Charalambos Konstantinou, associate professor and principal investigator of the SENTRY Lab at KAUST in Saudi Arabia, has spent years simulating attacks on solar inverters and building methods to detect them. His lab's work sits at a layer beneath the monitoring-system compromises that have made headlines: the firmware itself, the code that governs how much current an inverter injects into the grid and at what phase.

“The takeaway message is that this firmware-level detection on solar inverters is technically viable,” Konstantinou told pv magazine. “What is missing is not the science. It’s just a connecting tissue between the inverters and the operators.”

The threat environment around inverter-connected systems has grown more concrete. In 2024, roughly 800 solar monitoring devices made by Contec were compromised in Japan through a known vulnerability, with attackers gaining unauthorized access. The same year, attackers accessed monitoring dashboards for 22 critical infrastructure customers of Lithuanian energy company Ignitis Group, according to trade press reports.

In 2025, security firm Forescout’s Vedere Labs disclosed 46 vulnerabilities across inverters from Sungrow, Growatt, and SMA. The advisory warned that exploitation could allow attackers to manipulate device functionality. All three cases involved monitoring or communication layers rather than direct firmware modification.

Konstantinou’s group uses hardware performance counters, originally designed for software performance analysis, to fingerprint what legitimate inverter firmware does at the chip level and detect whether it is behaving as expected. Unlike signature-based antivirus, the approach does not require a database of known threats. Earlier work achieved 97% detection accuracy on a commercial solar microinverter. “Later on, we had another work that shows that this can go up to 100% using just a single counter,” Konstantinou said.

The conceptual lineage of the approach is established in adjacent industries. Konstantinou said DARPA had an early program called Radix that proposed the underlying idea, that Intel productized it in 2021 as Threat Detection Technology, and that Microsoft Defender incorporated it for ransomware detection.

“The template exists,” he said. Applying it to solar inverters is harder on two fronts. Inverters are embedded microcontrollers, not general-purpose computers, and may lack built-in performance counters; his lab has proposed purpose-built counters derived from the firmware itself to address the silicon constraints. The deeper obstacle is structural.
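The counter-based detection described above works by profiling what known-good firmware does at the chip level and flagging departures from that profile. The following is an added illustration, not code from the SENTRY Lab or from any inverter vendor: it builds a per-counter baseline from readings taken while trusted firmware runs its control loop, scores later readings by their distance from that baseline, and supports the single-counter mode Konstantinou mentions. The counter names, the threshold and every sample value are constructed for the example; it also shows the caveat a practitioner would want, namely that a single counter only catches tampering that changes that counter.

```python
"""Hardware-performance-counter (HPC) fingerprinting of firmware behaviour.

Added example, not the SENTRY Lab's code. A statistical profile is built
from counter readings sampled while known-good firmware runs, and later
samples are flagged when they fall outside it. Counter names, sample
values and the threshold are constructed for illustration.
"""
from statistics import mean, pstdev

# Constructed: one reading per control-loop iteration of known-good firmware.
# Columns: instructions retired, branch mispredictions, L1 data-cache misses.
BASELINE = [
    (1200, 14, 31), (1204, 13, 30), (1198, 15, 33), (1202, 14, 29),
    (1201, 12, 32), (1199, 14, 31), (1203, 15, 30), (1200, 13, 32),
]
COUNTERS = ("instructions", "branch_misses", "l1d_misses")


def build_profile(samples):
    """Per-counter (mean, standard deviation) learned from known-good samples."""
    profile = {}
    for i, name in enumerate(COUNTERS):
        column = [s[i] for s in samples]
        profile[name] = (mean(column), pstdev(column))
    return profile


def zscores(profile, sample):
    """Distance of one reading from the baseline, in standard deviations."""
    out = {}
    for i, name in enumerate(COUNTERS):
        mu, sigma = profile[name]
        sigma = sigma or 1.0  # a perfectly constant counter still yields a usable distance
        out[name] = abs(sample[i] - mu) / sigma
    return out


def classify(profile, sample, threshold=4.0, counters=COUNTERS):
    """Return (is_anomalous, list of counters beyond the threshold).

    Passing a one-element `counters` tuple gives the single-counter mode.
    """
    z = zscores(profile, sample)
    offending = [c for c in counters if z[c] > threshold]
    return bool(offending), offending


if __name__ == "__main__":
    profile = build_profile(BASELINE)
    # Constructed readings: one normal, one with a bloated instruction count
    # (extra code in the loop), one with only the cache behaviour changed.
    for label, reading in [("normal", (1201, 14, 31)),
                           ("extra instructions", (1350, 14, 31)),
                           ("cache-only change", (1200, 14, 60))]:
        print(label, classify(profile, reading),
              "single-counter:", classify(profile, reading, counters=("instructions",)))
```

Using all three counters, both tampered readings are flagged; restricted to the instruction counter alone, the cache-only change slips through. Which single counter suffices therefore depends on how the firmware was modified, which is why the choice of counter is an empirical result of the kind the lab reports rather than a fixed rule.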

“The asset owner of the inverter, whether this is a utility or the independent power producer, has no way to see this signal coming out of the inverter, even if it’s being computed,” Konstantinou said. “Because the standards that we use today, they don’t carry this firmware integrity check.”

Konstantinou described the inverter attack surface across four layers. The first is the communication protocol. He said that when IEEE 1547 was updated in 2018, “it had a mandatory policy that inverters would expose grid support functions through a protocol called SunSpec Modbus.” Konstantinou’s group has published research in IEEE Transactions on Industrial Informatics demonstrating how an attacker can reach this protocol, shift register values, and push an inverter outside its intended control mode. “By changing these control modes, you can do the opposite and make the situation even worse,” he said.

Sandia National Laboratories has separately documented that SunSpec Modbus lacks over-the-wire encryption, node authentication, or key management, and that the protocol is a widely adopted interoperability profile rather than a normative requirement of IEEE 1547.

The second layer is the phase-locked loop, the algorithm that gives the inverter its operational reference. “If you can manipulate the PLL, you can manipulate the inverter’s whole sense of, let’s say, reality,” Konstantinou said. The third is sensor false data injection: corrupting voltage measurements at the point of common coupling, which corrupts the inverter’s entire reference frame. The fourth, and hardest to detect without HPC-based methods, is firmware modification itself.
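Because SunSpec Modbus carries no authentication or encryption, the only place an operator can see an unexpected control-mode change on the first layer is on the wire itself. The following is an added example, not from the article, Sandia or the SENTRY Lab: a small monitor that decodes Modbus/TCP request frames (the MBAP header and the write function codes 5, 6, 15 and 16 from the Modbus specification), keeps an audit record of writes to a protected register window, and raises an alert when a write comes from a host that is not the plant controller. The allowlisted address, the "protected" register window and the captured frames are all constructed; the window is a placeholder and not a real SunSpec model map.

```python
"""Monitor for Modbus/TCP write requests aimed at inverter control registers.

Added example, not code from the article or the SENTRY Lab. It decodes the
MBAP header and request PDU, then applies a constructed policy: only the
plant controller may write, and writes into a protected register window are
recorded even when they come from the controller. Frames are constructed.
"""
import struct

# Modbus function codes that change device state (from the Modbus specification).
WRITE_FUNCTIONS = {5: "write_single_coil", 6: "write_single_register",
                   15: "write_multiple_coils", 16: "write_multiple_registers"}

# Constructed policy values (placeholders, not a real SunSpec register map).
ALLOWED_WRITERS = {"10.0.5.10"}                 # hypothetical plant controller
PROTECTED_REGISTERS = range(40100, 40150)       # hypothetical control-mode window

# Constructed captures of the request side of four Modbus/TCP exchanges.
READ_FRAME = bytes.fromhex("0002 0000 0006 01 03 9CB8 000A")            # FC3 read 10 regs at 40120
WRITE_SINGLE_FRAME = bytes.fromhex("0001 0000 0006 01 06 9CB8 0002")    # FC6 write 40120 := 2
WRITE_MULTI_OUTSIDE = bytes.fromhex("0003 0000 000B 01 10 9D08 0002 04 0001 0002")  # FC16 at 40200
WRITE_MULTI_EDGE = bytes.fromhex("0004 0000 000D 01 10 9CD4 0003 06 0000 0000 0000")  # FC16 at 40148


def parse_frame(frame: bytes) -> dict:
    """Decode the MBAP header and the request PDU of one Modbus/TCP frame."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit, fc = struct.unpack(">HHHBB", frame[:8])
    if pid != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    pdu = frame[8:]
    req = {"tid": tid, "unit": unit, "fc": fc, "registers": [], "values": []}
    if fc in (5, 6):
        addr, value = struct.unpack(">HH", pdu[:4])
        req["registers"], req["values"] = [addr], [value]
    elif fc in (15, 16):
        addr, qty = struct.unpack(">HH", pdu[:4])
        req["registers"] = list(range(addr, addr + qty))
        if fc == 16:
            req["values"] = list(struct.unpack(">%dH" % qty, pdu[5:5 + 2 * qty]))
    return req


def check_request(src_ip: str, frame: bytes):
    """Return None for benign traffic, else a dict with a severity and reason."""
    req = parse_frame(frame)
    if req["fc"] not in WRITE_FUNCTIONS:
        return None                                  # reads do not change device state
    op = WRITE_FUNCTIONS[req["fc"]]
    hit = [r for r in req["registers"] if r in PROTECTED_REGISTERS]
    authorised = src_ip in ALLOWED_WRITERS
    if authorised and not hit:
        return None
    if authorised:
        severity = "info"       # expected, but control-mode changes are worth an audit trail
    elif hit:
        severity = "critical"   # unknown host altering the control-mode window
    else:
        severity = "alert"      # unknown host writing anything at all
    span = f" registers {hit[0]}-{hit[-1]}" if hit else ""
    return {"severity": severity, "src": src_ip, "op": op,
            "reason": f"{op} from {src_ip}{span}"}


if __name__ == "__main__":
    for src, frame in [("10.0.5.10", READ_FRAME), ("10.0.5.77", WRITE_SINGLE_FRAME),
                       ("10.0.5.10", WRITE_MULTI_OUTSIDE), ("10.0.5.10", WRITE_MULTI_EDGE)]:
        print(src, check_request(src, frame))
```

The "info" record for the controller's own writes matters as much as the alerts: a firmware integrity signal of the kind Konstantinou describes would need to be correlated with exactly this sort of audit trail before an operator could tell a legitimate setpoint change from a manipulated one.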

Scale is what converts individual compromises into systemic events. “Single inverter compromise, maybe get some economic harm or maybe some localized power quality issues,” Konstantinou said. “Things get interesting when the compromise is, let’s say, 5% or 10% of the feeder capacity, where you start seeing voltage violation limits.” A coordinated attack across a manufacturer’s installed base, he added, is where system stability events become possible.

The regulatory picture is incomplete. NIS2, whose transposition deadline across EU member states was October 2024, with enforcement dependent on national implementation, places obligations on large solar operators, independent power producers, and aggregators to manage cybersecurity risk across both IT and operational technology. Konstantinou said NIS2 alone is insufficient.

“NIS2 in isolation cannot fit the purpose of controlling and securing things,” he said. “But I think it was never designed to stand alone.” The EU’s Cyber Resilience Act addresses the manufacturing side. Konstantinou said the act is “not applicable until the end of the next year.”

Regulation EU 2024/2847 sets vulnerability reporting requirements from September 2026 and full enforcement from December 2027. “It’s a shared responsibility between manufacturers, legislation, policy, operators and utilities,” said Konstantinou. “The question is about enforcement.”

Vendor disclosure remains an immediate gap. “Some vendors have proper disclosure procedures, but others are very difficult to reach,” Konstantinou said. He noted that many people who have identified vulnerabilities in inverters have been unable to reach manufacturers to report them. Globalization constrains enforcement. “Maybe the EU is able to do that, the US or any other countries or regions, but it’s very difficult to enforce a universal standard,” he said.

“The proof is there,” Konstantinou said. “I think it’s about a matter of act upon it in order to integrate these firmware validation checks as part of the communication standards that exist today.”

Whether that happens, he said, is a policy and commercial question rather than a scientific one.
