Although solar inverters are generally thought to be the main target of cyber attacks, the threat landscape for solar PV systems extends far beyond these devices, as the cyber attack carried out against several solar plants in Poland in late December demonstrated.
“Attackers often target the broader ecosystem of distributed energy resources, not just individual devices,” the chief technology officer (CTO) of US-based cybersecurity firm DER Security Corp (DERSec), Jay Johnson, told pv magazine. “30 renewable energy sites were hit and, surprisingly, the inverters remained untouched. Instead, attackers deployed wiper malware against substation equipment, affecting operations at the interface between the generating sites and the power grid. While the incident did not cause widespread blackouts, it underscored the multiple ways in which PV systems can be disrupted.”
Historical data on solar infrastructure attacks and vulnerabilities shows that inverters remain a potential target, but vulnerabilities often lie in solar monitors, application programming interfaces (APIs), and mobile applications that communicate with the equipment. These backhaul communication channels, such as Secure Shell (SSH), File Transfer Protocol (FTP), Message Queuing Telemetry Transport (MQTT), Representational State Transfer application programming interfaces (REST APIs), or Hypertext Transfer Protocol Secure (HTTPS) interfaces, allow for firmware updates and real-time monitoring but can also serve as entry points for attackers.
Through these communication platforms, operators can perform firmware updates and monitor system performance. It is also typically how the homeowner or asset owner accesses solar production data over time. They are not using the standardized communication interface for this purpose, as that interface is generally intended for utility interactions. “Instead, the API or other backhaul communication channels provide production data throughout the day and power the mobile applications that show users how their systems are performing,” Johnson explained. “These channels effectively act as a backdoor in many devices, and both interfaces present clear cybersecurity concerns.”
Do you want to strengthen and enhance the cyber security of your solar energy assets to safeguard them against emerging threats?
Join us on Apr. 29 for pv magazine Webinar+ | Decoding the first massive cyberattack on Europe’s solar energy infrastructure – The Poland case and lessons learned
Industry experts will explore real-world cyberattack scenarios, highlight potential vulnerabilities in solar and storage systems, and share practical, actionable strategies to protect your energy assets. Attendees will gain valuable knowledge on how to anticipate, prevent, and respond to cyber threats in the rapidly evolving solar energy sector.
Remote manipulation of solar inverters is not a matter of high-tech espionage alone. With standardized communication protocols like IEEE 1547, IEEE 2030.5, DNP3, and SunSpec Modbus, any device connected to an operational technology (OT) network could be manipulated using relatively simple tools. “Even cutting a fence on a solar site and connecting a laptop could allow an attacker to interact with inverters, making network security a critical concern,” Johnson emphasized.
Standards and guides like IEC 62443, NIS2, and IEEE 1547.3 include security provisions, but these are not globally mandated and often cover only a small subset of the necessary cybersecurity controls required to protect the generation systems. Many fielded distributed energy resources (DER) assets include unencrypted interfaces, contain weak authentication and authorization controls, and have other vulnerabilities that allow remote code execution or arbitrary firmware updates. “While local access to DER devices is generally possible, the greater risk is gaining access to cloud portals or APIs that allow bulk updates or changes to millions of devices simultaneously,” Johnson cautioned. “In those cases, an adversary may significantly impact power operations in power systems around the world.”
While this has not happened yet, chaining multiple public exploits would enable an attacker to compromise cloud management portals and then push firmware or settings updates to hundreds of thousands of internet-connected DER devices. To mitigate these risks, PV system owners can implement several layers of protection. Standard best practices include least-privilege access, network segmentation, avoiding unnecessary internet exposure, and ensuring authentication and authorization for all communication interfaces. Firewalls, encrypted protocols, and secure remote access points help reduce the attack surface, even for small-sized rooftop systems.
Johnson also notes that more sophisticated detection systems can monitor inverter behavior, comparing it against expected operational bounds and digital twins. Abnormal deviations, such as unexpected power set points or inconsistent reactive power output, can indicate a potential cyber incident.
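The kind of bounds check described above can be sketched in a few lines. This is an added example, not DERSec's software or code from the article: the telemetry fields, the 10 kVA rating, the tolerances and the sample readings are all constructed assumptions, and it compares against simple expected bounds rather than a digital twin.

```python
import math
from dataclasses import dataclass

@dataclass
class Sample:                 # hypothetical telemetry record
    t: int                    # seconds since start of capture
    limit_pct: float          # active power limit set point, % of rating
    pf_cmd: float             # commanded power factor (1.0 = unity)
    watts: float              # measured active power
    vars_: float              # measured reactive power

RATED_VA = 10_000.0           # assumed inverter rating
W_TOL = 0.02 * RATED_VA       # assumed tolerance on active power
VAR_TOL = 0.05 * RATED_VA     # assumed tolerance on reactive power

def check(samples, authorized_changes):
    """Return (t, reason) alerts. authorized_changes holds the
    (t, limit_pct) set point writes the operator actually scheduled."""
    alerts, prev = [], None
    for s in samples:
        # 1. Set point moved, but no scheduled change explains it.
        if (prev is not None and s.limit_pct != prev.limit_pct
                and (s.t, s.limit_pct) not in authorized_changes):
            alerts.append((s.t, "unexpected power set point"))
        # 2. Output exceeds the commanded limit.
        if s.watts > s.limit_pct / 100 * RATED_VA + W_TOL:
            alerts.append((s.t, "active power above limit"))
        # 3. Reactive power does not match the commanded power factor:
        #    expected |Q| = |P| * tan(acos(pf)).
        pf = max(-1.0, min(1.0, s.pf_cmd))
        expected_var = abs(s.watts) * math.tan(math.acos(abs(pf)))
        if abs(abs(s.vars_) - expected_var) > VAR_TOL:
            alerts.append((s.t, "inconsistent reactive power"))
        prev = s
    return alerts

# Constructed readings, one per minute.
SAMPLES = [
    Sample(0, 100.0, 1.0, 8000.0, 50.0),
    Sample(60, 100.0, 1.0, 8100.0, 40.0),
    Sample(120, 50.0, 1.0, 5000.0, 30.0),    # scheduled curtailment
    Sample(180, 50.0, 1.0, 4900.0, 3000.0),  # vars despite unity pf command
    Sample(240, 0.0, 1.0, 0.0, 0.0),         # unscheduled shutdown set point
]
AUTHORIZED = {(120, 50.0)}

if __name__ == "__main__":
    for alert in check(SAMPLES, AUTHORIZED):
        print(alert)
```

The scheduled curtailment at 120 s passes because it matches an authorized change; the same write with no matching schedule entry would be flagged.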
The potential consequences of a compromised inverter extend beyond data theft, according to the cybersecurity expert. Simple attacks manipulating active or reactive power could trigger localized blackouts, while firmware manipulation could alter switching behavior in microinverters or large devices, causing harmonic distortions or DC offsets that physically stress transformers and other grid infrastructure. Such attacks, though technically complex, could accelerate equipment wear, increase failure rates, and necessitate costly hardware replacement.
While discussions about inverters often touch on geopolitics, Johnson warns of theoretical risks. In wartime scenarios, companies with high penetration in a power system could be pressured to act in ways that affect grid stability. From a technical standpoint, the ability exists to remotely shut down connected inverters, irrespective of country of origin. However, he stresses that the primary incentive for manufacturers is to maintain secure, reliable operation, and malicious interventions remain unlikely outside extreme circumstances.
Johnson concludes with a caution against sensationalism. While solar PV systems face genuine cybersecurity threats, he encourages measured awareness rather than fear. “There are plenty of risks here, but it’s not productive to promote fear, uncertainty, and doubt,” he said. “Practical, layered defenses and vigilant monitoring remain the best strategy to protect distributed energy assets from increasingly sophisticated threats.”
DERSec sells intrusion detection software that runs on embedded devices in the field or in the cloud to identify threats to distributed energy equipment in real-time. This enables grid operators and asset owners to quickly mitigate the attack's impact and duration using autonomous or human-in-the-loop mechanisms.