Here is the original study: Restrict Remote Access of PV Inverters from High-Risk Vendors
The European Solar Manufacturing Council (ESMC) has issued a stark warning, highlighting a critical threat to Europe’s energy autonomy stemming from the unregulated remote access capabilities of PV inverters produced by non-European, high-risk manufacturers—particularly those from China. A recent study by DNV substantiates these concerns.
As solar power becomes increasingly integral to Europe’s clean energy goals and energy security, a major vulnerability looms: software-enabled remote access to PV inverters—the essential control units of solar power systems.
[…]
The threat is real, not hypothetical. Internet connectivity is essential for modern inverters to perform grid support functions and participate in power markets. However, this connectivity also enables remote software updates, allowing manufacturers to potentially modify device performance from afar. This poses serious cybersecurity risks, including the danger of intentional disruption or large-scale shutdowns. A recent DNV report, commissioned by SolarPower Europe, highlights the credible risk of cascading blackouts due to coordinated or malicious manipulation of inverters.
Yeah when we got our panels years ago I was told to download an app for them. The app was very suspicious, asking so many questions when registering. So I didn’t register and deleted the app. Then I removed the external WiFi module from the inverter. The panel installers contacted me and asked to install it back. I told them no. The panels have worked fine.
Can this be solved in a technological way? Like, a FOSS custom firmware for PV inverters without backdoors?
This can be solved by not connecting your solar panels to the Internet, or putting them behind a secure VPN if you really need remote access for some reason.
(Or perhaps if things need to connect to some kind of grid management services, a firewall with appropriate rules — i.e. ones that do not allow connections to or from random addresses in China. Or some combination of both. Depends on the requirements but it’s not that complicated. Consult your local IT security expert.)
Is this (links to Github) a solution?
No, not that, i’m talking about reverse-engineering the inverter’s firmware to code a new, alternative one with guarantee of no backdoors.
Why inverters are even connected to the internet…
Some people can let inverters sell on peak demand and if you have a battery, buy on low. You need internet to see the prices.
Very simple - convenience.
Most people want to check how much power their PV produces from their phone. Yes, a proper solution like a openDTU that stays local only would be better - but it requires setup which most people simply lack.
No comment.
What’s this US backdoor story?
The US cloud act and the US Patriot Act
Especially with just about every comsumer electronic regularly sending all your data to their servers, these laws are nothing but a backdoor with extra steps.
Yeah ok. Thanks for clearing that up, I thought I missed something else. Yeah that’s pretty bad and it’s mind blowing how nobody cares in Europe and every new PC/Laptop is sold with Windoz and every big Company has all its assets in Micråsoft infrastructures…
We should rely on neither of them.
Exactly. But some EU politicians apparently have trumps micropenis stuck up their ass so far that it seems to interfere with their logical thinking.
says the ignorant tankie while Chinese troops are in Ukraine. there’s no credible threat of US invasion so leave your whataboutisms at the door of your instance
there’s no credible threat of US invasion
Let’s just ignore the threats of taking Greenland, Canada and Panama… and whoever else will get added to that list.
I mean, it’s not like the US has invaded a bunch of other countries in the past decades, right?But accusing others of being a tankie. Quite ironic.
we’re on a European board talking about Chinese attacks on European infrastructure. I’m not aware of US invasion threats to EU countries (which Greenland isn’t a part of).
I’m aware of the Snowden leaks and the CIA worldwide spying networks. those are valid concerns, however I don’t think the risk to privacy can be compared to the yearly cyber attacks perpetuated by China against the EU. Only one of these will be used in a potential war against us since the US is a NATO ally.
who cares who the US invaded in the past? I never said they didn’t, you’re bordering on whataboutism.
The same principle of strategic independence though can and should be applied to everyone, including China and the US. It’s clear that US is not a reliable ally, it was very clear when they shut down F-16s remotely in Ukraine to bully them into submission. Nothing is stopping them from shutting down power grids if these are in their hands to push EU to do whatever is not in its interests.
It’s not like the risk of invasion is the only criteria to use for deciding to be independent on core technologies.
i agree, if I had to choose I’d definitely want an economic/cyber war with the US over the much more likely conventional war with China
I think you are greatly underestimating what someone controlling the tech (note: here you don’t need cyber attacks) for critical infrastructure can do. Shut down power and water and the war finishes before it even starts. Let alone communications, payment systems, banking systems, government websites and all the other services that depend on cloud (i.e., mostly US companies).
The new directive (DORA I think? In get confused with the names) does include for a reason the mandatory exit plan for cloud providers ready.
The only whataboutism is coming from your comment.
- I was not saying that we should just let China do its thing. I was saying that instead of just focusing on China, we should be banning the companies which have are by law obligated to provide backdoors too.
- the US is a fashist state, and if you somehow really think its not threat enough that trump is arresting children and sentencing them without lawyers, as well as sending immigrants to KZs, you should really see a doctor.
to point number 2, China is also a fascist state. your meme is whataboutism because it’s implying we should leave China alone while at the same time China is committing the same abuses that the US does. I’m a FOSS advocate in software and hardware, most Chinese tech doesn’t meet the standards of respecting human rights
it’s implying we should leave China alone
It just implies that we should treat the US and Chinese more similarly. Whether this means avoiding the US more or working more closely with China is completely up to interpretation.
most Chinese tech doesn’t meet the standards of respecting human rights
Is that a problem with Chinese tech, or just proprietary tech? Because apart from privacy, I can’t tell which human rights tech is supposed to respect, and lack of privacy is an issue not limited to Chinese tech.
Is that a problem with Chinese tech, or just proprietary tech? Because apart from privacy, I can’t tell which human rights tech is supposed to respect
not using Uyghur slave labor in East Turkestan would be a bare minimum for example. I’m not implying that China is alone in this, it’s a problem in all the other capitalist countries.
even if they made their tech open source, I highly doubt they’d stop exploiting the populace
So you’re talking about the tech industry, not the tech itself.
Assuming that the “Uyghur forced labor” claim isn’t just American propaganda: Do you really think forced labor is used for the tech industry? Skilled workers, who are needed for the tech industry, are a bit harder to exploit and it seems like the main concern with forced labor of Uyghurs is cotton. To my knowledge, the whole tech industry is located mostly in eastern China.
And how do you know that “most of Chinese tech doesn’t respect human rights”, when referring to forced labor? Do you track down the production chain of Chinese products? Or was there some investigation that I missed? These seem like absurd claims to me, so I’d really like a few sources.
gonna assume you aren’t just a genocide denier and you’re asking for sources in good faith:
https://www.antislavery.org/reports/uyghur-forced-labour-green-technology/
