Solar inverters can detect cyberattacks but no one sees the signal
A King Abdullah University of Science and Technology (KAUST) researcher whose lab has demonstrated up to 100% accuracy using a single hardware counter tells <b>pv magazine</b> that firmware-level detection of inverter attacks is technically viable – but today’s communication standards do not transmit the firmware‑integrity signal to operators.
<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">Charalambos Konstantinou, associate professor and principal investigator of the SENTRY Lab at KAUST in Saudi Arabia, has spent years simulating attacks on solar inverters and building methods to detect them. His lab's work sits at a layer below the monitoring-system compromises that have made headlines – at the firmware itself, the code that governs how much current an inverter injects into the grid and at what phase.</p>
<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">“The takeaway message is that this firmware-level detection on solar inverters is technically viable,” Konstantinou told <strong>pv magazine</strong>. “What is missing is not the science. It's just a connecting tissue between the inverters and the operators.”</p>
<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">The <a href="https://www.pv-magazine.com/2026/04/07/microinverters-hacked-with-ai-coordinated-remote-shutdown-possible/" rel="noopener" target="_blank">threat environment around inverter-connected systems</a> has grown more concrete. In 2024, approximately 800 solar monitoring devices made by Contec were compromised in Japan via a known vulnerability, with attackers gaining unauthorized access. The same year, attackers accessed monitoring dashboards for 22 critical infrastructure clients of Lithuanian energy company Ignitis Group, according to trade press reports.</p>
<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">In 2025, security firm Forescout's Vedere Labs disclosed 46 <a href="https://www.pv-magazine.com/2026/03/24/solar-cyber-threats-expand-but-inverters-still-stay-in-the-crosshairs/" rel="noopener" target="_blank">vulnerabilities across inverters</a> from Sungrow, Growatt, and SMA. The advisory warned that exploitation could allow attackers to manipulate device functionality. All three cases involved monitoring or communication layers rather than direct firmware modification.</p>
<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">Konstantinou's group uses hardware performance counters, originally designed for software performance analysis, to fingerprint what legitimate inverter firmware does at the chip level and detect whether it is behaving as expected. Unlike signature-based antivirus, the approach does not require a database of known threats. Earlier work achieved 97% detection accuracy on a commercial solar microinverter. “Later on, we had another work that shows that this can go up to 100% using just a single counter,” Konstantinou said.</p>
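<p>The following is an added worked example, not SENTRY Lab code, of the fingerprinting idea described above: a baseline of per-window hardware-counter readings is taken from the legitimate firmware, each new window is scored against that baseline, and a single counter is then selected that separates legitimate from tampered windows on its own. The counter names, the sampling windows and every value are constructed for illustration; no real inverter was measured.</p>

```python
"""Hardware-performance-counter (HPC) fingerprinting of inverter firmware.

Added illustration, not the lab's code. Assumes the firmware control loop is
sampled in fixed windows and each window yields one reading per counter.
Counter names and all readings below are constructed.
"""
from statistics import mean, pstdev

COUNTERS = ("instructions", "branch_misses", "cache_misses")  # hypothetical names

# Constructed baseline: eight windows of the legitimate firmware.
BENIGN = [
    (10020, 212, 48), (10035, 208, 51), (9990, 215, 47), (10011, 210, 50),
    (10042, 206, 49), (10003, 214, 46), (10028, 209, 52), (9995, 211, 48),
]
# Constructed tampered windows: an extra code path inflates instruction count
# and branch misses, while cache misses stay close to the baseline.
TAMPERED = [
    (11240, 298, 50), (11190, 305, 47), (11310, 290, 53), (11205, 301, 49),
]


def fit_baseline(windows):
    """Per-counter mean and population std-dev of the legitimate firmware."""
    stats = {}
    for i, name in enumerate(COUNTERS):
        column = [w[i] for w in windows]
        stats[name] = (mean(column), pstdev(column))
    return stats


def z_scores(stats, window):
    """Absolute z-score of each counter in one window against the baseline.
    A zero-variance counter is given a tiny std-dev so any drift is flagged."""
    return {
        name: abs(window[i] - stats[name][0]) / (stats[name][1] or 1e-9)
        for i, name in enumerate(COUNTERS)
    }


def is_anomalous(stats, window, threshold=4.0):
    """Signature-free check: any counter far outside its baseline band."""
    return any(z > threshold for z in z_scores(stats, window).values())


def best_single_counter(benign, tampered):
    """Pick the one counter (and a threshold on it) that best separates the
    labelled windows. Returns (counter_name, accuracy, threshold)."""
    best = None
    for i, name in enumerate(COUNTERS):
        b = [w[i] for w in benign]
        t = [w[i] for w in tampered]
        values = sorted(set(b + t))
        best_acc, best_thr = 0.0, None
        # Candidate thresholds: midpoints between adjacent observed values.
        for lo, hi in zip(values, values[1:]):
            thr = (lo + hi) / 2
            correct = sum(v <= thr for v in b) + sum(v > thr for v in t)
            acc = correct / (len(b) + len(t))
            if acc > best_acc:
                best_acc, best_thr = acc, thr
        if best is None or best_acc > best[1]:
            best = (name, best_acc, best_thr)
    return best


if __name__ == "__main__":
    baseline = fit_baseline(BENIGN)
    for w in BENIGN + TAMPERED:
        print(w, "ANOMALY" if is_anomalous(baseline, w) else "ok")
    print("best single counter:", best_single_counter(BENIGN, TAMPERED))
```

<p>With the constructed data, every tampered window is flagged by the multi-counter check, and the selection step finds that the instruction-count counter alone already separates the two classes, while the cache-miss counter alone does not. That is the pattern the text describes: the choice of counter matters more than the number of counters.</p>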
<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">The conceptual lineage of the approach is established in adjacent industries. Konstantinou said DARPA had an early program called Radix that proposed the underlying idea, that Intel productized it in 2021 as Threat Detection Technology, and that Microsoft Defender included it for ransomware detection.</p>
<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">“The template exists,” he said. Applying it to solar inverters is harder on two fronts. Inverters are embedded microcontrollers, not general-purpose computers, and may lack built-in performance counters – his lab has proposed purpose-built counters derived from the firmware itself to address the silicon constraints. The deeper obstacle is structural.</p>
<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">“The asset owner of the inverter, whether this is a utility or the independent power producer, has no way to see this signal coming out of the inverter, even if it's being computed,” Konstantinou said. “Because the <a href="https://www.pv-magazine.com/2025/09/05/the-cybersecurity-gap-in-solar-and-how-to-close-it/" rel="noopener" target="_blank">standards that we use today</a>, they don't carry this firmware integrity check.”</p>
<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">Konstantinou described the inverter attack surface across four layers. The first is the communication protocol. He said that when IEEE 1547 was updated in 2018, “it had a mandatory policy that inverters would expose grid support functions through a protocol called <a href="https://www.pv-magazine.com/2026/02/25/german-startup-launches-gateway-to-block-inverter-kill-switches/" rel="noopener" target="_blank">SunSpec Modbus</a>.” Konstantinou's group has <a href="https://ieeexplore.ieee.org/document/11193993/" rel="noopener" target="_blank">published research</a> in <em>IEEE Transactions on Industrial Informatics</em> demonstrating how an attacker can reach this protocol, shift register values, and push an inverter outside its intended control mode. “By changing these control modes, you can do the opposite and make the situation even worse,” he said.</p>
<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">Sandia National Laboratories has documented separately that SunSpec Modbus lacks over-the-wire encryption, <a href="https://www.pv-magazine.com/2025/05/14/hidden-devices-found-in-chinese-made-inverters-in-the-us-reports-reuters/" rel="noopener" target="_blank">node authentication</a>, or key management, and that the protocol is a widely adopted interoperability profile rather than a normative requirement of IEEE 1547.</p>
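<p>As an added example covering the two points above (an attacker who can reach the Modbus interface can rewrite control registers, and the protocol itself carries no authentication), here is a passive monitor, not from the article or the cited paper, that parses Modbus/TCP frames bound for an inverter and raises an alert when a write touches a control-mode register from a source other than the plant controller. The register addresses, the controller IP and the captured frames are constructed placeholders; they are not real SunSpec model offsets.</p>

```python
"""Passive monitor for Modbus/TCP writes to inverter control registers.

Added illustration, not the article's or the paper's code. Parses the MBAP
header and the read/write PDUs, then applies a source allow-list to writes
that hit control registers. Register map, IPs and frames are constructed.
"""
import struct

FC_READ_HOLDING = 0x03
FC_WRITE_SINGLE = 0x06
FC_WRITE_MULTIPLE = 0x10

# Hypothetical control-register map (placeholder addresses, not SunSpec offsets).
CONTROL_REGISTERS = {0x9000: "volt_var_mode_enable", 0x9001: "fixed_pf_setpoint"}
# Constructed address of the only host allowed to change control modes.
AUTHORIZED_WRITERS = {"10.0.0.5"}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode MBAP (tid, proto id, length, unit) and the read/write PDUs."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id != 0, not Modbus/TCP")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc, pdu = frame[7], frame[8:]
    msg = {"tid": tid, "unit": unit, "fc": fc, "writes": {}}
    if fc == FC_WRITE_SINGLE:
        addr, value = struct.unpack(">HH", pdu[:4])
        msg["writes"] = {addr: value}
    elif fc == FC_WRITE_MULTIPLE:
        start, qty, byte_count = struct.unpack(">HHB", pdu[:5])
        if byte_count != 2 * qty or len(pdu) < 5 + byte_count:
            raise ValueError("malformed write-multiple payload")
        values = struct.unpack(f">{qty}H", pdu[5:5 + byte_count])
        msg["writes"] = {start + i: v for i, v in enumerate(values)}
    elif fc == FC_READ_HOLDING:
        msg["read"] = struct.unpack(">HH", pdu[:4])  # (start, quantity)
    return msg


def inspect(src_ip: str, frame: bytes) -> list:
    """Alert on control-register writes from a non-allow-listed source."""
    alerts = []
    for addr, value in parse_modbus_tcp(frame)["writes"].items():
        if addr in CONTROL_REGISTERS and src_ip not in AUTHORIZED_WRITERS:
            alerts.append(
                f"unauthorized write {CONTROL_REGISTERS[addr]} "
                f"(reg 0x{addr:04X}) = {value} from {src_ip}"
            )
    return alerts


def build_frame(tid: int, unit: int, fc: int, body: bytes) -> bytes:
    """Assemble a Modbus/TCP frame; length = unit id + function code + body."""
    return struct.pack(">HHHB", tid, 0, 2 + len(body), unit) + bytes([fc]) + body


# Constructed traffic: a read from a monitoring host, an authorized write from
# the plant controller, and a multi-register write from an unknown host.
SAMPLE_TRAFFIC = [
    ("10.0.0.7", build_frame(1, 1, FC_READ_HOLDING, struct.pack(">HH", 0x9000, 2))),
    ("10.0.0.5", build_frame(2, 1, FC_WRITE_SINGLE, struct.pack(">HH", 0x9000, 1))),
    ("10.0.0.99", build_frame(3, 1, FC_WRITE_MULTIPLE,
                              struct.pack(">HHB", 0x9000, 2, 4) + struct.pack(">HH", 0, 100))),
]


def run_monitor(traffic) -> list:
    """Apply the policy to every (source, frame) pair; return all alerts."""
    return [a for src, frame in traffic for a in inspect(src, frame)]


if __name__ == "__main__":
    for alert in run_monitor(SAMPLE_TRAFFIC):
        print("ALERT:", alert)
```

<p>Because the protocol has no authentication, the source address is the only attribution the monitor has, and it can be spoofed; the check is a detection aid for an operator, not a substitute for the node authentication and encryption that the protocol lacks.</p>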
<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">The second layer is the phase-locked loop, the algorithm that gives the inverter its operational reference. “If you can manipulate the PLL, you can manipulate the inverter's whole sense of, let's say, reality,” Konstantinou said. The third is sensor false data injection – corrupting voltage measurements at the point of common coupling, which corrupts the inverter's entire reference frame. The fourth, and the hardest to detect without hardware performance counter (HPC)-based methods, is firmware modification itself.</p>
<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">Scale is what converts individual compromises into systemic events. “Single inverter compromise, maybe get some economic harm or maybe some localized power quality issues,” Konstantinou said. “Things get interesting when the compromise is, let's say, 5% or 10% of the feeder capacity, where you start seeing voltage violation limits.” A coordinated attack across a manufacturer's install base, he added, is where system stability events become possible.</p>
<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">The regulatory picture is incomplete. <a href="https://www.pv-magazine.com/2026/04/23/eu-moves-to-restrict-funding-for-projects-using-inverters-from-high-risk-suppliers/" rel="noopener" target="_blank">NIS2</a>, whose transposition deadline across EU member states was October 2024 – with enforcement dependent on national implementation – places obligations on large solar operators, independent power producers, and aggregators to manage cybersecurity risk across both IT and operational technology. Konstantinou said NIS2 alone is insufficient.</p>
<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">“NIS2 in isolation cannot fit the purpose of controlling and securing things,” he said. “But I think it was never designed to stand alone.” The EU's Cyber Resilience Act addresses the manufacturing side. Konstantinou said the act is “not applicable until the end of the next year.”</p>
<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">Regulation EU 2024/2847 sets vulnerability reporting requirements from September 2026 and full enforcement from December 2027. “It's a shared responsibility between manufacturers, legislation, policy, operators and utilities,” said Konstantinou. “The question is about enforcement.”</p>
<p>Vendor disclosure remains an immediate gap. “Some vendors have proper disclosure procedures, but others are <a href="https://www.pv-magazine.com/2025/09/08/czech-cybersecurity-agency-warns-against-chinese-solar-inverters/" rel="noopener" target="_blank">very difficult to reach</a>,” Konstantinou said. He noted that many people who have identified vulnerabilities in inverters have been unable to reach manufacturers to report them. Globalization constrains enforcement. “Maybe the EU is able to do that, the US or any other countries or regions, but it's very difficult to enforce a universal standard,” he said.</p>
<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">“The proof is there,” Konstantinou said. “I think it's about a matter of act upon it in order to integrate these firmware validation checks as part of the communication standards that exist today.”</p>
<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">Whether that happens, he said, is a policy and commercial question rather than a scientific one.</p>