
While there have been limited details to corroborate the recent reports of the discovery of undocumented communication devices in Chinese-made solar inverters, this incident points to a far broader risk: the unchecked sprawl of insecure remote access across critical national infrastructure (CNI).
If the reports are correct, more than 200GW of European PV capacity could potentially be exposed – equivalent to over 200 nuclear reactors. The issue is not just who manufactured the hardware, but how it can be remotely accessed, who can access it, whether it is secured, and whether access is logged and audited.
In Section 889 of the National Defense Authorization Act 2019, the US Congress sought to protect national security by preventing government procurement or contracting of Chinese telecommunications and video surveillance equipment and services which allegedly contain backdoors for espionage.
While the adversaries of Western democracies seek to use access to cyber-physical systems for espionage and to disrupt critical infrastructure, many industrial environments rely for day-to-day operations on a sprawling patchwork of remote access tools that is frequently insecure, uncontrolled, unmonitored and thus highly vulnerable.
This isn’t an isolated risk but an issue which spans the energy sector and beyond. If we are to protect the resilience of our energy infrastructure, we must confront the reality that remote access, while essential, has become one of the least governed aspects of cybersecurity, with potential real-world consequences.
The European Solar Manufacturing Council (ESMC)’s call for an EU-wide “Inverter Security Toolbox” reflects this shift in understanding. Security must extend beyond the device to the ecosystem of access surrounding it.
Solar’s security blind spot
For energy providers, the issue isn’t that remote access exists, but that it exists in volumes so unmanageable that they are invisible to security teams.
Tools are regularly onboarded for practical reasons such as vendor maintenance, emergency fixes, or legacy system support. Over time, though, these legitimate needs accumulate into a fragmented jumble of digital doors, many of which inadvertently remain open.
In one notable case, a manufacturer discovered it had more than 7,000 remote access points across its plants. Any one of these connections, if compromised, could act as a highway through established security controls into the heart of its production systems.
This encapsulates the gulf between operational needs and cybersecurity fundamentals. While automation vendors and machine builders must maintain uptime and minimise onsite interventions, asset owners commonly overlook the security implications of their procurement and deployment decisions.
Once you see the scale of the sprawl, you can’t unsee it. Even more vexing: once seen, what was once ignorance becomes negligence if left untreated.
In the solar sector, this risk is no different. A recent analysis from US cybersecurity firm DER Security found that 45% of global solar capacity was exposed to nation-state adversaries or cybercriminal threats in the past year alone. As the sector matures, so too must the rigour applied to its cybersecurity practices throughout the entire procurement, deployment, and operations lifecycle.
Risks of fragmented remote access
The risks facing the sector are exacerbated by the widespread use of low-grade, unsecured, or ungoverned remote access software.
Claroty’s research found that 55% of industrial organisations have four or more non-enterprise-grade tools operating within their OT environments. While using multiple vendors may not necessarily be problematic, the number of remote access points – sometimes measured in hundreds or thousands – quite certainly is.
Some of these tools have been directly implicated in recent security breaches. For example, TeamViewer was reportedly compromised by the APT29 threat group, while AnyDesk disclosed a breach that forced the revocation of passwords and code-signing certificates across its user base. These widely deployed tools, when not properly managed, become significant liabilities within industrial settings.
But the risks extend beyond cybersecurity alone. The abundance of remote access tools creates operational challenges as well. A fragmented environment is less efficient, adds to the workload on both IT and OT teams, and makes consistent security policies harder to enforce.
This sprawl increases costs and generates blind spots which hinder visibility and control. In environments where uptime, safety, and precision are critical, these operational consequences can be just as damaging as a direct cyberattack.
Fragmentation, centralisation, governance
Fortunately, organisations have an alternative. Leading energy companies are beginning to adopt centralised and policy-driven approaches to remote access management. These programs begin by mapping all access points and identifying outdated or risky tools. From there, they can consolidate access pathways under a single, secure entry point.
Importantly, this process involves not just internal restructuring but renegotiation with third-party vendors. Organisations are now requiring that vendors use the company’s preferred access method, rather than shipping their own tools or relying on outdated practices.
However, this transition is neither fast nor easy, and vendors regularly resist changes. The energy sector must put pressure on vendors to ensure that these standards are upheld. Centralised remote access not only reduces the attack surface but also improves productivity and ensures that critical operations are maintained securely and reliably.
A strategic imperative for the future
The alleged incident with Chinese solar inverters shouldn’t be a surprise. Yet, what might surprise asset owners is the deeper issue – a fragmented approach to remote access that frequently and silently proliferates in asset-intensive organisations.
If the energy industry is serious about securing its future, it must address this sprawl head-on. Visibility, standardisation, and accountability must become the new benchmarks.
Cybersecurity is not a matter of convenience or compliance. In the context of energy infrastructure, it is a matter of national resilience, economic security, and public safety.
Grant Geyer is chief strategy officer at cybersecurity firm Claroty.