Solar power systems show critical cybersecurity vulnerabilities

Solar infrastructure has a security problem. And it’s growing fast.

Forescout researchers Daniel dos Santos, Francesco La Spina, and Stanislav Dashevskyi just found 46 new cybersecurity vulnerabilities across products made by some of the industry’s biggest players: Growatt, Sungrow, and SMA. These aren’t obscure backdoor issues buried in complex codebases. They hit core components that run household and industrial solar systems: inverters, mobile apps, cloud platforms, and network interfaces.

Now, what does this mean for you as a decision-maker running a business or government agency? These bugs aren’t just about someone flipping off your solar panels. They allow attackers to remotely hijack the entire system. They could control power flows, steal user data, and run botnets that manipulate electricity generation on a massive scale. Disruption becomes easy. Scaling it to affect real grid performance is also very possible.

Here’s one example if you’re curious. Growatt inverters had flaws that made it possible to take full control via the cloud, no physical access needed. Sungrow devices had serial numbers and login fragments embedded in the firmware, making remote code execution and complete system takeover trivial for anyone with internet access and average skills.

These vulnerabilities affect every level of the solar tech stack. Not just one access point. Not just one brand. And that’s the real issue. It means the problem is systemic. Yet, these are affordable systems being installed at speed worldwide, with minimal attention given to locking the digital doors. That’s not sustainable.

The scale of solar matters. In 2024, the global solar power market hit $70 billion. That’s a lot of nodes. A lot of interconnected systems. Any flaw in the supply chain could be exploited at scale, with real consequences for energy resilience and business continuity.

You don’t need to pause progress, just match it with security.

Forescout’s finding is clear: cybersecurity has to scale with clean energy innovation. Every connected solar device is an edge node on your network. If you don’t control its security, someone else might.

The chronic lack of basic cybersecurity practices in the renewable energy sector

What’s more concerning than finding new bugs? Finding the same old ones, again and again.

Over 30 of the 46 vulnerabilities uncovered by Forescout fall into one well-documented category: insecure direct object references (IDORs). These are widely known issues. They’re already featured in every top 10 list of critical web vulnerabilities maintained by security experts globally. Which means they should have been addressed long before these systems went to market.

That didn’t happen.

The team, Daniel dos Santos, Francesco La Spina, and Stanislav Dashevskyi, wasn’t surprised by the volume of issues. They’ve seen this before across other industries. What caught them off guard is how elementary these security gaps are. Logging into systems with hardcoded credentials found in public firmware? Sending unauthenticated HTTP requests to gain control?

For C-suite leaders, the takeaway here is practical. Security isn’t keeping pace with innovation in renewable energy. Vendors are pushing products to market without embedding even minimal safeguards. That exposes your energy infrastructure to real-world threats, from loss of data to loss of power continuity. This is operational risk in plain view.

And it’s industry-wide. Vulnerabilities were seen across products, from consumer-level solar inverters to industrial monitoring software. This isn’t an isolated case of one vendor cutting corners. It’s a widespread absence of secure development cycles.

Addressing this doesn’t require breakthrough technology. It requires applying existing principles consistently: access control, proper credential management, secure firmware updates, and real-time vulnerability monitoring.
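To make the access-control principle concrete for the IDOR class discussed above, here is an added example (not code from Forescout or any vendor named in this article) showing a handler that trusts the object ID, the same handler with an ownership check, and a simple log review for accounts requesting objects they do not own. The plant IDs, account names, and log entries are all constructed assumptions.

```python
from collections import defaultdict

# Constructed data: plant_id -> owning account (hypothetical cloud platform)
PLANT_OWNER = {"plant-1001": "alice", "plant-1002": "bob", "plant-1003": "carol"}
PLANT_DATA = {pid: {"plant_id": pid, "output_kw": 4.2} for pid in PLANT_OWNER}


def get_plant_vulnerable(session_user, plant_id):
    """IDOR: the ID in the request is trusted; ownership is never checked."""
    plant = PLANT_DATA.get(plant_id)
    return (200, plant) if plant else (404, None)


def get_plant_hardened(session_user, plant_id):
    """Object-level authorization: the caller must own the requested plant.

    Unknown and not-owned IDs both return 404, so responses do not
    reveal which IDs exist.
    """
    if not session_user:
        return (401, None)
    if PLANT_OWNER.get(plant_id) != session_user:
        return (404, None)
    return (200, PLANT_DATA[plant_id])


def flag_foreign_access(access_log, threshold=2):
    """Return accounts that requested >= threshold distinct plants they do not own."""
    foreign = defaultdict(set)
    for user, plant_id in access_log:
        if PLANT_OWNER.get(plant_id) != user:
            foreign[user].add(plant_id)
    return sorted(u for u, ids in foreign.items() if len(ids) >= threshold)


# Constructed access log: (authenticated user, requested plant_id)
SAMPLE_LOG = [
    ("alice", "plant-1001"),
    ("bob", "plant-1001"),
    ("bob", "plant-1003"),
    ("bob", "plant-1004"),
    ("carol", "plant-1003"),
]

if __name__ == "__main__":
    print(get_plant_vulnerable("bob", "plant-1001"))  # another user's plant is returned
    print(get_plant_hardened("bob", "plant-1001"))    # rejected
    print(flag_foreign_access(SAMPLE_LOG))
```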

The lack of attention to fundamentals indicates a larger issue: security still isn’t part of the core product mindset in much of the renewable sector. And that needs to change, especially as solar installations become embedded in government facilities, hospitals, and industrial networks.

Vulnerabilities pose risks, capable of triggering large-scale disruptions

When solar tech is compromised, the damage isn’t limited to a single device or home. It affects the grid.

That’s one of the clearest warnings from the Forescout team. Once attackers gain access to solar inverters through weak points like insecure APIs or hardcoded credentials, they can manipulate energy flows in real-time. That includes altering power output, switching inverters off and on, or linking multiple compromised systems into a coordinated botnet. The impact is cumulative and can quickly overwhelm local grid balances.

This is within reach for attackers today, using exploits revealed in mainstream security frameworks. If 10,000 devices respond to the same malicious trigger, you have sudden load fluctuation across a critical energy grid. Depending on the grid’s emergency generation capacity and latency, that could cause shutdowns, grid imbalances, or force disconnection from external networks.

The risk amplifies with scale. Solar adoption isn’t limited to smart homes; it’s expanding into hospitals, public sector infrastructure, airports, and manufacturing hubs. The moment solar systems become operational assets within critical infrastructure, these vulnerabilities carry more weight. They create new entry points into places that were never designed to handle high-volume cyber attacks.

Executives leading industrial operations, facility management, or national infrastructure should be focused on two things: how deeply solar tech is embedded across their endpoints, and how effectively those endpoints are isolated, patched, and monitored.

The reality is that this threat is no longer hypothetical. And for leaders responsible for uptime, safety, or national service delivery, it’s not acceptable to passively depend on vendors to fix it first. The exposure is yours to manage.

The latest report from Forescout confirms the trend: over ten new vulnerabilities per year have been disclosed in solar power systems over the past three years, 80% ranking high or critical. One-third of them score a 9.8 or 10 on the CVSS scale. That means complete system takeover is possible.

When the parts you install increase the vulnerability of your whole operation, you need to make changes fast, before attackers notice the same patterns the researchers already have.

The urgent need for secure-by-design practices and immediate risk mitigation actions

The problem is that these vulnerabilities keep recurring every year in more products, with more risk. This reflects a broader failure to build cybersecurity into the architecture of solar systems from the start.

Forescout’s analysts have compiled data showing more than 90 publicly disclosed solar system vulnerabilities to date. Over the last three years, an average of 10+ new ones are found annually. Eight out of ten are considered either high or critical risk. And 32% carry a CVSS score close to the maximum: 9.8 or 10.

For leaders overseeing infrastructure, this is the time to shift posture. Relying on retrofit solutions after systems are deployed isn’t scalable. The smarter approach is to harden the system before it connects to your operations.

That starts with design, procurement, and deployment strategy. Devices like inverters need to be treated as part of your core infrastructure, not consumer accessories. Security shouldn’t be left to device makers alone. You have to enforce standards across your supply chain, require security certifications during procurement, and structure networks so that solar assets are isolated and monitored as if they were OT systems, because they now are.

Forescout recommends strict segmentation of solar components on dedicated subnetworks, visibility tools for real-time monitoring, and early integration of frameworks like those from NIST or the U.S. Department of Energy. For European deployments, aligning with the Cyber Resilience Act, ETSI EN 303 645, and Radio Equipment Directive moves you ahead of the curve.
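One way to verify that segmentation actually holds is to audit flow records against the intended policy. The following is an added example, not tooling from Forescout; the subnet, management host, vendor cloud range (a documentation placeholder), and flow records are constructed assumptions.

```python
import ipaddress

# Constructed addressing plan (assumptions for illustration)
SOLAR_NET = ipaddress.ip_network("10.50.0.0/24")    # dedicated inverter subnet
MGMT_HOSTS = {ipaddress.ip_address("10.10.0.5")}     # monitoring host
ALLOWED_EGRESS = [                                   # (destination network, port)
    (ipaddress.ip_network("203.0.113.0/28"), 443),   # placeholder vendor cloud range
    (ipaddress.ip_network("10.10.0.5/32"), 123),     # internal NTP
]


def check_flow(src, dst, dport):
    """Return None if the flow fits the segmentation policy, else a reason."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in SOLAR_NET and d in SOLAR_NET:
        return None  # intra-segment traffic is out of scope for this check
    if s in SOLAR_NET:
        if any(d in net and dport == port for net, port in ALLOWED_EGRESS):
            return None
        return "solar device egress to non-allowlisted destination"
    if d in SOLAR_NET:
        if s in MGMT_HOSTS:
            return None
        return "inbound to solar segment from non-management host"
    return None  # flow does not involve the solar segment


def audit(flows):
    """Return (src, dst, dport, reason) for every flow that breaks the policy."""
    findings = []
    for src, dst, dport in flows:
        reason = check_flow(src, dst, dport)
        if reason:
            findings.append((src, dst, dport, reason))
    return findings


# Constructed flow records: (source IP, destination IP, destination port)
SAMPLE_FLOWS = [
    ("10.50.0.11", "203.0.113.4", 443),   # inverter to vendor cloud: allowed
    ("10.50.0.11", "10.20.0.30", 445),    # inverter to office file server
    ("10.10.0.5", "10.50.0.11", 502),     # monitoring host polls inverter: allowed
    ("10.20.0.77", "10.50.0.12", 80),     # office workstation to inverter web UI
    ("10.50.0.12", "198.51.100.9", 443),  # inverter to unknown internet host
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```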

On the vendor side, expectations must change. Secure software development cycles, penetration testing, and third-party audits should be non-negotiable. Security can’t remain an afterthought.

Daniel dos Santos, Head of Security Research at Forescout, put it plainly: “It’s for businesses to worry about securing them as well… and making sure they are isolated in the network and that they are updated.”

You don’t have to slow down deployment. But you do need to rebuild the process to include security. Any organization not doing this is welcoming operational risk into its own grid.

Main highlights

  • Solar systems introduce growing grid-level cyber risk: Vulnerabilities in mainstream solar devices from vendors like Growatt, Sungrow, and SMA expose core energy infrastructure to potential remote attacks. Leaders should ensure solar assets are treated as critical systems with dedicated security protocols.
  • Basic security failures indicate systemic industry gaps: Over 30 of the 46 identified threats were preventable flaws like IDORs, signaling that vendors are not following basic cybersecurity hygiene. Executives must require security-by-default in solar procurement and verify practices upfront.
  • Vulnerabilities can trigger large-scale service disruptions: Compromised solar inverters can be exploited to manipulate grid output in real time, risking blackouts and emergency load responses. Operational leaders should prioritize segmenting and monitoring solar networks to contain system-level threats.
  • Secure-by-design must become standard for energy tech: With over 90 security flaws identified in recent years, most ranked high or critical, leaders can no longer afford reactive fixes. Organizations should embed cybersecurity into the design, procurement, and lifecycle management of all solar implementations.

Alexander Procter

April 8, 2025
