
National Security, Chinese solar power poses serious risk of cyber-sabotage

The European Solar Manufacturing Council, the association representing the continent's solar power manufacturers, has issued a serious warning that remote software access to European photovoltaic inverters (that is, the essential control units of solar power systems) produced by non-European manufacturers, particularly those in China, carries significant cyber vulnerabilities.


As solar energy increasingly becomes an integral part of Europe's clean energy and energy security goals, the European Solar Manufacturing Council (ESMC), the association representing the continent's solar energy producers, recently raised a serious alarm: remote software access to European photovoltaic inverters (the essential control units of solar energy systems) produced by non-European manufacturers, particularly Chinese ones, presents significant cyber vulnerabilities.




For this reason, in addition to calling for a general ban on the import of inverters from China into all European Union (EU) member states, the trade association also called for the immediate adoption of an "Inverter Security Toolbox", i.e. a risk monitoring and mitigation system similar to the one the EU created for 5G cellular network technology in the telecommunications sector.


In its request, the ESMC refers to a cybersecurity report by the consultancy firm DNV, entitled "Solutions for PV Cyber Risks to Grid Stability", which highlights how an attack on just 3 GW of inverter capacity could have "significant implications" for the European electricity grid. The document warns that almost 70% of all photovoltaic inverters installed globally in 2023 came from Chinese producers.


It is not the first time that the ESMC has asked European bodies for greater efforts in cybersecurity. Just last year, immediately after the approval of the regulatory framework called the "Net Zero Industry Act", aimed at promoting the competitiveness of the industry and technologies necessary for European decarbonisation, the association published an ad hoc recommendation document.


Previously, in 2023, it was the Dutch Authority for Digital Infrastructure (RDI) that had raised the alarm on the vulnerabilities of solar panel inverters, adding that “none of the nine inverters tested met the standard” of cybersecurity.


Finally, at the beginning of April, researchers from the IT security company Forescout discovered 46 vulnerabilities in solar inverters from three major vendors, two of which, Sungrow and Growatt, are based in China.


Indeed, with the global shift to renewable energy, attention is increasingly turning to the digital systems that enable this transformation. Solar energy, one of the fundamental pillars of clean energy, depends on inverters and networked control platforms, and has therefore become an attractive target for cyber attacks, leading experts to call for security improvements.


For this reason, in November 2024, Lithuanian legislators adopted a one-of-a-kind law aimed at limiting the ability of Chinese inverter manufacturers to remotely access the country's solar and wind plants.


Christoph Podewils, Secretary General of the ESMC, said that more than 200 GW of Europe's PV capacity is currently connected to inverters produced in China, an amount comparable to the output of more than 200 nuclear power plants. He warned that this had effectively placed remote control of a significant part of Europe's electricity infrastructure in foreign hands.


The threat is real, not hypothetical

Internet connectivity is essential for modern inverters to perform grid support functions and participate in energy markets. However, the same connectivity also allows remote software updates, through which manufacturers could potentially modify the behaviour of the devices.

This poses serious cybersecurity risks, including that of large-scale intentional disruption (sabotage), the ESMC has warned, highlighting a critical threat to Europe's energy autonomy arising from unregulated remote access to such photovoltaic inverters.


To this risk, the trade association added further concerns:

  • 70% of all inverters installed in 2023 came from Chinese suppliers, mainly Huawei and Sungrow;

  • These two companies alone already control remote access to 168 GW of PV capacity in Europe (DNV report, p. 40);

  • By 2030 this figure is expected to exceed 400 GW, or the power produced by 150-200 nuclear power plants;

  • One of these suppliers has already been banned from the 5G sector in many countries and is currently under investigation in Belgium for corruption and bribery.


The need for immediate intervention

The ESMC has asked the EU for immediate intervention, to be achieved through the establishment of an "Inverter Security Toolbox", i.e. a risk monitoring and mitigation system modelled on the 5G Security Toolbox, which would include:

  • A comprehensive risk assessment of inverter manufacturers;

  • The requirement that high-risk sellers must not be allowed to maintain an online connection to European electricity systems;

  • The evaluation of a total ban on these providers from connecting to the network;

  • A replication of Lithuania's proactive legislation, which bans the import of inverters from China, in all EU member states, ensuring that security measures are applied to PV systems of all sizes.


“Europe must act now to prevent a future energy crisis that could rival gas dependence on Russia,” Podewils said. “We support the European Commission's upcoming assessment of cybersecurity risks in the solar energy supply chain and are ready to make our expertise available.”


The DNV report

The report produced by DNV and commissioned by SolarPower Europe says the EU should update its cybersecurity legislation, which analysts say focuses on centralised and outdated energy infrastructure, so that it "addresses the specific security needs of distributed energy sources, such as small rooftop solar installations".


According to the analysis, a targeted compromise of 3 GW of generation capacity can have significant implications for the European electricity grid, and more than a dozen Western and non-Western manufacturers now control significantly more than 3 GW of installed capacity. Of the 14 risk areas assessed in the report, 5 are classified as medium risk, 6 as high risk and 3 as critical risk; the risk measurement combines the severity of the impact with its probability. While European legislation such as the Cyber Resilience Act, the NIS2 Directive and the Network Code for Cybersecurity (NCCS) mitigates some of the risks, SolarPower Europe outlines a path to achieve "low risk" status in all 14 risk areas.


To return to a "low" risk category for cybersecurity, the document recommends two solutions:

  • The first would ensure that existing cybersecurity laws are sufficiently specific to the needs of the solar sector;

  • The second would introduce new rules that keep control of affected solar installations, via their inverters, within the EU or within jurisdictions able to ensure an equivalent level of security.


Regarding the latter, the analysis recommends an approach similar to the GDPR rules, whereby control of aggregated distributed devices, such as small rooftop solar systems, should only take place in regions considered equivalent to the EU in terms of security. This solution should be implemented via the EU NCCS or another new fast-track procedure. High-risk entities would then be required to develop IT solutions that would be monitored and approved by the relevant authorities.


“Like every technological revolution, digitalisation offers incredible opportunities, for example energy system cost savings of 160 billion euros per year. But it also brings with it new challenges, such as cybersecurity. We didn't need virus protection for a typewriter, but we need it for our laptops,” said Walburga Hemetsberger, CEO of SolarPower Europe.


The Forescout analysis

Last April, the American IT security company Forescout disclosed 46 vulnerabilities in solar inverters from three major vendors: Sungrow and Growatt, based in China, and SMA Solar Technology, based in Germany. Additionally, the researchers found that 80% of the vulnerabilities in solar power systems disclosed over the past three years were classified as high severity or critical.


These findings reveal serious systemic security weaknesses in the solar ecosystem that could impact the stability of the electric grid, utility operations and consumer data privacy, Forescout said. 


Vulnerabilities include information leaks, buffer overflows, and flaws in website code.

The report found that Growatt inverters were particularly exposed due to fundamental weaknesses in the company's cloud platform. These issues could have allowed hackers to access and modify Growatt devices without having to log in. According to Forescout, one flaw allowed attackers to "upload arbitrary files" to the platform, while another revealed lists of authorized users.


According to the document, the attacks on the Sungrow and SMA inverters were "more complex, but still exploited fundamental security flaws, such as hardcoded login credentials and stack overflow vulnerabilities". In particular, an SMA website was found to be misconfigured, allowing unauthorized code to run, while a Sungrow Android app failed to validate security certificates and relied on weak encryption, leaving it vulnerable to man-in-the-middle attacks.


Such vulnerabilities, the company warned, could allow hackers to gather information about equipment and their users, manipulate data within web portals, and even overwrite device firmware with malicious code.


The Lithuanian law

In 2024, Lithuania approved a rule that limits the ability of Chinese companies to remotely access the control systems of solar and wind farms and batteries with a power exceeding 100 kW, with the aim of strengthening cybersecurity. The law, which took effect on May 1, 2025, requires operators of new power plants to implement additional safeguards for information management systems and inverters, especially those manufactured in "hostile countries" such as China. While existing Chinese-made equipment will not be banned, operators will need to ensure that their systems meet the new security standards.


The US situation

While no US state has enacted an outright ban on Chinese solar and wind installations, there is growing concern at both the federal and state levels about the IT security risks associated with foreign-made technology in critical infrastructure.


Several states have introduced or approved laws to ban or limit the use of Chinese technology in government agencies, focusing on potential cyberattacks and reliance on equipment from “Countries of Interest.” These bans often target computer systems, drones and other technologies, but the debate is also extending to energy infrastructure.


At the moment, the federal government has limited itself to adopting measures such as banning imports from specific Chinese solar energy companies over forced labour in the Xinjiang region. Although this is not a direct ban on system access, it limits the availability of some Chinese-made components on the U.S. market.


