So can anyone hack Solar panels? Only if you couldn’t care less

A headline asking the question, “What if the solar energy grid got hacked?” made us sit up and think last week, and we set up a chat with Sectigo, a Certification Authority for a variety of security eco-systems, one of which includes the SunSpec Alliance, a 100-strong trade alliance of solar plus energy storage players.

Sectigo (formerly Comodo) has partnered with non-profit Kyrio, itself owned by CableLabs, the R&D arm of US cable firms, which has driven a number of breakthrough standards particularly in broadband (DOCSIS).

The main question is how do you have an open eco-system so that 100 plus providers can interact and share in the US Solar economy, and still make sure everything is secure. The answer is Public Key Infrastructure (PKI) – the default play for high level security. PKI works by issuing the initial key on a device when it is made, and then a certification authority keeping track of all keys and instructions to that device throughout its life so that encrypted content can flow to it and back, unhindered and unread.

Unlike many areas of IoT, the one thing that solar brings are devices which are not battery constrained and have plenty of access to electricity. That’s perhaps the biggest issue in IoT, when a battery has to last ten years in say something like a sensor, supporting full PKI with long string keys will certainly eat into that battery life. But in a system which is basically about creating electricity, that’s not going to matter and the steps to encrypt at the right level to protect say a solar inverter, or a cloud-based controller, can be prioritized.

Which is perhaps why California made a key interconnection ruling called simply Rule 21 for residential Distributed Energy Resource (DER) solar systems (home solar). All that means is effectively that each PV or Storage device should be ready to communicate to host utilities using a protocol called the IEEE 2030.5-2018. This protocol includes the requirement for Transport-Level Security (TLS) and strong encryption.

Put simply this is just PKI already used in eco-systems as diverse as internet browsing, online banking, and cable modems. For embedded applications such as DER devices, the systems also use Elliptic Curve Cryptography, which effectively allows both ends of a conversation to share secrets to one another to start an encrypted conversation, on a line which cannot be assured as “safe”, and yet still protect all security keys, which are always processed inside a TEE (Trusted Execution Environment)  where even a device’s operating system cannot view encryption keys – Elliptic Curve techniques were used for instance in the famous 4Cs Digital Transmission Content Protection (DTCP), for moving premium content freely around a home without it being pirated.

Interestingly a number of US senators recently called for Huawei inverters to be blocked in sales to home solar (DER) which can talk back to the utility servers. At the time we wrote that “as long as you do your security properly, then the provider cannot maintain a backdoor,” by which we meant using PKI. It looks like California and the SunSpec Alliance both agree.

We talked to Damon Kachur, VP IoT at Sectigo, and he said, “Sending energy from a utility one way to a home was never a problem and this always left the energy supplier in control. But with the advent of smart meters, and DER there could be problems. It is now a two-way street, with the pipe sending to the grid, and that must be controlled by the intelligence at the Utility. It also has to account for correct payments in return, and every part of the system needs a PKI certificate to ensure that every device is who it says it is.”

He pointed out that US home solar tends to be connected to the open internet, with the exception of Tesla’s, “sometimes it is attached to the internet for just 30 seconds every two weeks,” he added “but it’s connected.”

“When that energy goes into yet another home and the solar panels on the roof talk to batteries at the side of the house, which is then used to charge your car and then later that same car owner is downloading off the grid charging an EV, it all has to be accurately accounted for and secure.”

While he would not say which automotive manufacturer he was talking about, Kachur said that the DER segment was becoming increasingly competitive in the US. “By connecting all that data to the internet, you can build systems which tell you how much more time you need to charge your car, and talk to you through an App on your phone, wherever you are. We are working with some premium brand automotives who operate high end luxury brands and they want to show they can be user-friendly.” And he added, “There are now 3 million new solar installations a year in California.”

“And to do everything, each smart meter must have its own PKI Certificate, and so much each sub-utility, while transmission of data must be over SSL (Secure sockets layer) with keystrings between 40 and 128 characters.” He is right that among US states California is leading the way, and will have 100% of energy generated from renewable sources by 2045.

PKIs are generally segregated into branches according to the type of element and the security properties characteristic of elements of that type. Each type of element is grouped under a subordinate Certificate Authority that issues certificates with data and properties appropriate for those element types. End device elements may have a very long certificate validity period if they are deployed in the field and are difficult to update.

Sectigo’s other clients are not in the energy space, but include the Open Connectivity Foundation, and the CBRS WInnForum, and the WiMAX Forum which provides communications services to new AeroMACS (Aeronautical Mobile Airport Communication System) which allows communications across airports.

So, can anyone hack home solar panels? As we said it’s a lot less likely if proper PKI security is put in place. Kachur added, “We’ve seen some pretty dumb security implementations, with 1234 as the default password,” but if they use our system it places more of a serious speedbump in the way.”