New documents reveal that the US government found only two cases of communications in Chinese inverters that differed from official documentation. The discrepancies were deemed “non-malicious” and “non-intentional” by investigators.
A US government analysis of Chinese-made inverters found “no definitive evidence” of malicious wireless functions, a report finds pv magazine research into the scope of wireless communication in inverters and the risks they entail.
The US Department of Energy (DOE) shared its analysis with energy industry partners following media reports pointing to the presence of undocumented wireless communications in Chinese-made inverters, which was first broken by Reuters in May 2025.
The DOE National Laboratories inspected “approximately 30 inverters” and found two instances where the observed communications differed from official documentation, but these were deemed “non-malicious” and “non-intentional.”
In its analysis, the DOE noted that as-built documentation often shows only enabled communications functions, meaning inverter owners and operators should verify the communications protocols on their device and disable those that are not needed. The analysis shows that manufacturers may retain access for warranty or security purposes, but this is often specified in contract terms “as required.”
The DOE did warn that supply chain threats remain, and that the “complexity of inverter supply chains” could create opportunities for cybersecurity breaches and malicious components. The department noted that undocumented or implanted communications in a single inverter are “unlikely” to have a network-wide impact, but that coordinated tampering across multiple locations could have greater effects, although such an attack would be more difficult to carry out.
Managing supply chain risk was described by the DOE as a responsibility shared by engineers, manufacturers, integrators, service providers and system operators. The department highlighted the Supply Chain Cybersecurity Principles for suppliers and suggested that operators adopt them for security and resilience activities.
DOE risk management recommendations for dealing with undocumented wireless communications in inverters include taking a tiered approach for components manufactured in countries considered “foreign entities of concern.” These are tiered based on whether there are concerns about foreign ownership, control and influence among the manufacturers and integrators involved in the production and installation of the inverters. Mitigation strategies for the US industry put forward by the DOE include conducting detailed firmware analyzes and using US-based companies to perform operations and maintenance work.
In the article published in May, Reuters reported that U.S. energy officials were reassessing the risk from Chinese-made devices, citing two unnamed sources. The number of devices examined was not disclosed. Reuters also claimed that a source revealed that undocumented communications equipment had been found in some batteries from multiple Chinese suppliers.
A few days later, European trade body SolarPower Europe urged the European Union to introduce strict cybersecurity rules for solar infrastructure, following findings of undocumented components in energy equipment imported into Denmark.
In early June, Danish trade group Green Power Denmark ruled out any link between suspicious components found in local energy equipment and reports of compromised solar inverters in the United States, limiting the scope of an ongoing cybersecurity investigation. Green Power Denmark said the investigation into the incident concerns a broader energy supply technology, and not the solar energy sector.
This content is copyrighted and may not be reused. If you would like to collaborate with us and reuse some of our content, please contact: editors@pv-magazine.com.
