In an interview with pv magazine, Jay Johnson, the CTO of US cybersecurity company DERSec, explains that PV systems face cybersecurity risks that extend far beyond inverters, as evidenced by a December attack on Polish solar power plants, where wiper malware targeted substation equipment rather than the inverters themselves. Vulnerabilities often lie in backhaul communication channels such as APIs and mobile apps, making layered defenses, network segmentation and vigilant monitoring essential to protect distributed energy resources.
While solar inverters are widely believed to be the main target of cyber attacks, the threat landscape for solar PV systems extends far beyond these devices, as evidenced by the cyber attack on several solar power plants in Poland in late December.
“Attackers often target the broader ecosystem of distributed energy resources, not just individual devices,” Jay Johnson, the Chief Technology Officer (CTO) of US cybersecurity company DER Security Corp (DERSec), told pv magazine. “30 renewable energy sites were affected and, surprisingly, the inverters were left untouched. Instead, attackers deployed wiper malware against substation equipment, affecting operations at the interface between the generation sites and the grid. While the incident did not cause widespread power outages, it underscored the multiple ways in which PV systems can be disrupted.”
Historical data on attacks on solar infrastructure and vulnerabilities indicates that inverters remain a potential target, but vulnerabilities often lie in solar monitors, application programming interfaces (APIs) and mobile applications that communicate with the equipment. These backhaul communication channels, such as Secure Shell (SSH), File Transfer Protocol (FTP), Message Queuing Telemetry Transport (MQTT), Representational State Transfer application programming interfaces (REST APIs), or Hypertext Transfer Protocol Secure (HTTPS) interfaces, enable firmware updates and real-time monitoring, but can also serve as an entry point for attackers.
These communication platforms allow operators to perform firmware updates and monitor system performance. It is also typically how the homeowner or asset owner accesses solar production data over time. They do not use the standardized communications interface for this purpose, as that interface is generally intended for interactions with utilities. “Instead, the API or other backhaul communication channels provide production data throughout the day and feed the mobile applications that show users how their systems are performing,” Johnson explains. “These channels effectively act as a backdoor on many devices, and both interfaces raise obvious cybersecurity concerns.”
Remotely manipulating solar inverters isn’t just a matter of high-tech espionage. With standardized communications protocols such as IEEE 1547, IEEE 2030.5, DNP3 and SunSpec Modbus, any device connected to an operational technology (OT) network can be manipulated with relatively simple tools. “Even cutting a fence at a solar site and plugging in a laptop could allow an attacker to communicate with inverters, making network security a critical concern,” Johnson pointed out.
Standards and manuals such as IEC 62443, NIS2 and IEEE 1547.3 include security features, but these are not globally mandatory and often cover only a small portion of the cybersecurity controls needed to protect generation systems. Many deployed Distributed Energy Resources (DER) assets have unencrypted interfaces, weak authentication and authorization controls, and other vulnerabilities that allow remote code execution or arbitrary firmware updates. “While local access to DER devices is generally possible, the greater risk is gaining access to cloud portals or APIs that allow bulk updates or changes to millions of devices simultaneously,” Johnson warned. “In those cases, an adversary can have a significant impact on power operations in energy systems around the world.”
While this hasn’t happened yet, chaining multiple public exploits together could allow an attacker to compromise cloud management portals and then push firmware or settings updates to hundreds of thousands of internet-connected DER devices. To mitigate these risks, PV system owners can implement several layers of protection. Standard best practices include least privilege access, network segmentation, avoiding unnecessary Internet exposure, and ensuring authentication and authorization for all communications interfaces. Firewalls, encrypted protocols and secure remote access points help reduce the attack surface, even for small rooftop systems.
Johnson also notes that more advanced sensing systems can monitor inverter behavior and compare it to expected operational limits and digital twins. Abnormal deviations, such as unexpected power set points or inconsistent reactive power output, can indicate a potential cyber incident.
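The kind of check described above can be sketched as follows. This is an added example, not DERSec's or the article's code: the volt-var curve stands in for a digital twin, and the curve points, tolerance, field names and telemetry samples are all constructed assumptions.

```python
from bisect import bisect_right

# Illustrative volt-var curve (assumed, not from the article):
# (voltage in per-unit, expected reactive power in % of rating).
VOLT_VAR_CURVE = [(0.92, 44.0), (0.98, 0.0), (1.02, 0.0), (1.08, -44.0)]
Q_TOLERANCE_PCT = 5.0        # assumed allowed gap between model and measurement
P_LIMIT_PCT = (0.0, 100.0)   # assumed valid range for the active power set point

# Constructed inputs: set points the operator actually commanded, and telemetry.
AUTHORIZED = {100.0, 80.0}
TELEMETRY = [
    {"ts": "t0", "v_pu": 1.00, "p_setpoint_pct": 100.0, "q_pct": 0.5},
    {"ts": "t1", "v_pu": 1.05, "p_setpoint_pct": 80.0, "q_pct": -21.0},
    {"ts": "t2", "v_pu": 1.00, "p_setpoint_pct": 0.0, "q_pct": 0.0},
    {"ts": "t3", "v_pu": 1.00, "p_setpoint_pct": 100.0, "q_pct": 40.0},
]


def expected_q(v_pu):
    """Model output: linear interpolation on the curve, clamped at both ends."""
    xs = [v for v, _ in VOLT_VAR_CURVE]
    if v_pu <= xs[0]:
        return VOLT_VAR_CURVE[0][1]
    if v_pu >= xs[-1]:
        return VOLT_VAR_CURVE[-1][1]
    i = bisect_right(xs, v_pu)
    (v0, q0), (v1, q1) = VOLT_VAR_CURVE[i - 1], VOLT_VAR_CURVE[i]
    return q0 + (q1 - q0) * (v_pu - v0) / (v1 - v0)


def check_sample(sample, authorized):
    """Return the anomaly labels raised by one telemetry sample."""
    alerts = []
    sp = sample["p_setpoint_pct"]
    if not P_LIMIT_PCT[0] <= sp <= P_LIMIT_PCT[1]:
        alerts.append("setpoint_out_of_range")
    if sp not in authorized:
        alerts.append("unexpected_setpoint")
    if abs(sample["q_pct"] - expected_q(sample["v_pu"])) > Q_TOLERANCE_PCT:
        alerts.append("reactive_power_mismatch")
    return alerts


def scan(telemetry, authorized):
    """Map timestamp -> alerts, keeping only samples that raised something."""
    flagged = {s["ts"]: check_sample(s, authorized) for s in telemetry}
    return {ts: alerts for ts, alerts in flagged.items() if alerts}
```

Calling `scan(TELEMETRY, AUTHORIZED)` flags the curtailment to zero that no operator commanded (t2) and the reactive power reading that does not match the modelled response at nominal voltage (t3).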
According to the cybersecurity expert, the potential consequences of a compromised inverter go beyond just data theft. Simple attacks involving active or reactive power manipulation can cause local power outages, while firmware manipulation can change switching behavior in microinverters or large devices, creating harmonic distortions or DC offsets that physically stress transformers and other network infrastructure. Such attacks, even though technically complex, can accelerate equipment wear and tear, increase the likelihood of failure and require costly hardware replacement.
While discussions about inverters often focus on geopolitics, Johnson warns of theoretical risks. In war scenarios, companies with high penetration into an energy system may be pressured to act in ways that affect the stability of the electricity grid. From a technical point of view, it is possible to remotely switch off connected inverters, regardless of the country of origin. However, he emphasizes that the main incentive for manufacturers is to maintain safe and reliable operation, and that malicious interventions remain unlikely outside of extreme circumstances.
Johnson concludes with a warning against sensationalism. While solar PV systems face real cybersecurity threats, he encourages measured awareness rather than fear. “There are a lot of risks here, but it is not productive to promote fear, uncertainty and doubt,” he said. “Practical, layered defenses and vigilant surveillance remain the best strategy to protect distributed energy resources from increasingly sophisticated threats.”
DERSec sells intrusion detection software that runs on embedded devices in the field or in the cloud to identify threats to distributed energy equipment in real time. This allows grid operators and asset owners to quickly limit the impact and duration of the attack using autonomous or human-in-the-loop mechanisms.
