The U.S. Department of Homeland Security has issued another industrial control warning (pdf) regarding critical vulnerabilities found across a number of solar panel systems. Affected systems can be easily exploited using "proof of concept" code developed by security researchers Roberto Paleari and Ivan Speziale last month.
The Sinapsi eSolar Light Photovoltaic System Monitor is just one of several systems known to be affected. The devices can be infiltrated by hackers and manipulated remotely, allowing malicious individuals to affect their operation. Other systems afflicted with the same vulnerabilities are the Enerpoint eSolar Light, Schneider Electric Ezylog Photovoltaic Management Server, Gavazzi Eos-Box, and Astrid Green Power Guardian.
Amongst the vulnerabilities known for these products is an SQL injection flaw which can be used to execute commands and expose passwords. Unfortunately, all passwords on these devices are stored in plain text. Even worse, default administrative passwords are hard-coded into their firmware -- passwords which cannot be removed or otherwise changed.
Devices like the Schneider Electric Ezylog are more generically known as SCADA (supervisory control and data acquisition) systems. SCADA systems are used to manage much of today's infrastructure, from power plants to water reclamation facilities. Interfering with the operation of -- or gaining control of -- such systems poses potentially tangible risks to citizens and governments.
Last week, U.S. Secretary of Defense Leon Panetta voiced his timely concerns over infrastructure vulnerabilities and their possibly crippling effects. Panetta mentioned the Shamoon virus, which securely wiped 30,000 computers in Saudi Arabia, prompting their replacement. "All told, the Shamoon virus was probably the most destructive attack that the private sector has seen to date," Panetta said.
The DHS is advising owners of the affected systems to minimize their network exposure and isolate the devices from networks with Internet connectivity. If remote connections must be made, logging into solar SCADA systems should be done over an encrypted, trusted VPN using the most secure methods possible -- sound advice for any industrial management system, certainly.