The state-run Dutch Radiocommunications Agency has launched an investigation into whether PV inverters pose a threat to the cybersecurity of the electricity system in the Netherlands, according to Dutch Minister for Climate and Energy Rob Jetten.
In a document published on the Dutch parliament's website, Jetten said that Internet of Things devices such as PV inverters can pose a risk to the electricity grid.
“To mitigate the risks of these devices, we focus on prevention, awareness, and additional legislation that makes products more resilient to digital attacks,” he said. “The Radiocommunications Agency will enter into discussions with the relevant manufacturers on how to improve cybersecurity.”
A Dutch hacker known as “Jelle Ursem” recently gained access to PV systems operated via a monitoring tool developed by Chinese manufacturer Solarman, according to Tweakers, a Dutch media outlet.
For this very reason, I placed an rs232 logger between the sunsynk inverter and the dongle to see what traffic is being sent to the inverter. My intention is eventually to replace the logger with an Arduino which will reject any request which is not 'normal'. The problem I have is knowing the correct pinout and the voltages that sunsynk is using. Also the modbus registers being used and the pins which provide power to the dongle. Providing this information would allow us to be in control of our own inverters and reduce the risk of remote control. It would also allow the dongle to be kept in place for firmware updates. which would be allowed through if customers…
Location of servers, or experience of who runs it, is immaterial as with time, the younger generation of hackers will undoubtably become more prolific than us turds. So this then comes to my suggestion of having the ability to localise input to the inverter, ie, it’s a closed loop, by default and anyone wish to have remote access can be limited, even by Bluetooth, which in itself is also susceptible but at least this means anyone hacking truly will anyway. So can I just remove all online options & simple have my installer come on site or I put in the connection, only when I desire. This would mean having an onboard data logger which can be accessed physically, but…
If Gary Mckinnon can hack the CIA with a 56k modem then anything is possible !
Keith, I am glad that you find it concerning. The paper authored by @SchizoDuckie is here, along with his recommendations, the high -level ones are:
I would like to know:
Is GitHub used by Sunsynk developers? If so, is it private of public Github repos?
How often are credentials changed?
Does Sunsynk prohibit the use of hard-coded login creds embedded in code?
Sunsynk is hosted on a European server