Solar Rooftops and National Security: The Unexpected Connection

The Emerging Cybersecurity Risks of Home Solar Inverters

A concerning, though currently unlikely, security threat has been outlined by James Showalter. The scenario involves an unauthorized individual gaining access to a home's Wi-Fi network and subsequently manipulating the solar inverter – the often-overlooked gray box converting solar energy for household use.

The "Solar Stalker" Threat

Showalter, CEO of EG4 Electronics, emphasizes that such an event would require a dedicated attacker. This individual would need both the technical expertise to exploit vulnerabilities and the motivation to target a specific home energy system.

Despite considering this sequence of events improbable, EG4 Electronics recently faced scrutiny following a security advisory issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

EG4 Inverter Vulnerabilities Detailed by CISA

The CISA advisory highlighted security flaws within EG4’s solar inverters. These vulnerabilities could potentially allow an attacker, gaining network access and possessing the inverter’s serial number, to intercept sensitive data.

Furthermore, malicious firmware could be installed, or complete control of the system could be seized by a malicious actor.

A Growing Awareness of Inverter Complexity

Approximately 55,000 customers utilizing the affected EG4 inverter model are now becoming aware of the potential risks. Many are realizing that modern solar inverters are far more sophisticated than simple power converters.

These devices now function as central hubs for home energy systems, monitoring performance metrics, facilitating communication with utility providers, and managing the flow of excess energy back to the power grid.

The Rapid Evolution of Inverter Security Concerns

This shift in functionality has largely occurred without widespread public awareness. Justin Pascale, a principal consultant at Dragos, a firm specializing in industrial cybersecurity, notes that public understanding of solar inverters was minimal just five years ago.

However, the issue is now receiving attention at both national and international levels, reflecting the increasing importance of securing these critical components of modern energy infrastructure.

Concerns Regarding Security and Customer Feedback

Recent data underscores the increasing prevalence of homes functioning as small-scale power generation facilities within the United States. The U.S. Energy Information Administration reports that small-scale solar installations, largely residential, experienced a growth exceeding five times the rate between 2014 and 2022.

This shift, driven by decreasing costs, governmental support, and heightened climate change awareness, has transformed solar energy from a niche interest to a widespread practice.

However, each new solar installation introduces another connection point within a growing network of interconnected devices. While contributing to greater energy independence, these devices simultaneously present potential avenues for malicious actors.

Acknowledged Shortcomings and Industry-Wide Issues

When questioned regarding his company’s security protocols, Showalter readily admits to existing vulnerabilities. He frames these issues not as isolated to his organization, but as a broader challenge facing the entire industry.

Showalter presented a comprehensive 14-page report detailing 88 documented security vulnerabilities in both commercial and residential solar energy systems discovered since 2019, during a Zoom conference and subsequent email correspondence.

Despite this, many customers – some of whom voiced their concerns on Reddit – remain dissatisfied. This dissatisfaction stems from the fact that CISA’s advisory highlighted fundamental design flaws.

These flaws included unencrypted communication between monitoring applications and inverters, a lack of integrity checks during firmware updates, and weak authentication processes.

Customer Dissatisfaction and Lack of Communication

“These were basic security failures,” stated one customer who requested anonymity. Furthermore, this individual expressed frustration that “EG4 did not even inform me of these issues or suggest any protective measures.”

When asked about the delay in notifying customers after CISA contacted the company, Showalter described it as a learning experience.

“We anticipated a swift resolution to CISA’s concerns and preferred to communicate updates once the process was complete,” Showalter explained. “We didn’t want to share information while the solution was still under development.”

CISA’s Response and Current Exploitation Status

TechCrunch contacted CISA for further clarification earlier this week, but has yet to receive a response. CISA’s advisory concerning EG4 specifically notes that “currently, there have been no publicly reported instances of these vulnerabilities being actively exploited.”

It is important to note that while no active exploitation has been reported, the potential for security breaches remains a significant concern.

Concerns Arise Regarding Chinese Connections and Security

Coincidentally, EG4’s recent public relations challenges have emerged alongside growing worries concerning the security of the renewable energy supply chain.

Earlier this year, U.S. energy authorities reportedly initiated a reevaluation of risks associated with equipment manufactured in China, following the discovery of unexplained communication devices within certain inverters and battery systems. A Reuters investigation revealed the presence of undocumented cellular radios and other communication components in products from several Chinese vendors – devices not listed on official hardware documentation.

This finding is particularly significant considering China’s leading position in solar panel production. The Reuters report also indicated that Huawei holds the largest share of the inverter market, accounting for 29% of global shipments in 2022, with Chinese companies Sungrow and Ginlong Solis following closely behind. Approximately 200 GW of solar power capacity in Europe utilizes inverters produced in China, a figure comparable to over 200 nuclear power plants.

The geopolitical ramifications have not been overlooked. Last year, Lithuania enacted legislation prohibiting remote access from China to solar, wind, and battery installations exceeding 100 kilowatts, effectively limiting the use of Chinese-made inverters. Showalter states that his firm is addressing customer anxieties by transitioning away from Chinese suppliers and towards components from manufacturers in other regions, including Germany.

However, the vulnerabilities outlined by CISA in EG4’s systems raise broader questions that extend beyond the practices of a single company or its sourcing of components. The U.S. National Institute of Standards and Technology (NIST) cautions that controlling a substantial number of residential solar inverters remotely and executing a malicious action simultaneously could have severe and prolonged consequences for the power grid.

Fortunately, while theoretically feasible, such a scenario faces numerous practical obstacles.

Pascale, specializing in utility-scale solar projects, explains that residential inverters primarily perform two functions: converting direct current to alternating current and enabling power to flow back to the grid. A widespread attack would necessitate compromising a vast number of individual homes concurrently. (While not impossible, such attacks are more likely to target manufacturers directly, some of whom possess remote access to customer inverters, as demonstrated by security research conducted last year.)

Currently, the regulatory framework governing larger installations does not extend to residential systems. The North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection standards apply only to facilities generating 75 megawatts or more, such as solar farms.

Due to residential installations falling below these thresholds, they operate within a regulatory gap where cybersecurity standards are recommendations rather than mandates.

Consequently, the security of numerous small installations largely relies on the judgment of individual manufacturers operating without comprehensive regulatory oversight.

Regarding the issue of unencrypted data transmission – a factor contributing to CISA’s concerns regarding EG4 – Pascale points out that plain text transmission is common and sometimes encouraged in utility-scale operational settings for network monitoring.

“Encryption is often prohibited in enterprise environments,” he clarifies, “but it’s frequently used in operational environments where most data is transmitted in plain text.”

In essence, the primary concern isn’t an immediate threat to individual homeowners, but rather the collective vulnerability of a rapidly expanding network. As the energy grid becomes increasingly decentralized, with power originating from millions of smaller sources instead of a few large ones, the potential attack surface expands exponentially. Each inverter represents a possible weak point in a system not originally designed for such complexity.

Showalter views CISA’s intervention as a “trust upgrade,” providing an opportunity to distinguish his company in a competitive market. He reports that since June, EG4 has collaborated with the agency to address the identified vulnerabilities, reducing an initial list of 10 concerns to three remaining items expected to be resolved by October. This process has involved updating firmware transmission protocols, enhancing identity verification for technical support interactions, and revising authentication procedures.

However, for individuals like the anonymous EG4 customer who expressed frustration with the company’s response, the incident underscores the challenging position of solar adopters. They invested in technology they believed to be environmentally responsible, only to find themselves unintentionally involved in a complex cybersecurity landscape that remains poorly understood by many.