Responsible Disclosure
These findings were first reported to SMA (December 2016), the energy sector, and the official authorities (January 2017). Responsible disclosure was to be in place up to the first of June 2017. Following this time frame, the authorities and the vendor were given some additional time because no confirmation was given that the issues were solved. The official “live” date was set to early August 2017. In the time between June and August meetings were held with the energy sector and the official authorities and they were told of the upcoming publication in order to prepare accordingly. All parties involved in the responsible disclosure were very cooperative and had good responsible disclosure policies in place.
Solving the problem
Solving the problem however became quite the issue. Government officials state that the energy sector should work out how to deal with these issues themselves. They can only a play a role in the form of advising and consultancy to the sector. Power grid regulators state that vendors are responsible for creating secure devices. Vendors then state that users are responsible for making sure the device is in a 100% secure environment. Users state that they can’t all be cybersecurity experts and it should be secure out of the box. All in all everyone was simply pointing to another one.
Breaking the circle
After several meetings it became clear that responsibility was mainly being shoved around. In the end all parties picked up a part of the responsibility. SMA is working on fixing the vulnerabilities in current devices, and making sure future devices are secured in a better way. Our contacts in the energy sector have agreed to put the subject on the agenda in official energy cybersecurity meetings and conferences. Our contacts in the official authorities have agreed to share the findings of this study with their international counterparts, so every nation can make a plan on how to deal with this problem.
Going live
With all this in place there was only one thing left to do. Going live with the findings so that the sector may learn from it. Other ethical hackers will hopefully pick up this story and test their own inverters, responsibly disclosing many more vulnerabilities and making the world a little bit safer. Hence, a local newspaper was contacted (de Volkskrant) and plans were made to present the findings at SHA2017. In the end, it was decided to leave exact technical details and reproduction steps out of the publication for the time being as no one wants to give black hats an exact step by step guide on how to execute the Horus scenario. Perhaps, full disclosure will happen in time, but not right now.
Bug bounty?
Many companies nowadays have bug bounty programs, where you get a reward for responsibly disclosing vulnerabilities. Sadly, no bug bounty was ever given for these findings. Which is actually quite weird, because the black market most likely pays tons if not more to get their hands on vulnerabilities that can knock down power grids.
Since no bug bounty was ever given, we ask the public to donate if possible. If you enjoyed the article, used it as a news reporter, feel strongly that this issue should be fixed or are impressed about these findings please donate to the researcher using the information below.