Inverter-based resources (IBRs), including solar photovoltaics and battery energy storage systems, present distinct cybersecurity challenges due to their dependence on networked monitoring and control. Their rapid deployment across residential, commercial and industrial settings creates a highly distributed footprint. Combined with remote connectivity requirements, this expansion introduces new attack surfaces and amplifies system vulnerabilities.
In solar power systems, panels generate direct current (DC) that is converted to alternating current (AC) by photovoltaic (PV) inverters before being fed into the grid. In residential and commercial installations, these inverters often connect to the internet through serial communication dongles using Wi-Fi, general packet radio service (GPRS), 4G or wired connections. Data is transmitted to cloud services via protocols such as MQTT, enabling remote monitoring, visualization and management of millions of distributed devices. Some inverter models bypass dongles entirely, connecting directly to the cloud. Owners typically interact with these platforms through mobile or web applications, often using HTTP during setup and configuration.
By contrast, utility-scale inverters are usually integrated into local supervisory control and data acquisition (SCADA) or energy management systems. They operate over secure, private networks using industrial protocols such as Modbus, DNP3 or IEC 61850, with data managed on-site. While this architecture reduces exposure to internet-based threats, it is not immune. Risks persist from misconfigured firewall rules, insufficient network segmentation, insecure remote access pathways and unpatched protocol vulnerabilities. Emerging practices such as the adoption of cloud-based analytics and digital twin technologies further complicate the landscape. If not properly segmented from operational networks, these tools can reintroduce external attack vectors into systems otherwise designed for isolation.
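The segmentation risk described above can be checked mechanically. The following is an added example, not part of the original page: it audits a rule set for allow rules that let sources outside the OT zone reach inverters on the standard TCP ports of Modbus, DNP3 or IEC 61850 MMS. The rule format, the addresses and the zone layout are constructed assumptions, and each rule is judged on its own, without rule-order or shadowing analysis.

```python
import ipaddress

# Standard TCP ports of the industrial protocols named in the text.
ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 102: "IEC 61850 MMS"}

# Assumed site layout (constructed): approved OT zone and the inverter subnet.
OT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
INVERTER_NET = ipaddress.ip_network("10.20.30.0/24")

# Constructed rules: (action, source CIDR, destination CIDR, "low-high" ports).
SAMPLE_RULES = [
    ("allow", "10.20.10.0/24", "10.20.30.0/24", "502-502"),      # SCADA to inverters
    ("allow", "0.0.0.0/0",     "10.20.30.0/24", "20000-20000"),  # any source to DNP3
    ("allow", "10.50.0.0/16",  "10.20.0.0/16",  "1-1024"),       # corporate LAN, wide range
    ("allow", "192.0.2.0/24",  "10.20.30.0/24", "443-443"),      # HTTPS only
    ("deny",  "0.0.0.0/0",     "10.20.30.0/24", "1-65535"),
]

def source_is_confined(src_net):
    """True when every address in src_net lies inside an approved OT network."""
    return any(src_net.subnet_of(net) for net in OT_NETWORKS)

def audit(rules):
    """Return (rule index, source, exposed protocols) for each risky allow rule."""
    findings = []
    for index, (action, src, dst, ports) in enumerate(rules):
        if action != "allow":
            continue
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        # Only rules that reach the inverter subnet from outside the OT zone matter.
        if not dst_net.overlaps(INVERTER_NET) or source_is_confined(src_net):
            continue
        low, high = (int(p) for p in ports.split("-"))
        exposed = sorted(n for port, n in ICS_PORTS.items() if low <= port <= high)
        if exposed:
            findings.append((index, src, exposed))
    return findings

if __name__ == "__main__":
    for index, src, exposed in audit(SAMPLE_RULES):
        print(f"rule {index}: {src} can reach inverters via {', '.join(exposed)}")
```

The wide port range in the third sample rule is flagged even though it never names an industrial port, which is how such exposure usually slips past a manual review.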
There are three primary categories of solar power system installations:
- Residential: Typically consist of 6 to 20 rooftop panels, producing between 5 and 15 kilowatts (kW) of electricity, which is generally sufficient to power a single home.
- Commercial: Larger systems that generate approximately 100 kW or more, designed to meet the energy demands of businesses ranging from small retail operations to large industrial facilities.
- Utility-scale: Comprise hundreds to thousands of ground-mounted panels in expansive solar farms, producing at least 1 megawatt (MW) of power. These systems are commonly owned and operated by electric utility companies.
A significant share of residential and commercial string inverters are equipped with wireless connectivity to cloud platforms, many of which are operated by Chinese companies. Six of the world’s top 10 solar power system vendors, including inverter manufacturers, are headquartered in China. As a result, more than half of all inverters are both owned and manufactured in China, while another 30% are produced in Chinese facilities on behalf of U.S. or other international companies. This concentrated supply chain raises serious cybersecurity concerns. Risks include remote firmware updates routed through foreign-controlled infrastructure, persistent internet connectivity that enlarges the attack surface, and the possibility of hardware-level compromises such as embedded rogue communication devices. Equally concerning is the potential for deliberate actions by the manufacturer, or for the exploitation of vulnerabilities, that push malicious firmware at scale and jeopardize the security and reliability of deployed systems.
Although utility-scale inverters are not typically connected to public cloud services, they remain exposed to similar risks. Utilities often enforce strict network segmentation and prohibit direct internet-based remote access to inverter equipment. Even so, investigations have revealed instances of inverters and batteries, particularly those manufactured in China, containing undocumented communication hardware, such as embedded cellular radios. These components create covert communication channels that can bypass firewalls and monitoring systems. In parallel, utilities continue to depend on vendor-supplied firmware and update packages. If compromised in the supply chain, these updates could deliver malicious code into critical infrastructure. The SolarWinds breach demonstrated how trusted update mechanisms can be exploited to insert backdoors at scale. A comparable compromise within the inverter supply chain could have severe implications for grid stability and national energy security.
Commercial and residential inverters represent a critical intersection of high likelihood and high impact. These systems often operate with weaker security controls, creating a broad and vulnerable attack surface. The risk is amplified by the growing aggregate generation capacity of distributed solar resources, which now supply a substantial share of daytime demand in many regions. This makes them both more attractive targets and more capable of leading to large-scale disruption. Potential threats include unauthorized configuration changes, remote shutdowns and tampering with safety mechanisms, any of which could result in localized or neighborhood-scale outages. More severe risks arise if attackers disable anti-islanding protections or override export limits, as the resulting grid imbalances could escalate into transmission-level instability, undermining overall grid reliability. Figure 5 illustrates how vulnerabilities in string inverters can be exploited to trigger these types of outcomes.
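Because the impact described above comes from aggregate capacity rather than any single device, a fleet operator can correlate safety-relevant setting changes across inverters. The following is an added example, not part of the original page: it raises an alert when changes within a sliding window touch devices whose combined capacity crosses a threshold. The event format, parameter names, window and threshold are hypothetical, and the events are constructed.

```python
from collections import deque

WINDOW_S = 600        # assumed correlation window, in seconds
THRESHOLD_KW = 50.0   # assumed aggregate capacity that warrants an alert

# Constructed events: (unix time, device id, capacity kW, parameter, new value).
SAMPLE_EVENTS = [
    (0,    "inv-001", 10.0, "export_limit_kw", 8.0),
    (7200, "inv-003", 15.0, "anti_islanding_enabled", False),
    (7230, "inv-004", 15.0, "anti_islanding_enabled", False),
    (7260, "inv-003", 15.0, "export_limit_kw", 15.0),
    (7290, "inv-005", 10.0, "operating_state", "shutdown"),
    (7320, "inv-006", 12.0, "anti_islanding_enabled", False),
    (7350, "inv-007", 6.0,  "firmware_channel", "stable"),
]

def is_safety_relevant(param, value):
    """Changes matching the threats in the text: disabled anti-islanding
    protection, altered export limits and remote shutdowns."""
    if param == "anti_islanding_enabled":
        return value is False
    if param == "export_limit_kw":
        return True
    if param == "operating_state":
        return value == "shutdown"
    return False

def detect_bursts(events):
    """Return (time, devices, total kW) each time the window crosses the threshold."""
    window, alerts, alerting = deque(), [], False
    for ts, dev, kw, param, value in sorted(events, key=lambda e: e[0]):
        if not is_safety_relevant(param, value):
            continue
        window.append((ts, dev, kw))
        while ts - window[0][0] > WINDOW_S:
            window.popleft()
        # Count each device once, however many settings were changed on it.
        affected = {d: k for _, d, k in window}
        total = sum(affected.values())
        if total >= THRESHOLD_KW and not alerting:
            alerts.append((ts, sorted(affected), total))
        alerting = total >= THRESHOLD_KW
    return alerts

if __name__ == "__main__":
    for ts, devices, total in detect_bursts(SAMPLE_EVENTS):
        print(f"t={ts}: {total} kW affected across {len(devices)} inverters")
```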