Huawei: Our inverters are not a cybersecurity threat

“We write to express our concern over the national security threat products manufactured by Huawei Technologies Co., Ltd. (Huawei) pose to our nation’s critical energy infrastructure. We understand that Huawei, the world’s largest manufacturer of solar inverters, is attempting to access our domestic residential and commercial markets,” states the letter. “Congress recently acted to block Huawei from our telecommunications equipment market due to concerns with the company’s links to China’s intelligence services. We urge similar action to protect critical US electrical systems and infrastructure.”

In a statement sent to PV Tech, Huawei said its inverters complied with all cybersecurity requirements.

“As a global leading ICT and Network Energy solutions provider, Huawei is fully aware of the importance of cybersecurity,” it said.

“So far, our products and solutions have been safely and stably used in more than 40 countries, and have won the trust of tens of thousands customers around the world. We have never received any cybersecurity allegations by our customers.

“Huawei commits to providing customers with high-quality products and services. At present, the quality and reliability of Huawei Solar inverters are higher than the industry average standard. The Solar products and solutions Huawei is selling in the United States are in compliance with local US cybersecurity rules.

“Cybersecurity and privacy protection are customers’ basic demands and a core value Huawei creates for the customers. Huawei has clearly defined cybersecurity and privacy protection as the company's highest priority to protect customers' cybersecurity and ensure the secure and stable development of customers around the world.

“Huawei complies with all applicable laws and regulations where it operates, including applicable export control and sanction laws and regulations of the UN, US and EU.”

Willem Westerhof is an ethical hacker and public speaker with the Dutch digital security firm Qbit and has previously uncovered vulnerabilities in solar modules.

“There are many ways an attacker can target electricity grids. Some attack vectors, however, are more feasible than others,” he told PV Tech. “An attacker often thinks in scenarios: they want to achieve a certain goal such as causing a blackout or obtaining money etc. Any device within the electricity grid, that is capable of aiding in such a scenario, can be targeted by an attacker. This is in no way limited to solar inverters,” said Westerhof.

“By conducting a hardware ban, it is possible to stop widespread use of devices that are deemed ‘untrustworthy’ by the ones who set up the hardware ban. The ban ensures, if properly enforced, that an attack targeting an electrical grid via the ‘untrustworthy’ device is no longer a feasible attack vector. Whether this ban actually stops a determined and sophisticated attacker depends on the security level of all remaining systems that have not been banned.”

“A hardware ban does not necessarily stop a determined and sophisticated hacker. Any hardware from any vendor can be targeted and attacked by a malicious attacker. Whether this attack is successful or not, depends on the security level of the attacked device. It is, however, possible for hardware to have vulnerabilities present due to a lack of testing, or due to the deliberate creation of backdoors. A ban on specific hardware is more of a reflection on how much trust an entity is willing to put in another entity,” he added.