Vangelis Stykas sounds the alarm on critical vulnerabilities threatening electric vehicles and photovoltaic systems


Vangelis Stykas is the CTO and co-founder of Atropos, a pentesting company specializing in IoT APIs. Recently, Atropos has also focused on the security of electric vehicles (EVs) and photovoltaic (PV) systems and their cloud connections.
Mr. Stykas recently sat down with InCyber News to discuss this research. He stresses the need for regulation, stronger security protocols, and proactive cybersecurity measures, both to prevent massive disruption of critical infrastructure and to ensure the reliability of renewable energy and charging infrastructure. In the so-called Horus scenario, he warns, a carefully targeted cyberattack on photovoltaic systems could in theory black out the entire European continent.
InCyber News: During your investigation, what are the main and most critical vulnerabilities you identified in EV/PV systems? Were there any particularly unexpected vulnerabilities?
Vangelis Stykas: Many vulnerabilities were found, some very critical. I was able to gain administrator level access on several platforms. With this access, I could remotely push firmware updates, potentially “breaking” photovoltaic chargers and EVs and, in some cases, causing them to catch fire.
Unfortunately, this was not unexpected as I had encountered this type of vulnerability before. What was unexpected was the ease with which these vulnerabilities were found and the general ignorance about them. Most [of the vulnerabilities I identified] are still present, and unfortunately, someone will exploit them at some point.
Are there any PV inverter/EV charger manufacturers you consider more secure and reliable than others? Were there any inverters/chargers you tried to infiltrate but were unsuccessful?
Vangelis Stykas: There are several I couldn’t hack, thankfully! Vulnerabilities will always appear. What matters is how one reacts and how quickly they are fixed. That’s what makes a good, reliable provider.
It’s not a question of if it will happen, but when it will happen and how one will react at that moment.
What were the reactions of different manufacturers when you alerted them?
Vangelis Stykas: Two of the five photovoltaic manufacturers [China-based SOLARMAN, China-based SOLAX, China-based SUNSYNK, China-based GROWATT, and Spain-based INGECON] responded and fixed the vulnerabilities after my interventions. The others ignored me. All acknowledged receiving my email, but only two acted.
The EV charger manufacturers [China-based SHENZHEN; China-based GROWATT; Netherlands-based EVBOX; Spain-based WALLBOX; UK-based EOHUB; California-based CHARGEPOINT] all responded at some point. In the end, they all fixed the vulnerabilities—some very quickly, others after being forced to. Having vulnerabilities is inevitable; what matters is how you handle and fix them.
What do these vulnerabilities mean for the stability of national power grids?
Vangelis Stykas: There’s a thorough study called the “Horus scenario.” Willem Westerhof provided theoretical proof that if enough photovoltaic systems are attacked, it could severely destabilize the grid. In Europe, national grids are so interconnected that an attack could black out an entire continent. It’s theoretical, but it could happen before other non-renewable energies like nuclear or coal take over to stabilize the grid.
In your opinion, what is the most important thing that suppliers and end customers could and should do about the vulnerabilities you have identified?
Vangelis Stykas: I identified some pretty basic web vulnerabilities. For the end customer, I recommend putting IoT devices on their own subnet to limit damage in case of compromise.
Suppliers should always check their own security, do penetration tests, and follow security checklists.
Unfortunately, governments and other regulatory bodies are lagging. Regulation must start requiring suppliers to have proper security protocols.
Do you have any particular recommendations for regulators/policymakers? How important is collaboration among stakeholders (manufacturers, regulators, cybersecurity experts, etc.) in addressing these vulnerabilities?
Vangelis Stykas: Regulators, especially in Europe, are good at regulating; that’s not the problem. The problem is there’s no regulation yet for photovoltaics.
The green revolution is progressing, which is great, but no security measures are yet imposed on the photovoltaic industry. NIS 2 is a good starting point, but we need stricter regulations specific to photovoltaics and EV chargers.
If an attacker manages to access a PV inverter/EV charger via one of the vulnerabilities you identified, are there solutions (e.g., antivirus, secure boot, etc.)?
Vangelis Stykas: Antivirus is not very relevant in this case. Network isolation and VLANs can limit exposure, but if compromised firmware is pushed, batteries can explode or catch fire. It’s a different attack vector that few people currently think about.
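The segmentation Mr. Stykas recommends (an IoT subnet on its own VLAN, with the inverter or charger allowed out to its vendor cloud but not into the rest of the home or site network) can be expressed as a small firewall policy. The ruleset below is an added illustration written for this page, not configuration from Atropos or from any of the manufacturers named above; the interface names, VLAN ID and address ranges are assumptions chosen for the example.

```nft
# /etc/nftables.conf -- hypothetical example; adjust interfaces and subnets to your site.
# Assumed layout: VLAN 20 on the router carries the PV inverter and EV charger only.
define wan_if = "eth0"        # uplink to the ISP
define lan_if = "eth1"        # trusted LAN (laptops, NAS, management host)
define iot_if = "eth1.20"     # VLAN 20: inverters, chargers, other IoT
define lan_net = 192.168.1.0/24
define iot_net = 192.168.20.0/24

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Reply traffic for connections this policy already allowed
        ct state established,related accept

        # Management direction: the trusted LAN may open connections to the
        # devices (local web UI, Modbus TCP, firmware uploads you initiate).
        iifname $lan_if oifname $iot_if ip saddr $lan_net ip daddr $iot_net accept

        # The devices may reach the Internet, which their vendor cloud needs.
        # Tighten this to the vendor's published endpoints if you know them.
        iifname $iot_if oifname $wan_if ip saddr $iot_net accept

        # A compromised device must not pivot into the LAN; log attempts so a
        # firmware push gone wrong shows up in the logs, then drop them.
        iifname $iot_if oifname $lan_if counter log prefix "iot-to-lan: " drop

        # Anything not matched above (including IoT-to-IoT across VLANs) is
        # dropped by the chain policy.
        counter drop
    }
}
```

Load it with `nft -f /etc/nftables.conf` and confirm the chain with `nft list ruleset`. This limits the blast radius of a cloud-side compromise only at the network boundary: it does nothing against a malicious firmware image delivered through the device's legitimate cloud channel, which is the attack vector the answer above warns about. Against that, the device itself has to verify firmware signatures before applying an update; the firewall cannot do it on the device's behalf.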
What future trends do you foresee in the cybersecurity landscape for renewable energies and EVs?
Vangelis Stykas: It’s an interesting but sad question. Currently, the EV and renewable energy sectors are still breaking in; it’s a fairly young sector, in a situation similar to that of IoT in the 2000s or web applications in the 90s. We need to strengthen [our] security posture. My hope is that companies [in the renewable energy and EV sectors] become aware of the importance of cybersecurity. They must stop rushing to market without considering security.
Any final insights?
Vangelis Stykas: I hope the situation with green energy and the rush to this market continues, while considering its security. In 2024-2025, I’d like to see companies asking for help if they don’t know how to secure their products.