Can the Chinese Hack Into My Solar System?
Recently, a slew of articles like this one have been getting attention. The gist is that Chinese solar equipment used by US solar farms comes “pre-hacked” with rogue communication devices and malware. They allow hostile entities to attack our critical energy infrastructure and trigger widespread blackouts.
Should you be worried? Let’s get real.
(This is a long article — Bert makes battery software for the military, and Ling writes about B2B cybersecurity for a living. We drop nerd terms in casual conversations over dinner. We can go on and on. If the nerd thing makes your head hurt, scroll to the end for a TL;DR.)
Can the Chinese hack into my solar?
If you’re on-grid (i.e., an SCE customer feeding solar power to the grid), yes. It’s virtually certain that your equipment has exploitable weaknesses, which are either put in there by design or left there by accident.
Additionally, grid-tied solar systems don’t work when SCE turns off the power. That means you don’t get power when the grid goes down for whatever reason, including a cyberattack (but we’ve made a thing to address that).
To understand how and why you’ll be affected, let’s take a step back and look at cybersecurity for critical infrastructure.
Cybersecurity for critical infrastructure in a nutshell
Like all utility implementations, including water, sewage, power plants, the electric grid, air traffic control, oil and gas pipelines, rail, internet, and cell networks, utility-scale solar is instrumented and automated.
Instrumented means a network has a gazillion sensors for measuring flow, pressure, voltage, temperature, bandwidth, and other critical parameters so operators can centralize monitoring and control. Meanwhile, automation ensures a system can autonomously react to a condition in real time, like keeping a stoplight green for longer based on increased traffic flow.
Instrumentation and automation mean there are two exploitable critical components: the link between what’s measured and automated (the network), and the brain that makes the decisions (the controller). Both are attack vectors.
Our public infrastructure is fragile and vulnerable. However, contrary to what the media wants you to believe, it’s not a matter of poor design, faulty products, or contaminated Chinese equipment.
It is more a matter of scale: millions of miles of wires connecting billions of sensors to billions of computers running trillions of lines of code. Weaknesses are inevitable. As thieves know, if you jiggle the door handle of every car in the Walmart parking lot, you’ll eventually find one that isn’t locked. Many attackers play the numbers game to exploit human oversight.
In addition to scale, age is a factor. Many utility installations are decades old. A water treatment plant built in the seventies may work perfectly fine, but its instrumentation was designed in an era when “cybersecurity” and “hacker” were not even words yet.
Applying this logic to our vast infrastructure means all large-scale implementations have bad actors inside. That’s the uncomfortable truth, but that’s not news.
And it’s not just the Chinese. Criminals break into networks and hold the owner ransom under the threat of wiping medical data, disabling a power plant, and more, all the time. What makes the news is just the tip of the iceberg.
If we consider geopolitical conflicts, a cyberattack on our infrastructure is not only possible — it’s a virtual certainty. Russian, North Korean, and Belarusian state-sponsored hackers try to take out our water, electrical, and fuel supply, or anything that makes news and advances their objectives.
A utility company running thousands of acres of solar in the Mojave Desert is definitely in the crosshairs of threat actors. The infrastructure, including inverters, is heavily instrumented and automated with numerous entry points that adversaries can exploit.
A solar farm with thousands of pieces of equipment allows threat actors to take operations down in one fell swoop. Moreover, crippling a giant solar field offers a much bigger bang for the buck for achieving geopolitical ends (i.e., making a statement with high visibility attacks) than taking down a rural Oklahoma gas station.
Beware of sensational news
What about the reported “backdoor devices” and “cellular modems” in Chinese inverters? That's just baloney written for sensationalist reasons. Of course, the equipment has communication capabilities because utility buyers demand this feature to manage thousands of acres of solar farms. Our critical infrastructure won't even work if equipment and devices can’t communicate with the centralized command.
The key issue is the software. Software has vulnerabilities, like the unlocked car in the Walmart parking lot. They don’t have to be designed into the code because no matter how hard software engineers try, bugs are a fact of life in complex applications, presenting hackers with opportunities.
Critical infrastructure has been hacked — in the US, on US-made equipment, with US software, and supervised by US operators. The truth is that we’re vulnerable to exploitable weaknesses by using technology, or just participating in a society that runs on technology.
So, yes. Threat actors can potentially hack and cripple the US power grid through solar hardware connected to the internet.
What about off-grid solar? Should our clients be worried?
Can hackers get into our off-grid solar solutions?
No. We go one step above air-gapping systems (what the military does to isolate devices from the internet). We disable network connectivity in the equipment altogether, making our solutions physically incapable of receiving new software or commands over the air.
The downside is that we can’t remotely diagnose a system. We have to drive to a client site and connect to the equipment to get the data. But it’s well worth the added work.
But what about the cellular modems in those news stories? First of all, our equipment does not have cellular modems and is therefore physically incapable of communicating with an external entity. Even if an adversary could slip one in through a supply chain attack… when was the last time you got a reliable cell signal in most of Caliente?
Plus, there is a substantial cost associated with cellular modem connectivity. Will a hacker pay at least several dollars per month per device to hopefully hack into an inverter that will be worth their while someday? The business case is simply not there.
Caliente is like the geopolitical equivalent of that rural Oklahoma gas station. We may make the Tehachapi newspaper with a “hackers shut down cabin solar system in Twin Oaks” headline, but attacking rural areas is not worth a geopolitically motivated hacker’s time, as the payoff does not justify the effort.
Yet, there is still a good reason why we go fully offline with our solar solutions, and that is AI.
AI tools make it trivial to write exploit code to scan the internet for “long tail” devices used by small companies and private individuals. Criminals set the robot loose on the internet to find solar equipment, identify a vulnerability, and write code to exploit it.
So, a realistic scenario would be that one day, a hacker in their underpants bricks a piece of connected solar equipment and asks for $100 in some memecoin to unlock it. Skilled lone wolf ransomware hackers leveraging LLMs to terrorize individuals for peanuts are a real threat in modern society, and that’s why we don’t implement internet-connected systems.
TL;DR
Can the Chinese Communist Party get into the SCE Mojave Desert solar field? Yes, and they’re probably already in there waiting for orders.
Can the Chinese get into your off-grid solar inverter? Not if we build it.
Can anyone get into your solar inverter through cellular modems? No.
Can threat actors get into your off-grid solar inverter if it is connected to the internet? Yes, theoretically. But it is probably not worth their time.
Can a bored hacker named Bronislav get into your solar inverter if it is connected to the internet, brick it, and extort you for memecoin? Yes. That’s why we don’t let our solar equipment go online. No TikTok for you.