Is Europe ready to tackle solar cybersecurity risks?

The EU is responding to various actions from European states and a rising concern about cybersecurity in the solar sector, as the market dominance of Chinese inverter companies grows and renewables become increasingly integrated into the European power grid.

According to Uri Sadot, head of the digitisation workstream at SolarPower Europe and former cybersecurity director at SolarEdge, the EU is likely to have issued draft cybersecurity legislation for the sector by the end of the year,

“I think by the end of the year we’ll have clarity. I’m seeing such strong, authoritative voices making strong statements that it’s going to be done by the end of the year,” he tells PV Tech Premium. Discussions over legislation and implementation are ongoing in Brussels, Sadot suggests, and the outcome could take a number of different forms.

Ahead of any forthcoming legislation, PV Tech Premium asks whether Europe has taken cybersecurity seriously enough, how big the cyber risks are for the solar sector and what impact more security will have on the industry.

Geopolitical tensions

Europe is more exposed to cybersecurity risks from solar inverters than any other part of the world, according to a June report from cybersecurity company Forescout. It identified around 35,000 solar “devices” (meaning inverters, dataloggers and monitors, among others) across the world that are exposed to external internet access. Of those, 76% were in Europe.

“Given the current geopolitics, everything is very difficult right now,” Erika Langerova, head of cybersecurity research at UCEEB, a research centre under the Czech Technical University in Prague, tells PV Tech Premium.

Data from PV marketplace platform sun.store shows that Chinese companies currently have a stranglehold on European inverter supply, but many Chinese companies “want to be quick on the market and want to sell cheap inverters,” Langerova says, “which means they oftentimes overlook cybersecurity completely and they ship very cheap but very insecure products.”

Langerova has conducted extensive research into cybersecurity threats in the energy sector from a variety of angles, including studies of Chinese research into attacks on European grids.

While European countries and the European Commission are beginning to take legislative action, the EU is, in her estimation, “afraid to admit we have a problem with [dependence on] China.”

“They just say ‘dependency on foreign manufacturers’, but we all know it’s China. And then a set of problems emerges from this approach, because you’re not able to do targeted mitigation measures, you just have vague recommendations.”

A vulnerable position

As Langerova describes it, the European energy grid and its renewables industry are simultaneously integrated with and afraid of Chinese influence. She describes the involvement of big Chinese renewables firms in Europe’s trade associations and standardisation committees, and the fact that Chinese technology has enabled Europe’s energy transition to reach its current point.

Concurrently, she describes these Chinese economic interests in the European market as the threads holding the Damoclean sword of cyberattack from falling. “Europe has swapped one dependency for another,” she says; from Russian fossil fuels to Chinese renewables.

Langerova is clear that none of this proves, or necessarily indicates, intent from hacking groups, like those cited by the Czech government, or China itself, to attack Europe’s grid. This vulnerability is compounded by the fact that the necessary security infrastructure and protection are not effectively in place.

“We still have basic issues like weak credentials, weak passwords, a lot of vulnerabilities in the cloud platforms for managing those inverters,” she says.

“We need to protect these systems,” Sadot adds. “Having a default password [on an energy platform] is a bad idea, and everyone should agree on that. Even if China is the 28^th member state of the EU tomorrow, we need to agree that doors should be locked and critical energy systems should have strong passwords.”

China is also not the only potential international attacker for Europe’s solar infrastructure; it just happens to make most of the digital systems being deployed. Russia is more aggressive toward Europe than China, Langerova says, and the vulnerabilities in the continent’s inverters and battery energy storage system (BESS) installations could be exploited by bad actors from any country.

The risks of cyber insecurity

China does not allow remote control of devices in any of its networks, including the power grid, under the Multi-Level Protection Scheme (MLPS) 2.0 law of 2019. Europe, however, doesn’t have that level of protection.

Langerova says the main source of cybersecurity risks is “the cloud infrastructure the inverters are connected to,” and the main issue is “remote access.”

The Common Vulnerabilities and Exposures (CVE) database of cybersecurity vulnerabilities lists tens of entries under searches for the leading Western and Chinese solar inverter manufacturers, with some vulnerabilities reportedly allowing full remote control of inverters over either cloud infrastructure or wifi connections.

“We have issues so critical that when you attack certain vendors … you would be able to create a serious problem in the power grid, meaning, at minimum, local blackouts, at maximum, nationwide blackout,” Langerova says. It is also possible to physically damage inverters through remote access, she says, such as by disabling cooling fans and causing the equipment to overheat.  

The potential consequences are extreme, but how likely is a cyberattack on European inverters? There are regular reports of cyberattacks in other fields; the UK National Cybersecurity Centre, run by the country’s Government Communication Headquarters (GCHQ), said last week that it dealt with 204 “nationally significant” cyber incidents in 2024, more than three times the amount in 2023, and of those 18 were deemed “highly significant … meaning that they had the potential to have a serious impact on essential services”.

Crowdstrike, Sungrow and Iberia

“The grid is changing,” Sadot says. “And the majority of power production is not going to come from big plants with chimneys. It’s going to come from these small systems. So we need to make sure that they’re smart and protected.”

That means more potential points of digital vulnerability. Sadot points to the 2024 Crowdstrike incident, where a faulty update from US cybersecurity firm Crowdstrike inadvertently crashed around 8.5 million computer systems. “It was human error and you had airports stuck and planes didn’t take off,” he says.

He also mentions a 2023 incident where Chinese inverter and BESS manufacturer, Sungrow, sent a “bad update” and around 800 energy storage systems went down.

Sungrow told PV Tech Premium that its products are “regularly tested by independent third-party security experts” and that its servers are “fully hosted in a GDPR-compliant data centre located in Frankfurt, Germany, ensuring that all data remains within the European Union.”

In May, the Spanish government publicly ruled out a cyberattack as the cause of this year’s blackout in the Iberian Peninsula, which saw parts of the Spanish and Portuguese grid go dark for hours, but Sadot still has cybersecurity concerns over the incident.

Sadot continues: “Look … I’ve read every word of the Spanish blackout investigation. It’s still unclear what happened and the root cause. It’s still unclear. It could be a cyberattack; having been in that world, you could mask something to be a cyberattack with no clear evidence.”

“At the end of the day, if you look ten, 20 years into the future, you don’t want to build a continental grid that’s that risky,” Sadot says.

One concerning feature of the cybersecurity landscape is the idea of “pre-positioning”, which is where hackers—whether state-backed or not—can gain access to infrastructure systems without installing malware and can sit there, dormant and undetected.

The US and UK security agencies have warned of the risks of Chinese pre-positioning in advance of cyberattacks, and Langerova describes the practice as “a nice leverage.”

“[Pre-positioned actors] can just say ‘I’m controlling your infrastructure, you will do what I tell you otherwise I will shut you down’,” she says. “People are often saying that the shutdown scenario is unrealistic, but the mere fact they might have this ability is perceived as a big problem in the security community.”

When asked if there is likely to be a threat pre-positioned in European Energy infrastructure at present, Langerova says this would require a “really difficult forensic analysis” to determine, but points to the Salt Typhoon and Vault Typhoon cyberattacks, perpetrated by allegedly Chinese-linked persistent threat actors (PTA) on US telecoms and military infrastructure.

“People often think that this was only happening in the United States, but we also had issues with the Typhoons in Europe. We know that they at least tried to do similar things to infiltrate critical infrastructure, the same way they did it in the United States.”

In short, Europe shouldn’t rule it out.

Implications for the solar industry

One way to reduce the risk of cyberattack from nations outside of Europe would be to support European inverter manufacturers.

While they have been struggling for the last year, with many non-Chinese players announcing financial losses and rounds of job cuts as the market shifts and their products are undercut by cheaper imports, the trade body, SolarPower Europe, has called for greater support for the continent’s inverter manufacturers and for increased cybersecurity measures.

But it’s not the only way. Following the Czech and Lithuanian governments, the apparently forthcoming EU legislation could go in a few directions. Sadot says the most dramatic of those would be product recalls for inverters deemed unsafe. “That’s going to be a big drama, of course, there’s going to be a lot of political opposition.”

Even Lithuania, “which is a very hawkish country with sour relations with China”, Sadot says, capped inverter recalls at systems of 100kW and above to avoid thousands of homeowners having to replace their products “in an election year”.

He says there are “gradations” of recall, which could include banning inverters from connecting directly to the internet except through a “local controller”.

“The more lax measures would be something like setting a standard,” he says, presumably not of the type which Langerova has previously criticised for being “vague”.

Most likely, improvements in cybersecurity will require “growing adoption of the paradigm shift; that it’s critical infrastructure,” Sadot says.

“It doesn’t matter if it’s one big chimney or a million small inverters; it’s critical infrastructure.” That “paradigm” would introduce the audits and security checks around technology and direct foreign investment that comes with the critical infrastructure label.

He says that the possibility of introducing restrictions at interconnection points is “being discussed”, whereby the European Network of Transmission System Operators (ENTSO-e) says nothing over a certain threshold, which is linked to a data centre elsewhere in the world, or that has weak authentication or password credentials, can connect to the grid. This would be a move similar to China’s MLPS law.

In that case, “your market participation contracts would be void, you couldn’t participate in battery charge/discharge markets if you don’t meet those criteria,” he says. “It’s a very strong enforcement mechanism that doesn’t need all the legislative brouhaha.”

Whatever form the legislation takes, Europe seems to be waking up to the cybersecurity risks associated with solar energy. But the impacts on the solar industry itself are unclear. Sadot predicts a relatively smooth path where Chinese firms “cede critical control” in response to changing legislation, but Langerova’s assessments of the geopolitical tensions in Europe’s relationship with Chinese technology may complicate the picture.