Solar inverters can detect cyberattacks but no one sees the signal

Charalambos Konstantinou, associate professor and principal investigator of the SENTRY Lab at KAUST in Saudi Arabia, has spent years simulating attacks on solar inverters and building methods to detect them. His lab’s work sits at a layer below the monitoring-system compromises that have made headlines – at the firmware itself, the code that governs how much current an inverter injects into the grid and at what phase.

“The takeaway message is that this firmware-level detection on solar inverters is technically viable,” Konstantinou told pv magazine. “What is missing is not the science. It’s just a connecting tissue between the inverters and the operators.”

The threat environment around inverter-connected systems has grown more concrete. In 2024, approximately 800 solar monitoring devices made by Contec were compromised in Japan via a known vulnerability, with attackers gaining unauthorized access. The same year, attackers accessed monitoring dashboards for 22 critical infrastructure clients of Lithuanian energy company Ignitis Group, according to trade press reports.

In 2025, security firm Forescout’s Vedere Labs disclosed 46 vulnerabilities across inverters from Sungrow, Growatt, and SMA. The advisory warned that exploitation could allow attackers to manipulate device functionality. All three cases involved monitoring or communication layers rather than direct firmware modification.

Konstantinou’s group uses hardware performance counters, originally designed for software performance analysis, to fingerprint what legitimate inverter firmware does at the chip level and detect whether it is behaving as expected. Unlike signature-based antivirus, the approach does not require a database of known threats. Earlier work achieved 97% detection accuracy on a commercial solar microinverter. “Later on, we had another work that shows that this can go up to 100% using just a single counter,” Konstantinou said.
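The idea of fingerprinting firmware by a counter rather than by a threat signature can be sketched in a few lines of C. This is an added illustration, not code from the SENTRY Lab or from the article; it assumes a single counter (instructions retired per control-loop iteration), a robust median/MAD baseline, and constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Baseline of one counter (assumed: instructions retired per control-loop
 * iteration), learned while known-good firmware runs. */
typedef struct { double median, mad; } hpc_baseline;

static int cmp_d(const void *a, const void *b) {
    double x = *(const double *)a, y = *(const double *)b;
    return (x > y) - (x < y);
}
static double median(double *v, size_t n) {
    qsort(v, n, sizeof *v, cmp_d);
    return n % 2 ? v[n / 2] : (v[n / 2 - 1] + v[n / 2]) / 2.0;
}
/* Fit median and median absolute deviation (MAD); 0 on success, -1 on error. */
int hpc_fit(const uint32_t *s, size_t n, hpc_baseline *out) {
    double *tmp;
    if (!s || !out || n == 0 || !(tmp = malloc(n * sizeof *tmp))) return -1;
    for (size_t i = 0; i < n; i++) tmp[i] = s[i];
    out->median = median(tmp, n);
    for (size_t i = 0; i < n; i++) {
        double d = s[i] - out->median;
        tmp[i] = d < 0 ? -d : d;
    }
    out->mad = median(tmp, n);
    if (out->mad < 1.0) out->mad = 1.0; /* deterministic loops can give MAD 0 */
    free(tmp);
    return 0;
}
/* Index where `run` consecutive samples first sit more than k*MAD from the
 * baseline median, or -1. Requiring a run ignores one-off interrupt jitter. */
long hpc_detect(const hpc_baseline *b, const uint32_t *s, size_t n, double k, size_t run) {
    size_t streak = 0;
    if (!b || !s || run == 0) return -1;
    for (size_t i = 0; i < n; i++) {
        double d = s[i] - b->median;
        streak = ((d < 0 ? -d : d) > k * b->mad) ? streak + 1 : 0;
        if (streak >= run) return (long)(i + 1 - run);
    }
    return -1;
}
/* Constructed sample counts, not measurements from any real inverter. */
static const uint32_t GOOD[] = {4812, 4810, 4815, 4811, 4809, 4813, 4812, 4810, 4814, 4811};
static const uint32_t SPIKE[] = {4811, 4813, 4830, 4810, 4812};
static const uint32_t TAMPERED[] = {4812, 4810, 4901, 4899, 4903, 4900};

int main(void) {
    hpc_baseline b;
    if (hpc_fit(GOOD, 10, &b)) return 1;
    printf("spike: %ld tampered: %ld\n", hpc_detect(&b, SPIKE, 5, 6.0, 3), hpc_detect(&b, TAMPERED, 6, 6.0, 3));
    return 0;
}
```

The detector needs no list of known threats: a sustained shift in the counter is flagged at the iteration where it begins, while a single outlier is ignored.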

The conceptual lineage of the approach is established in adjacent industries. Konstantinou said DARPA had an early program called Radix that proposed the underlying idea, that Intel productized it in 2021 as Threat Detection Technology, and that Microsoft Defender included it for ransomware detection.

“The template exists,” he said. Applying it to solar inverters is harder on two fronts. Inverters are embedded microcontrollers, not general-purpose computers, and may lack built-in performance counters – his lab has proposed purpose-built counters derived from the firmware itself to address the silicon constraints. The deeper obstacle is structural.

“The asset owner of the inverter, whether this is a utility or the independent power producer, has no way to see this signal coming out of the inverter, even if it’s being computed,” Konstantinou said. “Because the standards that we use today, they don’t carry this firmware integrity check.”

Konstantinou described the inverter attack surface across four layers. The first is the communication protocol. He said that when IEEE 1547 was updated in 2018, “it had a mandatory policy that inverters would expose grid support functions through a protocol called SunSpec Modbus.” Konstantinou’s group has published research in IEEE Transactions on Industrial Informatics demonstrating how an attacker can reach this protocol, shift register values, and push an inverter outside its intended control mode. “By changing these control modes, you can do the opposite and make the situation even worse,” he said.

Sandia National Laboratories has documented separately that SunSpec Modbus lacks over-the-wire encryption, node authentication, or key management, and that the protocol is a widely adopted interoperability profile rather than a normative requirement of IEEE 1547.

The second layer is the phase-locked loop, the algorithm that gives the inverter its operational reference. “If you can manipulate the PLL, you can manipulate the inverter’s whole sense of, let’s say, reality,” Konstantinou said. The third is sensor false data injection – corrupting voltage measurements at the point of common coupling, which corrupts the inverter’s entire reference frame. The fourth, and hardest to detect without HPC-based methods, is firmware modification itself.

Scale is what converts individual compromises into systemic events. “Single inverter compromise, maybe get some economic harm or maybe some localized power quality issues,” Konstantinou said. “Things get interesting when the compromise is, let’s say, 5% or 10% of the feeder capacity, where you start seeing voltage violation limits.” A coordinated attack across a manufacturer’s install base, he added, is where system stability events become possible.

The regulatory picture is incomplete. NIS2, whose transposition deadline across EU member states was October 2024 – with enforcement dependent on national implementation – places obligations on large solar operators, independent power producers, and aggregators to manage cybersecurity risk across both IT and operational technology. Konstantinou said NIS2 alone is insufficient.

“NIS2 in isolation cannot fit the purpose of controlling and securing things,” he said. “But I think it was never designed to stand alone.” The EU’s Cyber Resilience Act addresses the manufacturing side. Konstantinou said the act is “not applicable until the end of the next year.”

Regulation EU 2024/2847 sets vulnerability reporting requirements from September 2026 and full enforcement from December 2027. “It’s a shared responsibility between manufacturers, legislation, policy, operators and utilities,” said Konstantinou. “The question is about enforcement.”

Vendor disclosure remains an immediate gap. “Some vendors have proper disclosure procedures, but others are very difficult to reach,” Konstantinou said. He noted that many people who have identified vulnerabilities in inverters have been unable to reach manufacturers to report them. Globalization constrains enforcement. “Maybe the EU is able to do that, the US or any other countries or regions, but it’s very difficult to enforce a universal standard,” he said.

“The proof is there,” Konstantinou said. “I think it’s about a matter of act upon it in order to integrate these firmware validation checks as part of the communication standards that exist today.”

Whether that happens, he said, is a policy and commercial question rather than a scientific one.

This content is protected by copyright and may not be reused. If you want to cooperate with us and would like to reuse some of our content, please contact: editors@pv-magazine.com.
