Can the Chinese Hack Into My Solar System?
Recently, a slew of articles like this one have been getting attention. The gist is that Chinese solar equipment used by US solar farms comes “pre-hacked” with rogue communication devices and malware. They allow hostile entities to attack our critical energy infrastructure and trigger widespread blackouts.
Should you be worried? Let’s get real.
(This is a long article — Bert makes battery software for the military, and Ling writes about B2B cybersecurity for a living. We drop nerd terms in casual conversations over dinner. We can go on and on. If the nerd thing makes your head hurt, scroll to the end for a TL;DR.)
Can the Chinese hack into my solar?
If you’re on-grid (i.e., an SCE customer feeding solar power to the grid), yes. It’s virtually certain that your equipment has exploitable weaknesses: remote-management features that are there by design, and bugs that were left there by accident.
Additionally, grid-tied solar systems shut themselves down when SCE turns off the power: a grid-tied inverter is required to stop exporting the moment it loses the grid (a safety feature called anti-islanding). That means you don’t get power when the grid goes down for whatever reason, including a cyberattack (but we’ve made a thing to address that).
To understand how and why you’ll be affected, let’s take a step back and look at cybersecurity for critical infrastructure.
Cybersecurity for critical infrastructure in a nutshell
Like every other kind of utility infrastructure, including water, sewage, power plants, the electric grid, air traffic control, oil and gas pipelines, rail, internet, and cell networks, utility-scale solar is instrumented and automated.
Instrumented means a network has a gazillion sensors measuring flow, pressure, voltage, temperature, bandwidth, and other critical parameters so operators can centralize monitoring and control. Automation means the system reacts to a condition on its own, in real time, like keeping a stoplight green for longer when traffic flow increases.
Instrumentation and automation mean there are two critical components an attacker can go after: the link between what’s measured and what’s controlled (the network), and the brain that makes the decisions (the controller, typically a PLC or a SCADA system). Both are attack vectors.
Our public infrastructure is fragile and vulnerable. However, contrary to what the media wants you to believe, it’s not a matter of poor design, faulty products, or contaminated Chinese equipment.
It is more a matter of scale: millions of miles of wires connecting billions of sensors to billions of computers running trillions of lines of code. Weaknesses are inevitable. As thieves know, if you jiggle the door handle of every car in the Walmart parking lot, you’ll eventually find one that isn’t locked. Many attackers play the same numbers game, scanning everything and exploiting whatever someone overlooked.
In addition to scale, age is a factor. Many utility installations are decades old. A water treatment plant built in the seventies may work perfectly fine, but its instrumentation was designed in an era when “cybersecurity” wasn’t a word and “hacker” didn’t yet mean a criminal.
Apply this logic to our vast infrastructure and the conclusion is that every large-scale installation should be assumed to have bad actors inside already. That’s the uncomfortable truth, but it’s not news.
And it’s not just the Chinese. Criminals break into networks all the time and hold the owner to ransom under threat of wiping medical data, disabling a power plant, and more. What makes the news is just the tip of the iceberg.
If we consider geopolitical conflicts, a cyberattack on our infrastructure is not only possible — it’s a virtual certainty. Russian, North Korean, and Belarusian state-sponsored hackers try to take out our water, electrical, and fuel supply, or anything that makes news and advances their objectives.
A utility company running thousands of acres of solar in the Mojave Desert is definitely in the crosshairs of threat actors. The infrastructure, inverters included, is heavily instrumented and automated, with numerous entry points that adversaries can exploit.
Because thousands of pieces of equipment hang off one control network, compromising that network lets a threat actor take the whole operation down in one fell swoop. Moreover, crippling a giant solar field offers a much bigger bang for the buck for achieving geopolitical ends (i.e., making a statement with a high-visibility attack) than taking down a rural Oklahoma gas station.
Beware of sensational news
What about the reported “backdoor devices” and “cellular modems” in Chinese inverters? That's just baloney written for sensationalist reasons. Of course the equipment has communication capabilities: utility buyers demand this feature to manage thousands of acres of solar farms, and our critical infrastructure won't even work if equipment and devices can’t talk to centralized command. The question worth asking is not whether the box has a radio, but whether every radio in it is documented and under the operator’s control.
The key issue is the software. Software has vulnerabilities, like the unlocked car in the Walmart parking lot. Nobody has to design them into the code: no matter how hard software engineers try, bugs are a fact of life in complex applications, and every bug is an opportunity for an attacker.
Critical infrastructure has been hacked — in the US, on US-made equipment, with US software, and supervised by US operators. The truth is that we’re vulnerable to exploitable weaknesses simply by using technology or just participating in a society that runs on technology.
So, yes. Threat actors can potentially hack and cripple the US power grid through solar hardware connected to the internet.
What about off-grid solar? Should our clients be worried?
Can hackers get into our off-grid solar solutions?
It depends on how the system is implemented, and this is where we're intentional about the tradeoffs.
For clients who want remote monitoring (which we offer and actively recommend for larger systems), the inverters are online. That means we can diagnose, monitor performance, and catch issues remotely and promptly. It's a real operational advantage, but it does introduce a network attack surface, so we treat it like any other networked system: we harden the configuration, limit external exposure (the inverter reports outward; nothing on the internet should be able to open a connection to it), and don't use equipment with known backdoors or unpatched vulnerabilities.
For clients who prefer maximum isolation, we can implement fully air-gapped systems with no network connectivity whatsoever, wired or wireless. With no network interface in use, there is no path for a remote attacker to reach them. The tradeoff is that diagnostics require an on-site visit, and the laptop or USB stick brought along for that visit becomes the one thing that still has to be kept clean.
If you don’t have an air gap, you must be diligent about installing software updates. Clients in our proactive remote monitoring program can rest assured that we get the patches and firmware updates applied promptly and correctly.
Either way, the calculus is different from a utility-scale solar farm. A state-sponsored attacker isn't burning resources on a rural off-grid inverter when there are Mojave Desert solar fields to target.
The more realistic threat is opportunistic: ransomware crews and automated scanners that probe every internet-facing device for an open port or a default password. That's why any internet-connected equipment we install is exposed deliberately and minimally, never left reachable by default.
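One way to check the “limit external exposure” point for yourself. This is an added example, not the authors’ tooling: it parses nmap’s XML output (`nmap -oX`) from a scan of the site’s public IP, run from a host outside the network, and flags any inverter or gateway management port that answers. The port list is an assumption to be adjusted for your own gear, the embedded scan result is constructed for the example, and 203.0.113.10 is a documentation address, not a real site.

```python
"""Flag inverter/gateway management services reachable from the internet.

Added example (not from the original article). Real usage:
    nmap -sT -p- -oX scan.xml <your public IP>      # from OUTSIDE your network
then feed the contents of scan.xml to exposed_management().
"""
import xml.etree.ElementTree as ET

# Ports that inverter, data-logger and gateway management services commonly
# listen on (assumption: edit to match your equipment). Modbus TCP (502) has
# no authentication at all: anyone who can reach it can read and write
# registers, so it must never be reachable from the WAN.
MANAGEMENT_PORTS = {
    22: "ssh",
    23: "telnet",
    80: "http (web UI)",
    443: "https (web UI)",
    502: "modbus-tcp",
    1883: "mqtt (unencrypted)",
}

# Constructed nmap -oX output for a fictitious site whose router forwards the
# inverter web UI and Modbus TCP to the public address.
SAMPLE_SCAN = """<?xml version="1.0"?>
<nmaprun>
  <host>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="502"><state state="open"/><service name="mbap"/></port>
      <port protocol="tcp" portid="8443"><state state="closed"/></port>
    </ports>
  </host>
</nmaprun>
"""


def open_ports(nmap_xml: str) -> dict:
    """Return {ipv4 address: [(port, state, nmap service name), ...]} per host."""
    root = ET.fromstring(nmap_xml)
    result = {}
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        entries = []
        for port in host.findall("ports/port"):
            state_el = port.find("state")
            svc_el = port.find("service")
            entries.append((
                int(port.get("portid")),
                state_el.get("state") if state_el is not None else "unknown",
                svc_el.get("name") if svc_el is not None else "",
            ))
        result[addr_el.get("addr")] = entries
    return result


def exposed_management(nmap_xml: str) -> list:
    """List (address, port, description) for management ports open to the WAN.

    An empty list is the only acceptable result for a monitored inverter: the
    device should initiate its own outbound reporting connection, with the
    router's inbound policy left at default-deny.
    """
    findings = []
    for addr, entries in open_ports(nmap_xml).items():
        for port, state, _svc in entries:
            if state == "open" and port in MANAGEMENT_PORTS:
                findings.append((addr, port, MANAGEMENT_PORTS[port]))
    return findings


if __name__ == "__main__":
    hits = exposed_management(SAMPLE_SCAN)
    if not hits:
        print("OK: no management ports reachable from the internet")
    for addr, port, desc in hits:
        print(f"EXPOSED {addr}:{port} ({desc}): remove the port forward / block inbound at the router")
```

Run against the constructed sample, the script reports the web UI (443) and Modbus TCP (502) as exposed; the closed 8443 is ignored. Against your own site the goal is the “OK” line, with monitoring still working because the inverter connects out rather than waiting for connections in.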
TL;DR
Can the Chinese Communist Party get into the SCE Mojave Desert solar field? Yes, and they’re probably already in there waiting for orders.
Can threat actors get into your off-grid solar inverter if it is connected to the internet? Theoretically, yes — which is why we set up access carefully. But realistically, it’s probably not worth their time.
Can they get into a fully air-gapped system? Not remotely. The tradeoff is that diagnostics and troubleshooting must be done on-site.