U.S. officials are sounding the alarm after discovering unauthorized communication devices, including cellular radios, in Chinese-made solar power inverters and batteries. These hidden components, found by experts who dismantle grid-connected equipment to check for security issues, could potentially bypass security firewalls, allowing remote access to destabilize power grids and trigger widespread blackouts.
The Discovery and Its Implications
The existence of these rogue devices, which are not listed in product documents, has not been publicly acknowledged by the U.S. government. These devices provide undocumented communication channels that could circumvent firewalls, potentially leading to catastrophic consequences.
Mike Rogers, a former director of the U.S. National Security Agency, stated, “We know that China believes there is value in placing at least some elements of our core infrastructure at risk of destruction or disruption”.
How the Hidden Devices Work
Power inverters, predominantly manufactured in China, are crucial for connecting solar panels and wind turbines to electricity grids. They are also used in batteries, heat pumps, and electric vehicle chargers. While inverters are designed to allow remote access for updates and maintenance, utility companies typically install firewalls to prevent direct communication with China. However, the discovered rogue communication devices can bypass these firewalls, enabling remote manipulation of the inverters.
Uri Sadot, cybersecurity program director at Israeli inverter manufacturer SolarEdge, warned, “If you remotely control a large enough number of home solar inverters, and do something nefarious at once, that could have catastrophic implications to the grid for a prolonged period of time”.
Global Concerns and Reactions
The discovery has prompted U.S. energy officials to reassess the risks associated with Chinese-made devices in renewable energy infrastructure. As U.S.-China tensions escalate, the U.S. and other nations are reevaluating China’s role in strategic infrastructure due to potential security vulnerabilities.
Europe’s Response
Europe is also grappling with growing concerns over the cybersecurity risks posed by Chinese-made photovoltaic inverters. The European Solar Manufacturing Council (ESMC) has urged the European Commission to develop a “toolbox” for inverter security. SolarPower Europe released a report identifying smart inverters as vulnerable gateways for cyberattacks, noting that compromising just 3 GW of generation capacity could significantly impact Europe’s power grid.
The ESMC has called for restricting remote access to inverters from “high risk” Chinese manufacturers. This follows a report from SolarPower Europe and consultancy DNV highlighting the security risks posed by digital inverters.
Lithuania’s Example
Lithuania passed a law in November blocking remote access to Chinese-made inverters, requiring power plant operators to install cybersecurity defenses to prevent tampering.
The Bigger Picture: Strategic Dependencies and Market Dominance
China’s dominance in the solar energy sector is a growing concern. Huawei is the world’s largest supplier of inverters, followed by Chinese peers Sungrow and Ginlong Solis. In Europe, over 200 GW of solar power capacity is linked to inverters made in China, equivalent to more than 200 nuclear power plants.
Experts suggest that China’s legal requirement for companies to cooperate with its intelligence agencies could give the government potential control over Chinese-made inverters connected to foreign grids.
Previous Incidents and Vulnerabilities
A commercial dispute in November between two inverter suppliers, Sol-Ark and Deye, led to solar power inverters in the U.S. and elsewhere being disabled from China, highlighting the risk of foreign influence over local electricity supplies.
Forescout researchers discovered 46 vulnerabilities in solar grids that could allow hackers to deploy remote code execution, denial of service, device takeover, and access cloud platforms or sensitive information.
Actions Taken and Proposed
U.S. Legislation
In February, U.S. Senators introduced the Decoupling from Foreign Adversarial Battery Dependence Act, banning the Department of Homeland Security from purchasing batteries from certain Chinese entities starting October 2027. This bill aims to prevent Homeland Security from procuring batteries from companies Washington says are closely linked to the Chinese Communist Party.
Addressing Forced Labor
The U.S. has also taken steps to address forced labor concerns in the solar industry. The Uyghur Forced Labor Prevention Act (UFLPA) bans imports from China’s Xinjiang region unless companies can prove their products are not connected to forced labor. The Department of Homeland Security has added several solar supply chain providers to the UFLPA entity list.
What’s Next?
As the U.S. and Europe grapple with the security risks posed by Chinese-made solar inverters, further actions may include:
- Enhanced cybersecurity measures: Implementing stricter security protocols and firewalls to protect energy infrastructure.
- Supply chain diversification: Reducing reliance on Chinese manufacturers by sourcing equipment from other countries.
- Policy and legislation: Enacting laws and regulations to restrict the use of high-risk vendors and promote domestic manufacturing.
- Increased scrutiny: Conducting thorough inspections and risk assessments of imported solar equipment.
The discovery of hidden communication devices in Chinese solar inverters has raised serious concerns about the security and stability of critical energy infrastructure. As governments and industry stakeholders work to address these vulnerabilities, the future of solar energy will likely involve a greater focus on cybersecurity and supply chain security.
