As the world increasingly shifts toward sustainable energy, solar power has surged in popularity—now representing a $70 billion global market in 2024. However, with this growth comes a hidden threat: cybersecurity vulnerabilities that could undermine grid stability and user privacy.
At Black Hat Asia in Singapore, researchers from Forescout (Daniel dos Santos, Francesco La Spina and Stanislav Dashevskyi) presented nearly 50 security flaws affecting three major solar vendors: Sungrow, Growatt and SMA. Their findings exposed weaknesses across the whole solar ecosystem, from power inverters and connectivity dongles to mobile apps and backend cloud platforms.
Of the 46 newly discovered vulnerabilities, many stemmed from insecure direct object references (IDORs), weak credentials and poor access controls, basic issues that still plague the industry. Growatt inverters, for instance, could be hijacked remotely through the vendor's cloud platform, giving attackers unauthorized control over customers' solar systems. Sungrow devices could be fully compromised by combining hardcoded credentials with serial numbers that are easy to obtain.
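To make the IDOR pattern concrete, here is an added example that is not code from the Forescout research or from any vendor's platform. It models a toy cloud backend in which an authenticated user sets an inverter's output state by serial number. The vulnerable handler trusts the serial from the request; the hardened one checks that the calling account owns the device. All users, serials and function names (make_fleet, set_output_vulnerable, set_output_hardened, enumerate_and_disable) are made up for illustration, and the sequential serials stand in for the easily discovered identifiers described above.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Inverter:
    serial: str
    owner: str
    output_enabled: bool = True


class Forbidden(Exception):
    """Raised by the hardened handler for unknown or foreign devices."""


def make_fleet() -> dict[str, Inverter]:
    # Constructed sample fleet (hypothetical serials and owners).
    return {s: Inverter(s, o) for s, o in
            [("SN100001", "alice"), ("SN100002", "bob"), ("SN100003", "carol")]}


def set_output_vulnerable(fleet: dict[str, Inverter], session_user: str,
                          serial: str, enabled: bool) -> Inverter:
    """IDOR: the caller is authenticated, but the serial taken from the
    request is used as the object key with no check of who owns it."""
    device = fleet[serial]
    device.output_enabled = enabled
    return device


def set_output_hardened(fleet: dict[str, Inverter], session_user: str,
                        serial: str, enabled: bool) -> Inverter:
    """Same operation with an ownership check. Unknown and foreign serials
    map to the same error so the endpoint does not confirm that a serial
    exists, which would otherwise aid enumeration."""
    device = fleet.get(serial)
    if device is None or device.owner != session_user:
        raise Forbidden("not found")
    device.output_enabled = enabled
    return device


def enumerate_and_disable(handler, fleet: dict[str, Inverter], attacker: str,
                          start: int, count: int) -> list[str]:
    """What an attacker does once serials are guessable: walk the sequence
    with an ordinary account and try to switch every inverter off.
    Returns the serials that were actually disabled."""
    disabled = []
    for n in range(start, start + count):
        serial = f"SN{n}"
        try:
            handler(fleet, attacker, serial, False)
            disabled.append(serial)
        except (Forbidden, KeyError):
            pass
    return disabled


if __name__ == "__main__":
    fleet = make_fleet()
    print("vulnerable:", enumerate_and_disable(set_output_vulnerable, fleet, "mallory", 100000, 5))
    fleet = make_fleet()
    print("hardened:  ", enumerate_and_disable(set_output_hardened, fleet, "mallory", 100000, 5))
```

Against the vulnerable handler the attacker account "mallory", which owns nothing, disables all three devices in a handful of requests; against the hardened handler the same sweep disables none. The check belongs on every object-level operation, not only on the one shown here, and it should be enforced server-side regardless of what the mobile app sends.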
The risks are serious: attackers could form botnets using compromised inverters to manipulate power generation, disable systems, or trigger coordinated load spikes—potentially destabilizing the power grid and causing blackouts.
Forescout also noted that 80% of previously reported solar-system vulnerabilities were rated high or critical, many with CVSS scores of 9.8 or the maximum 10.0.
Though vendors have since patched the reported flaws, experts warn that a fundamental shift toward security-by-design is essential—especially as commercial solar installations become common in hospitals, factories, and government buildings.
To mitigate risks, researchers recommend adopting NIST and Department of Energy guidelines, segmenting networks, using secure development practices, and conducting third-party audits.
As solar energy becomes a key pillar of modern infrastructure, safeguarding it from cyber threats must become a top priority.