exist for power supply equipment and its cyber security, for example IEC 62443, IEC 62351 and ISO/IEC 27000. That said, PV installation businesses and PV inverter suppliers are in no way obliged to actually follow these laws and guidelines. Since they are not obliged to follow them, it can be expected that very few cyber security measures are in fact in place, not only for this vendor, but for all PV inverter vendors.

Field testing

In the thesis of Willem Westerhof, a hands-on black box study was done to find vulnerabilities in the test setup. Full technical details will not be provided here for ethical and security reasons. Findings ranging from a 0.0 CVSS 3.0 (Informational) score up to a 9.0 CVSS 3.0 (Critical) score were discovered. These findings resulted in an attacker being able to remotely compromise the device completely. Not only was it possible to hack the device and control its flow of power, there were actually several different ways of doing so.

In total, seventeen vulnerabilities were discovered (later split into twenty-one findings as requested by the vendor), fourteen of which have been assigned a CVE-ID. Using several of these vulnerabilities, it is possible to create a complete kill chain executing the Horus scenario from start to finish.

All these vulnerabilities were responsibly disclosed to the vendor in December 2016. In early 2017, the theoretical concept as well as the vulnerabilities in this scenario were disclosed to specific governmental institutes and power grid regulators, since they have a direct impact on the vital infrastructure.