eandt.theiet.org

Cyber-security flaws found in solar panels could enable targeted energy grid attacks

**Major cyber-security holes have been found in technology made by some leading solar panel brands, raising the risk of targeted blackouts due to remote attacks on the energy grid.**

While individual residential solar systems only produce limited power, their combined output can reach dozens of gigawatts – making their collective impact on grid reliability too significant to ignore.

In a new report, software company Forescout has identified vulnerabilities in products from three leading solar power system manufacturers: Sungrow, Growatt and SMA. The most affected components are solar monitors, which let owners track and manage the performance of solar panels in real time.

Other vulnerabilities were detected in cloud backends and sometimes solar inverters directly, which convert the DC electricity generated by solar panels into AC.

Forescout also said there were “growing concerns” over the dominance of foreign-made solar power components, which risks targeted state-led attacks.

China alone is responsible for manufacturing 53% of solar inverters, 58% of storage systems and 20% of monitoring systems. The second and third most common countries of origin for components are India and the US.

The report analysed six of the top 10 vendors of solar power systems worldwide: Huawei, Ginlong Solis, Growatt, Sungrow, GoodWe and SMA. It found 46 new vulnerabilities affecting different components made by three of them: Sungrow, Growatt and SMA.

While the vulnerabilities were disclosed to their manufacturers and security patches implemented, they would have allowed attackers to take full control of an entire fleet of solar power inverters via two scenarios.

Once in control of these inverters, attackers can tamper with their power output settings or switch them off and on in a coordinated manner as a botnet. Combined, the hijacked inverters can have a large effect on power generation in a grid.

Previous research showed that control over just 4.5GW on the European grid would force load shedding – a process by which controlled blackouts are instigated to maintain grid stability. Since current solar capacity in Europe is around 270GW, it would require attackers to control less than 2% of inverters in a market that is dominated by Huawei, Sungrow and SMA.

Forescout recommended that photovoltaic inverters in residential, commercial and industrial installations are treated as critical infrastructure, which would necessitate strict cyber-security protocols.
