Foreign-made solar farm inverters are a threat to the U.S. power grid, warned a new report by a former U.S. Homeland Security secretary.
To prevent the exploitation of a supply chain vulnerability by U.S. adversaries such as China and Russia, industrywide cybersecurity and manufacturing standards for inverters and scrutiny of foreign government-controlled or -owned manufacturers of those inverters are needed, recommended a report by risk analyst firm Ridge Global LLC, led by former U.S. Secretary of Homeland Security Tom Ridge.
"There's a digital war going on right now but we haven't had an act of Congress [to declare it]," Ridge said. "It's no secret that China and Russia … [have repeatedly attacked] our critical infrastructure."
Inverters play a significant role in distributed energy systems by converting photovoltaic solar panels' variable direct current output into a utility-frequency alternating current to feed into power grids. Ridge is particularly worried that overseas companies make most of the inverters used in the U.S., with communist China dominating about 47% of the world's inverter market.
Smart meters are increasingly connected to the internet and help utilities manage the grid by offering remote monitoring and control of solar PV systems. However, Ridge said that, rather than potential hackers attacking those systems, foreign-controlled manufacturers could more easily embed malicious software or hardware in smart inverters for U.S. solar PV systems. Foreign actors could also compromise solar PV inverters by tampering with equipment while in transit and during or after their installation, though Ridge said such action is far less likely.
The whole point of the smart inverter is to provide two-way communications "and therein lies the potential threat," said Richard Mroz, the former president of the New Jersey Board of Public Utilities and now senior government relations adviser for Protect Our Power, which commissioned the report. Mroz said the report is meant to prompt the crafting of manufacturing security standards for devices being integrated with the power grid at the distribution level and the development of a standard "seal of approval."
According to the report, a breached inverter could not only disrupt the use of a distributed energy resource but could be used to hack the distribution electric company or even access industrial control systems and the larger power grid. Control of multiple inverters could allow an attacker to reduce power, control power flows or create a power surge, the report said.
The report urged the U.S. government to "closely monitor" products made by foreign manufacturers for the American solar PV market and expand an existing congressional investigation focused on Chinese manufacturers. It also said the U.S. government, and particularly the U.S. Department of Defense, should not include foreign-made equipment and components in microgrids or other energy installations designed to ensure grid reliability or independence.
In addition, the report said federal and state authorities should work with private-sector entities to develop compliance requirements and best practices for photovoltaic systems, including physical- and cyber-security measures and a supply chain security program for foreign companies. Finally, the report urged the U.S. solar industry to adopt a supply chain certification program.
The world's largest inverter maker — China's Huawei Technologies Co. Ltd. — has been a security concern for Western countries because of the company's close ties to the ruling Chinese Communist Party. In August, U.S. President Donald Trump signed legislation barring government agencies and contractors from using Huawei's telecommunications products. The same month, Australia banned the company from the country's future 5G network.
Solar Energy Industries Association spokesperson Dan Whitten in an email acknowledged that the cybersecurity of inverters is a concern but said the energy sector has much bigger vulnerabilities. "While inverters are increasingly connected to the internet, most solar inverters in the field today cannot be cyber attacked because they don't have the ability to receive commands," he said. "There are also dozens of different models of inverters, making a concerted attack difficult."
Chris Sistrunk, a consultant at cybersecurity firm FireEye Inc.'s Mandiant Corp. subsidiary, discounted the possibility that Trojans would be installed in inverters during the manufacturing process. Much more likely is someone misconfiguring an inverter during installation and connecting it directly to the internet. However, reflecting one of the report's recommendations, Sistrunk said he would also be worried about Chinese hardware backdoors and Trojans being hidden in solar inverters at U.S. government and military installations.
In addition to ongoing industry and government efforts to address cybersecurity risks of inverters, the North American Electric Reliability Corp. is developing its first tech-specific reliability standard to address reliability risks of inverter-based resource controls. That issue first arose when inverter-based resource controls caused transmission fault-induced losses of solar PV generation when they tripped and disconnected from the bulk power system during California's wildfires in 2016 and 2017.