Responsibility

Responsible Disclosure

Obviously, if you ever find a vulnerability similar to this, it is wise to responsibly disclose it. However, in the past a significant number of manufacturers have not responded well to responsible disclosure. Should you find something yourself and not be sure how to disclose it, please reach out to the DIVD. They can assist in getting in touch with the right people to get things fixed.

The original findings for horusscenario1.0 were first reported to SMA (December 2016), the energy sector, and the official authorities (January 2017). Responsible disclosure was to be in place up to the first of June 2017. Following this time frame, the authorities and the vendor were given some additional time because no confirmation was given that the issues were solved. The official “live” date was set to early August 2017. In the time between June and August meetings were held with the energy sector and the official authorities and they were told of the upcoming publication in order to prepare accordingly. All parties involved in the responsible disclosure were very cooperative and had good responsible disclosure policies in place.

Several findings for horusscenario2.0 are currently under responsible disclosure and handled through the DIVD.

Solving the problem

Solving the problem, however, has become quite the issue. Government officials initially stated that the energy sector should work out how to deal with these issues themselves. They can only play a role in the form of advising and consultancy to the sector. Power grid regulators state that vendors are responsible for creating secure devices. Vendors then state that users are responsible for making sure the device is in a 100% secure environment. Users state that they can’t all be cybersecurity experts and it should be secure out of the box. All in all, everyone appears to be pointing at someone else, and over the past years the overall problem and threat of exploitation has only gotten worse.

Breaking the circle

With geopolitics changing rapidly in 2024/2025, this topic became more relevant and governments across the globe are starting to push for additional regulation. Furthermore, research reports such as the work from Secura and DNV outlined specifically which further measures need to be taken by which actors to secure society from this attack. It is strongly recommended to read these reports to see how you in your role can contribute to the prevention of this attack.

Going live

In the past, several researchers' findings (including the original findings for horusscenario1.0) had to be shown on stage before a manufacturer actually addressed the issue. While the preference is to responsibly disclose and work with the manufacturer, anyone testing systems in this field should also consider a “plan B” approach.

In those cases it’s often best to send out an early warning about the upcoming disclosure to local grid operators and possibly national cyber security centres or similar governmental authorities so they can prepare accordingly. Permanently keeping these types of findings secret is discouraged, as it’s safe to assume that others with evil intentions will find them sooner or later anyway.

Bug bounty?

Many companies nowadays have bug bounty programs, where you get a reward for responsibly disclosing vulnerabilities. Sadly, no bug bounty was ever given for the majority of the findings on this website. Which is somewhat odd, given the black market most likely pays a significant sum of money to get their hands on vulnerabilities that can knock down power grids. But at least society is slightly safer now ¯\_(ツ)_/¯ Should you want to donate, to at least pay the server bills for this website, use the QR at the bottom of the page.