Solar Energy News
What are man-in-the-middle attacks and how do they work – SPE

By solarenergy, April 14, 2026

Man-in-the-middle (MITM) attacks are a class of cyber threat that targets a wide range of digital and cyber-physical systems in which two parties communicate over a network, especially when that communication is not strongly authenticated or encrypted.

In these attacks, an attacker intercepts communications between a sender and a receiver by splitting the original channel into two: one between the sender and the attacker, and another between the attacker and the receiver. As a result, the recipient does not have direct access to messages from the sender.

MITM attacks can also target PV systems and solar power plants connected to the grid, allowing attackers to intercept, alter or disrupt communications between controllers, inverters and monitoring systems, potentially leading to operational disruptions.

These attacks can also physically damage inverters, transformers or panels and accelerate equipment wear and tear. Furthermore, they can lead to significant financial losses due to reduced energy production and expensive repairs, while also posing safety risks to personnel. In addition, stakeholders may lose confidence in the system and operators may face legal sanctions for non-compliance.

Overall, such attacks combine operational, physical, financial and cybersecurity risks, leaving grid-connected solar power plants vulnerable.

“A simple way to think about it is that the attacker becomes an invisible intermediary. For a solar operator, imagine that an O&M sends a software update command to a facility. The local SCADA appears to acknowledge that it has been received and executed, but in reality the intermediary never delivers the command. Things can also get worse if the legitimate command is replaced with a malicious command sent to the inverters,” Uri Sadot, Managing Director of SolarDefend and Chair of the Digitalization Workstream of SolarPower Europe, told pv magazine.

Operational modes

MITM attacks can operate in eavesdropping mode and silently capture sensitive data such as control commands, system configurations, and performance metrics without alerting operators. Alternatively, they can function in intercept or modify mode, where the attacker not only monitors but also modifies communications, injecting false information or commands that can fool automated systems or human operators. In smart grids, this dual capability allows attackers to manipulate energy flows, cause unnecessary shutdowns or mask faults, increasing operational, financial and security consequences.

For PV systems, a MITM attack typically starts with the attacker positioning themselves between critical components, such as inverters, the SCADA system or the monitoring platform. This is usually accomplished by accessing the plant network through a router, Wi-Fi connection, or maintenance connection. Once in place, the attacker redirects communications so that data flows through their device rather than directly between systems. Common techniques in local PV networks include ARP spoofing and gateway impersonation. In ARP spoofing, the attacker sends spoofed network messages to trick devices into believing they are communicating with the legitimate gateway, thereby redirecting traffic to the attacker. In gateway impersonation, the attacker poses as the network router so that all communications pass through the attacker’s system.

Once in this position, the attacker can begin monitoring or modifying power data and control commands, while analyzing communication patterns and identifying sensitive information. At this stage the attack is usually passive before moving to active manipulation. In the next phase, the attacker can actively manipulate traffic, modify data, inject fake commands, or block legitimate messages, thereby controlling or disrupting system behavior. Finally, the attacker can exploit the system to achieve goals such as disruption or data theft.

“A good example of such a disruption occurred in Denmark, in the spring of 2023,” says Sadot. “Within a few days, nearly two dozen solar power plants and other energy sources all fell victim to an attack. The attackers discovered a common vulnerability in the firewall devices protecting these sites and managed to penetrate their internal networks.”

Once inside, the attackers significantly disrupted the facilities’ operations, Danish cybersecurity center SectorCERT reported. “No one likes to talk about it, but these types of attacks happen all the time. While some countries and companies take the high road and openly disclose cyber incidents, the vast majority choose not to report them,” Sadot added.

Defense

A possible defense against MITM attacks in PV systems is to implement encrypted communications, robust authentication protocols, and continuous monitoring for unusual traffic or unauthorized devices. When these measures are in place, traditional tools such as firewalls, which newer MITM attacks can easily bypass, become more effective as part of a setup that segments and controls network traffic, enforces strong authentication and access controls, encrypts all communications between components, and continuously monitors the network for unusual or unauthorized activity.
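As an illustration of what message authentication buys in the scenario Sadot describes (a command silently dropped or replaced while an acknowledgment still comes back), the following added example is not from the article or any vendor protocol. It assumes a pre-shared key between operator and inverter; the message format and all names are hypothetical.

```python
import hashlib
import hmac
import json

def seal(key, direction, seq, body):
    """Serialize a message and attach an HMAC-SHA256 tag over direction, sequence and body."""
    payload = json.dumps({"dir": direction, "seq": seq, "body": body}, sort_keys=True).encode()
    return payload, hmac.new(key, payload, hashlib.sha256).digest()

def open_sealed(key, direction, payload, tag):
    """Return the decoded message if the tag and direction check out, else None."""
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None                                    # altered in transit or forged without the key
    msg = json.loads(payload)
    return msg if msg["dir"] == direction else None    # a command cannot be reflected as an ack

class Inverter:
    def __init__(self, key):
        self.key, self.last_seq, self.executed = key, 0, []

    def handle(self, payload, tag):
        msg = open_sealed(self.key, "cmd", payload, tag)
        if msg is None or msg["seq"] <= self.last_seq:   # reject tampering and replays
            return None
        self.last_seq = msg["seq"]
        self.executed.append(msg["body"])
        digest = hashlib.sha256(payload).hexdigest()     # binds the ack to this exact command
        return seal(self.key, "ack", msg["seq"], {"cmd_sha256": digest})

def ack_is_genuine(key, sent_payload, ack):
    """Operator side: accept only an ack the device produced for the command actually sent."""
    msg = open_sealed(key, "ack", *ack) if ack else None
    want = hashlib.sha256(sent_payload).hexdigest()
    return msg is not None and msg["body"]["cmd_sha256"] == want

KEY = b"constructed-demo-key"   # constructed value; real keys come from device provisioning

def run_demo():
    dev = Inverter(KEY)
    cmd1 = seal(KEY, "cmd", 1, {"op": "set_power_limit", "percent": 80})
    ack1 = dev.handle(*cmd1)
    cmd2 = seal(KEY, "cmd", 2, {"op": "set_power_limit", "percent": 60})
    tampered = cmd2[0].replace(b"60", b"0")              # intermediary rewrites the setpoint
    return {
        "genuine_ack": ack_is_genuine(KEY, cmd1[0], ack1),
        "replayed_command_rejected": dev.handle(*cmd1) is None,
        "modified_command_rejected": dev.handle(tampered, cmd2[1]) is None,
        "old_ack_accepted_for_dropped_command": ack_is_genuine(KEY, cmd2[0], ack1),
    }
```

An HMAC gives integrity and origin authentication only; confidentiality against the eavesdropping mode still requires encryption such as TLS.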

Standard network segmentation can also help protect PV systems from MITM attacks by isolating critical components such as inverters, SCADA systems and monitoring platforms into separate zones. This limits the spread of an attack if one segment is compromised. However, essential communications often still cross segments, creating opportunities for MITM attacks. Without encryption, strong authentication, and continuous monitoring, attackers can intercept or manipulate traffic within a segment.

Intrusion detection systems (IDSs) can also help detect MITM attacks in PV systems by monitoring network traffic for unusual patterns or protocol anomalies. They provide early warnings when communications are intercepted or altered and can identify issues such as duplicate ARP responses or unexpected routing changes. However, they cannot prevent attacks on their own, especially if the traffic is encrypted or the IDS is not aligned with PV protocols. For best results, an IDS should be combined with encryption, strong authentication and network segmentation as part of a layered defense.
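The ARP checks mentioned above can be sketched as detection logic. This is an added example, not code from the article or from any IDS product: it parses raw Ethernet/ARP frames, pins the gateway's IP-to-MAC binding, and raises alerts on conflicting bindings. All addresses are constructed and the class and function names are hypothetical.

```python
import socket
import struct
from collections import defaultdict

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":        # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, frame[22:28].hex(":"), socket.inet_ntoa(frame[28:32])

class ArpWatch:
    """Tracks IP-to-MAC bindings; suits static plant networks where bindings rarely change."""
    def __init__(self, pinned):
        self.bindings = dict(pinned)                  # ip -> mac; first-seen binding is kept
        self.ips_by_mac = defaultdict(set)
        for ip, mac in pinned.items():
            self.ips_by_mac[mac].add(ip)

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[2] == "0.0.0.0":  # skip non-ARP frames and ARP probes
            return []
        _, mac, ip = parsed                           # requests and replies both carry a binding
        known = self.bindings.setdefault(ip, mac)     # learn on first sight
        alerts = [("BINDING_CONFLICT", ip, known, mac)] if known != mac else []
        self.ips_by_mac[mac].add(ip)
        if len(self.ips_by_mac[mac]) > 1:             # one interface answering for several IPs
            alerts.append(("MAC_CLAIMS_MULTIPLE_IPS", mac, sorted(self.ips_by_mac[mac])))
        return alerts

def build_arp_reply(smac, sip, tmac, tip):
    """Build a constructed ARP reply frame as test input (nothing is sent on a network)."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    return (m(tmac) + m(smac) + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
            + m(smac) + socket.inet_aton(sip) + m(tmac) + socket.inet_aton(tip))

# Constructed sample addresses, not taken from the article.
GW_IP, GW_MAC = "192.168.10.1", "02:00:00:00:00:01"
INV_IP, INV_MAC = "192.168.10.20", "02:00:00:00:00:20"
ROGUE_IP, ROGUE_MAC = "192.168.10.66", "02:00:00:00:00:66"

def run_demo():
    watch = ArpWatch({GW_IP: GW_MAC})
    senders = [(GW_MAC, GW_IP), (ROGUE_MAC, ROGUE_IP), (ROGUE_MAC, GW_IP)]  # last claims the gateway
    frames = [build_arp_reply(mac, ip, INV_MAC, INV_IP) for mac, ip in senders]
    return [alert for frame in frames for alert in watch.observe(frame)]
```

Routers with several addresses on one interface will trigger the second alert legitimately, so such hosts need an allowlist in practice.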

“In the United States, Intrusion Detection Systems (IDS) recently became mandatory for large solar power plants under the latest revision of NERC CIP (CIP-015),” Sadot further explained. “While this requirement has not yet been adopted in Europe, the EU’s NIS 2 Directive requires solar operators to design and operate their assets in accordance with IEC 62443 principles and the Purdue model. As a result, both markets are moving in the same direction: preventing, detecting and responding to cyber attacks – placing an increasing share of responsibility on the asset owner.”

According to the cybersecurity expert, asset owners should not become overwhelmed by all the technical requirements. “Cyber security is not that different from physical security,” he concluded. “If your factory has a sturdy fence, monitored cameras and an alarm system, the factory will be insured and you will sleep well at night – without having to be an expert in barbed wire or camera technology. Cyber works the same way. Your factories need solid IT networks, well-configured firewalls and someone watching them 24/7 – usually through a Security Operations Center (SOC). If you have an IDS, that’s better. Some O&Ms will offer you all this as turnkey service, or you can set it up yourself. Just get the basics right and you’ll have insurable assets, no risk of compliance, and you too will sleep well at night.”
