Powering Up Risk: Inverters Vulnerable to Cybersecurity Threats Through Software
Advanced cloud-based monitoring software integrated into modern inverters enables users to remotely oversee power production and overall energy usage. Unfortunately, like numerous internet-connected (IoT) devices, these systems are vulnerable to cybersecurity breaches. Various regulatory authorities have cautioned about potential cybersecurity risks associated with the pre-installed software found in imported inverters. The recent restrictions and potential bans on Huawei’s 5G infrastructure across Europe could have repercussions on the Western solar industry, given Huawei’s dominant position in the solar market. This article aims to illuminate the cybersecurity issues and their possible repercussions on the future of renewable energy and individual privacy, and to suggest strategies to alleviate these risks.
So what exactly is an inverter? A solar inverter is a crucial component in a solar system, responsible for converting direct current (DC) from solar panels into alternating current (AC) suitable for powering the electronic devices in your home or business. It serves as the central control unit for a solar setup. The inverter, paired with an Internet connection, gives you the ability to control and monitor how the system functions and to view your solar generation as well as usage. Now, this is where things become somewhat alarming.
According to an article by Canary Media, China is responsible for over 80% of the solar PV technology currently supplied worldwide, and Europe is its biggest customer. This means that most solar panels and inverters are manufactured in China, and therefore some may use Chinese-based cloud software. One popular company, Huawei, which very rapidly became the biggest player in the solar industry, provides Tier 1 solar solutions globally and seems to be popular in Europe. While their products have received great ratings across the globe, they have come under scrutiny from Western governments for alleged cybersecurity risks associated with their equipment.
This has led to bans on, as well as curbing of, Huawei 5G equipment throughout Europe. An article published by Reuters on the 29th of September 2023 shared the latest update on the sentiment going forward, stating that “Germany last week became the latest European country to propose restrictions or bans on the use of equipment made by China’s Huawei (HWT.UL) and ZTE (000063.SZ), citing security concerns”.
The European Union’s chief of industry has also urged more countries to work together on further restricting the use of any Huawei or ZTE equipment via their mobile operators.
The countries that have issued bans or restrictions are:
Britain, Estonia, Denmark, France, Germany, Italy, Latvia, Lithuania, Portugal, Romania, Sweden
Additionally, an article by Reuters stated that major mobile operators in Portugal, including Altice, NOS, and Vodafone, have announced their intentions to discontinue the use of Huawei products in their 5G infrastructure due to concerns raised by European and U.S. authorities about cybersecurity threats. Huawei, however, has refuted all allegations of posing cybersecurity risks, and no concrete evidence has been presented to substantiate such claims. The legal dispute is ongoing, and the timing of any official agreement or ban remains uncertain. If Huawei were to be excluded from the Western market, it could have repercussions for current Huawei product owners. It’s worth noting that a comprehensive ban on Huawei or its services in Europe has not been formally declared. Still, it must be noted that recent developments suggest a strong inclination in the West toward such a ban.
So what is all this fuss about cyber-security?
In the past, there was no concern regarding inverters since they weren’t connected to the Internet, and it did not matter where an electronic device was made. However, in today’s era where almost every device is connected to the Internet, inverters have emerged as a significant cybersecurity risk. This is especially true as an increasing number of households and businesses are adopting smart solar systems to power their premises. What’s worrisome is that the majority of these smart inverters are imported, primarily from China, and they often come with Chinese-based software that is protected by Chinese laws.
The widespread installation of solar systems worldwide brings with it the potential for unsafe and unverified software to be integrated. This situation poses a substantial threat to the national security of countries that have these systems integrated into their power grids. An inverter that is connected to the grid in parallel, using the grid as a backup, can potentially be hacked into via its software portal and have its functions altered, causing catastrophic power disruptions if enough such inverters are interconnected within a region.
As per a report in pv-magazine, a Dutch hacker successfully infiltrated an inverter connected to Solarman, a solar monitoring software tool owned by a Chinese company. This breach allowed the hacker to circumvent security protocols, gaining access to sensitive data of Dutch users associated with the Solarman app, including their electricity data and GPS coordinates. Moreover, the hacker could manipulate the client list at will and make changes to the inverter software. According to the company, this has since been patched. However, what it tells us is that inverters can be hacked and that we need to shift attention to ensuring that sufficient security and auditing of the various software portals are in place.
Multiple nations are seeing the emerging threat posed by the ongoing mass installation of internet-connected inverters using software built and operated by foreign countries. That is because the software or cloud-based server is run by a centralized entity, under its government’s rules, meaning that there may be future privacy concerns if an unfriendly nation manages to get control of that system to launch cyber attacks. Australia is one country where ongoing installations have been a cause of concern for officials. According to an article by Australian Cyber Security Magazine, the shadow minister for cybersecurity in Australia, Senator James Paterson, is warning the nation of the increased risk of the weaponization of solar inverters by “unfriendly nation-states”. According to his statements, over 58% of inverters connected to the internet across Australia come from China.
Furthermore, the concern is that these companies are subject to “China’s national intelligence laws and can be compelled to assist the work of Chinese intelligence agencies.” This essentially gives another country access to user data without consent, as well as the ability to destabilize a network and potentially the entire electric grid via the software, with no possibility of intervention. He believes that if enough inverters are connected to the grid, they can be used to launch malicious cyber attacks, with the potential of causing damage to the grid throughout the country.
The Cybersecurity Cooperative Research Center published a highly informative web document that cites Article 7 of China’s controversial “Intelligence Law”, which states that “Any organisation and citizen shall, in accordance with the law, support, provide assistance, and cooperate in national intelligence work, and guard the secrecy of any national intelligence work that they are aware of. The state shall protect individuals and organisations that support, cooperate with, and collaborate in national intelligence work”.
Should we be alarmed or instead focus on solutions?
Excessive reliance on Chinese-manufactured electronics isn’t the primary concern. The real issue arises when these devices are bundled with software governed by Chinese data protection laws, which may potentially be a cyber threat depending on how one interprets the laws. To safeguard IoT devices, in this case inverter software portals, a universal shift to decentralized software is imperative.
By decentralizing inverter software, we gain autonomy from centralized entities. Integrated cloud-based software governance should be open and audited globally to defend against cyber threats. That way, there are no grey areas and we would have more peace of mind when it comes to having any Internet-connected electronic devices within our homes.
Additionally, countries have the opportunity to enhance the resilience of their solar product supply chains by expanding domestic manufacturing and reducing dependence on foreign sources. This strategy not only promotes local businesses but also aligns with the goals of national intelligence agencies, facilitating consumer protection through streamlined auditing capabilities.
Nonetheless, this doesn’t address the core issue, as it maintains a centralized model, granting complete data control to a single entity. Achieving software decentralization and its associated security would represent genuine progress for the industry as a whole.
At Solar2Power, we specialize in Tier 1 solar solutions, featuring inverters from renowned European companies such as SMA, Kostal, and Fronius. Although these products may come at a slightly higher premium compared to imported inverters, they offer the assurance of audited and regularly updated software in accordance with European laws. That means consumers are more protected under their own nations’ data laws, and if any breaches were to occur, consumers can claim damages more easily.
Disclaimer: We strive to provide accurate and up-to-date information, but we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability concerning the information, products, services, or related graphics in this blog post. Any reliance you place on such information is strictly at your own risk.
References
BELLINI, E. (2022) Dutch agency investigates cybersecurity of PV inverters after hack, pv-magazine. Available at: https://www.pv-magazine.com/2022/09/06/dutch-agency-investigates-cybersecurity-of-pv-inverters-after-hack/ (Accessed: 26 October 2023).
Goncalves, S. (2023) Portugal’s telecom watchdog working with operators to Bar Huawei, Reuters. Available at: https://www.reuters.com/business/media-telecom/portugals-telecom-watchdog-working-with-operators-bar-huawei-2023-09-18/ (Accessed: 26 October 2023).
Reuters (2023) European countries who put curbs on Huawei 5G equipment, Reuters. Available at: https://www.reuters.com/technology/european-countries-who-put-curbs-huawei-5g-equipment-2023-09-28/ (Accessed: 26 October 2023).
ACSM_Editor (2023a) Cyber vulnerabilities identified in Australia’s rooftop solar systems, Australian Cyber Security Magazine. Available at: https://australiancybersecuritymagazine.com.au/cyber-vulnerabilities-identified-in-australias-rooftop-solar-systems/ (Accessed: 26 October 2023).
Falk, R. and Brown, A.-L. (2023) POWER OUT? SOLAR INVERTERS AND THE SILENT CYBER THREAT, cybersecuritycrc. Available at: https://cybersecuritycrc.org.au/sites/default/files/2023-08/3320_cscrc_powerout_art_web.pdf (Accessed: 26 October 2023).
Decode39 (2022) How Chinese green tech could render EU vulnerable to cyberattacks, Decode39. Available at: https://decode39.com/4936/china-solar-pv-eu-cyber-attacks/ (Accessed: 26 October 2023).
Wesoff, E. and Olano, M.V. (2023) Chart: China’s solar export dominance grows with surging European…, Canary Media. Available at: https://www.canarymedia.com/articles/solar/chart-chinas-solar-export-dominance-grows-with-surging-european-orders (Accessed: 26 October 2023).