“You know, people deploy their devices and forget to change default passwords. Or they have configured very weak passwords,” Sood says as he points to the system open in front of him on the screen. “I would say it’s a complete control of the device if you ask me.”
German company Solar-Log, which has designed the control setup used at the Indian plant, told DW later that in some configurations of their software users can change settings on how much power the system feeds into the grid. So it was possible in the past to “assign weak passwords,” the company said in an emailed statement.
“While it is technically possible for a customer to assign a weak password and provide open access to their network on the Internet, we do not recommend this,” Solar-Log added.
For this story, DW spoke to three different cybersecurity experts who all said they’d been able to access millions of units at once. They claim that had they manipulated the power those plants feed into the European power grid, they could have caused blackouts — a real threat amid the hybrid warfare against the West launched by Russia and others.
Solar power the weak spot of energy security?
At the RWTH technical university in Aachen, Germany, Andreas Ulbig and his team have been studying threats to interconnected energy systems for years.
On the university campus, a huge hall resembling a warehouse houses old-fashioned, man-sized transistor stations right next to modern inverters — devices that convert energy from photovoltaic systems.
Ulbig says the digitization of Europe’s power grid is essential as the bloc attempts to shift from “providing power with a few hundred large thermal power plants to several million wind turbines, photovoltaic inverters, and battery storage units.”
The transition to millions of renewable energy units cannot be “operated in a manual way,” he told DW.
But the specialist for active energy distribution grids also said that so-called smart-grid systems could invite hackers to tinker with, for example, solar power installations across Europe, forcing them to overload electricity grids and potentially causing power blackouts. However, he said that it would be “tricky” for an attacker to coordinate access to enough plants at once to trigger automatic emergency shutdowns.
Large grids vulnerable to attack
In most photovoltaic installations, remote monitoring and maintenance is bundled into a cloud infrastructure provided by vendors. One such system is operated by the Chinese company Solarman PV.
Solarman PV had advertised on its website that it monitors solar plants with a total capacity of 195 gigawatts (GW) in 190 countries — nearly 10% of all solar capacity installed around the world.
But in August 2024, Romanian cybersecurity firm Bitdefender discovered a major bug in the Chinese software code exposing all of the company’s PV connections to clients.
“These vulnerabilities were addressed and the updates were pushed to all customers before Bitdefender made them public,” Solarman said in response to a query from DW, adding that so far they had “found no evidence indicating that the vulnerabilities were exploited by malicious actors, and there has been no real damage to our customers.”
Critical EU infrastructure in the focus of China, Russia
The revelations about how vulnerable Europe’s energy systems are to cyberattacks come as several EU member states have reported alleged attacks on their critical infrastructures.
Swedish and Latvian investigators are looking into the severing of an underwater cable under the Baltic Sea, and Germany is probing the sighting of drones at military bases throughout the country. Germany’s interior ministry has linked the sightings to Russia’s war in Ukraine.
In September 2024, a cyberattack against a solar park in Lithuania was carried out which US-based cybersecurity firm Cybel linked to hacking groups affiliated with Russia.
While Chinese companies dominate the global market for solar power technology, several cybersecurity experts told DW that weaknesses have also occurred in the systems developed by US and German companies.
But Samantha Hoffman, an independent security consultant working at the National Bureau of Asian Research, told DW that in China the Communist government “involves itself heavily in the R&D process in a way that isn’t necessarily true elsewhere.”
US government agencies believe Chinese hackers have advanced on critical infrastructure in the United States, planting code in networks that control power grids. And there are reports that China has been targeting Indian energy systems.
China denies both allegations.
EU draft bill a blueprint for safer tech?
Meanwhile, the European Union is attempting to curb cybersecurity threats with new regulation. While new regulation requires operators of larger solar installations to have response mechanisms to attacks, the so-called EU Cyber Resilience Act, adopted in October 2024, targets production of smart devices. Manufacturers of digital devices with a connection to the internet must ensure that their products have lifetime access to software updates and can disclose possible vulnerabilities with regard to cybersecurity.
The EU draft bill for enhancing cybersecurity, which is scheduled to come into force in 2027, could serve as a blueprint for similar legislation around the world, some experts say.
Edited by: Uwe Hessler
