Are Chinese Inverters a Security Risk?

The federal opposition seems to think it has discovered a “gotcha” to argue against the proliferation of rooftop solar PV – and against Australia’s renewable energy target: Chinese hardware.

Senator James Paterson is leading the charge, fresh from his success in persuading the government to discard Chinese CCTV cameras (here at tech publication iTnews) and calling for the same to happen to 3000+ DJI drones owned by government agencies (disclosure: the author writes for iTnews).

Now, Paterson has the solar business in his sights, taking to News Limited outlets to tell the world that Chinese solar inverters could be used to bring down Australia’s grid.

This Sky News video posted to YouTube says almost all you need to know about the senator’s campaign in the chyron: “Chinese spy concerns in solar power market”.

To quote Senator Paterson from the video:

“These are inverters that are internet-connected, and their role is to connect the solar panels on the roof of your home or business to the grid and make it work.

“The problem that we have is that the smart inverters … are predominantly made by Chinese companies, including companies like Huawei.”

The senator believes there’s a “critical mass” of devices at which they become “a significant proportion of our electricity grid”.

“That could be disrupted by an external party, by a signals intelligence agency like the People’s Liberation Army’s cyberspace force or the Ministry of State Security cyber hacking unit.”

How Great a Risk?

China-baiting has proven fruitful for conservative politicians worldwide ever since they began campaigning against Huawei from supplying major telecommunications projects like 5G networks and the NBN.

In this case, the China-baiting appears to have at its heart the opportunity to attack the government over its ‘82% by 2030’ renewable energy target, because the target will bring more Chinese kit into Australia’s solar PV supply, increasing our exposure to whatever the Chinese Communist Party has in mind.

It’s easy to think that attacking the renewables target, rather than a genuine understanding of the cyber security risks, is the point of the coalition’s campaign.

And it would be a travesty if renewable energy targets became hostage, yet again, to political point-scoring.

So how genuine are the risks?

Regular readers will know that I believe the solar PV industry needs to take cybersecurity seriously and that security vulnerabilities have been found (and fixed) in inverter products.

However, the risk of a critical security vulnerability – such as an unsecured login to an inverter – isn’t dependent on a product’s country of manufacture. Any internet-exposed device with a vulnerability can be exploited by any attacker that finds it.

Senator Paterson appears to be hinting that the Chinese vendors are building secret backdoors into their products – that one day ten thousand Huawei inverters (or Growatt or Solax or Sungrow or any of many) will be taken over by state-backed Chinese hackers to bring down the grid.

At the very least, Senator Paterson is assuming that there is no way to stop this happening.

And that isn’t true.

For one thing, grid-connected, internet-connected inverters don’t exist in a vacuum.

If they’re part of a Virtual Power Plant, they’ll be controlled by a third party who manages the import and export of grid electricity from the battery. If they are part of a Flexible Exports program (currently mandatory in SA and optional in QLD) a third party will control how much solar can be exported to the grid.

These programs are not managed by a consumer who doesn’t understand cyber security – they should be in the hands of organisations with cyber security expertise familiar with the Australian Signals Directorate’s Essential Eight cyber security control list, and its Australian Information Security Manual.

At the very least, organisations controlling fleets of inverters can ensure that smart inverters communicate with the network management centre over an encrypted channel and don’t make connections to or from Chinese network addresses.

And if the organization controlling thousands of inverters through the cloud is one of the big genetailers (AGL, Origin, Energy Australia, etc.), they’ll be in the hands of companies that already invest millions in security and are subject to the Security of Critical Infrastructure Act.

That Act was initiated by the previous government – the one of which Senator Paterson was a part.

Original Source: https://www.solarquotes.com.au/blog/chinese-inverters-security-risk/