US energy officials have found unexplained communication equipment inside some Chinese-made inverter devices, according to a report from the Reuters news agency.
This morning, Reuters reported the presence of undocumented and “rogue” communication devices in a number of Chinese-made solar inverters. These could potentially introduce unregulated and undocumented remote communication channels to the inverters, by which an actor could remotely bypass the cybersecurity firewalls that utility companies use to prevent direct communication back to China.
Unlock unlimited access for 12 whole months of distinctive global analysis
Photovoltaics International is now included.
- Regular insight and analysis of the industry’s biggest developments
- In-depth interviews with the industry’s leading figures
- Unlimited digital access to the PV Tech Power journal catalogue
- Unlimited digital access to the Photovoltaics International journal catalogue
- Access to more than 1,000 technical papers
- Discounts on Solar Media’s portfolio of events, in-person and virtual
Or continue reading this article for free
Similar devices were also found in Chinese-made batteries.
Inverters are highly digitalised products, often referred to as the “heart” or “brain” of a PV system. In theory, hackers could remotely disrupt or switch off solar power supply if they could control the inverter, resulting in power losses, blackouts or damage to energy infrastructure.
The concerned parties that spoke to Reuters did not disclose the manufacturers or the number of products where they found the rogue devices. Energy analyst Wood Mackenzie said that Chinese firms Huawei and Sungrow dominated over 50% of the global inverter market share in 2023.
PV Tech has reached out to trade body the Solar Energy Industries Association (SEIA) for comment on this discovery.
European concerns
Though discovered in the US, the presence of unregistered equipment has raised alarm in Europe.
The European Solar Manufacturing Council (ESMC), the body which represents the interests of some Europe-based PV companies, said that: “With over 200GW of Europe’s solar capacity relying on these inverters—equivalent to more than 200 nuclear power plants—the security risk is systemic.”
In a LinkedIn post, it called on the European Commission (EC) to examine the “risk potential for sabotage and espionage” of manufacturers of components that can “significantly influence the behaviour” of the European grid. It also called for “rigorous audit and validation tools” and a fully transparent software bill of materials (BOM).
The ESMC and fellow trade body SolarPower Europe have been ramping up calls for greater cybersecurity protection for European inverters. Earlier this month, the ESMC called for a restriction for remote access to inverters from “high risk” Chinese manufacturers.
This followed a report from SolarPower Europe and consultancy DNV highlighting the security risks posed by digital inverters. The report said that the risks were “above acceptable limits”, as an attack on just 3GW of inverter capacity—far lower than the production capacity of the leading suppliers—could have “significant implications” for the power system.
In the report from DNV and SolarPower Europe published last month, the authors said there is “growing concern for potential damage” from cyber attacks in the solar industry as it grows. It also cited hacker groups which had been associated with the Chinese and Russian governments, identified by the US Cybersecurity and Infrastructure Security Agency (CISA) “with a focus on attacking critical infrastructure in the US and Europe.”
Opinions from Intersolar Europe
Last week, PV Tech spoke to a leading European inverter manufacturer at the Intersolar Europe trade show in Munich, who said that the risk of cyberattacks to cut power supply from solar inverters was “real”, and that “it’s very clear inverter companies could switch off the grid if they want to.”
Our interviewee likened the prospect to Russia restricting gas supply to Europe after its invasion of Ukraine. “Probably 99% of people would have said ‘No, there’s no risk [of that happening].’ But it did. We saw it. And I see the same risk here.”
PV Tech Premium also spoke to companies present at the event, including SolarEdge and Solargis, about growing cybersecurity concerns in the European solar sector.
What could have been thought of as a hypothetical “risk” is perhaps now closer to reality with today’s report from the US.
