Cyber Threats Target Solar Infrastructure Beyond Inverters

Severity: High (Score: 66.5)

Sources: www.pv-magazine.com

Published: 2026-06-04 · Updated: 2026-06-04

Keywords: solar, inverters, cyber, attacks, detect, cyberattacks, sees

Severity indicators: rat, cyberattack, cyber attack

Summary

In late December 2025, a cyber attack impacted 30 solar plants in Poland, primarily targeting substation equipment with wiper malware, while inverters remained unaffected. The attack highlighted vulnerabilities in the broader ecosystem of distributed energy resources, including solar monitors and APIs. Historical data indicates that while inverters are often seen as prime targets, attackers are exploiting backhaul communication channels like SSH and FTP. Concurrently, research from KAUST revealed that solar inverters can detect cyberattacks at the firmware level, but lack the necessary communication protocols to alert operators effectively. In 2024, approximately 800 solar monitoring devices in Japan were compromised, and in 2025, 46 vulnerabilities were disclosed across inverters from major manufacturers. The current threat landscape emphasizes the need for improved cybersecurity measures across all layers of solar infrastructure.

Key Points:

  • A cyber attack in December 2025 affected 30 solar plants in Poland, targeting substation equipment.
  • Solar inverters can detect attacks at the firmware level, but operators lack visibility into these signals.
  • Vulnerabilities in solar monitoring devices and communication protocols pose significant cybersecurity risks.

Detailed Analysis

**Impact** Thirty renewable energy sites in Poland were targeted in a cyberattack affecting substation equipment, disrupting operations at the interface between solar plants and the power grid without causing widespread blackouts. The broader solar PV ecosystem, including solar monitors, APIs, and mobile applications, is at risk globally due to vulnerabilities in communication channels. Previous incidents include 800 compromised solar monitoring devices in Japan (2024) and unauthorized access to monitoring dashboards for 22 critical infrastructure clients in Lithuania (2024). The affected sectors include distributed energy resource operators and utilities across Europe and Asia.

**Technical Details** Attackers deployed wiper malware against substation equipment, bypassing solar inverters, which remained untouched. Exploited attack vectors include unsecured backhaul communication channels such as SSH, FTP, MQTT, REST APIs, and HTTPS interfaces used for firmware updates and real-time monitoring. Protocols such as SunSpec Modbus lack encryption and authentication, allowing remote manipulation of inverter control modes. No specific CVEs or IOCs were provided. The kill chain involved initial access through communication interfaces and lateral movement to substation equipment.

**Recommended Response** Prioritize securing backhaul communication channels by enforcing encryption, strong authentication, and authorization controls on APIs and remote access protocols. Deploy firmware integrity monitoring on inverters using hardware performance counters or equivalent detection methods to identify anomalous behavior. Apply industry standards such as IEC 62443 and NIS2 where applicable, and monitor cloud portals for unauthorized bulk updates. Operators should conduct regular security audits of distributed energy resources and implement network segmentation to limit lateral movement.

Source articles (2)

  • Solar Cyber Threats Expand But Inverters Still Stay In The Crosshairs — www.pv-magazine.com · 2026-06-04
    Although solar inverters are generally thought to be the main target of cyber attacks, the threat landscape for solar PV systems extends far beyond these devices, as the cyber attack perpetrated to se…
  • Solar Inverters Can Detect Cyberattacks But No One Sees The Signal — www.pv-magazine.com · 2026-06-04
    Charalambos Konstantinou, associate professor and principal investigator of the SENTRY Lab at KAUST in Saudi Arabia, has spent years simulating attacks on solar inverters and building methods to detec…

Timeline

  • 2024-01-05 — Compromise of solar monitoring devices in Japan: Approximately 800 solar monitoring devices made by Contec were compromised via a known vulnerability.
  • 2025-01-10 — Vulnerabilities disclosed in solar inverters: Forescout’s Vedere Labs disclosed 46 vulnerabilities across inverters from Sungrow, Growatt, and SMA.
  • 2025-12-30 — Cyber attack on solar plants in Poland: 30 renewable energy sites were hit by wiper malware targeting substation equipment, leaving inverters untouched.

Related entities

  • Malware (Attack Type)
  • Contec (Company)
  • Growatt (Company)
  • Ignitis Group (Company)
  • SMA (Company)
  • Sungrow (Company)
  • Vedere Labs (Company)
  • Japan (Country)
  • Lithuania (Country)
  • Poland (Country)
  • Saudi Arabia (Country)
  • CWE-287 - Improper Authentication (CWE)
  • CWE-862 - Missing Authorization (CWE)
  • Energy (Industry)
  • T1021 - Remote Services (MITRE ATT&CK)
  • T1071 - Application Layer Protocol (MITRE ATT&CK)
  • DNP3 (Platform)
  • FTP (Platform)
  • HTTPS (Platform)
  • IEC 62443 (Platform)
  • IEEE 1547 (Platform)
  • IEEE 1547.3 (Platform)
  • IEEE 2030.5 (Platform)
  • Microsoft Defender (Platform)
  • MQTT (Platform)
  • NIS2 (Platform)
  • REST (Platform)
  • SunSpec Modbus (Platform)
  • SSH (Tool)