Cybersecurity in Renewable Generation Plants: A Strategic Risk for Critical Infrastructures


 Energy facilities are key to the functioning of our society, as was demonstrated in the blackout of April 28. These facilities are considered critical infrastructures and must therefore be robust, secure and resilient. They are regular targets of attacks, and their vulnerability represents a problem that affects national security. 

One such attack took place in 2015, leaving thousands of Ukrainians without power; a year later, a related malware family hit Kiev again. Any discussion of critical infrastructure malware must also mention Stuxnet, created by U.S. and Israeli intelligence agencies with the aim of disabling a key part of the Iranian nuclear program. That malware was the precursor that made the whole world start talking about cyberwarfare.

The current geopolitical situation has led us to a scenario similar to the one we were talking about a decade ago, but with a fundamental difference: now intelligence agencies around the world have done their homework. It would not be unreasonable to think that this type of access to critical infrastructures is already in the possession of these agencies, so that, if “necessary”, they can press that button and exploit vulnerabilities or backdoors according to their particular interests.  

The widespread use of renewable generation plants in Spain has added to this context, which increases the points of exposure to a cyberattack. While it is true that this fragments the impact in the event of a plant being compromised, it still represents a vital point in the national security strategy, especially now that renewables are acquiring greater weight in the total energy generated in Spain. 

Technical details of the operation of renewable generation plants 

In renewable generation plants, especially solar and wind, it is common to find a Power Plant Controller (PPC), which acts as the brain of the installation. Its main function is to coordinate the delivery of active and reactive power, sending operating instructions to the different generation equipment (inverters or power converters).

Communication between the PPC and the generation equipment is often via Modbus TCP/IP, a simple and widely used industrial protocol. However, it lacks authentication or encryption, allowing any device with access to the network to read or modify registers, provided it knows their address. These addresses are usually available in the manufacturer’s manuals, which are generally public. 

In addition, the PPC can also receive commands from the SCADA system through the same protocol. This means that any actor with access to the network, whether on the SCADA side or the PPC side, could issue valid control commands to the plant. This architecture makes the PPC and SCADA critical from a cybersecurity point of view.

Communications with the outside are usually managed from an Authorized Control Center (ACC), using protocols such as IEC 60870-5-104 (IEC 104) or, in simpler installations, Modbus TCP/IP. Orders from the ACC can reach both the SCADA and the PPC, extending the attack surface. 

Network Exposure Levels 

The following are some common network configurations, ordered from least to most secure:
  1. Exposed port without filtering or encryption: The protocol port is accessible from the Internet or shared networks. It is enough to know the public IP to send commands. Although extreme, there are still installations in this state.
  2. Filtering by origin (IP whitelisting): Connections are allowed only from authorized IPs, typically those of the ACC. However, IP spoofing or a prior intrusion into the ACC allows control of multiple plants.
  3. IPsec tunnel between the ACC and the plant: Creates an encrypted and authenticated connection. This is currently the most recommended method. However, if there is no additional authentication at the application level inside the tunnel, the devices remain vulnerable to anyone who reaches the tunnel endpoint.
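As an added illustration of the two points above (Modbus TCP/IP carries no authentication, and an IP allowlist alone does not stop a spoofed address or a compromised ACC), the following Python audit hook parses Modbus TCP requests and separates harmless reads from state-changing writes, alerting on writes from unexpected hosts and recording every write even from allowed ones. It is example code written for this article, not Sofistic's or QPV's tooling; the allowlist addresses, register numbers and sample frames are constructed.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change plant state (writes); 0x01-0x04 only read.
WRITE_FUNCTIONS = {0x05: "write_single_coil", 0x06: "write_single_register",
                   0x0F: "write_multiple_coils", 0x10: "write_multiple_registers"}
# Hypothetical allowlist: the ACC and the plant SCADA are the expected setpoint sources.
ALLOWED_WRITERS = {"10.0.0.5", "10.0.0.6"}

@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int  # start register/coil address, -1 when the PDU carries none

def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the leading PDU fields of a Modbus TCP request."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol identifier {proto}")
    if length != len(frame) - 6:  # length field counts unit id plus PDU
        raise ValueError("MBAP length field does not match frame size")
    address = struct.unpack(">H", frame[8:10])[0] if len(frame) >= 10 else -1
    return ModbusRequest(tid, unit, frame[7], address)

def classify(src_ip: str, frame: bytes) -> str:
    """Audit verdict for one request: reads pass, writes are logged or alerted."""
    req = parse_modbus_tcp(frame)
    if req.function not in WRITE_FUNCTIONS:
        return "read"
    name = WRITE_FUNCTIONS[req.function]
    if src_ip not in ALLOWED_WRITERS:
        return f"ALERT unauthorized {name} to address {req.address} from {src_ip}"
    # Allowlisted writers are recorded too: a spoofed ACC address or a compromised ACC
    # passes an IP filter, so only a full trail of setpoints reveals it afterwards.
    return f"AUDIT {name} to address {req.address} from {src_ip}"

# Constructed sample traffic (not captured from any real plant).
READ_FRAME = bytes.fromhex("00010000000601030000000a")        # read 10 holding registers
WRITE_FRAME = bytes.fromhex("000200000006010600640000")        # write register 100
WRITE_MULTI_FRAME = bytes.fromhex("000300000009011000640001020000")  # write 1 reg at 100
SAMPLE_EVENTS = [("10.0.0.5", READ_FRAME), ("10.0.0.5", WRITE_FRAME),
                 ("192.168.1.77", WRITE_MULTI_FRAME)]

def run_audit(events):
    """Classify every (source ip, frame) pair seen on the control network."""
    return [classify(ip, frame) for ip, frame in events]
```

In a real deployment the frames would come from a network tap or span port on the plant LAN, and the verdicts would feed the SIEM rather than a list.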

Systemic and Coordinated Risk

In a coordinated attack, a malicious actor could gain access to multiple plants in a region and issue synchronized commands to destabilize specific nodes. While the transport network can tolerate variations of 20%, in isolated areas, a 5% change could cause disconnections or collapses.

In Spain, it is estimated that between 10 and 12 GW of renewable power – mainly solar – are managed by PPCs or SCADA using Modbus TCP/IP with remote access. Although distributed in small and medium-sized installations that do not always prioritize their securitization, they represent a significant power and an attack vector with potentially serious consequences.

Sofistic and QPV’s Vision

From Sofistic, we work to ensure the highest degree of cybersecurity to our customers, being specialists in cybersecurity for industrial and critical environments. QPV is a company specialized in the renewable energy sector, working on the integration of technology and digitalization. Both companies agree that the security of critical infrastructures should not depend on the size of the installation, since each connected control point represents a possible entry point for an attacker. Cybersecurity must be integrated from the design phase, thus preventing it from being a later improvised solution.

To mitigate these risks, we propose a comprehensive vision based on the following pillars:

  • Mutual authentication through digital certificates: Ensures that only legitimate devices can send setpoints, drastically reducing the risk of impersonation.
  • Continuous auditing and traceability of setpoints: Allows the identification of anomalous patterns and malicious traffic from the control center.
  • Intrusion detection and response systems: Detect unauthorized activity in real time, enabling fast and effective responses.
  • Progressive migration to industrial protocols with native security (such as OPC UA or IEC 61850 with TLS): Incorporate encryption, authentication and traceability as part of the protocol itself.
  • Network segmentation and least privilege policy: Limits access to critical systems and minimizes the impact of an intrusion.

If you want to know how we can help you protect your critical infrastructure, contact us. At Sofistic Cybersecurity and Qualifying Photovoltaics we work together to develop customized cybersecurity strategies, combining QPV’s specialized solar energy vision with Sofistic’s cybersecurity expertise.

We strongly believe that the collaboration between the two companies significantly enhances our ability to deliver robust and effective solutions to address current and future cybersecurity challenges.

Signed by: Manuel Castillo Cagigal (CTO and Founding Partner of Qualifying Photovoltaics) and Fernando Denis Ramírez Guerrero (Regional Manager, Sofistic Europe and Caribbean).
