The European electricity network has become a ‘smart grid.’ This offers many opportunities for sustainability but also makes our energy system more vulnerable to digital attacks. In a time of increasing threat of hybrid warfare, the government and the energy sector realize that we as a society must prepare for possible disruption of the energy system and do everything we can to prevent it. Various institutions test smart devices, set safety standards, and monitor compliance with these standards. However, parties such as our grid operators only have control over the energy grid equipment up to the front door. They are not allowed to look beyond the electricity meter, where most smart equipment is located. DIVD is allowed to do this and by identifying devices that can form a botnet, DIVD helps to make the smart grid more secure. DIVD has been conducting research into vulnerabilities in equipment of the energy system, such as charging stations, solar panel inverters, home batteries, and (Home) Energy Management Systems. Previous findings have led to several parliamentary questions and follow-up actions by authorities such as RDI, the Dutch Authority on Digital Infrastructure. With the CVD in the Energy Sector project, DIVD will set up a research and education line with the DIVD.academy in collaboration with the energy sector to reduce the digital vulnerability of our energy system. DIVD will also build a hardware lab to test devices and scenarios. You may join too and help to save the grid. In this talk, we will demonstrate how we could have generated outages using zero-days we found in solar converters and electric car chargers. But we also did it with just one user-password combination… The European electricity network has become a ‘smart grid’. Consumers are not only users but also producers of energy. More and more devices are connected, smart and online, so supply and demand can be more easily matched. This offers many opportunities for sustainability and possibilities for new players to enter the market. But also makes our energy system more vulnerable to digital attacks. In a time of increasing threat of hybrid warfare, the government and the energy sector realize that we as a society must prepare for possible disruption of the energy system and do everything we can to prevent it. In the Netherlands and Europe, various institutions test smart devices, set safety standards, and monitor compliance with these standards. However, parties such as our grid operators only have control over the energy grid equipment up to the front door. They are not allowed to look beyond the electricity meter, where most smart equipment is located. Being an independent non-profit research institute, DIVD is allowed to do this. By looking for devices that can form a botnet, DIVD helps to make the smart grid more secure. DIVD has been scanning the entire internet for vulnerabilities since 2020 and reporting them to the owners of systems. This may involve known vulnerabilities (Common Vulnerabilities and Exposures), new vulnerabilities (Zero-days), leaked credentials (username-password combinations) and online sources that are unintentionally accessible. DIVD is also a CVE Numbering Authority (CNA) and can publish new vulnerabilities. Our way of working is supported by the parties responsible for digital security in the Netherlands, such as NCTV, NCSC, AIVD, police, and many cyber security companies. In addition to these activities, DIVD also conducts research into vulnerabilities in the equipment of the energy system, such as charging stations, solar panel inverters, home batteries, and (Home) Energy Management Systems. Previous findings have led to several parliamentary questions and follow-up actions by authorities such as RDI, the Dutch Authority on Digital Infrastructure. With the CVD in the Energy Sector project, DIVD will set up a research and education line with the DIVD.academy in collaboration with the energy sector to jointly reduce the digital vulnerability of our energy system. In 2025, we will: - Incorporate all energy-related research by DIVD into a research line under a Research Lead Energy. - Establish structural partnerships with the energy sector to jointly resolve vulnerabilities. - Build our own hardware lab where we will test peripheral equipment for security and collaborate with other hardware labs. - Set up our CNA to receive, process, and publish CVEs of digital solutions used in the energy system. Share research findings with authorities to support their enforcement. DIVD.academy familiarize students with basic knowledge of energy systems and energy equipment and involve them in practice-oriented research. - Develop teaching materials for the installation sector and training courses to increase awareness of vulnerabilities in the energy system. - Share our knowledge via hacker events and security conferences. In this talk, we will demonstrate how we could have generated outages using zero-days we found in solar converters and electric car chargers. But we also did it with just one user-password combination… Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://pretalx.hackerhotel.nl/2025/talk/TFJCBD/