The hidden digital highways threatening critical solar PV infrastructure

By Grant Geyer
Facebook
Twitter
LinkedIn
Reddit
Email
This isn’t an isolated risk but an issue which spans the energy sector and beyond. Image: Andreas Troll via Pixabay

While there have been limited details to corroborate the recent reports of the discovery of undocumented communication devices in Chinese-made solar inverters, this incident points to a far broader risk: the unchecked sprawl of insecure remote access across critical national infrastructure (CNI).

If the reports are correct, more than 200GW of European PV capacity could potentially be exposed – equivalent to over 200 nuclear reactors. The issue is not just who manufactured the hardware, but how it can be remotely accessed, who can access it, whether it is secured, and if access is logged and audited.

This article requires Premium SubscriptionBasic (FREE) Subscription

Unlock unlimited access for 12 whole months of distinctive global analysis

Photovoltaics International is now included.

  • Regular insight and analysis of the industry’s biggest developments
  • In-depth interviews with the industry’s leading figures
  • Unlimited digital access to the PV Tech Power journal catalogue
  • Unlimited digital access to the Photovoltaics International journal catalogue
  • Access to more than 1,000 technical papers
  • Discounts on Solar Media’s portfolio of events, in-person and virtual

Or continue reading this article for free

In Section 889 of the National Defense Authorization Act 2019, the US Congress sought to protect national security by preventing government procurement or contracting of Chinese telecommunications and video surveillance equipment and services which allegedly contain backdoors for espionage.

While the adversaries of Western democracies seek to use access to cyber-physical systems for espionage and to disrupt critical infrastructure, many industrial environments rely on a sprawling patchwork of remote access tools for day-to-day operations that is frequently insecure, uncontrolled, unmonitored and thus highly vulnerable.

This isn’t an isolated risk but an issue which spans the energy sector and beyond. If we are to protect the resilience of our energy infrastructure, we must confront the reality that remote access, while essential, has become one of the least governed aspects of cybersecurity with real world potential consequences.

The European Solar Manufacturing Council (ESMC)’s call for an EU-wide “Inverter Security Toolbox” reflects this shift in understanding. Security must extend beyond the device to the ecosystem of access surrounding it.

Solar’s security blind spot

For energy providers, the issue isn’t that remote access exists, but that it exists in such unmanageable volumes that are invisible to security teams. 

Tools are regularly onboarded for practical reasons such as vendor maintenance, emergency fixes, or legacy system support. Over time, though, these legitimate needs accumulate into a fragmented jumble of digital doors, many of which inadvertently remain open. 

In one notable case, a manufacturer discovered it had more than 7,000 remote access points across its plants. Any one of these connections, if compromised, could act as a highway through established security controls into the heart of its production systems.

This encapsulates the gulf between operational needs and cybersecurity fundamentals. While automation vendors and machine builders must maintain uptime and minimise onsite interventions, asset owners commonly overlook the security implications of their procurement and deployment decisions. 

Once you see the scale of the sprawl, you can’t unsee it. Even more vexing: once seen, what was once ignorance becomes negligence if left untreated.

In the solar sector, this risk is no different. A recent analysis from US cybersecurity firm DER Security found that 45% of global solar capacity was exposed to nation-state adversaries or cybercriminal threats in the past year alone. As the sector matures, so too must the rigour applied to its cybersecurity practices throughout the entire procurement, deployment, and operations lifecycle.

Risks of fragmented remote access

The risks facing the sector are exacerbated by the widespread use of low-grade, unsecured, or ungoverned remote access software.

Claroty’s research found that 55% of industrial organisations have four or more non-enterprise-grade tools operating within their OT environments. While using multiple vendors may not necessarily be problematic, the number of remote access points – sometimes measured in hundreds or thousands – quite certainly is. 

Some of these tools have been directly implicated in recent security breaches. For example, TeamViewer was reportedly compromised by the APT29 threat group, while AnyDesk disclosed a breach that forced the revocation of passwords and code-signing certificates across its user base. These widely deployed tools, when not properly managed, become significant liabilities within industrial settings.

But the risks extend beyond cybersecurity alone. The abundance of remote access tools creates operational challenges as well. A fragmented environment is less efficient, adding to the workload on both IT and OT teams, and is more complicated to enforce consistent security policies. 

This sprawl increases costs and generates blind spots which hinder visibility and control. In environments where uptime, safety, and precision are critical, these operational consequences can be just as damaging as a direct cyberattack.

Fragmentation, centralisation, governance

Fortunately, organisations have an alternative. Leading energy companies are beginning to adopt centralised and policy-driven approaches to remote access management. These programs begin by mapping all access points and identifying outdated or risky tools. From there, they can consolidate access pathways under a single, secure entry point. 

Importantly, this process involves not just internal restructuring but renegotiation with third-party vendors. Organisations are now requiring that vendors use the company’s preferred access method, rather than shipping their own tools or relying on outdated practices.

However, this transition is neither fast nor easy, and vendors regularly resist changes. The energy sector must put pressure on vendors to ensure that these standards are upheld. Centralised remote access not only reduces the attack surface but also improves productivity and ensures that critical operations are maintained securely and reliably. 

A strategic imperative for the future

The alleged incident with Chinese solar inverters shouldn’t be a surprise. Yet, what might surprise asset owners is the deeper issue – a fragmented approach to remote access that frequently and silently proliferates in asset-intensive organisations. 

If the energy industry is serious about securing its future, it must address this sprawl head-on. Visibility, standardisation, and accountability must become the new benchmarks.

Cybersecurity is not a matter of convenience or compliance. In the context of energy infrastructure, it is a matter of national resilience, economic security, and public safety.

Grant Geyer is chief strategy officer at cybersecurity firm Claroty.

7 October 2025
San Francisco Bay Area, USA
PV Tech has been running an annual PV CellTech Conference since 2016. PV CellTech USA, on 7-8 October 2025 is our third PV CellTech conference dedicated to the U.S. manufacturing sector. The events in 2023 and 2024 were a sell out success and 2025 will once again gather the key stakeholders from PV manufacturing, equipment/materials, policy-making and strategy, capital equipment investment and all interested downstream channels and third-party entities. The goal is simple: to map out PV manufacturing in the U.S. out to 2030 and beyond.
21 October 2025
New York, USA
Returning for its 12th edition, Solar and Storage Finance USA Summit remains the annual event where decision-makers at the forefront of solar and storage projects across the United States and capital converge. Featuring the most active solar and storage transactors, join us for a packed two-days of deal-making, learning and networking.
2 December 2025
Málaga, Spain
Understanding PV module supply to the European market in 2026. PV ModuleTech Europe 2025 is a two-day conference that tackles these challenges directly, with an agenda that addresses all aspects of module supplier selection; product availability, technology offerings, traceability of supply-chain, factory auditing, module testing and reliability, and company bankability.
10 March 2026
Frankfurt, Germany
The conference will gather the key stakeholders from PV manufacturing, equipment/materials, policy-making and strategy, capital equipment investment and all interested downstream channels and third-party entities. The goal is simple: to map out PV manufacturing out to 2030 and beyond.

Read Next

June 19, 2025
Spanish independent power producer (IPP) Sonnedix has launched Project Douro, a 150MW solar plant in Tarouca, northern Portugal.
June 19, 2025
The China Enterprise Bankruptcy and Reorganization Case Information Network has published a notice regarding creditor claims for Suntech.
June 19, 2025
The addition of solar panels to existing wind and hydroelectric plants in Turkey could add 8GW of new capacity to the country’s energy mix.
June 19, 2025
Renewable energy investment platform Nexwell Power has acquired a 248MWp solar PV portfolio from energy service provider Q Energy in Spain.
June 19, 2025
Norwegian energy company Statkraft has narrowed down its focus on fewer markets and technologies as it targets to reduce its expenses by NOK2.9 billion (US$290 million) annually by 2027.
June 19, 2025
Boralex is driving organic growth across Canada, the US, France, and the UK, fueled by a project pipeline totalling 8GW.

Subscribe to Newsletter

Upcoming Events

Upcoming Webinars
June 30, 2025
10am PST / 6pm BST
Solar Media Events
July 1, 2025
London, UK
Solar Media Events
July 1, 2025
London, UK
Media Partners, Solar Media Events
July 2, 2025
Bangkok, Thailand
Media Partners, Solar Media Events
September 2, 2025
Mexico City, Mexico