The world is rapidly transitioning towards renewable energy sources, a critical shift for combating climate change and ensuring a sustainable future. However, as the renewable energy sector grows exponentially, so too do the cybersecurity threats it faces. Recent warnings from the U.S. FBI have sounded the alarm on major threats affecting solar energy infrastructure, as have cybersecurity experts such as Vangelis Stykas of pen testing firm Atropos, who recently sat down with InCyber News to underscore the urgency of addressing these vulnerabilities before they lead to catastrophic consequences.

A Stark Warning from the FBI

In a recent Private Industry Notification (PIN), the FBI highlighted the increasing cyber threats to the renewable energy sector. The bureau specifically flagged the risk of unauthorized access through solar panel inverters, which convert direct current (DC) energy into alternating current (AC) electricity. The integration of these systems with the internet, while beneficial for monitoring and management, significantly heightens their risk profile, making them susceptible to serious threats, including power disruptions, hardware damage, or ransomware attacks.

Until now, these kinds of attacks have been relatively rare, but the FBI clearly believes that, as the green transition accelerates and components like solar inverters are ever-more interconnected, the frequency and severity of these attacks will increase, with the potential that successful attacks could lead to widespread grid destabilization.

Vangelis Stykas: Research Uncovers Alarming Vulnerabilities

The FBI's warning only confirms what leading security experts have uncovered. Vangelis Stykas, the Chief Technology Officer and co-founder of cybersecurity firm Atropos addressed the OWASP conference in Lisbon in June to present a comprehensive analysis of vulnerabilities in EV chargers and solar panel components, revealing a disturbing lack of security preparedness among a wide range of manufacturers.

"I was able to gain administrator level access on several platforms," Stykas explained to InCyber News, shedding additional insight on the concerning findings he presented at OWASP. "With this access, I could remotely push firmware updates, potentially 'breaking' photovoltaic chargers and EVs and, in some cases, causing them to catch fire."

The vulnerabilities that Stykas identified did not surprise him, he told InCyber—but "what was unexpected was the ease with which these vulnerabilities were found and the general ignorance about them."

While Stykas did identify a number of vulnerabilities in EV charging equipment, he noted that the manufacturers of the flawed infrastructure (China-based SHENZHEN; China-based GROWATT; Netherlands-based EVBOX; Spain-based WALLBOX; UK-based EOHUB; California-based CHARGEPOINT) all responded at some point to his disclosures and, more or less promptly, resolved the vulnerabilities.

Stykas's more alarming findings concerned inherent weaknesses in the APIs used by leading solar technology manufacturers. Stykas identified several critical vulnerabilities in components, specifically PV inverters, which were predominantly manufactured by Chinese companies, such as SOLARMAN, SOLAX, SUNSYNK, and GROWATT. These vulnerabilities include Insecure Direct Object References (IDOR), broken authentication and authorization mechanisms, and remote command execution (RCE) capabilities—flaws that could allow attackers to gain full admin-level control of solar systems on people's homes, manipulate their settings and potentially disrupt entire power grids.

IDOR vulnerabilities, for example, arise when user-controlled values allow access to objects or functions directly and could permit attackers to access user accounts on a solar inverter without proper authorization and alter the system's configuration. In several cases, Stykas found that these vulnerabilities allowed full access to the inverter and its administrative accounts, offering cybercriminals the chance to manipulate and even brick the device.

Stykas also managed to obtain Remote Command Execution (RCE) on these inverters, which is a particularly dangerous achievement. The ability to execute commands remotely basically means a hacker can take full control of a device remotely. Given the increasingly important role that renewable energy plays in the overall energy mix, such vulnerabilities pose a major risk to power grids.

Are leading manufacturers concerningly slow to take action?

One of the most troubling aspects of Stykas's findings was the relatively indifferent response from the companies he notified about these vulnerabilities. "Vulnerabilities will always appear. What matters is how one reacts and how quickly they are fixed. That's what makes a good, reliable provider," Stykas underscored. "Two of the five photovoltaic manufacturers responded and fixed the vulnerabilities after my interventions. The others ignored me. All acknowledged receiving my email, but only two acted. [...] Most vulnerabilities are still present, and unfortunately, someone will exploit them at some point."

This kind of attitude toward critical cybersecurity vulnerabilities is certainly concerning—and dangerous. The rush to market and cost-cutting measures may have led to the widespread adoption of insecure components, creating a large-scale vulnerability that could easily be exploited by state-sponsored actors or criminal organizations, with major deleterious consequences. The fact that many of the components in which researchers like Stykas have identified vulnerabilities are manufactured by companies in China, given the country's long history of cyber espionage—including in the energy sector—adds an additional layer of national security concern to the issue.

A Threat with Wide-Ranging Potential Consequences

Indeed, repeated discoveries of serious vulnerabilities in renewable energy infrastructure components manufactured by a wide range of companies raise the very real fear that bad actors could exploit these flaws to disrupt critical infrastructure in countries around the world. This threat is compounded by the interconnected nature of power grids, where an attack on one part of the system can have cascading effects across entire regions.

"There's a thorough study called the Horus scenario," Stykas explained to InCyber. "Willem Westerhof provided theoretical proof that if enough photovoltaic systems are attacked, it could severely destabilize the grid. In Europe, national grids are so interconnected that an attack could black out an entire continent. It's theoretical, but it could happen before other non-renewable energies like nuclear or coal take over to stabilize the grid."

A wide range of actors carry their own share of the responsibility to prevent such a catastrophic scenario. "Suppliers should always check their own security, do penetration tests, and follow security checklists," Stykas emphasized. "Unfortunately, governments and other regulatory bodies are lagging. Regulation must start requiring suppliers to have proper security protocols. Regulators, especially in Europe, are good at regulating; that's not the problem. The problem is there's no regulation yet for photovoltaics. [... ] NIS 2 is a good starting point, but we need stricter regulations specific to photovoltaics and EV chargers."

As Stykas underlined, the transition to renewable energy is vital for our planet's future but must not come at the expense of security. The continued warnings from law enforcement authorities and researchers alike serve as a stark reminder that the flaws in our renewable energy infrastructure are real and potentially devastating. Addressing these vulnerabilities head-on is essential to building a sustainable and secure future.