Research


A second HIL lab setup, shown in Fig.1, contains an electrical network that simulates a home solar power installation and can be expanded with devices such as Electric Vehicle Supply Equipment (EVSE) and battery storage. A Home Local Area Network allows further expansion with other home and cloud-connected devices. A Photovoltaic (PV) emulator stands in for a working solar panel and generates direct current (DC). A solar microinverter converts the emulator's DC output to alternating current (AC) compatible with the power grid. A solar power gateway controller monitors and manages the flow of solar power. Battery storage lets the smart home store and release energy, up to complete energy independence. A mobile app provides the interface for monitoring and managing the solar power system, and a solar power cloud serves as the centralized platform for data processing and storage. An electrical junction box acts as the central hub for the wiring of the home solar setup. The HIL setup is located in the Flex Lab in EPIC and is connected to the grid emulator in the Smart Grid Lab in EPIC.


Fig.1: HIL Testbed with a Home Solar System in a Micro Smart Home

We conducted several preliminary cybersecurity experiments using the HIL testbed. Fig.2 shows the steps of a privilege escalation attack, colored blue, green, yellow and pink. We also identified several other vulnerabilities in the solar power gateway controller, outlined below:

Fig.2: Privilege Escalation Attack

Hard-coded credentials: The default administrator password is the last 6 digits of the device's serial number. The serial number is printed on the device and can also be read remotely from the status page, so an attacker with either physical or remote access can gain administrative control.

Predictable Solar Power Installer Password: The device generates an installer password with elevated privileges from a hash of the full 12-digit serial number. Anyone who knows the serial number can therefore reproduce the installer password and make unauthorized configuration changes to the solar power setup.

Brute force: The solar power gateway controller allows unlimited login attempts, so passwords can be guessed by trial and error. Because the default administrator password is 6 digits, the search space is at most one million guesses.
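The three weaknesses above compound: the serial number is public, the administrator password is derived from it, the installer password is a hash of it, and nothing limits guessing. As an added example (not code from the page or from the device vendor), the following Python audit flags passwords that are derivable from a serial number and shows the attempt throttling the device lacks. The serial number `123456789012` is constructed sample input; the page does not name the installer-password hash, so the digest choices and the 8-character truncation in `installer_password_candidates` are assumptions, not the vendor's scheme; `LoginGuard` and its lockout parameters are likewise illustrative.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed sample serial; the page states the default admin password is the
# last 6 digits of a 12-digit serial printed on the device and on its status page.
SAMPLE_SERIAL = "123456789012"

# Assumed digest candidates: the page says "a hash of the entire 12-digit serial"
# without naming the algorithm, so an auditor tries the common ones.
CANDIDATE_DIGESTS = ("sha1", "sha256", "sha512")


def default_admin_password(serial: str) -> str:
    """Default admin password as described on the page: last 6 digits of the serial."""
    return serial[-6:]


def installer_password_candidates(serial: str, length: int = 8) -> dict:
    """Installer-password guesses an attacker who knows the serial would try first.

    Truncation to `length` hex characters is an assumption for illustration.
    """
    data = serial.encode()
    return {name: hashlib.new(name, data).hexdigest()[:length] for name in CANDIDATE_DIGESTS}


def is_serial_derived(serial: str, password: str) -> bool:
    """Audit check: True if the password is recoverable from the serial number alone."""
    if hmac.compare_digest(password, default_admin_password(serial)):
        return True
    if len(password) < 6:          # too short to be a meaningful digest prefix
        return False
    data = serial.encode()
    for name in CANDIDATE_DIGESTS:
        # Any prefix of the full digest counts, whatever truncation the vendor chose.
        if hashlib.new(name, data).hexdigest().startswith(password.lower()):
            return True
    return False


class LoginGuard:
    """Per-source failed-attempt throttling (hypothetical; the device has none).

    After `max_failures` wrong passwords from one source, that source is locked
    out for `lockout_seconds`, which turns a million-guess search into years.
    """

    def __init__(self, max_failures=5, lockout_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock                      # injectable for deterministic tests
        self._failures = defaultdict(int)
        self._locked_until = {}

    def attempt(self, source: str, password: str, expected: str) -> str:
        now = self.clock()
        if self._locked_until.get(source, 0) > now:
            return "locked"                     # refuse without even checking
        if hmac.compare_digest(password, expected):
            self._failures.pop(source, None)
            return "ok"
        self._failures[source] += 1
        if self._failures[source] >= self.max_failures:
            self._locked_until[source] = now + self.lockout_seconds
            self._failures.pop(source, None)
            return "locked"
        return "denied"


if __name__ == "__main__":
    print("default admin password:", default_admin_password(SAMPLE_SERIAL))
    print("installer candidates:", installer_password_candidates(SAMPLE_SERIAL))
    guard = LoginGuard(max_failures=3, lockout_seconds=60)
    for guess in ("000000", "000001", "000002", "789012"):
        print(guess, "->", guard.attempt("10.0.0.5", guess, "789012"))
```

The audit treats any prefix of a serial-derived digest as weak, so it does not depend on guessing the vendor's exact truncation. In the guard, the lockout check runs before the password comparison, so a locked source cannot keep probing, and `hmac.compare_digest` avoids leaking the comparison result through timing.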

Denial-of-Service (DoS) Attack: Solar power gateway controllers often expose APIs for polling real-time energy production data. These APIs can be susceptible to denial-of-service attacks in which the threat actor floods the device with illegitimate requests and exhausts its resources. Most Internet of Things devices lack the processing power and protective features to defend against such attacks effectively. In our tests, as few as 17 concurrent connections saturated the device's embedded web server, and a reboot was required to restore functionality; until the device is reset, the home user cannot access it.

Replay Attack: The solar power gateway controller does not use SSL/TLS, so its traffic is transmitted unencrypted and unauthenticated, allowing an attacker to intercept valid transmissions and replay them to manipulate the system. We successfully intercepted and replayed a packet that starts and stops power generation, demonstrating a safety risk for personnel working on a system that an attacker can control remotely. Replayed commands could also damage grid infrastructure or other connected equipment. Encryption alone would not close this gap: a command channel also needs per-message authentication and a freshness check so that a captured command cannot be accepted a second time.
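To make the replay concrete, here is an added Python example (not the page's code and not the gateway's real protocol) that places a plaintext start/stop command like the one described next to a hardened version. The hardened form authenticates each command with an HMAC over a monotonic counter and a timestamp, and the receiver rejects a tag mismatch, a stale timestamp, or a counter that does not advance. The JSON message layout, the `DEVICE_KEY` value and the 30-second window are assumptions for illustration; a real key would be provisioned per device and never derived from the serial number.

```python
import hashlib
import hmac
import json
import time

# Constructed shared secret for the example; real deployments provision one per device.
DEVICE_KEY = b"example-key-provisioned-at-install"


def plaintext_command(action: str) -> bytes:
    """Unauthenticated command of the kind the page describes; any capture can be resent."""
    return json.dumps({"cmd": action}).encode()


class NaiveReceiver:
    """Executes whatever arrives: a replayed capture is indistinguishable from the original."""

    def handle(self, msg: bytes) -> str:
        return json.loads(msg)["cmd"]


def sign_command(key: bytes, action: str, counter: int, now: float) -> bytes:
    """Canonical JSON body plus HMAC-SHA256 tag; counter and timestamp give freshness."""
    body = {"cmd": action, "ctr": counter, "ts": int(now)}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + tag


class HardenedReceiver:
    """Accepts a command only if its tag verifies, it is recent, and its counter is new."""

    def __init__(self, key: bytes, window_seconds: int = 30, clock=time.time):
        self.key = key
        self.window = window_seconds
        self.clock = clock                  # injectable for deterministic tests
        self.last_counter = -1              # highest counter accepted so far

    def handle(self, msg: bytes) -> str:
        payload, sep, tag = msg.rpartition(b".")
        if not sep:
            raise ValueError("malformed")
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest().encode()
        # Verify the tag before trusting any field, so forgeries cannot move the counter.
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad tag")
        body = json.loads(payload)
        if abs(self.clock() - body["ts"]) > self.window:
            raise ValueError("stale")
        if body["ctr"] <= self.last_counter:
            raise ValueError("replay")      # the exact case the page demonstrates
        self.last_counter = body["ctr"]
        return body["cmd"]


def try_handle(receiver, msg: bytes) -> str:
    """Return the executed command, or the rejection reason instead of raising."""
    try:
        return receiver.handle(msg)
    except ValueError as err:
        return "rejected: " + str(err)


if __name__ == "__main__":
    naive = NaiveReceiver()
    captured = plaintext_command("stop")
    print("naive, original:", try_handle(naive, captured))
    print("naive, replay:  ", try_handle(naive, captured))     # executes again

    hardened = HardenedReceiver(DEVICE_KEY)
    signed = sign_command(DEVICE_KEY, "stop", counter=1, now=time.time())
    print("hardened, original:", try_handle(hardened, signed))
    print("hardened, replay:  ", try_handle(hardened, signed))  # rejected: replay
```

The counter alone defeats replay against a receiver that keeps state; the timestamp window limits how long a captured command stays usable against a receiver that has lost its counter (for example after the reboot the DoS finding forces). Both checks come after tag verification, so an attacker without the key cannot use forged messages to advance the counter or desynchronize the receiver.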

By emulating a threat actor's approach, we identified potential vulnerabilities and explored the feasibility of gaining unauthorized access to a grid-connected IoT device within the system. Once a threat actor has gained sufficient privileges, an attack payload can be created that could lead to an attack on the power grid. This will allow us to analyze the broader electrical disruptions a threat actor could orchestrate by compromising one or more smart homes within a larger system.