Cybersecurity Risks in Solar Inverters: Firmware-Level Threats and Detection Gaps Research led by Charalambos Konstantinou, associate professor at KAUST’s SENTRY Lab in Saudi Arabia, highlights growing cybersecurity vulnerabilities in solar inverters critical components that regulate power flow into electrical grids. His team has demonstrated that firmware-level attacks on inverters are technically detectable, though industry adoption of such safeguards remains limited. Recent incidents underscore the urgency of the issue. In 2024, attackers exploited a known vulnerability to compromise 800 solar monitoring devices in Japan, while Lithuanian energy firm Ignitis Group reported unauthorized access to monitoring dashboards for 22 critical infrastructure clients. Later that year, Forescout’s Vedere Labs disclosed 46 vulnerabilities in inverters from Sungrow, Growatt, and SMA, warning that exploitation could enable device manipulation though these flaws targeted monitoring and communication layers rather than firmware itself. Konstantinou’s team has developed a detection method using hardware performance counters (HPCs) to monitor inverter firmware behavior at the chip level. Unlike traditional signature-based antivirus, this approach does not rely on known threat databases. Early tests achieved 97% detection accuracy on a commercial microinverter, with later refinements reaching 100% using a single counter. The technique builds on prior work, including DARPA’s Radix program and Intel’s Threat Detection Technology, but adapting it to inverters presents unique challenges. Many inverters lack built-in HPCs, requiring purpose-built counters derived from firmware, and existing communication standards do not support firmware integrity checks. The attack surface for inverters spans four layers: 1. Communication protocols – IEEE 1547’s SunSpec Modbus, widely adopted but lacking encryption or authentication, allows attackers to manipulate control modes. 2. Phase-locked loops (PLLs) – Compromising these algorithms can distort an inverter’s operational reference. 3. Sensor false data injection – Corrupting voltage measurements can mislead an inverter’s decision-making. 4. Firmware modification – The most difficult to detect without HPC-based methods. While individual inverter compromises may cause localized disruptions, coordinated attacks on 5–10% of a feeder’s capacity could trigger voltage violations or broader grid instability. Regulatory frameworks like the EU’s NIS2 and Cyber Resilience Act aim to address these risks, but enforcement remains fragmented. NIS2, transposed by October 2024, imposes cybersecurity obligations on operators but was not designed to function in isolation. The Cyber Resilience Act, with full enforcement delayed until late 2027, introduces vulnerability reporting requirements starting in 2026. A key obstacle is vendor engagement. Konstantinou noted that some manufacturers lack clear disclosure procedures, complicating efforts to report vulnerabilities. Global enforcement of standards also poses challenges, as regional regulations struggle to achieve universal compliance. Despite proven detection methods, integrating firmware validation into existing communication standards hinges on policy and commercial decisions rather than technical limitations.