[…]

Despite years of debate about supply chain resilience, more than 70 percent of the world’s solar inverters come from Chinese manufacturers. The three biggest players – Huawei, Sungrow, and Ginlong Solis – are all Chinese. Here lies the first paradox: Huawei has been banned from a large portion of Europe’s 5G networks due to national security concerns, yet its technology is welcomed into the power grid.

[…]

Only a few countries, such as Estonia and the United Kingdom, appear to recognize this inconsistency. After banning Huawei from its 5G infrastructure, Estonia is now sounding the alarm as the same company pivots aggressively into the energy domain. Britain faces a similar dilemma. As reported by the Telegraph, experts warn that allowing a company once deemed a national security threat in telecommunications to build the digital backbone of the UK’s clean energy transition is a dangerous contradiction. Lithuania has gone a step further. In April 2024, it became the first EU country to act decisively, passing a law explicitly banning China from remotely accessing and controlling the digital systems of its renewable energy assets, treating Chinese remote access as what it really is: a national security vulnerability.

[…]

The timeline of incidents targeting electric energy infrastructure over the last decade tells a clear story: the two most persistent, well-resourced, and strategically focused actors are Russia and China.

Take Russia’s GRU-affiliated hacking group Sandworm, responsible for the 2015 and 2016 cyberattacks on Ukraine’s power grid. The 2015 attack caused widespread blackouts using relatively crude malware, but by 2016, Sandworm deployed Industroyer – the first malware designed specifically to disrupt grid operations. These attacks caused severe blackouts, directly impacting civilian populations. In 2022, during Russia’s full-scale invasion of Ukraine, Sandworm resurfaced with Industroyer2, aimed at high-voltage substations. This time, however, Ukrainian defenders successfully neutralized the threat before it could trigger widespread outages.

[…]

Unlike Russia’s smash-and-break approach, China prioritizes stealth: it uses legitimate tools to move undetected, blending into normal operations, to hold leverage until the moment arises. For years, Chinese state-linked groups have methodically infiltrated foreign cyberspace. The recently exposed Volt, Salt, and Flax Typhoon threat actors were just the latest chapters of this long-term strategy.

[…]

Beijing fosters dependence on China-dominated supply chains, and then weaponizes these links. When political tensions rise, Beijing does not hesitate to act. Lithuania experienced this firsthand after strengthening ties with Taiwan, prompting China to block Lithuanian goods at customs and choke its exports. In Czechia, security concerns over Huawei’s role in 5G networks were met with direct economic threats, with Chinese officials warning that the exclusion of Huawei would lead to retaliation that would impact the country’s GDP growth.

[…]

The nightmare scenario is a coordinated remote shutdown. Tens or hundreds of thousands of inverters could be disabled by remote command. Within seconds, gigawatts of solar generation would vanish from the power grid. Europe’s transmission system can typically absorb a sudden 2-to-5-gigawatt loss without falling apart. Push beyond 10 gigawatts, and you risk cascading failures. Grid sections would start detaching themselves to survive, frequency would plummet, spinning reserves would struggle to keep up, resulting in fragmentation and rolling blackouts.

But crude shutdowns are not the only threat. Modern solar inverters can be remotely switched from supplying real power to injecting reactive power – a change that can destabilize voltage profiles across the grid. A sudden surge of reactive power could overload compensation systems, trigger protection relays, and knock sensitive generators offline – without any clear sign of sabotage. Thousands of inverters, acting in sync, could ripple distortions across Europe’s power grid and destabilize entire regions.

[…]

Defusing the hidden risks requires action in at least four areas:

  • Recognize Solar as Critical Infrastructure: Solar inverters are active participants in grid stability. From a cybersecurity perspective, they must no longer be treated as low-risk consumer electronics; instead, strict cybersecurity standards must be applied by design.
  • Rethink Power Grid Defense: Distributed solar assets are scattered across millions of rooftops, with no unified defense perimeter. Because of this, the same protection strategies used for centralized assets like nuclear power plants cannot be applied. The rise of distributed critical infrastructure demands a redefinition of what critical infrastructure means, as well as a new methodology for securing millions of interconnected, remotely accessible assets.
  • Prohibit Remote Access from Adversarial Jurisdictions: Following Lithuania’s example, the EU must ban remote access from adversarial countries. Remote access must be restricted exclusively to trusted entities operating under European or allied partners’ legal frameworks.
  • Diversify the Supply Chain: The EU must move beyond slogans and actively support European and allied manufacturers struggling to compete with China’s heavily subsidized, state-backed solar technology.

[…]

  • A_norny_mousse@feddit.org · 28 up / 1 down · 4 days ago

    China has had the world by its balls for a long while through (consumer) electronics. But that’s largely because of low prices, not because of know-how.

    An inverter is a relatively simple device. I understand it needs to be accessed remotely but not to make it work per se.

    How about we let China make the hardware but not the firm/software? We have the know-how.

    Once again it comes down to digital sovereignty.

    • Valmond@lemmy.world · 12 up / 1 down · 4 days ago

      You can always hide stuff in the hardware; a new paradigm would be needed, like who gets access to these unsecured (it seems, how the hell are they shutting them down otherwise) inverters.

      • IsoKiero@sopuli.xyz · 9 up · 4 days ago

        Industrial automation should be strictly firewalled (or even airgapped) anyways, no matter the manufacturer. Giving any kind of unmonitored remote access to anyone outside the company actually running the thing is asking for trouble.

        If the power plant owner decides to trust Huawei (or any other entity) that’s on them. Obviously the grid management should also make rules about this stuff, but in general if you leave your SCADA/whatever system open to the internet you’re pretty much asking for someone to break your stuff. Maybe it’s the Chinese government, maybe it’s the neighbour’s kid, maybe it’s some IT student in Latvia, who knows.

        And securing your stuff inside a private VLAN or whatever is neither difficult nor expensive. Not in total euros spent and especially not compared to the damages and fines you’d need to pay after something goes wrong enough.

      • A_norny_mousse@feddit.org · 2 up / 1 down · edited · 4 days ago

        They are getting access through software. Just read the first sentence of the article.

        The way I understand it is if you order a large enough batch they will produce whatever you want, from an actual plan of a circuit board etc.

        Of course they could theoretically still install something there, but nobody has complained about it wrt iPhones, to give but one example. Or various alternative devices like Pine64 offers.

        That’s what I mean with know-how: we don’t need them to design the stuff for us. We mostly depend on the cheap prices of manufacture.

        Sure, designed in Europe and built in China would still be more expensive but not prohibitively so, as opposed to designed AND built in Europe, from scratch.

        • Reddfugee42@lemmy.world · 3 up / 1 down · 4 days ago

          We read the article. Snark is offensive and unnecessary. As long as they control the hardware, they can put back doors in there if they lose access to the software.

  • Buffalox@lemmy.world · 10 up · edited · 4 days ago

    70 percent of world’s solar inverters come from Chinese manufacturers.

    It’s pretty easy to disconnect them from the internet though. So if you suspect they might shut you off, just don’t connect it to the internet.

    • Eril@feddit.org · 3 up · 4 days ago

      Or use some proper firewall and allow access only to whoever actually needs it.
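Both IsoKiero's point above (firewall or air-gap industrial automation, and give nobody outside the operator unmonitored remote access) and Eril's (a proper firewall that allows access only to whoever actually needs it) come down to an explicit allow-list for the inverter segment. The script below is an added example written for this page, not code from the thread, from any commenter, or from any inverter vendor: it audits constructed flow records from a hypothetical inverter management VLAN against such an allow-list and reports every flow that falls outside it. All addresses, ports, host roles and log lines are constructed assumptions.

```python
"""Allow-list audit for an inverter management VLAN (added example).

Policy modelled here, all of it assumed for illustration:
  * inbound to an inverter: only the operator's Modbus/SunSpec collector
    on tcp/502 and the operator's jump host on tcp/22;
  * outbound from an inverter: only syslog (udp/514) and NTP (udp/123)
    to operator hosts;
  * inverter-to-inverter traffic: never expected;
  * anything else, including a session to a vendor cloud, is a finding.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

# Constructed network layout (placeholders, not real addresses).
INVERTER_VLAN = IPv4Network("10.50.0.0/24")
OPERATOR_NETWORKS = [IPv4Network("10.10.0.0/16")]
OPERATOR_COLLECTOR = IPv4Address("10.10.1.20")   # polls inverters over Modbus TCP
OPERATOR_JUMP_HOST = IPv4Address("10.10.2.5")    # maintenance SSH, monitored
OPERATOR_NTP = IPv4Address("10.10.1.21")

ALLOWED_INBOUND = {(OPERATOR_COLLECTOR, "tcp", 502), (OPERATOR_JUMP_HOST, "tcp", 22)}
ALLOWED_OUTBOUND = {(OPERATOR_COLLECTOR, "udp", 514), (OPERATOR_NTP, "udp", 123)}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'ts key=value ...' flow record."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Flow(ts, IPv4Address(kv["src"]), IPv4Address(kv["dst"]),
                kv["proto"].lower(), int(kv["dport"]))


def check_flow(flow: Flow) -> Optional[str]:
    """Return a reason if the flow violates the allow-list, else None."""
    src_in = flow.src in INVERTER_VLAN
    dst_in = flow.dst in INVERTER_VLAN
    if not src_in and not dst_in:
        return None                      # not the inverter segment; out of scope
    if src_in and dst_in:
        return "inverter-to-inverter traffic (lateral movement path)"
    if dst_in:                           # inbound management session
        if (flow.src, flow.proto, flow.dport) in ALLOWED_INBOUND:
            return None
        return f"inbound {flow.proto}/{flow.dport} from unapproved host {flow.src}"
    # outbound from an inverter
    if (flow.dst, flow.proto, flow.dport) in ALLOWED_OUTBOUND:
        return None
    if not any(flow.dst in net for net in OPERATOR_NETWORKS):
        return (f"inverter calling out to {flow.dst}:{flow.dport}, "
                "outside the operator's networks (remote-control channel)")
    return f"outbound {flow.proto}/{flow.dport} to unapproved operator host {flow.dst}"


def audit(lines) -> List[Tuple[str, str, str]]:
    """Return (timestamp, source, reason) for every flow that breaks policy."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        reason = check_flow(flow)
        if reason:
            findings.append((flow.ts, str(flow.src), reason))
    return findings


# Constructed sample records: three allowed flows, one out-of-scope flow,
# and four that the allow-list should flag.
SAMPLE_FLOW_LOG = """\
2025-05-20T10:00:01Z src=10.10.1.20 dst=10.50.0.17 proto=tcp dport=502
2025-05-20T10:00:05Z src=10.10.2.5 dst=10.50.0.17 proto=tcp dport=22
2025-05-20T10:00:09Z src=10.50.0.17 dst=10.10.1.20 proto=udp dport=514
2025-05-20T10:00:12Z src=10.50.0.17 dst=203.0.113.50 proto=tcp dport=8883
2025-05-20T10:00:15Z src=10.10.3.99 dst=10.50.0.17 proto=tcp dport=502
2025-05-20T10:00:18Z src=10.50.0.17 dst=10.50.0.18 proto=tcp dport=502
2025-05-20T10:00:21Z src=10.10.1.20 dst=10.10.2.5 proto=tcp dport=443
2025-05-20T10:00:24Z src=10.50.0.18 dst=10.10.1.20 proto=tcp dport=443
"""

if __name__ == "__main__":
    for ts, src, reason in audit(SAMPLE_FLOW_LOG.splitlines()):
        print(f"{ts} {src}: {reason}")
```

Point it at a real firewall or NetFlow export once the field names match. The first kind of finding, an inverter opening a session to an address outside the operator's networks, is the remote-control channel the article describes; the same allow-list, turned into enforcing rules on the segment's firewall, is what both commenters recommend.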

  • randomname@scribe.disroot.org · 10 up / 3 down · 4 days ago

    SolarPower Europe (the association for the European PV sector) has just published a report on solutions to mitigate critical cybersecurity risks.

    TLDR: The report suggests mandating solar-specific cybersecurity controls for securing remote-controlled solar PV infrastructure, and limiting remote access and control of EU solar PV systems from outside the EU via the inverter. On the latter, the report recommends following an approach similar to GDPR rules, where control of distributed devices, like small-scale rooftop solar systems, should only take place in regions judged equivalent in security to the EU.