The National Security Implications of Your Solar Rooftop

James Showalter presents a rather unusual yet concerning nightmare scenario: someone arrives at your location, cracks your Wi-Fi password, and then gains unauthorized access to the solar inverter positioned next to your garage. This unassuming gray box is responsible for converting the direct current from your rooftop panels into the alternating current that powers your home.

“You’ve got to have a solar stalker” for this to happen, remarks Showalter, describing an individual who would need to show up at your driveway, equipped with both the skills and motive to breach your home energy system.

As the CEO of EG4 Electronics, a company based in Sulphur Springs, Texas, Showalter does not consider this scenario to be particularly likely. Nevertheless, his firm attracted attention last week when the U.S. cybersecurity agency CISA issued an advisory pointing out security weaknesses in EG4’s solar inverters. According to CISA, these vulnerabilities could allow an intruder connected to the same network as a compromised inverter to intercept data, install harmful firmware, or take complete control of the system.

For the roughly 55,000 customers owning the impacted inverter model, this incident may serve as an unsettling introduction to a device they barely comprehend. They are beginning to realize that modern solar inverters are more than mere power converters; they now play a critical role in home energy solutions, monitoring performance, interacting with utility companies, and sending excess power back to the grid.

Much of this transformation has gone unnoticed. “Nobody knew what a solar inverter was five years ago,” states Justin Pascale, a principal consultant at Dragos, a cybersecurity firm specializing in industrial systems. “Now we’re discussing it at both national and international levels.”

Security challenges and customer concerns

Statistics indicate that individual homes in the U.S. increasingly operate as miniature power plants. The U.S. Energy Information Administration reports that small-scale solar installations—mainly residential—grew more than fivefold from 2014 to 2022. What used to be a niche reserved for climate advocates and early adopters has gained mainstream popularity due to falling costs, government incentives, and increasing awareness of climate change.

Each solar installation adds another link to a growing network of interconnected devices, enhancing energy independence while also creating potential entry points for malicious actors.

When asked about his company’s security measures, Showalter acknowledges some shortcomings but shifts the blame. “This is not an EG4 issue,” he insists. “It’s a challenge throughout the industry.” During a Zoom call and later in an email, he presented a 14-page report listing 88 solar energy vulnerability disclosures spanning both commercial and residential settings since 2019.

Not all of his clients—some of whom took to Reddit to voice their dissatisfaction—are forgiving, especially considering that CISA’s advisory revealed fundamental design flaws: unencrypted plain text communication between monitoring applications and inverters, firmware updates lacking integrity checks, and basic authentication failures.

“These were critical security oversights,” states one anonymous customer of the company. “To make matters worse,” this individual adds, “EG4 didn’t even notify me or suggest any mitigations.”

When asked why EG4 did not inform customers immediately following CISA’s outreach, Showalter referred to it as a “live and learn” moment.

“Since we were so close [to resolving CISA’s concerns] and had a good relationship with them, we aimed to get to the ‘done’ button and then inform people, to avoid disrupting the process,” Showalter explains.

TechCrunch reached out to CISA earlier this week for further information; the agency has yet to respond. In CISA’s advisory about EG4, it states that “no known public exploitation of these vulnerabilities has been reported to CISA at this time.”

Concerns about associations with China

Although unrelated, the timing of EG4’s public relations crisis coincides with broader worries regarding supply chain security for renewable energy devices.

Earlier this year, U.S. energy officials began to reconsider the risks associated with devices manufactured in China after discovering unexplained communication modules within several inverters and batteries. According to a Reuters investigation, undisclosed cellular radios and other communication devices were found in equipment from multiple Chinese suppliers—components that were not listed on official hardware documents.

This reported finding holds significant implications given China’s dominance in solar manufacturing. That same Reuters article noted that Huawei emerged as the largest global supplier of inverters, accounting for 29% of worldwide shipments in 2022, followed by Chinese companies Sungrow and Ginlong Solis. Approximately 200 GW of European solar power capacity is connected to inverters made in China, comparable to more than 200 nuclear power plants worth of electricity.

The geopolitical ramifications have not gone unnoticed. Last year, Lithuania passed a law prohibiting remote Chinese access to solar, wind, and battery installations exceeding 100 kilowatts, effectively limiting the use of Chinese-made inverters. Showalter mentions that his company is addressing customer worries by initiating a shift away from Chinese suppliers toward components manufactured by companies in other regions, including Germany.

However, the vulnerabilities identified by CISA in EG4’s systems raise questions that extend beyond the practices of a single company or the origins of its components. The U.S. standards agency NIST issues warnings that “if you remotely control a sufficiently large number of home solar inverters and enact something harmful simultaneously, the implications for the grid could be catastrophic and lengthy.”

The silver lining (if there is one) is that while such scenarios are theoretically possible, they face numerous practical challenges.

Pascale, who specializes in utility-scale solar installations, explains that residential inverters mainly serve two purposes: converting power from direct to alternating current and facilitating connection back to the grid. A mass attack would necessitate breaching a vast number of individual homes at once. (While such attacks are conceivable, they’re more likely to target manufacturers themselves, some of whom have remote access to their customers’ solar inverters, as shown by security researchers last year.)

The regulatory framework governing larger installations does not currently apply to residential systems. The North American Electric Reliability Corporation’s Critical Infrastructure Protection standards pertain only to larger facilities producing 75 megawatts or more, such as solar farms.

Since residential installations fall well below these thresholds, they operate within a regulatory gray area where cybersecurity standards remain suggestions rather than definitive requirements.

Consequently, the security of numerous small installations chiefly depends on the judgment of individual manufacturers operating in a regulatory void.

Regarding the issue of unencrypted data transmission—a primary reason EG4 faced CISA’s scrutiny—Pascale notes that in utility-scale operational environments, plain text transmission is often common and sometimes even encouraged for monitoring functions.

“When you evaluate encryption in an enterprise setting, it tends to be discouraged,” he clarifies. “However, in an operational context, many transmissions occur in plain text.”

In essence, the primary concern isn’t an immediate risk to individual homeowners. Rather, it pertains to the cumulative vulnerability of an expanding network. As the energy grid grows more decentralized, with power generated from millions of small sources rather than a limited number of larger ones, the potential attack surface increases dramatically. Each inverter represents a possible pressure point in a system not originally designed to handle this level of complexity.

Showalter views CISA’s involvement as a “trust upgrade”—an opportunity for his company to distinguish itself in a crowded marketplace. He asserts that since June, EG4 has collaborated with the agency to address the identified vulnerabilities, reducing an initial list of ten concerns to three remaining issues expected to be resolved by October. This process has involved updating firmware transmission protocols, improving identity verification for technical support calls, and overhauling authentication methods.

Yet for individuals like the anonymous EG4 customer who expressed irritation about the company’s response, this situation highlights the unusual position solar adopters find themselves in. They invested in what they believed to be eco-friendly technology only to realize they have unwittingly become players in a complex cybersecurity arena that remains largely opaque.