Threat Modeling in Solar Power Infrastructure
By Derek Fisher
Wed | Jun 18, 2025 | 5:13 AM PDT

When renewable energy becomes a security risk

Some people are concerned about whether solar panels will operate after periods of cloudy weather, others are more concerned about whether they can be remotely accessed. This is where the IT/OT worlds collide, creating potential security issues for energy providers.

Recent research from Forescout has revealed that roughly 35,000 solar power systems are exposed to the internet, with researchers discovering 46 new vulnerabilities across three major manufacturers that could potentially destabilize power grids.

We know IoT can be insecure. In fact, years ago I gave a talk on IoT insecurities, and it's still true today. However, this isn't just another IoT security story, as the impacts can have a ripple effect across critical infrastructure, putting teams on their heels.

Here is where threat modeling can be helpful in determining both the attack surface and identifying potential remediation and mitigation efforts. Let's take a look at proper threat modeling principles to understand more.

The solar IT/OT convergence problem

Solar installations represent a perfect example of IT/OT convergence gone wrong from a security perspective. Unlike traditional power generation that relied on air-gapped systems, modern solar infrastructure is inherently connected to a broader "smart grid." Inverters, data loggers, monitors, gateways, and other communication equipment all require internet connectivity for monitoring, maintenance, and grid synchronization.

Those of us in the cybersecurity space know that this connectivity creates an attack surface that traditional power infrastructure didn't have to consider. When you combine internet-exposed management interfaces with manufacturers who prioritized functionality over security, you get an insecure ecosystem with impacts that can ripple through national security interests by allowing for:

  • Modified power output that destabilizes the grid
  • The shutdown of systems remotely
  • False data injection into monitoring platforms
  • Inclusion into botnets for distributed attacks

Applying the OWASP IoT Top 10 to solar infrastructure

Let's apply a threat modeling approach to a typical solar installation. Consider this simplified but representative architecture:

  • Solar Inverters: Convert DC power to AC and communicate with grid operators
  • Data Loggers/Monitors: Track performance and send data to cloud platforms
  • Cloud Management Systems: Vendor-hosted platforms for remote monitoring
  • Mobile/Web Applications: Allow owners to monitor and control systems
  • Grid Connection Points: Where solar power integrates with the electrical grid

Using the OWASP IoT Top 10 framework, here are the critical threats we're now seeing in real-world attacks:

  • TS1: (Critical) Default and Hardcoded Credentials
    The SolarView Compact product is affected by at least three vulnerabilities that have been exploited in the wild by botnets, with none of the observed devices running the latest firmware version. In Japan, attackers hijacked 800 SolarView Compact devices using known vulnerabilities to conduct banking fraud. Yes, you read that right. This attack shows how solar devices can become launching pads for broader criminal activity.
    Remediation: Implement unique, strong passwords per device. Disable default accounts entirely and require password changes during initial setup. Monitor for devices still using factory credentials.

  • TS2: (Critical) Insecure Ecosystem Interfaces
    The 46 vulnerabilities across three of the world's top 10 solar inverter vendors include multiple flaws that could allow unauthenticated attackers to take control of devices remotely. These vulnerabilities enable attackers to manipulate power generation at scale.
    Remediation: Implement robust authentication and authorization for all ecosystem interfaces including web, mobile, cloud, and backend APIs. Validate and sanitize all input data, use proper session management, and regularly audit interface security. Disable unnecessary services and endpoints that don't require external access.

  • TS3: (Medium) Lack of Physical Hardening
    Solar inverters and communication equipment are often deployed in remote, outdoor locations with minimal physical security. Attackers with physical access can connect directly to service ports, extract firmware, install malicious hardware modifications, or replace communication modules with compromised versions. The distributed nature of far-flung equipment such as solar installations makes comprehensive physical monitoring challenging.
    Remediation: Implement tamper-evident seals and secure enclosures for all outdoor equipment. Use boot verification and firmware integrity checks to detect unauthorized modifications. Install physical intrusion detection where feasible and conduct regular site inspections to verify equipment integrity.

  • TS4: (Critical) Supply Chain Vulnerabilities
    Over half of solar inverter manufacturers (53%) and storage system providers (58%) are based in China, raising concerns about the concentration of critical energy infrastructure components in foreign supply chains.
    Remediation: Implement supply chain risk assessments for all solar components. Require security attestations from manufacturers and conduct third-party security audits before deployment.
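As an added example (not from the article or any vendor), the following script turns the TS1, TS2 and TS4 remediations above into a posture audit that a security team could run over its own device inventory: it flags devices still using a factory credential, firmware behind the latest release, management interfaces reachable from the internet, and vendors with no security attestation on file. The device records, vendor and model names, default-password list and "latest firmware" table are all constructed for the demonstration.

```python
"""Added example: posture audit over a constructed solar-device inventory,
mapping each finding to the threat categories discussed above (TS1, TS2, TS4).
All device records, model names, hashes and versions are constructed."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


def _sha256(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed factory-password digests; an audit tool compares hashes so the
# default passwords themselves never sit in plaintext in the tool's config.
KNOWN_DEFAULT_PASSWORD_HASHES = {_sha256(p) for p in ("admin", "password", "12345678")}

# Constructed "latest firmware" table and attestation register (hypothetical vendors).
LATEST_FIRMWARE = {"ExampleVendor/InverterX": "2.4.1", "ExampleVendor/LoggerY": "1.9.0"}
ATTESTED_VENDORS = {"ExampleVendor"}


@dataclass
class Device:
    device_id: str
    model: str                   # "Vendor/Model"
    firmware: str
    password_sha256: str
    mgmt_interface_public: bool  # management UI reachable from the internet
    mgmt_uses_tls: bool


@dataclass
class Finding:
    device_id: str
    threat: str    # OWASP IoT category as labelled in the article (TS1, TS2, TS4)
    severity: str
    detail: str


def parse_version(v: str) -> tuple:
    """Numeric tuple so that 2.10.0 sorts after 2.9.1 (string compare would not)."""
    return tuple(int(x) for x in v.split("."))


def audit_device(d: Device) -> list[Finding]:
    findings = []
    if d.password_sha256 in KNOWN_DEFAULT_PASSWORD_HASHES:
        findings.append(Finding(d.device_id, "TS1", "Critical", "factory credential still in use"))
    latest = LATEST_FIRMWARE.get(d.model)
    if latest and parse_version(d.firmware) < parse_version(latest):
        findings.append(Finding(d.device_id, "TS1", "High",
                                f"firmware {d.firmware} behind latest {latest}"))
    if d.mgmt_interface_public:
        findings.append(Finding(d.device_id, "TS2", "Critical",
                                "management interface exposed to the internet"))
    elif not d.mgmt_uses_tls:
        findings.append(Finding(d.device_id, "TS2", "Medium", "management interface without TLS"))
    vendor = d.model.split("/")[0]
    if vendor not in ATTESTED_VENDORS:
        findings.append(Finding(d.device_id, "TS4", "High",
                                f"no security attestation on file for {vendor}"))
    return findings


def audit_fleet(devices) -> dict[str, list[Finding]]:
    return {d.device_id: audit_device(d) for d in devices}


def summarize(report) -> dict[str, int]:
    """Count findings per threat category as a fleet-level posture metric."""
    counts: dict[str, int] = {}
    for fs in report.values():
        for f in fs:
            counts[f.threat] = counts.get(f.threat, 0) + 1
    return counts


# Constructed sample inventory: one clean device, one badly exposed, one unattested.
SAMPLE_FLEET = [
    Device("inv-001", "ExampleVendor/InverterX", "2.4.1", _sha256("c0rrect-h0rse-battery"), False, True),
    Device("inv-002", "ExampleVendor/InverterX", "2.1.0", _sha256("admin"), True, False),
    Device("log-003", "OtherVendor/LoggerZ", "1.0.0", _sha256("s3cret-unique"), False, False),
]

if __name__ == "__main__":
    report = audit_fleet(SAMPLE_FLEET)
    for dev_id, fs in report.items():
        for f in fs:
            print(f"{dev_id} [{f.severity}] {f.threat}: {f.detail}")
    print(summarize(report))
```

Feeding the audit from a real asset inventory (the "maintain an inventory" item in the mitigation list) is what makes it useful: the per-category counts give a fleet-level view, while the per-device findings tell the team which units to take off the internet or re-flash first.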

The grid-scale impact: beyond individual devices

What makes energy infrastructure threats particularly concerning is that they allow coordinated attacks with an amplified impact. Attackers need to take control of, or disrupt, only a small percentage of devices such as solar inverters to have an outsized effect, potentially triggering emergency grid responses or load-shedding procedures (think rolling blackouts, but unplanned).

So while we're thinking about the individual devices and providing protection, we have to think about the broader impact and context to help us understand scope and adversaries. We have to consider that we are building controls that protect against coordinated attacks that could weaponize energy infrastructure against the very grids they're meant to support.

Real-world attack scenarios

The threats aren't theoretical. In 2024 alone, we've seen multiple incidents, including:

These attacks demonstrate how solar infrastructure can serve as both targets and launching platforms for broader cybercriminal activity.

Mobile and remote access considerations

Solar installations often include mobile applications or interfaces such as HMIs (human-machine interfaces), as well as remote monitoring capabilities, which introduce additional attack vectors, including:

  • Adversary-in-the-Middle Attacks: Technicians accessing solar systems over public or insecure Wi-Fi can expose credentials.

  • Insecure Apps: Mobile applications used for monitoring may lack proper input validation, encryption, and other application security controls.

  • Cross-Domain Attacks: Compromised mobile devices can provide access to systems, which then become pivot points into broader facility networks.

Mitigation strategies for security teams

The best part about performing a comprehensive threat model (or even a basic one like the one here) is that it can provide the basis for building a more secure system. After all, that's the goal, right? Based on both the findings and threat modeling best practices, security teams should:

  • Audit all solar infrastructure for internet exposure using asset discovery tools like Shodan or Censys
  • Implement network segmentation to isolate solar systems from corporate networks and limit lateral movement
  • Avoid exposing inverter management interfaces to the internet. If remote management is needed, place devices behind a hardened VPN following CISA guidelines.
  • Conduct regular risk assessments, ensure full network visibility into these devices, and segment them into sub-networks with continuous monitoring
  • Follow NIST guidelines for the cybersecurity of smart inverters in residential and commercial installations
  • Implement automated firmware update processes with proper testing procedures
  • Require security certifications from solar equipment vendors
  • Perform third-party security assessments before deploying new equipment
  • Maintain an inventory of all solar infrastructure components and their security posture

The broader lesson for IT/OT security
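The "boot verification and firmware integrity checks" remediation under TS3 and the "automated firmware update processes with proper testing" item above both come down to the same gate: never install an image the device cannot verify. The following added example (my own code, not from the article or any inverter vendor) shows that gate with three checks: manifest authenticity, image hash integrity, and rollback protection. The keys, firmware bytes and manifest are constructed, and an HMAC-SHA256 tag stands in for the asymmetric signature a real vendor would publish.

```python
"""Added example: verify a firmware image against a signed manifest before install.
Keys, image bytes and manifests are constructed; HMAC-SHA256 stands in for a
vendor's asymmetric signature so the example runs with the standard library only."""
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed verification key; a real device would hold the vendor's public key.
VENDOR_KEY = b"constructed-vendor-signing-key"


def sign_manifest(manifest: dict, key: bytes = VENDOR_KEY) -> str:
    """Authenticity tag over a canonical JSON encoding (sorted keys, no whitespace),
    so that re-ordering fields cannot produce a different tag for the same content."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def parse_version(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))


def verify_update(image: bytes, manifest: dict, tag: str, installed_version: str,
                  key: bytes = VENDOR_KEY) -> tuple[bool, str]:
    """Return (ok, reason). Every check must pass before the image may be flashed."""
    # 1. Authenticity: the manifest must carry a valid tag, checked in constant time.
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return False, "manifest signature invalid"
    # 2. Integrity: the image hash must equal the value the signed manifest commits to.
    digest = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        return False, "image hash mismatch"
    # 3. Rollback protection: a genuine but older image re-exposes fixed bugs.
    if parse_version(manifest["version"]) <= parse_version(installed_version):
        return False, f"version {manifest['version']} not newer than {installed_version}"
    return True, "ok"


# Constructed sample artifacts.
GOOD_IMAGE = b"\x7fELF constructed firmware image v2.4.1"
GOOD_MANIFEST = {"model": "ExampleVendor/InverterX", "version": "2.4.1",
                 "sha256": hashlib.sha256(GOOD_IMAGE).hexdigest()}
GOOD_TAG = sign_manifest(GOOD_MANIFEST)


def demo() -> dict:
    """Run the gate against a valid update and three failure modes."""
    tampered_image = GOOD_IMAGE[:-1] + b"X"   # one byte changed after signing
    results = {}
    results["valid"] = verify_update(GOOD_IMAGE, GOOD_MANIFEST, GOOD_TAG, "2.1.0")
    results["tampered"] = verify_update(tampered_image, GOOD_MANIFEST, GOOD_TAG, "2.1.0")
    # Manifest edited to match the tampered image, but the tag was not re-signed.
    forged = dict(GOOD_MANIFEST, sha256=hashlib.sha256(tampered_image).hexdigest())
    results["forged"] = verify_update(tampered_image, forged, GOOD_TAG, "2.1.0")
    # Genuine image offered to a device already running that version (downgrade attempt).
    results["downgrade"] = verify_update(GOOD_IMAGE, GOOD_MANIFEST, GOOD_TAG, "2.4.1")
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:10s} -> {'install' if ok else 'REJECT'} ({reason})")
```

The order of the checks matters: the signature is verified first so that nothing in an unauthenticated manifest (including its hash field) is trusted, and the version comparison runs only on a manifest that is already known to be genuine.
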

The solar infrastructure security vulnerabilities illustrate a fundamental challenge in modern IT/OT environments. Converging operational technology (OT) with internet connectivity creates attack surfaces that traditional security models don't address neatly. That's where a simple threat model can go a long way!

As we continue to network-connect critical infrastructure in manufacturing, energy, or other sectors, security teams must be prepared to address these new realities through expanding their threat models to consider not just individual device security, but the systemic risks of coordinated attacks across entire fleets of connected devices.

The solar industry's security challenges today are tomorrow's lessons for every other sector that connects their critical assets to a broader network. And we know that the time to apply threat modeling is as early in the development and design process as possible, not after the first attack happens.

This article originally appeared on LinkedIn here.

For more insights on this topic, attend the SecureWorld Critical Infrastructure virtual conference on August 28, 2025. See the agenda and register here.
