A cyber attack targeting vulnerabilities in a popular brand of solar panels could lead to the complete shutdown of a country’s entire power grid, new research found.

Dutch security engineer Willem Westerhof disclosed 21 security vulnerabilities found in solar panels produced by German solar equipment company SMA. If exploited in mass, the vulnerabilities could lead to a domino effect that would result in electrical grids getting knocked offline.

Read: Can Utility Companies Be Hacked? More Cyberattacks Targeting Unregulated US Energy

According to Westerhof, an attacker could exploit the flaws in SMA panels and damage the operations of solar power plants. Such an attack could have far-reaching effects beyond disrupting the harnessing of solar energy at the point of attack.

Solar plants are part of a global, interconnected network that allows plants to draw power from those who have a surplus available. Those grids are operated based on the expected amount of power generated and power consumed. Any disruption to that balance could result in the shutdown of the entire grid.

For a country like Germany, where solar energy covers up to half of all power demand at a given time, such an attack could be devastating—especially without the preemptive warning to increase production at other plants to make up for the lost production at a disabled solar plant.

"A cyberattack in this grid at the right time could take out up to 50 percent of the nation’s power supply," Westerhof wrote. "Almost instantly causing a very large (nation-wide, up to continental due to the intertwined power grids) power outage."

Read: IoT Security Threats: Survey Finds Government, Financial Sectors Vulnerable

Westerhof noted that it’s too costly for regulators to keep large supplies of powers on standby at all times, meaning most countries wouldn’t have the type of energy reserves available to cover the lost production at a plant that falls victim to a cyber attack.

The result of such an attack has been dubbed the Horus Scenario by Westerhof. If executed in the wild, Westerhof predicted it would adversely affect millions of people and cost governments and organizations billions of dollars.

More troubling than the researcher detailing the possibility of such an attack is the fact that the vulnerabilities that could be exploited have yet to be fixed. Westerhof said he disclosed the flaws to SMA in December 2016 and followed up in January by disclosing the vulnerabilities to governments and regulators that could be affected.

Despite the disclosures, SMA has yet to patch the flaws nearly eight months later. While some of the exploits would require a more sophisticated attack, including physical access to fully execute, others are rather easily exploitable by a low-level hacker.

In some cases, a denial of service (DOS) attack could knock out part of a grid. In others, the use of default passwords leave the operation of solar panels at risk of being hijacked. Other bugs can be exploited remotely, requiring little more than an internet connection to carry out.

While Westerhof hasn’t provided the technical details of his proof-of-concept attack for security reasons, he will be presenting his findings at SHA2017, a hacking conference held in the Netherlands.

RELATED STORIES
Security Germany Cybercrime Energy