Archived

Here is the original study: Restrict Remote Access of PV Inverters from High-Risk Vendors

The European Solar Manufacturing Council (ESMC) has issued a stark warning, highlighting a critical threat to Europe’s energy autonomy stemming from the unregulated remote access capabilities of PV inverters produced by non-European, high-risk manufacturers—particularly those from China. A recent study by DNV substantiates these concerns.

As solar power becomes increasingly integral to Europe’s clean energy goals and energy security, a major vulnerability looms: software-enabled remote access to PV inverters—the essential control units of solar power systems.

[…]

The threat is real, not hypothetical. Internet connectivity is essential for modern inverters to perform grid support functions and participate in power markets. However, this connectivity also enables remote software updates, allowing manufacturers to potentially modify device performance from afar. This poses serious cybersecurity risks, including the danger of intentional disruption or large-scale shutdowns. A recent DNV report, commissioned by SolarPower Europe, highlights the credible risk of cascading blackouts due to coordinated or malicious manipulation of inverters.

  • yesmeisyes@sopuli.xyz · 12 up · 2 days ago

    Yeah, when we got our panels years ago, I was told to download an app for them. The app was very suspicious, asking so many questions when registering. So I didn’t register and deleted the app. Then I removed the external WiFi module from the inverter. The panel installers contacted me and asked to install it back. I told them no. The panels have worked fine.

  • RVGamer06@sh.itjust.works · 17 up / 1 down · 2 days ago

    Can this be solved in a technological way? Like, a FOSS custom firmware for PV inverters without backdoors?

      • RVGamer06@sh.itjust.works · 5 up · 2 days ago

        No, not that, I’m talking about reverse-engineering the inverter’s firmware to code a new, alternative one with a guarantee of no backdoors.

    • kbal@fedia.io · 16 up / 2 down · 2 days ago

      This can be solved by not connecting your solar panels to the Internet, or putting them behind a secure VPN if you really need remote access for some reason.

      • kbal@fedia.io · 6 up · 2 days ago

        (Or perhaps if things need to connect to some kind of grid management services, a firewall with appropriate rules — i.e. ones that do not allow connections to or from random addresses in China. Or some combination of both. Depends on the requirements but it’s not that complicated. Consult your local IT security expert.)

        • futatorius@lemm.ee · 1 up · 5 hours ago

          Yeah, excellent suggestion. There’s no reason for a device to accept incoming requests from Chinese IP addresses for any reason. In fact, I’d keep them on the WAN and block anything incoming from the internet; you can do a secure tunnel to your WAN if you really want remote access. I’d alert on outgoing requests and block them unless you confirm them. If the device is phoning home to Winnie, then consider blocking outgoing entirely.

          I’m not a security expert either, but the systems I build always pass security audits with no major findings, so I think my rules of thumb are good.
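The policy sketched in the two comments above (drop anything inbound from the internet, alert on outbound connections and block them until confirmed, and keep the inverter away from the rest of the network) can be checked against firewall logs. The script below is an added example, not code from the thread, from DNV or from any inverter vendor: it triages constructed netfilter LOG-style lines for an inverter on its own IoT VLAN, and the addresses, the VLAN layout and the grid-management endpoint 203.0.113.5 are all assumptions. It uses a destination allowlist instead of a country blocklist, which is the stricter form of the same rule.

```python
"""Ingress/egress triage for a PV inverter on an isolated IoT VLAN (added example).
Flags inbound attempts and unconfirmed outbound connections in constructed netfilter
LOG-style lines so a human can confirm or block them; every address is an assumption."""
import ipaddress
import re

INVERTER_IP = ipaddress.ip_address("192.168.50.10")   # constructed: the inverter
IOT_SUBNET = ipaddress.ip_network("192.168.50.0/24")   # constructed: IoT VLAN
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")    # constructed: LAN with personal data
# Hypothetical grid-management endpoint that the owner has explicitly confirmed.
EGRESS_ALLOWLIST = {(ipaddress.ip_address("203.0.113.5"), 443)}

# Fields written by netfilter's LOG target; SPT/DPT are absent for ICMP.
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

def classify(line: str) -> tuple[str, str]:
    """Return (verdict, reason) for one line; verdict is allow, alert or ignore."""
    m = LOG_RE.search(line)
    if not m:
        return "ignore", "unparsed line"
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    dpt = int(m["dpt"]) if m["dpt"] else None
    if src == INVERTER_IP:
        if (dst, dpt) in EGRESS_ALLOWLIST:
            return "allow", "confirmed grid-management endpoint"
        if dst in LAN_SUBNET:
            return "alert", "inverter reaching into the personal-data LAN"
        if dst in IOT_SUBNET:
            return "ignore", "intra-segment traffic"
        return "alert", f"unconfirmed outbound to {dst}:{dpt} (possible phone-home)"
    if dst == INVERTER_IP and src not in IOT_SUBNET:
        return "alert", f"inbound attempt from {src}; the firewall should drop this"
    return "ignore", "not inverter traffic"

def triage(lines):
    """Return the (reason, line) pairs that need a human decision."""
    return [(reason, line) for line in lines
            for verdict, reason in [classify(line)] if verdict == "alert"]

# Constructed sample lines, not real captures.
SAMPLE_LOG = [
    "IN=vlan50 OUT=wan SRC=192.168.50.10 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40112 DPT=443",
    "IN=vlan50 OUT=wan SRC=192.168.50.10 DST=198.51.100.77 LEN=60 PROTO=TCP SPT=40113 DPT=8883",
    "IN=vlan50 OUT=lan SRC=192.168.50.10 DST=192.168.1.20 LEN=60 PROTO=TCP SPT=40114 DPT=445",
    "IN=wan OUT=vlan50 SRC=198.51.100.9 DST=192.168.50.10 LEN=60 PROTO=TCP SPT=51234 DPT=22",
    "IN=vlan50 OUT=vlan50 SRC=192.168.50.10 DST=192.168.50.1 LEN=60 PROTO=ICMP",
]

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print("ALERT:", reason, "|", line)
```

Anything the script reports as an alert is a candidate for a confirm-or-block decision; once a destination is confirmed it is added to the allowlist and stops alerting.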

  • shekau@lemmy.today (banned from community) · 2 up / 1 down · 2 days ago

    Why are inverters even connected to the internet…

    • ikirin@feddit.org · 8 up · 2 days ago

      Very simple - convenience.

      Most people want to check how much power their PV produces from their phone. Yes, a proper solution like an openDTU that stays local only would be better, but it requires setup which most people simply lack.

    • Tautvydaxx@lemm.ee · 1 up · 2 days ago

      Some people can let inverters sell on peak demand and if you have a battery, buy on low. You need internet to see the prices.

      • Calavera@lemm.ee · 2 up / 1 down · 1 day ago

        You don’t need to put your inverter on the internet for that, just an external controller like a Raspberry Pi.

        • Tautvydaxx@lemm.ee · 2 up · 1 day ago

          Not everyone is tech savvy enough to do this. Always ask: could your mother or father do it without your guidance? Mine couldn’t, so they connected their inverter to the internet.

      • futatorius@lemm.ee · 1 up · 5 hours ago

        It’s bullshit. But elements within the EU have been relentlessly pushing for backdoors for at least a decade, and the UK and the Australians have tried it on as well.

      • Luffy@lemmy.ml · 4 up / 1 down · 2 days ago

        The US CLOUD Act and the US PATRIOT Act.

        Especially with just about every consumer electronic regularly sending all your data to their servers, these laws are nothing but a backdoor with extra steps.

        • futatorius@lemm.ee · 1 up · 5 hours ago

          The CLOUD Act is to allow data stored outside the US by US-based cloud providers to be accessed by selected foreign countries that have issued subpoenas and have requested US government assistance. It’s not a backdoor per se, and anyone with any sense encrypts their data before uploading it to the cloud instead of relying on cloud provider encryption services. Even if the US government weren’t snooping, there’s the risk that a cloud provider could be compromised by other hostile actors. Though it’s not all that wise to assume that cloud providers’ encryption services don’t have backdoors, unless that’s been confirmed by an impartial third-party audit. I know of no such audits.

          The PATRIOT Act is a human-rights nightmare for many reasons, but doesn’t grant the US government anti-privacy powers that the CLOUD Act doesn’t. It’s just more vaguely worded.

          And if you really want some worse Kafkaesque misery, FISA warrants will give you plenty if your or your firm’s name is on one.

        • Alfredolin@sopuli.xyz · 4 up · 2 days ago

          Yeah, ok. Thanks for clearing that up, I thought I missed something else. Yeah, that’s pretty bad, and it’s mind-blowing how nobody cares in Europe and every new PC/laptop is sold with Windoz and every big company has all its assets in Micråsoft infrastructures…

      • Luffy@lemmy.ml · 6 up / 2 down · 2 days ago

        Exactly. But some EU politicians apparently have Trump’s micropenis stuck up their ass so far that it seems to interfere with their logical thinking.

        • futatorius@lemm.ee · 1 up · 5 hours ago

          The EU (and UK, and AU, and more) have their own power-mad authoritarians among their leadership, regardless of what the US might want. Of course, now, the US leadership is so erratic and dictatorial that they pose a major risk to anyone’s privacy who does anything even remotely within reach of US jurisdiction.

    • amino@lemmy.blahaj.zone · 3 up / 6 down · 2 days ago

      Says the ignorant tankie while Chinese troops are in Ukraine. There’s no credible threat of US invasion, so leave your whataboutisms at the door of your instance.

      • Luffy@lemmy.ml · 5 up / 3 down · 2 days ago

        The only whataboutism is coming from your comment.

        1. I was not saying that we should just let China do its thing. I was saying that instead of just focusing on China, we should be banning the companies which are by law obligated to provide backdoors too.
        2. The US is a fascist state, and if you somehow really think it’s not threat enough that Trump is arresting children and sentencing them without lawyers, as well as sending immigrants to KZs, you should really see a doctor.

        • amino@lemmy.blahaj.zone · 1 up / 2 down · edited · 2 days ago

          To point number 2, China is also a fascist state. Your meme is whataboutism because it’s implying we should leave China alone while at the same time China is committing the same abuses that the US does. I’m a FOSS advocate in software and hardware; most Chinese tech doesn’t meet the standards of respecting human rights.

          • Spectrism@feddit.org · 4 up · 2 days ago

            it’s implying we should leave China alone

            It just implies that we should treat the US and Chinese more similarly. Whether this means avoiding the US more or working more closely with China is completely up to interpretation.

            most Chinese tech doesn’t meet the standards of respecting human rights

            Is that a problem with Chinese tech, or just proprietary tech? Because apart from privacy, I can’t tell which human rights tech is supposed to respect, and lack of privacy is an issue not limited to Chinese tech.

            • futatorius@lemm.ee · 1 up · edited · 5 hours ago

              FOSS is certainly easier to audit, though there’s still a risk of malicious contributors introducing backdoors or other exploits.

              And just to be clear, there are groups within China who are relentlessly executing cyber-attacks against European and US assets. China’s not the only source, but it’s the biggest (at least based on what we’re seeing at my workplace, which includes a high-volume website). And nothing happens in China for long without the CCP’s approval. So, at least de facto, assume that’s in line with Chinese government policy.

              The best course of action is to never assume any third party is going to protect your data unless someone credible has independently confirmed it. Don’t buy internet-connected devices unless there’s a damned good reason for them to be connected, and even then, firewall the hell out of them and make sure there’s no path from such a device to your sensitive data. If you have a home LAN for your various connected devices, keep that stuff logically (and ideally physically) separate from your personal data.

            • amino@lemmy.blahaj.zone · 2 up · 2 days ago

              Is that a problem with Chinese tech, or just proprietary tech? Because apart from privacy, I can’t tell which human rights tech is supposed to respect

              Not using Uyghur slave labor in East Turkestan would be a bare minimum, for example. I’m not implying that China is alone in this; it’s a problem in all the other capitalist countries.

              Even if they made their tech open source, I highly doubt they’d stop exploiting the populace.

      • Spectrism@feddit.org · 7 up · 2 days ago

        there’s no credible threat of US invasion

        Let’s just ignore the threats of taking Greenland, Canada and Panama… and whoever else will get added to that list.
        I mean, it’s not like the US has invaded a bunch of other countries in the past decades, right?

        But accusing others of being a tankie. Quite ironic.

        • amino@lemmy.blahaj.zone · 1 up / 3 down · edited · 2 days ago

          We’re on a European board talking about Chinese attacks on European infrastructure. I’m not aware of US invasion threats to EU countries (which Greenland isn’t a part of).

          I’m aware of the Snowden leaks and the CIA worldwide spying networks. Those are valid concerns; however, I don’t think the risk to privacy can be compared to the yearly cyber attacks perpetuated by China against the EU. Only one of these will be used in a potential war against us, since the US is a NATO ally.

          Who cares who the US invaded in the past? I never said they didn’t; you’re bordering on whataboutism.

          • Spectrism@feddit.org · 2 up / 1 down · edited · 1 day ago

            I’m not aware of US invasion threats to EU countries

            And I’m not aware of Chinese invasion threats to EU countries, now what? While not a full member, Greenland is an OCT member of the EEA.

            we’re on a European board talking about Chinese attacks on European infrastructure

            I’m aware. But we have many security flaws that don’t just involve China, yet nobody seems to care about. That’s what the meme is criticising. It doesn’t mean we should let China do what it wants, in fact I’m also in favor of eliminating such risks, but it’s only ever “China this, China that”, while ignoring things like e.g. networking infrastructure provided by the US. It’s the one-sided reporting, i.e. red scare, that’s annoying.

            Only one of these will be used in a potential war against us since the US is a NATO ally.

            For how long though? And spying on politicians and high-ranking army officials is most definitely going to be used against us in a potential war. This already happened, despite us being NATO allies. It wasn’t just EU citizens, they fucking spied on Angela Merkel and other EU officials. But yeah, nothing to worry about, they’re our allies after all…

            Keep in mind: “It may be dangerous to be America’s enemy, but to be America’s friend is fatal”

            who cares who the US invaded in the past?

            I do, and you should too, if you don’t blindly trust your “allies”. Accusing us of whataboutism, while you were writing about “Chinese troops in Ukraine” in response to a meme criticising the one sided reporting on security risks… absolutely wild.

          • sudneo@lemm.ee · 3 up · 2 days ago

            The same principle of strategic independence, though, can and should be applied to everyone, including China and the US. It’s clear that the US is not a reliable ally; it was very clear when they shut down F-16s remotely in Ukraine to bully them into submission. Nothing is stopping them from shutting down power grids, if these are in their hands, to push the EU to do whatever is not in its interests.

            It’s not like the risk of invasion is the only criterion to use for deciding to be independent on core technologies.

            • amino@lemmy.blahaj.zone · 1 up / 1 down · 2 days ago

              I agree; if I had to choose, I’d definitely want an economic/cyber war with the US over the much more likely conventional war with China.

              • sudneo@lemm.ee · 2 up / 1 down · 2 days ago

                I think you are greatly underestimating what someone controlling the tech (note: here you don’t need cyber attacks) for critical infrastructure can do. Shut down power and water and the war finishes before it even starts. Let alone communications, payment systems, banking systems, government websites and all the other services that depend on cloud (i.e., mostly US companies).

                The new directive (DORA, I think? I get confused with the names) does, for a reason, include the requirement to have an exit plan for cloud providers ready.