
46 new bugs in solar power inverters raise concerns over power grid stability


New research released March 27 by Forescout Research-Vedere Labs found 46 new vulnerabilities across three of the world’s 10 leading solar inverter vendors, flaws that could impact power grid stability, utility operations, and consumer data privacy.

The researchers found that 80% of vulnerabilities in solar power systems disclosed in the last three years were classified as high or critical severity, revealing severe systemic security weaknesses in the solar power ecosystem.

“The collective impact of residential solar systems on grid reliability is too significant to ignore – hospitals could lose access to critical equipment, families could go without heat in the winter or AC in a heatwave, and businesses could shut down,” said Barry Mainz, chief executive officer at Forescout. “Threat actors increasingly target critical infrastructure, making it essential to take them seriously and secure solar inverter systems before vulnerabilities lead to real-world disruptions.”

Forescout-Vedere’s leading findings in the recent report include the following:

  • Potential impact on privacy: Flaws were found in Sungrow, Growatt, and SMA products. Some of these vulnerabilities let attackers tamper with inverter settings and compromise user privacy.
  • Consistent, severe cybersecurity gaps: Of the disclosed vulnerabilities, 30% had the highest possible CVSS scores (9.8–10), meaning the attacker could take full control of an affected system.
  • Growing geopolitical concerns in solar supply chains: Over half of solar inverter manufacturers (53%) and storage system providers (58%) are based in China. Twenty percent of the monitoring system manufacturers are also from China, raising national security concerns over the dominance of foreign-made solar power components.
Ken Dunham, director, cyber threat at the Qualys Threat Research Unit, pointed out that targeting and exploiting critical infrastructure has been an important part of cyber warfare operations among our adversaries for many years.

“Nation-state groups strategically compromise and then maintain command and control of critical infrastructure, including power, water, nuclear, and similar infrastructure, lying in wait for many years for the right time and place to launch an attack when it strategically best benefits the adversary,” Dunham said.

Dunham explained that a number of cyber threats have been seen of late related to the power system, which relies in part on public infrastructure for communications and load balancing, making it vulnerable to remote exploitation, remote command and control, denial of service, and other forms of cyberattacks.

Willy Leichter, chief marketing officer at AppSOC, explained that while we must take vulnerabilities in critical infrastructure seriously, there is a danger in sounding too alarmist about any single threat. Leichter said nation-states are clearly targeting our industrial systems, but these environments are often more resilient than assumed: that is largely because they aren't fully automated and typically maintain air-gapped separation between IT and OT systems.

“While not foolproof, most OT environments rely on a mix of automation, remote control, and older manual systems,” said Leichter. “Think of it like driving an old pickup truck: it has fewer digital features, but is also not at risk of your autopilot being hijacked. However, we can’t afford complacency—disruptions to power or industrial systems can have serious ripple effects.”

Leichter added that it is worth noting the most damaging industrial attack to date – Colonial Pipeline – did not compromise OT systems: it was a ransomware attack on business operations, not industrial controls, that caused the supply crisis.

“We’ll certainly see more attempts to disrupt infrastructure, and we’re not adequately prepared—especially with the Trump administration’s erratic cuts to cybersecurity,” said Leichter. “But focusing too heavily on worst-case ‘meltdown’ scenarios can distract from the more complex, systemic vulnerabilities that actually need our attention.”
