Flaws In Popular Solar Power Management Platform Could Crash the Grid

mask.of.sanity (1228908) writes "Criminals could potentially cause black-outs and mess with power grid configurations by exploiting flaws in a popular solar panel management system used by thousands of homes and businesses. The threat is substantial because, as the company boasts, its eponymous management system runs globally on roughly 229,300 solar plants that typically pump out 566TWh of electrical energy."

Criminals?

[Rosco+P.+Coltrane]

You misspelled terrorists... Only terrorisme is important.

we just hack it at night

and all will be fine.

Time travel!

Luckily that is far more power than the required 1.21 gigawatts that will be used to travel back in time and address the flaw.

Unit

[bluefoxlucid]

556TWh is a cumulative unit. It's not an average output. If it's over an hour, that's 556TW; if it's over 1000 hours, that's 556GW.

Re:Unit

[DeathToBill]

Typical, isn't it?

Re:Unit

[Mr+D+from+63]

As far as the US is concerned; Since in 2013 solar only accounted for less than 1/2 of 1 percent of the electrical generation (that includes commercial and residential), and since they are variable supplies to start with that depend on the rest of the grid to be useful, I wouldn't worry too much about them crashing the grid.

Re:Unit

[Guspaz]

less than 1/2 of 1 percent

One might even say less than half a percent.

Re:Unit

[CheshireDragon]

less than 1/2 of 1 percent

One might even say less than half a percent.

But it sound so much more sophisticated when saying it like that. We're supposed to oooh an aaah

Re:Unit

[CheshireDragon]

You have your maths wrong there my friend. Giga doesn't come after Tera...Peta does

Re: Unit

I'd be more worried about someone peeing in the water supply like in Portland and needing to drain it because the water might hold the memory of this criminal behavior and through the mechanisms of homoeopathy cause a crimal hive mind of rioting.

Re:Unit

[Jane+Q.+Public]

As far as the US is concerned; Since in 2013 solar only accounted for less than 1/2 of 1 percent of the electrical generation (that includes commercial and residential), and since they are variable supplies to start with that depend on the rest of the grid to be useful, I wouldn't worry too much about them crashing the grid.

I think more relevant, since this is supposed to be about "home and business" solar installations, is the question: "Why would you want your home or business solar installation available via the internet?"

Status reports? Maybe. But it's hardly difficult to secure something like that.

Re:Unit

[Forty+Two+Tenfold]

Whoa. Are you sure you've got your kindergarten diploma legally?

10^9W * 1^3h = 10^12Wh

1^12W * 1h = 10^12Wh

And 10^9W = 1GW, 10^12W = 1TW.

HTH. HAND.

Re:Unit

[Forty+Two+Tenfold]

I lost a "0" in the first equation. Should be "10^3h".

Re:Unit

[Forty+Two+Tenfold]

And in the second one there should be "10^12W".

How much electrical energy per time unit?

[h5inz]

"... that typically pump out 566TWh of electrical energy." - per day, hour or is it is just 566TW?

Re:How much electrical energy per time unit?

Without further data it makes most sense to assume in total.
Hours per hour or hours per day are not really units that makes sense.

Re:How much electrical energy per time unit?

[Mr+D+from+63]

So we can just assume a total of 566TWh of electrical energy has been generated since the beginning of time?

Re:How much electrical energy per time unit?

No. What we should assume is that the summary claims that 229,300 solar plants has pumped out 566TWh of electrical energy in total. Then we should use that number to estimate the accuracy of the rest of the summary.

Re:How much electrical energy per time unit?

By "total" do you mean total per hour, total per day, total over the lifetime of a plant? Are we referring to an individual plant or is it the sum of all plants? Which total is the one which makes most sense?

Re:How much electrical energy per time unit?

[Mr+D+from+63]

No. What we should assume is that the summary claims that 229,300 solar plants has pumped out 566TWh of electrical energy in total.

In total since the beginning of time?

Re:How much electrical energy per time unit?

Hours per day makes perfect sense, it's the dimension of the time I spend sleeping, for example.

Kilowatt-hours per day makes even more sense, it's a scaled version of watt, which translates from a unit useful for analysing a circuit into a unit useful for analysing your energy bills.

Re:How much electrical energy per time unit?

Since the construction of the 229,300 solar plants, which would be equivalent to the beginning of time since I've never heard of a power plant that produces output before it is constructed. So the remaining question is whether the 566TWh is a measured total at the time the article was written, or whether it is an estimated total over the lifetime of the plants.

Re:How much electrical energy per time unit?

[Mr+D+from+63]

566TWh is not an instantaneous or capacity measurement. So "at the time" does not make sense. hence the point.

"566TWh was generated between time A and time B" is correct statement
"We have 566TWh of solar capability at the moment" is incorrect.

Wrong by 5 orders of magnitude

[Doub]

Original article has two flaws with the number you quote. It's not 566TWh, it's 5.66TWh (that's the value advertised for yesterday as total energy), that's 2 orders of magnitude. And it's not "typically" since it's the accumulated value over the service lifetime. If you want to quote a typical value, you quote current power (in W, not Wh) and the website advertise it as 6.74 GWp (p for peak, the bullshit suffix used by the solar panel industry (should be 6.74 GWbs IMHO), so the actual value is even less), that's another 3 order of magnitude. I guess the actual numbers are less impressive...

Re:Wrong by 5 orders of magnitude

[Barny]

Oh hell, is this another W vs W RMS thing? I thought we had given up and just measured things in libraries of congress?

Speaking of, how quiet is that, I figure it being a library it would be quiet...

Re:Wrong by 5 orders of magnitude

Ah, where is this kind of hard-nosed skepticism when there's a 3D printing story or a private space orgasm?

Re:Wrong by 5 orders of magnitude

Wp is not bullshit. Like "thermal design power" for CPUs, Wp is something that the system must be designed to handle. Furthermore, since the relation between actual output depends on the local installation and the relation between actual and peak output is well understood, Wp is the only honest and useful measure of output power that can be given without knowing the specifics of a particular installation.

In case you need a ballpark figure for the output of a south-facing solar installation at moderate latitudes with moderately cloudy climate: You can expect about 1000kWh per year per kWp of installed capacity, i.e. an average of one ninth compared to the peak capacity.

Re:Wrong by 5 orders of magnitude

[Lawrence_Bird]

thank you for saving me the trouble.. its hard to take anything seroiusly when they can't even get those simple figures correct.

Re:Wrong by 5 orders of magnitude

[andy16666]

I think the intent was "its eponymous management system runs globally on roughly 229,300 solar plants that typically pump out [5.66TWh] of electrical energy [annually]." It makes more sense to average over a long period of time with solar which is presumably what they were doing. A smart editor would have caught that.

Re:Wrong by 5 orders of magnitude

[aaarrrgggh]

No, the output of a panel is a function of the incident angle of light hitting it, as well as temperature. The peak number is "standard conditions." You convert from standard conditions to "equivalent hours" via the DOE's PV-Watts tool for a given location and installation/mounting type.

Re:Wrong by 5 orders of magnitude

[draconx]

The article says exactly what is meant:

Its eponymous management system runs globally on roughly 229,300 solar plants that typically pump out 5.66TWh of electrical energy a day, or so we're told.

So averaged over an entire day, those 229,300 plants have a typical combined output of 235GW -- about 1MW per plant.

Re:Wrong by 5 orders of magnitude

[mspohr]

The output of solar panels varies from zero (at night) to some peak value (when the sun is hitting them just right). Most solar installations generate significant power for about 5 hours a day. When describing solar installations, the peak output is useful for understanding the size of the installation and what can be expected in power output. Everyone knows that the peak is not the average, etc.
Solar power is very quiet, just like the Library of Congress.

Re:Wrong by 5 orders of magnitude

[bobbied]

Just to clarify some terms...

A WATT is a measure of the RATE of power flow. It's like saying you are going a specific speed in your car. You can calculate this by multiplying Volts times Amps but the value you get is only valid for the instant you measured the values. (You EE guys don't complain to me for ignoring power factor... I'm trying to make this simple. )

A WAT HOUR is a measure of the AMOUNT of power that has flowed. This is like saying you went 100 miles in your car by driving 50 for 2 hours.

So, you pay for electricity in WATT HOURS (usually KILO-WATT HOURS) which is an amount of power transfered. It doesn't matter if you consumed 2 KW for 30 min and nothing for 30 min, or 1 KW continiously for the whole hour. (At least for most of us who don't pay for power by time of use yet. )

Re:Wrong by 5 orders of magnitude

Well, the article is wrong (Not too surprising: It's theregister.co.uk). The Solar-Log homepage lists the stats:

Plants worldwide 229453
Inverters worldwide 963703
Inst. output in GWp 6.75
Total energy in TWh 5.67
CO2 prevention in Mt 3.24

5.67 TWh from 6.75 GWp worth of panels is obviously impossible to get in one day. That's the total output up to today, not today's output.

Actual average installed capacity is about 30kWp per plant, which can be expected to output a little more than 3kW on average. Do you have any idea what size of installation would be needed to generate 1MW on average?

Re:Wrong by 5 orders of magnitude

A WAT HOUR

Wat

Re:Wrong by 5 orders of magnitude

[Urquhardt]

Sorry..... but A WATT is a measure of the RATE of ENERGY flow and in Physics we like to call it the unit for POWER. In whichever system; electrical or mechanical, it is JOULES PER SECOND.

A WATT HOUR is a measure of the amount of ENERGY used or produced. As it is calculated by multiplying WATTS by TIME you end up with just ENERGY left.

Eg: 6 Watts for 120 secs gives 6 Joules per second x 120 seconds = 720 Joules... and the numbers will be bigger for KILOWATTS and HOURS...

The Cloud

Can we just not move the system to the Cloud, or something, to make it better and enable a new, richer experience?

Re:The Cloud

[Joe_Dragon]

Clouds cut power output we need full power

Re:The Cloud

[Sockatume]

It's solar, it's not compatible with clouds.

Re:The Cloud

[The+New+Guy+2.0]

Weather does impact solar... so this needs some sort of power-storing battery in order for it to work.

Re:The Cloud

[mlts]

There is the opposite which seems to be the way to go, especially with the fees for on-grid solar power.

As usual, batteries are the biggest problem. However, with even a few 12 volt batteries paralleled, one can get 300-400 amp-hours of capacity. Add a solar array that has about 400-500 watts, MPPT charge controller, and a decent PSW inverter, and this won't run an air conditioner, but it could be a circuit that all one's low-wattage parasitic devices (cell phone chargers, a laptop, etc.) Add to the battery bank and a panel or two, and one's desktop machines can have independent power. One can also have multiple circuits, one for chargers, one for a low-draw fridge, one for the computers, all completely separate from utility power.

Re:The Cloud

[Mr+D+from+63]

One can do a lot of things, if one has the money doesn't care about the cost.

Re:The Cloud

[mlts]

It isn't that expensive, all things considered. Not cheap ($1-2k), but not too pricy for something that is going to pretty much be installed with little to no upkeep needed for 20+ years. Panels are around 75 cents a watt. A decent MPPT charge controller is several hundred, or you can go with more panels and a PWM controller. A pair of six volt "golf cart" batteries is about $400. A 1500-2000 watt PSW inverter is about $400 as well.

Again, not cheap, but not too expensive, and once set up (assuming everything is wired correctly), it is about as expensive as a decent online (not standby) UPS, and will provide stable power for a long time.

Re:The Cloud

[Mr+D+from+63]

$2K to charge your phones? Its a whole lot cheaper to just buy your power from the bulk generators. Batteries are the cost killers. And don't kid yourself about low cost batteries lasting 20 years.

Calculate cost/kWh over a given time period, that's the only way to evaluate the cost.

Re:The Cloud

[operagost]

Because what everyone wants to do is install separate receptacles in every room for low-draw devices.

Copper wiring is expensive.

Re:The Cloud

[operagost]

He forgot to calculate about $500-1000 to add a few off-grid receptacles to your house. That is, unless you want to put every low-power device in your house in one room.

Re:The Cloud

[bobbied]

Weather does impact solar... so this needs some sort of power-storing battery in order for it to work.

Yea, great idea... Can we please get the efficiency of industrial scale electrical power storage within some kind of useable range? Right now, converting into DC to charge batteries and then converting back into AC to release power is *really* inefficient. That's going to have to change.

Right now, it's SO much cheaper to just build a natural gas fired plant to handle the dark nights and cloudy days. Actually, it's cheaper to build a natural Gas plant and forget the solar thing altogether, but folks who support solar and wind go nuts when you tell them that. Not to mention that you are going to need that gas fired plant anyway to cover the dark calm days, so it's going to be built. (At least until storage capacity is efficient enough to actually make sense to use. )

Re:The Cloud

[mattack2]

Is it still cheaper when you account for the pollution created by burning the natural gas, and having to deal with rising oceans, etc., due to the pollution?

Re:The Cloud

[bobbied]

Is it still cheaper when you account for the pollution created by burning the natural gas, and having to deal with rising oceans, etc., due to the pollution?

Only if you assume man made global warming is true. I'm not so sure it is (Note the MAN MADE caveat). IMHO, we need to concentrate on conservation, spend our money on fusion research and forget this renewable energy nonsense as an attempt to be "green". Just build NG plants until fusion comes online.

Not to mention that industrial scale battery manufacturing has a huge carbon footprint. But this whole man made global warming brew-ha-ha is not about the environment, it's about control and the money that comes from having control.

Re:The Cloud

[mattack2]

Even if man made global warming isn't true (but all the science says it is), why pollute? It raises health costs too.

Fusion research? That's been going on for how many decades?

Why not use solar in addition to the rest of the energy providers?

Re:The Cloud

[viperidaenz]

Carbon dioxide isn't pollution.
Neither is the product of burning natural gas (hint: it's water and carbon dioxide)

Re:The Cloud

[bobbied]

Even if man made global warming isn't true (but all the science says it is), why pollute? It raises health costs too.

ALL the science does NOT say that it is, only what you hear about from the media, politicians and those who are trying to sell something.

Have you heard about the claim of more extreme weather would come from this? Guess what? Doesn't seem to be true, looking at the available government data, but you hear it as fact all the time.

But, to your point. Why pollute? I agree with the sentiment in principle. We need to be good stewards of the planet and the resources it provides. But we must remember that some choices we make are about doing the least harm. It is impossible for humans to live and not have some impact, no matter how primitive we choose to make life. For me, I first choose life over death, with the understanding that man does and will have an impact on the environment when I do. I will also choose to limit said impact when possible, but life comes first.

We'd like our power turned on, thank you!

There's some things in this world that need to be kept hot, and some that need to be kept cold, especially in food. So, whenever there's a long enough blackout, we lose a lot of food. That was the big damage from Enron, and we seem to be on the path to making the same mistake.

MOD PARENT DOWN!

[The+New+Guy+2.0]

Uhm, Taco... we need to ban the URL Shorteners again!

Re:MOD PARENT DOWN!

Wow, you really are the new guy.

Rob "CmdrTaco" Malda Resigns From Slashdot
Posted by CmdrTaco on Thursday August 25, 2011 @09:00AM
from the steve-got-front-cutsies dept.
After 14 years and over 15,000 stories posted, it's finally time for me to say Good-Bye to Slashdot.

Re:MOD PARENT DOWN!

Actually, Taco is the one who posted it.

Re:MOD PARENT DOWN!

Just wait till he figures out that Bill Gates is not the CEO of Microsoft anymore.

Re:MOD PARENT DOWN!

I'm disappointed that you didn't provide that link through a URL shortener. It's a missed opportunity.

Re: MOD PARENT DOWN!

You insensitive clod! While researching those Gates story I discovered Steve Jobs had cancer....I hope he is ok.

Re: MOD PARENT DOWN!

He's fine. He even got a new liver out of the deal.

I can't wait for him to announce the new product line. I hear it's going to totally reinvent the phone.

Re: MOD PARENT DOWN!

If Microsoft is to retain its usual position with respect to Apple, Bill Gates needs to get cancer no later than October this year.

"Criminals"?

They're in the wrong business. If they potentially caused a crash of the stock market and wiping out the retirement funds of millions of people, then they're financial wizards and job creators.

To be fair ...

[quietwalker]

Squirrels could potentially cause black-outs and mess with power grid configurations. In fact, they have.

Re:To be fair ...

[TubeSteak]

Yea, but squirrels aren't doing it maliciousl....
I see your point.

Re:To be fair ...

[GameboyRMH]

I once suffered a multi-day nation-wide power outage because a monkey touched some power equipment (an act that left him extra crispy).

Re:To be fair ...

[bobbied]

Squirrels could potentially cause black-outs and mess with power grid configurations. In fact, they have.

Yes, but they usually are small scale outages because squirrels are limited to shorting circuits they can bridge using their bodies. Not to mention that it usually costs a squirrel its life. This means that the really high voltage transmission lines are beyond what a single Squirrel can do and I don't see too many squirrel power grid assault teams being formed...

Sounds like a solar FUD piece

[Mad+Quacker]

Solar power is still just a tiny tiny fraction of total energy output, yet hackers can cause massive blackouts? If only they knew how to hack the SCADA systems that run traditional power plants :rollseyes:

Re:Sounds like a solar FUD piece

indeed, the problem is not that solar management systems is capable of creating problems for the grid, it's that the grid is vulnerable to problems created from solar management systems, along with a whole host of other issues.

Re:Sounds like a solar FUD piece

Huge FUD piece. Your average run of the mill thunderstorm probably takes more infrastructure out of service than all of the solar panels in the country combined.

Re:Sounds like a solar FUD piece

[bobbied]

The Grid is vulnerable to all sorts of things, weather being the most likely.... Misbehavior in Solar controllers is likely to be an issue only in very specific conditions which grid operators tend to avoid like the plague. Grid operators keep significant safety margins in place at all times they can deal with unexpected equipment outages. They go so far as to do controlled shut downs of parts of the grid to maintain the grid's stability (although this is not something they like to do)

IMHO a CME event is much more likely to have any disruptive effect on the grid than some software glitch in a solar controller.

Re:Sounds like a solar FUD piece

[fustakrakich]

It's a giant FUD piece. It looks like someone is trying to limit solar for all the obvious reasons with legislation. The backlash against solar has already started with the electric companies tacking on all those extra fees onto people who install solar panels. Self sufficiency is an anathema to big business

Re:Sounds like a solar FUD piece

[viperidaenz]

I could take out an entire power station with a single solar panel. You just need to throw it at the right piece of equipment.

Popular. Solar.

Oxymoron.

Simple solution

[TVmisGuided]

Why not just keep the management system OFF the network? Make it local-only?

Just because something CAN be hooked to the Internet, it doesn't necessarily follow that it SHOULD be hooked to the Internet.

Just my 2p worth. Save up the change for a cup of coffee or something.

Re:Simple solution

[retchdog]

Local? What local? You can save a bunch of money by not having so many redundant management locations, and frankly they probably should.

Likewise, they could build a parallel control network with security and reliability in mind but again you can save a bunch of money by just using the internet.

Your tuppence of advice is to incur major expense for inadequate reason. That's why no one listens to it.

Re:Simple solution

[TVmisGuided]

What's the cost of the tradeoff between saving money and risking security? That's the first question you need to be asking.

Everyone's excited about IF they can put something on the Internet, and no one's stopping to think if they SHOULD.

John Barnes, author of several programming texts, clearly outlines the concepts of "safe" and "secure" software. For software to be considered "safe", it must not harm the world, and for software to be "secure", the world must not harm it. Given the tacit invitation for attack which is issued any time anything is connected to the Internet, such control systems MUST be developed with those two concepts not only in mind, but integrated into the core design.

I invite dissenting commentary.

Re:Simple solution

[retchdog]

Yes, it is the first question I asked. I don't know the answer and would welcome an analysis (as opposed to knee-jerk "save the world by just doing a better job!" nonsense). Hint: an analysis will include a cost/benefit analysis at the very least, and other quantitative arguments. I won't hold my breath.

Why would I care about a programmer's opinion about saving money? I'd rather ask the janitor, at least he is less biased.

There's your dissenting commentary.

Re:Simple solution

[TVmisGuided]

You ask the programmer because it's the programmer's job to implement the design. There's no bias involved in doing one's job, unless you consider it biased to want to produce both safe and secure code.

Think "Heartbleed."

'Nuff said.

Reporting and Monitoring via the Internet

[lippydude]

How about putting the devices behind an encrypted firewalled connection?

Missing the Point

[some+old+guy]

Lots of things could crash the grid, and have. Lightning, squirrels, high demand, or an idiot with a pair of pliers. The real problem is the oft-described obsolescence and inherent instability of the systems running the grid. One of the chief problems with the US grid is the underpinning accounting algorithms that configure power buys and connections to maximize profits over stability and efficiency. System reaction time and response modes to anomalies are hampered by "What's the cheapest?" arguments over-riding "What's the best?" logic in the software. The decisions of switching station load dispatchers are driven by...wait for it...money.

Re:Missing the Point

[bobbied]

Disruption of the GRID costs LOTS of money so it is avoided like the plague. Yes, grid operators are driven by $$, but don't forget they have SLA's with many of their customers who depend on reliable power to be available and they are going to be out a pile of money if the grid goes down. Not to mention that there is a regulatory requirement for minimum margins and safety of the grid so if you mess around and crash something, the regulators are going to have you in a hearing answering questions.

So, as news worthy as this "The GRID is UNSTABLE" scare mongering FUD being passed about, is IMHO more about scaring up support for more utility regulation than it is about what actually is necessary.

Re:To be fair ... Look! a squirrel!

[mspohr]

Stop trying to distract us from this very serious discussion.

Bad Slashdot Editing

[Daetrin]

I'm not sure if it was the person who submitted the article or if samzenpus decided to condense things, but the quote is straight from the article, except for removing one sentence from the middle:

"Details of how the attacks could be executed were kept under wraps while solar panel monitoring kit vendor Solar-Log distributed a patch for the flaws."

Which wouldn't be that big a deal, except that the part included in the Slashdot blurb refers to the "eponymous management system", which makes absolutely no sense if you don't include the name of the software/company.

Re:sponsorship program.

[bobbied]

We a Koch Bros. Industries are now hiring enterprising talent

Sorry, not moving back to Wichita, KS... Thanks anyway.

Never interviewed at Koch, not that I tried very hard to get one, but I knew a number of folks who worked there. Not the best place to work for job security and if you loose your job there isn't much else in Wichita to do. Sort of a dead end kind of town for technology careers. Every company I know that *used* to be there, moved to FL or TX, just went broke or wasn't anyplace you ever wanted to work anyway. The exception was the aircraft makers, but they only wanted "tin binders" and machine operators.

cats too

I work for a power company and remember a certain outage involving a cat. Apparently it got into the mesh at a local substation. A coworker asked what color the cat was. Another answered, "I don't know, but it's black now!"

Open-source it... not quite

Part of the problem is that these are residential units, not commercial. If we make the presumption that the software is open-sourced and it magically becomes secure over night, there is still a major problem: people. A residential user is far less likely to go back and update their software unless they have to; look at the number of wifi access points running with the default credentials. There isn't a large corporate entity with open-source reaching out to their end-users telling them new stuff is available and that security is really important and should be installed asap. The only two entities I know of that do that are RedHat & Canonical, but that's a paid service. If the primary market for these units were commercial, then they have a financial and legal incentive to keep up with what's current.

How did this article make it here?

Those aren't home solar panels. So the criminal would have to gain access to a power plant........ Hmm... I wonder who posted this article..