Cybersecurity Risks in Solar Inverters: Firmware-Level Threats and Detection Gaps
Research led by Charalambos Konstantinou, associate professor at KAUST’s SENTRY Lab in Saudi Arabia, highlights growing cybersecurity vulnerabilities in solar inverters, the critical components that regulate power flow into electrical grids. His team has demonstrated that firmware-level attacks on inverters are technically detectable, though industry adoption of such safeguards remains limited.
Recent incidents underscore the urgency of the issue. In 2024, attackers exploited a known vulnerability to compromise 800 solar monitoring devices in Japan, while Lithuanian energy firm Ignitis Group reported unauthorized access to monitoring dashboards for 22 critical infrastructure clients. Later that year, Forescout’s Vedere Labs disclosed 46 vulnerabilities in inverters from Sungrow, Growatt, and SMA, warning that exploitation could enable device manipulation, though these flaws targeted monitoring and communication layers rather than the firmware itself.
Konstantinou’s team has developed a detection method using hardware performance counters (HPCs) to monitor inverter firmware behavior at the chip level. Unlike traditional signature-based antivirus, this approach does not rely on known threat databases. Early tests achieved 97% detection accuracy on a commercial microinverter, with later refinements reaching 100% using a single counter. The technique builds on prior work, including DARPA’s Radix program and Intel’s Threat Detection Technology, but adapting it to inverters presents unique challenges. Many inverters lack built-in HPCs, requiring purpose-built counters derived from firmware, and existing communication standards do not support firmware integrity checks.
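A minimal sketch of signature-free detection on a single counter, added here as an illustration and not the KAUST team's method or code: it learns a baseline from known-good firmware and alerts on a sustained deviation. The choice of counter (instructions retired per control-loop iteration), the thresholds and all sample values are assumptions constructed for the example.

```python
from statistics import median

def fit_baseline(samples):
    """Return (median, MAD) of counter readings taken from known-good firmware."""
    med = median(samples)
    mad = median(abs(s - med) for s in samples)
    return med, max(mad, 1.0)  # floor keeps the score finite on perfectly flat data

def robust_z(value, baseline):
    """Modified z-score: distance from the baseline median in MAD units."""
    med, mad = baseline
    return 0.6745 * (value - med) / mad

def detect(windows, baseline, threshold=3.5, consecutive=3):
    """Return the index of the window at which an alert fires, or None.

    Requiring several consecutive outliers tolerates one-off jitter
    (for example an interrupt landing inside the loop) while still
    catching a persistent shift such as extra code in the control path.
    """
    run = 0
    for i, value in enumerate(windows):
        if abs(robust_z(value, baseline)) > threshold:
            run += 1
            if run >= consecutive:
                return i
        else:
            run = 0
    return None

# Constructed readings: counter value per control-loop iteration.
GOOD = [12010, 11990, 12005, 11998, 12002, 12007, 11995, 12001, 12003, 11997]
# Constructed live trace: one isolated glitch (index 2), then a sustained
# shift of about 60 counts starting at index 5.
LIVE = [12000, 12004, 12100, 11999, 12003, 12061, 12059, 12064, 12060]

if __name__ == "__main__":
    baseline = fit_baseline(GOOD)
    print("baseline (median, MAD):", baseline)
    print("alert at window:", detect(LIVE, baseline))
```

No database of known threats is consulted; the only input is the device's own known-good behaviour, which is why a baseline must be re-captured after every legitimate firmware update.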
The attack surface for inverters spans four layers:
- Communication protocols – IEEE 1547’s SunSpec Modbus, widely adopted but lacking encryption or authentication, allows attackers to manipulate control modes.
- Phase-locked loops (PLLs) – Compromising these algorithms can distort an inverter’s operational reference.
- Sensor false data injection – Corrupting voltage measurements can mislead an inverter’s decision-making.
- Firmware modification – The most difficult to detect without HPC-based methods.
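For the communication-protocol layer, the following added example (not from the research described here) shows a passive compensating check: parse Modbus/TCP requests and flag state-changing function codes from any source that is not an approved controller. The IP addresses, register addresses and frames are constructed, and the register addresses are not real SunSpec points.

```python
import struct

# Standard Modbus function codes that change device state.
WRITE_FUNCS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
               0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}

def parse_request(frame):
    """Parse a Modbus/TCP request; return a dict, or None if malformed."""
    if len(frame) < 12:  # MBAP header (7) + function (1) + address (2) + value/qty (2)
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    # Protocol id must be 0; length counts every byte after the length field.
    if proto != 0 or length != len(frame) - 6:
        return None
    func, addr = struct.unpack(">BH", frame[7:10])
    return {"unit": unit, "func": func, "addr": addr}

def audit(packets, allowed_writers):
    """Return alerts for malformed frames and for writes from unapproved sources."""
    alerts = []
    for src, frame in packets:
        req = parse_request(frame)
        if req is None:
            alerts.append((src, "malformed", None))
        elif req["func"] in WRITE_FUNCS and src not in allowed_writers:
            alerts.append((src, WRITE_FUNCS[req["func"]], req["addr"]))
    return alerts

def adu(tid, unit, pdu):
    """Build a Modbus/TCP frame; used only to construct the sample capture."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed capture: (source IP, raw frame).
SAMPLE = [
    ("10.0.0.5", adu(1, 1, struct.pack(">BHH", 0x03, 0x1000, 2))),   # read, approved
    ("10.0.0.5", adu(2, 1, struct.pack(">BHH", 0x06, 0x1010, 1))),   # write, approved
    ("10.0.0.99", adu(3, 1, struct.pack(">BHH", 0x06, 0x1010, 0))),  # write, unapproved
    ("10.0.0.99", b"\x00\x04\x00\x00"),                              # truncated frame
]
ALLOWED = {"10.0.0.5"}  # hypothetical site controller

if __name__ == "__main__":
    for alert in audit(SAMPLE, ALLOWED):
        print(alert)
```

A source-address allowlist is only as strong as the network segmentation behind it, since the protocol itself cannot prove who sent a frame.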
While individual inverter compromises may cause localized disruptions, coordinated attacks on 5–10% of a feeder’s capacity could trigger voltage violations or broader grid instability. Regulatory frameworks like the EU’s NIS2 and Cyber Resilience Act aim to address these risks, but enforcement remains fragmented. NIS2, transposed by October 2024, imposes cybersecurity obligations on operators but was not designed to function in isolation. The Cyber Resilience Act, with full enforcement delayed until late 2027, introduces vulnerability reporting requirements starting in 2026.
A key obstacle is vendor engagement. Konstantinou noted that some manufacturers lack clear disclosure procedures, complicating efforts to report vulnerabilities. Global enforcement of standards also poses challenges, as regional regulations struggle to achieve universal compliance. Despite proven detection methods, integrating firmware validation into existing communication standards hinges on policy and commercial decisions rather than technical limitations.
Ignitis Group TPRM report: https://www.rankiteo.com/company/ignitis-grupe
Growatt TPRM report: https://www.rankiteo.com/company/sma-solar
Sungrow TPRM report: https://www.rankiteo.com/company/sungrow-power-supply-co-ltd
"id": "ignsmasun1777703479",
"linkid": "ignitis-grupe, sma-solar, sungrow-power-supply-co-ltd",
"type": "Cyber Attack",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '22 critical infrastructure '
'clients',
'industry': 'Energy',
'location': 'Lithuania',
'name': 'Ignitis Group',
'type': 'Energy firm'},
{'customers_affected': '800 devices',
'industry': 'Energy',
'location': 'Japan',
'type': 'Solar monitoring devices'},
{'industry': 'Energy/Technology',
'name': ['Sungrow', 'Growatt', 'SMA'],
'type': 'Solar inverter manufacturers'}],
'attack_vector': ['Exploited known vulnerabilities',
'Unauthorized access to monitoring dashboards',
'Manipulation of communication protocols'],
'date_publicly_disclosed': '2024',
'description': 'Research highlights growing cybersecurity vulnerabilities in '
'solar inverters, demonstrating firmware-level attacks and '
'detection gaps. Recent incidents include exploitation of '
'vulnerabilities in solar monitoring devices and unauthorized '
'access to critical infrastructure dashboards. A detection '
'method using hardware performance counters (HPCs) has been '
'developed to monitor inverter firmware behavior, achieving '
'high accuracy but facing adoption challenges due to technical '
'and regulatory limitations.',
'impact': {'operational_impact': ['Localized disruptions',
'Potential grid instability from '
'coordinated attacks'],
'systems_affected': ['Solar inverters',
'Solar monitoring devices',
'Critical infrastructure monitoring '
'dashboards']},
'lessons_learned': 'Firmware-level attacks on solar inverters are technically '
'detectable but industry adoption of safeguards remains '
'limited. Regulatory frameworks like NIS2 and the Cyber '
'Resilience Act aim to address risks but face enforcement '
'challenges. Vendor engagement and global compliance are '
'key obstacles.',
'post_incident_analysis': {'corrective_actions': ['Develop purpose-built HPCs '
'for inverters',
'Integrate firmware '
'validation into '
'communication standards',
'Improve global compliance '
'with regulations like NIS2 '
'and Cyber Resilience Act'],
'root_causes': ['Lack of built-in HPCs in many '
'inverters',
'Absence of firmware integrity '
'checks in communication standards',
'Limited vendor engagement for '
'vulnerability disclosure',
'Fragmented regulatory '
'enforcement']},
'recommendations': ['Integrate HPC-based firmware validation into '
'communication standards',
'Improve vendor engagement for vulnerability disclosure',
'Enhance regulatory enforcement and global compliance',
'Adopt encryption and authentication in communication '
'protocols like SunSpec Modbus'],
'references': [{'source': 'Charalambos Konstantinou, KAUST SENTRY Lab'},
{'source': 'Forescout’s Vedere Labs'},
{'source': 'DARPA Radix Program'},
{'source': 'Intel Threat Detection Technology'}],
'regulatory_compliance': {'regulatory_notifications': ['EU NIS2 Directive',
'EU Cyber Resilience '
'Act']},
'response': {'enhanced_monitoring': 'Hardware performance counters (HPCs) for '
'firmware behavior monitoring'},
'title': 'Cybersecurity Risks in Solar Inverters: Firmware-Level Threats and '
'Detection Gaps',
'type': ['Firmware-level attack',
'Unauthorized access',
'Vulnerability exploitation'],
'vulnerability_exploited': ['Lack of encryption/authentication in SunSpec '
'Modbus',
'46 vulnerabilities in inverters from Sungrow, '
'Growatt, and SMA',
'Phase-locked loops (PLLs) compromise',
'Sensor false data injection']}