Hackers who guard the energy network

Changing focus from privacy to physical security

DIVD started in 2019 as a platform for what Director Chris van 't Hof calls ‘ethical hackers’: well-intentioned and sharp-eyed people committed to making the virtual world safer. Chris recognises something familiar in hackers. “They’re typically out of place in mainstream education, preferring to try things for themselves and learn independently. I’m just like that myself.”

DIVD’s interest in the energy system began when one of their hackers discovered something remarkable: a platform linked to servers in China for updating and monitoring the transformers that convert the power from solar panels into a form that can be fed into the power grid. The connection was open and unsecured! “Initially, he saw it as a privacy problem,” recalls Chris. “You can see when people are at home, and you can turn the electricity on and off. However, because my background is in electrical engineering, I immediately saw a much bigger issue. The platform was being used to manage a million transformers with a total capacity of 10 gigawatts. Taking that much hardware offline would cause a continent-wide blackout.” That was when DIVD switched its focus from the traditional protection of personal data, to something much more tangible: physical security.

Identifying and reporting vulnerabilities and getting them fixed

DIVD monitors the main targets in the energy system: transformers for solar panels, EV docking stations, smart meters and the increasingly important energy management software that connects all the hardware together and aligns each piece of kit with the next. “All smart devices are vulnerable,” says Chris. “And everything that’s online will get hacked sooner or later. What makes DIVD unique isn’t simply that we’re able to find vulnerabilities, it’s that we have the legal authority to do so. We have a ‘licence to hack’: we can search for vulnerabilities without first getting permission from the owner or vendor, precisely because vulnerabilities only come to light when a system is already leaky.”

If DIVD finds a vulnerability, it reports the issue to the vendor. “The vendor can then investigate the problem, and apply a patch (a software update to fix a particular vulnerability or fault in a program). The consumer then gets an update on their device,” explains Chris. That process is known as ‘coordinated vulnerability disclosure’ (CVD). Formal registration of the vulnerability involves the preparation and release of a uniquely numbered Common Vulnerability and Exposure (CVE). “That’s important for everyone that buys, uses, instals or resells the hardware in question: they can see right away whether their version has a particular vulnerability and needs updating. The system also helps other investigators in the community, who can see what’s already been discovered and can take things from there.”

CVE (Common Vulnerability and Exposure)

DIVD acts as a ‘CNA’ (CVE Numbering Authority): a body with formal authorisation to issue CVE numbers. “A heck of a lot of devices have vulnerabilities, and there are lots of people investigating them,” explains Chris. “Previously, though, there wasn’t anywhere for them to report their findings so that something got done. We’ve taken on that role.” That involves administrative work as well: processing investigation reports, obtaining evidence, communicating with vendors.

If a vendor doesn’t resolve a vulnerability, DIVD takes things a step further. “Plenty of vulnerabilities simply don’t get fixed,” acknowledges Chris. “In cases like that, we inform the Dutch Authority for Digital Infrastructure (RDI).” The RDI assesses the report and can force the vendor to act or face a fine. At the moment, the RDI is looking at 3 DIVD reports about transformers. “It’s an amusing situation,” says Chris, “to have a hacker collective working with the authorities!”

Hacking lab and teaching material

At the HermitHive – a former bank in Nieuwegein – DIVD has set up a hardware lab for the physical testing of devices. However, vulnerabilities often begin much earlier, at the time of installation. DIVD.academy, an existing foundation that teaches young people to hack, and judges them on their skills, rather than their qualifications, is therefore developing teaching materials for the installation industry. Recent geopolitical developments have made the initiative more urgent than ever. “Energy systems are an attractive target,” says Chris. “And they’re more vulnerable than people realise.”

Support from SIDN Fund

For an organisation whose work is done mainly by volunteers, external funding is vital. Securing such funding has been far from easy, however. Chris: “DIVD is a good cause, but security is often seen as something that companies or the government should be taking care of. And we’re not allowed to offer commercial services, because that would distort the market. Our role is doing what everyone else isn’t allowed to.”

SIDN Fund has been involved with DIVD right from the start. The DIDV.academy also receives support from the SIDN Fund. It was the Fund that gave DIVD its very first grant, to cover the cost of a website and initial set-up. DIVD.academy has also received help from SIDN Fund. A grant for CVD in the Energy System enabled DIVD to appoint a project leader, buy equipment, organise events such as Hack the Power Grid at the Green Village in Delft, and build a solid basis for collaboration with the energy sector. The money also enabled DIVD to recruit other partners, including Topsector Energie, which co-funded the hacking demos.

SIDN Fund's Elise van Schaik: “DIVD’s work is incredibly valuable for a secure and open internet. They have demonstrated how closely our energy supply system is integrated with the internet – and how important it is that everything remains secure and operational. We’re proud to be able to support their mission.”

Next: the water management infrastructure

DIVD’s methodology – assembling a team of investigators, identifying and reporting vulnerabilities, and seeing that they get fixed – is transferable to other critical infrastructures. Chris: “Water management is the next step. Many of the pumps and other equipment that control drainage systems and flood defences are online but lack proper security. That has potentially huge implications for physical security: if they got hacked, the Netherlands could be flooded.” DIVD’s mission remains the same: making the world safer by identifying and addressing vulnerabilities.

Want to know more? Visit divd.nl/energie or the SIDN Fund project page.