China can shut down solar panels on Czech rooftops. It controls a key component

China is studying in detail how to trigger a blackout in Europe. Experts warn that Chinese companies control most solar panels on houses in the Czech Republic. They can turn them off or destroy them at the push of a button, which would destabilize the grid.

Cybersecurity expert Erika Langerová from the Czech Technical University (ČVUT) in Prague decided to find out whether Chinese scientists are studying the vulnerabilities of Western energy grids. Her recently published findings have caused a stir in Washington and Brussels.

It turns out that experts linked to Chinese security institutions are examining in detail, across dozens of studies, how to achieve a blackout in Western countries using surgically targeted attacks. This refers to a total power outage that paralyzes people’s lives, as occurred in Spain in April and during a smaller incident in parts of the Czech Republic in July.

By law, the transmission system and power plants in the Czech Republic are part of the so-called critical infrastructure, and the National Cyber and Information Security Agency, intelligence services, the army, and the police participate in their protection and defense. Taking them out of operation would be difficult for attackers.

The Great Chinese Switch

However, cybersecurity expert Langerová points out that Chinese companies, which are required to cooperate with the communist government under threat of draconian punishment, have quietly gained control over another part of the Czech (and Western) energy grid in recent years—solar panels, which are now installed on thousands of rooftops in the Czech Republic. They are operated by ordinary people without any protection or assistance from state security experts. And in recent years, these small solar power plants have experienced a boom.

“If China wanted to shut us down, it has an easy way to do it,” said Langerová, who also participated in an analysis published in April that simulated the impacts of various types of cyberattacks conducted through solar components on grid stability. The details of the simulations are not public, but they are known to European institutions that are working with them further.

Langerová did not penetrate any classified databases of the communist regime. She relies solely on studies that Chinese scientists upload to international scientific databases to collect academic points. Even these public studies are alarming, according to her.

“Of course, Western researchers also focus on such scenarios. However, in addition to vulnerabilities, they study how to defend against them. But a large mass of Chinese studies focuses solely on attacks. At the same time, they do not examine their own networks, but Western ones—in the USA, France, or Germany,” Langerová, who is the head of the Cybersecurity for Energy team at ČVUT, told Seznam Zprávy.

China has long denied any malicious intent in the West. At the same time, private Chinese companies deny cooperating with the communist government in hybrid operations (such as espionage or hacker attacks).

Smart brains controlled from China

The brains of small solar power plants are the so-called inverters. In recent years, these have been supplied to the Czech Republic almost exclusively by Chinese companies (partly due to the specific Czech method of measurement).

What’s more, to avoid losing their extended warranty, operators of small solar power plants agree to the condition that the components are permanently connected to Chinese servers, from where companies can control them and even turn them off, or update their control software to behave maliciously and destroy the inverter or even cause a fire. According to Langerová, this is effectively similar to letting the Chinese manage some of our nuclear or coal-fired power plants in the Czech Republic without any certainty as to how they will handle them.

The National Cyber and Information Security Agency also drew on Langerová’s work, using its authority to issue an unprecedented warning against all Chinese technologies in early September. In the materials available to Seznam Zprávy, it extensively analyzes, among other things, the threat of Chinese components in small solar power plants.

“In the event that the People’s Republic of China had the motivation to carry out destabilizing or destructive attacks on the Czech power grid, it would almost certainly (90–100%) possess the ability to achieve such a goal through Chinese suppliers, thanks to the local legislative environment under the current state of affairs,” warn the experts responsible for the state’s cybersecurity.

However, the warning does not legally apply to operators of small solar power plants, and it does not make economic sense for them to buy Western inverters that are tens of thousands more expensive.

It is not clear whether and under what circumstances their misuse would be enough to cause a blackout in the Czech Republic, given the current share of small solar power plants in the Czech energy mix. The data is not publicly available.

At the European Union level, however, the ESMC association, which represents European solar technology manufacturers, estimates that China controls some 200 gigawatts of solar capacity through inverters—a capacity corresponding to roughly two hundred nuclear power plants. According to experts, a change on the order of gigawatts is enough for a large-scale blackout, similar to the one that hit Spain and Portugal.

A window of opportunity for Russia as well

In its annual reports, the Security Information Service (BIS) has long identified China, alongside Russia, as the greatest security threat to the Czech Republic. However, experts agree that such an attack would fundamentally damage China’s business interests and is an extreme option for the communist state.

However, a similar incident has already occurred on a smaller scale. Last year, the Chinese company Deye disconnected its inverters in the USA and other countries without the prior knowledge or consent of users. The cause is still not entirely clear.

Sources from the security community that Seznam Zprávy has spoken with in recent weeks mention that Chinese inverters could also serve as a weapon for Russia. Chinese manufacturers leave known but long-unpatched security vulnerabilities in them, through which hackers can gain control.

“For some Chinese manufacturers, the time from receiving a vulnerability report to issuing a patch is often on the order of several months, and in some cases, the manufacturer does not respond to patch requests at all. As a result, there is currently a significant percentage of Chinese inverters in the power grid connected to the servers of Chinese manufacturers that contain unpatched critical flaws,” warns the Czech cybersecurity agency.

“If exploited, these flaws can allow an attacker to remotely take control of entire fleets of small inverters. The attacker can then remotely change operating parameters en masse, turn inverters on and off, or upload malicious firmware to them,” the state’s cybersecurity experts warn.

Solution? Nowhere in sight

Replacing the inverters, each of which costs 50,000 or 60,000 (and Western ones are tens of thousands more expensive), would likely cost private operators billions in total. The Ministry of Industry and Trade, which is responsible for the agenda in the government, has not yet commented on how the Czech Republic will react.

“Institutions at the national and European levels are currently working on proposing possible measures. At the national level, a risk analysis is nearing completion, which includes a proposal for recommended measures. At the European level, two risk analyses are currently underway directly under the European Commission,” responded ministry spokesperson Marek Vošahlík to the warning from the National Cyber and Information Security Agency.

The European Commission is also compiling a risk analysis. However, it is not clear when it will be finished.

The United States, whose tensions with China are escalating, was unsettled by a finding that came to light this spring. In Chinese solar inverters that their operators had cut off from direct communication with China, experts found additional hidden communication devices.

Estonian intelligence publicly warned of the risk of Chinese inverters as early as last year. Intelligence director Kaupo Rosin stated at the time that if Chinese inverters were not replaced, the country would be exposed to the risk of Chinese blackmail. In November, Lithuania already approved a law banning Chinese remote access for solar power plants over 100 kilowatts, but the government is considering extending it to smaller rooftop installations.

India, where 80% of inverters are Chinese-made, has also realized the threat. Thanks to a newly introduced measure, the government will require components to be connected exclusively to servers in India managed by a government agency. Two years ago, Iran even opened its own production line so that it would not have to buy components from Western or Chinese companies.

“There is currently a consensus in all relevant quarters that it is no longer possible to ignore the great risk posed by the current situation. In the near future, we will have to officially admit the problem, not only in the Czech Republic but throughout Europe. And then take appropriate technical interventions that can reduce all risks to an acceptable level,” adds Langerová.

SOURCE: Seznam Zprávy
