Charalambos Konstantinou, associate professor and principal investigator of the SENTRY Lab at KAUST in Saudi Arabia, has spent years simulating attacks on solar inverters and developing methods to detect them. His lab’s work is one layer below the monitoring system compromises that have made headlines: the firmware itself, the code that determines how much power an inverter injects into the grid and at what phase.
“The message is that this firmware-level detection on solar inverters is technically feasible,” Konstantinou told pv magazine. “What’s missing isn’t the science. It’s just a connecting tissue between the inverters and the operators.”
The threat environment surrounding inverter-connected systems has become more concrete. In 2024, approximately 800 Contec solar monitoring devices were compromised in Japan through a known vulnerability, giving attackers unauthorized access. The same year, attackers accessed monitoring dashboards of 22 critical infrastructure customers of Lithuanian energy company Ignitis Group, according to trade press reports.
In 2025, Vedere Labs from security company Forescout revealed 46 vulnerabilities in inverters from Sungrow, Growatt and SMA. The advisory warned that exploitation could allow attackers to manipulate device functionality. All three cases involved monitoring or communication layers rather than direct firmware modification.
Konstantinou’s group uses hardware performance counters (HPCs), originally designed for software performance analysis, to determine what legitimate inverter firmware is doing at the chip level and to detect whether it behaves as expected. Unlike signature-based antivirus programs, this approach does not require a database of known threats. Previous research achieved a detection accuracy of 97% on a commercial solar microinverter. “Later on we had another work showing that this can go up to 100% with just a single counter,” Konstantinou said.
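The baseline-and-deviation idea behind that kind of detection, as an added example that is not the SENTRY Lab’s code: it profiles the per-counter mean and spread of known-good firmware over several control periods, flags a period whose counters drift beyond three standard deviations, and ranks which single counter separates tampered runs best. The counter names, sample values and threshold are constructed assumptions.

```python
# Added example, not code from the SENTRY Lab or the article: a baseline-and-deviation
# detector over hardware performance counter (HPC) samples taken once per control period.
# Counter names, the sample values and the 3-sigma threshold are constructed assumptions.
from dataclasses import dataclass
from statistics import mean, pstdev

COUNTERS = ("instructions", "branches", "cache_misses", "cycles")

# Constructed profile of known-good firmware: one dict per control period.
GOOD_SAMPLES = [
    {"instructions": 12000, "branches": 1500, "cache_misses": 40, "cycles": 20000},
    {"instructions": 12010, "branches": 1504, "cache_misses": 42, "cycles": 20030},
    {"instructions": 11990, "branches": 1496, "cache_misses": 38, "cycles": 19970},
    {"instructions": 12020, "branches": 1508, "cache_misses": 44, "cycles": 20060},
    {"instructions": 11980, "branches": 1492, "cache_misses": 36, "cycles": 19940},
    {"instructions": 12000, "branches": 1500, "cache_misses": 40, "cycles": 20000},
]
# Constructed sample from firmware with an added code path: more work, more misses.
TAMPERED_SAMPLE = {"instructions": 13500, "branches": 1700, "cache_misses": 120, "cycles": 22500}

@dataclass
class Baseline:
    mu: dict
    sigma: dict
    threshold: float  # in standard deviations

def fit_baseline(samples, k=3.0):
    """Per-counter mean and standard deviation of the legitimate firmware."""
    mu = {c: mean(s[c] for s in samples) for c in COUNTERS}
    # A counter that never varies gets sigma=1 so any change in it stays visible.
    sigma = {c: pstdev(s[c] for s in samples) or 1.0 for c in COUNTERS}
    return Baseline(mu, sigma, k)

def z_scores(b, sample):
    """Distance of one period's counters from the profile, per counter."""
    return {c: abs(sample[c] - b.mu[c]) / b.sigma[c] for c in COUNTERS}

def is_anomalous(b, sample):
    """Flag the period if any counter is beyond the threshold; no signature database needed."""
    return max(z_scores(b, sample).values()) > b.threshold

def rank_counters(b, tampered_samples):
    """Counters ordered by how strongly they separate tampered from legitimate runs;
    the first one is the candidate for single-counter detection."""
    sep = {c: mean(z_scores(b, s)[c] for s in tampered_samples) for c in COUNTERS}
    return sorted(COUNTERS, key=sep.get, reverse=True)

if __name__ == "__main__":
    base = fit_baseline(GOOD_SAMPLES)
    print("tampered flagged:", is_anomalous(base, TAMPERED_SAMPLE))
    print("best single counter:", rank_counters(base, [TAMPERED_SAMPLE])[0])
```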
The conceptual line of the approach is based in adjacent industries. Konstantinou said DARPA had an early program called Radix that proposed the underlying idea, Intel produced it in 2021 as Threat Detection Technology, and Microsoft Defender included it for ransomware detection.
“The template exists,” he said. Applying it to solar inverters is more difficult on two fronts. Inverters are embedded microcontrollers, not general purpose computers, and may not have built-in performance counters. His lab has proposed purpose-built counters derived from the firmware itself to address silicon limitations. The deeper obstacle is structural.
“The owner of the inverter, whether a utility or an independent power producer, has no way of seeing this signal coming out of the inverter, even if it is calculated,” Konstantinou said. “Because the standards we use today do not include this firmware integrity check.”
Konstantinou described the inverter’s attack surface across four layers. The first is the communication protocol. He said that when IEEE 1547 was updated in 2018, “it had a mandatory policy that inverters expose network support functions via a protocol called SunSpec Modbus.” Konstantinou’s group has published research in IEEE Transactions on Industrial Informatics that demonstrates how an attacker can access this protocol, shift register values, and push an inverter outside its intended control mode. “By changing these control modes you can do the opposite and make the situation worse,” he said.
Sandia National Laboratories has separately documented that SunSpec Modbus has no over-the-wire encryption, node authentication, or key management, and that the protocol is a generally accepted interoperability profile rather than a normative requirement of IEEE 1547.
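Because the protocol carries no authentication, the source host and the register address are the only facts the wire offers an operator. As an added example that is not code from the article, SunSpec or Sandia, the passive monitor below decodes Modbus/TCP requests and reports register writes that reach a protected register window from a host other than the plant controller. The trusted host, the register window and the captured frames are constructed assumptions.

```python
# Added example, not code from the article or from SunSpec: a passive monitor that decodes
# Modbus/TCP requests and flags register writes from hosts the operator does not expect.
# The trusted host, the protected register window and the captured frames are constructed.
import struct
from collections import namedtuple

WRITE_SINGLE, WRITE_MULTIPLE = 0x06, 0x10
TRUSTED_WRITERS = {"10.0.5.2"}             # assumed plant controller allowed to set points
PROTECTED_REGISTERS = range(40000, 40200)  # assumed window holding control-mode registers

ModbusRequest = namedtuple("ModbusRequest", "src unit function address quantity")

def parse_request(src, frame):
    """Decode the MBAP header and the leading fields of one Modbus/TCP request PDU."""
    if len(frame) < 10:
        raise ValueError("frame too short for MBAP header, function code and address")
    _txn, proto, length, unit, func, address = struct.unpack(">HHHBBH", frame[:10])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("inconsistent MBAP header")
    if func == WRITE_SINGLE:
        quantity = 1
    elif func in (WRITE_MULTIPLE, 0x03, 0x04):  # write multiple / read holding / read input
        quantity, = struct.unpack(">H", frame[10:12])
    else:
        quantity = 0
    return ModbusRequest(src, unit, func, address, quantity)

def audit(requests):
    """One finding per write touching protected registers from an untrusted host."""
    findings = []
    for r in requests:
        if r.function not in (WRITE_SINGLE, WRITE_MULTIPLE):
            continue
        touched = range(r.address, r.address + r.quantity)
        if r.src not in TRUSTED_WRITERS and any(a in PROTECTED_REGISTERS for a in touched):
            findings.append(f"{r.src} wrote {r.quantity} register(s) at {r.address} (unit {r.unit})")
    return findings

# Constructed capture: a read, a legitimate setpoint write, then a write from a stray host.
CAPTURE = [
    ("10.0.5.2", bytes.fromhex("000100000006" "01" "03" "9c40" "0002")),
    ("10.0.5.2", bytes.fromhex("000200000006" "01" "06" "9c50" "0001")),
    ("10.0.9.77", bytes.fromhex("000300000009" "01" "10" "9c50" "0001" "02" "0003")),
]

def audit_capture(capture=CAPTURE):
    """Run the audit over a list of (source host, raw frame) pairs."""
    return audit(parse_request(src, frame) for src, frame in capture)
```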
The second layer is the phase-locked loop, the algorithm that gives the inverter its operational reference. “If you can manipulate the PLL, you can manipulate the whole sense of, let’s say, the reality of the inverter,” Konstantinou said. The third is the injection of spurious sensor data, which distorts the voltage measurements at the point of common coupling, affecting the entire reference frame of the inverter. The fourth, and most difficult to detect without HPC-based methods, is the modification of the firmware itself.
Scale is what turns individual compromises into systemic events. “A compromise with one inverter might cause some economic damage or maybe some local power quality issues,” Konstantinou said. “It gets interesting when the trade-off is, say, 5% or 10% of the feeder capacity, where you start to see voltage violations.” A coordinated attack on a manufacturer’s installation base, he added, is where system stability events become possible.
The regulatory picture is incomplete. NIS2, whose transposition deadline in all EU member states was October 2024 – with enforcement subject to national implementation – imposes obligations on major solar operators, independent power producers and aggregators to manage cybersecurity risks for both IT and operational technology. Konstantinou said NIS2 alone is insufficient.
“NIS2 on its own cannot fulfill the purpose of controlling and securing things,” he said. “But I don’t think it was ever designed to stand alone.” The EU’s Cyber Resilience Act focuses on the production side. Konstantinou said the law “will not apply until the end of next year.”
Regulation (EU) 2024/2847 sets requirements for vulnerability reporting from September 2026 and full enforcement from December 2027. “It is a shared responsibility between manufacturers, legislation, policy, operators and utilities,” said Konstantinou. “The question is about enforcement.”
Supplier disclosure remains an immediate gap. “Some suppliers have good disclosure procedures, but others are very difficult to reach,” Konstantinou said. He noted that many people who have identified vulnerabilities in inverters have not been able to reach manufacturers to report them. Globalization limits enforcement. “Maybe the EU is able to do that, the US or any other countries or regions, but it is very difficult to enforce a universal standard,” he said.
“The evidence is there,” Konstantinou said. “I think it’s a matter of taking action to integrate these firmware validation checks as part of the communications standards that exist today.”
Whether that happens, he said, is a policy and commercial question rather than a scientific one.
