Showing evidence
Proving that the Horus scenario is theoretically possible is one thing, but if no security vulnerabilities exist in PV installations it is still practically impossible. A live test setup was used to discover vulnerabilities in the market-leading, and likely the most secure, brand: SMA. Devices of this brand are generally considered to be the Mercedes among PV inverters, have won several awards for outstanding solar energy products and have been the market leader for several years.
Laws & guidelines
Several laws and guidelines exist for power supply equipment and its cyber security, for example IEC 62443, IEC 62351 and ISO/IEC 27000. That said, PV installation businesses and PV inverter suppliers are in no way obliged to actually follow these laws and guidelines. Since they are not obliged to follow them, it can be expected that very few cyber security measures are in fact in place. Not only for this vendor, but for all PV inverter vendors.
Field testing
In the thesis of Willem Westerhof a hands-on black box study was done to find vulnerabilities in the test setup. Full technical details will not be provided here for ethical and security reasons. Findings ranging from a 0.0 CVSS 3.0 (Informational) score up to a 9.0 CVSS 3.0 (Critical) score were discovered. These findings resulted in an attacker being able to remotely compromise the device completely. Not only was it possible to hack the device and control its flow of power, there were actually several different ways of doing this.
In total seventeen vulnerabilities were discovered (later split into twenty-one findings as requested by the vendor), fourteen of which have been awarded a CVE-ID. Using several of these vulnerabilities it is possible to create a complete kill chain from start to finish, executing the Horus scenario.
- CVE-2017-9851
- CVE-2017-9852
- CVE-2017-9853
- CVE-2017-9854
- CVE-2017-9855
- CVE-2017-9856
- CVE-2017-9857
- CVE-2017-9858
- CVE-2017-9859
- CVE-2017-9860
- CVE-2017-9861
- CVE-2017-9862
- CVE-2017-9863
- CVE-2017-9864
All these vulnerabilities were responsibly disclosed to the vendor in December 2016. In early 2017 the theoretical concept, as well as the vulnerabilities in this scenario, were disclosed to specific governmental institutes and power grid regulators, since they have a direct impact on vital infrastructure.