Nearly 35,000 solar power systems worldwide have been identified with exposed management interfaces accessible from the public internet, placing critical energy infrastructure at significant risk of cyberattack.
The devices, found through the Shodan search engine, range from inverters to data loggers and communication gateways. They are made by 42 different manufacturers and are mostly located in Europe and Asia.

Global Survey Reveals Widespread Risks
Security researchers report that Europe alone accounts for 76% of the exposed devices, with Germany and Greece each representing around 20% of the global total. Asia follows with 17%, while the rest of the world constitutes the remaining 8%.
The widespread exposure is attributed to misconfigurations such as port forwarding, a practice discouraged by equipment manufacturers but still frequently implemented by operators seeking ease of remote access.
Technical investigations reveal that all top ten vendors with internet-exposed products have previously disclosed vulnerabilities, many of which remain unpatched in deployed systems.
A notable case is the SMA Sunny WebBox, which, despite the product’s discontinuation in 2015, still has over 10,000 units accessible online.
Similarly, CONTEC’s SolarView Compact has seen a 350% increase in exposed devices within two years, an alarming trend underscored by a 2023 incident in which 800 devices in Japan were hijacked and leveraged for bank account theft.
According to Forescout, the risk is exacerbated by known active exploitation of these devices.
Multiple CVEs, including CVE-2022-29303, CVE-2022-40881, CVE-2023-23333, and CVE-2023-29919, involve command injection and insecure permissions, particularly within the SolarView Compact ecosystem.
Analysis of device firmware versions indicates a concerning backlog in updates, with no surveyed devices running the latest available firmware.
Misconfigurations Lead to Major Exposure
Recent global incidents have further highlighted the vulnerabilities inherent in the power grid’s evolving technical architecture.
Following reports of rogue communication modules in Chinese-manufactured inverters and major power outages in the EU, governments are scrutinizing the cybersecurity posture of renewable installations.
Experts point out that the increasing integration of “grid-following” inverters, devices that lack the mechanical inertia provided by traditional fossil and nuclear plant turbines, presents new grid-stability challenges that adversaries might exploit.
Threat intelligence aggregation has identified at least 43 IP addresses associated with scanning, botnet activity, and active exploitation attempts against these internet-exposed assets.
Many of these originate from actors with infrastructure in Singapore, Germany, and the Netherlands, with a notable subset linked to Tor exit nodes.
This suggests that attackers value the anonymity provided by such networks when probing and compromising power infrastructure.
Mitigation of these risks remains a pressing concern. Primary recommendations include never exposing inverter management interfaces directly to the internet, promptly patching devices, and retiring those that cannot be secured.
Where remote management is essential, the use of VPN tunneling in accordance with CISA and NIST guidelines is strongly advised.
Vendors continue to emphasize the necessity of keeping such systems “behind the fence” to minimize exposure.
As renewable energy assets become more critical to national grids, the failure to address these security lapses not only jeopardizes local operations but also risks broader grid instability, as evidenced by recent large-scale incidents.
Security teams are urged to review the latest vulnerability disclosures, update device firmware, and monitor for compromise using current threat intelligence.
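
One way an operator could check their own gateway for the port-forwarding misconfiguration described above is to audit its NAT rules for forwards that reach solar-plant devices from the internet side. This is an added example, not code from the article or any vendor; the iptables-based Linux gateway, the 192.168.10.0/24 device subnet, the interface names and the sample rules are all assumptions constructed for illustration.

```python
import ipaddress
import shlex

# Constructed sample of `iptables-save -t nat` output from a site gateway.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.10.20:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.1.5:22
-A PREROUTING -s 203.0.113.0/24 -i eth0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 192.168.10.21:443
-A PREROUTING -i wg0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.10.20:80
COMMIT
"""

# Assumptions: subnet holding inverters/loggers/gateways, and the WAN interface.
SOLAR_NET = ipaddress.ip_network("192.168.10.0/24")
WAN_IFACES = {"eth0"}


def opt_value(tokens, flag):
    """Return the argument following `flag`, or None if the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens[:-1] else None


def find_exposed_forwards(rules_text, solar_net=SOLAR_NET, wan=WAN_IFACES):
    """List DNAT rules that forward internet-side traffic to a solar device."""
    findings = []
    for line in rules_text.splitlines():
        tokens = shlex.split(line)
        target = opt_value(tokens, "--to-destination")
        if tokens[:2] != ["-A", "PREROUTING"] or target is None:
            continue
        # Target is IPv4 "addr", "addr:port" or "addr1-addr2:port".
        host = target.split(":")[0].split("-")[0]
        if ipaddress.ip_address(host) not in solar_net:
            continue
        iface = opt_value(tokens, "-i")
        # No -i means the rule matches every interface, WAN included.
        if iface is not None and iface not in wan:
            continue
        findings.append({"wan_port": opt_value(tokens, "--dport"),
                         "device": target,
                         "source": opt_value(tokens, "-s") or "any"})
    return findings


if __name__ == "__main__":
    for f in find_exposed_forwards(SAMPLE_RULES):
        print(f"exposed: WAN port {f['wan_port']} -> {f['device']} (source {f['source']})")
```

A finding with source "any" is reachable from the whole internet; a source-restricted forward is narrower but still bypasses the VPN-only access the recommendations call for.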