A news report highlighted that U.S. energy officials are re-evaluating the potential risks associated with Chinese-made devices that are integral to renewable energy infrastructure, following the discovery of unexplained communication equipment within some of these devices, according to two sources familiar with the situation. Power inverters, which are primarily manufactured in China, are essential for connecting solar panels and wind turbines to electricity grids worldwide. These devices are also used in batteries, heat pumps, and electric vehicle chargers.
Although inverters are designed for remote access to facilitate updates and maintenance, utility companies typically implement firewalls to block direct communication with China and safeguard their systems.
Reuters was unable to determine how many solar power inverters and batteries they have looked at. However, rogue communication devices not listed in product documents have been found in some Chinese solar power inverters by U.S. experts who strip down equipment hooked up to grids to check for security issues, the two people said.
Over the past nine months, undocumented communication devices, including cellular radios, have also been found in some batteries from multiple Chinese suppliers, one of them said.
U.S. experts have allegedly found rogue communication devices, including cellular radios, in Chinese-made solar inverters and batteries over the past nine months. These undocumented devices create additional communication channels that could bypass firewalls remotely, posing significant security risks.
The exact number of affected devices has not been determined, and the sources remained anonymous due to media restrictions. They also chose not to disclose the names of the Chinese manufacturers responsible for the inverters and batteries equipped with additional communication devices, nor would they reveal the total number of such devices discovered. The U.S. government has yet to make a public statement regarding the findings.
In remarks to Reuters, the U.S. Department of Energy (DOE) said it continually assesses risk associated with emerging technologies and that there were significant challenges with manufacturers disclosing and documenting functionalities.
“While this functionality may not have malicious intent, it is critical for those procuring to have a full understanding of the capabilities of the products received,” a spokesperson said.
Work is ongoing to address any gaps in disclosures through Software Bill of Materials (SBOMs)– or inventories of all the components that make up a software application – and other contractual requirements, the spokesperson said.
Industrial Cyber has reached out to the DOE and will provide an update.
The disclosure comes as the U.S. critical infrastructure sector is increasingly vulnerable to sophisticated cyber threats, with recent attacks like Salt and Volt Typhoon highlighting the growing risks.
The Salt Typhoon group, believed to be linked to state-sponsored actors, is behind a hacking campaign dubbed ‘Salt Typhoon’ by investigators. These cyber adversaries, allegedly connected to China, infiltrated America’s broadband networks. The group’s tactics involve deploying malware that allows unauthorized access to vital infrastructure, such as energy grids and water treatment facilities, often leading to data theft or system disruptions. These attacks can have severe consequences, affecting both the operations and the broader public.
Volt Typhoon, another advanced persistent threat (APT) group, has been observed infiltrating critical infrastructure by exploiting weaknesses in both IT and OT (operational technology) environments. Their attacks are particularly concerning because they can target both the digital networks and physical components of critical systems. Volt Typhoon’s ability to adapt and move laterally within compromised networks underscores the complexity of modern cyber threats, especially in sectors where operational continuity is essential.
In March, researchers from Forescout Research’s Vedere Labs uncovered vulnerabilities in solar power systems after analyzing six major inverter manufacturers, including Huawei, Sungrow, and SMA Solar Technology.
The study, called SUN:DOWN, revealed that Sungrow, SMA, and Growatt had nearly 50 vulnerabilities that could potentially disrupt the power grid and cause blackouts. In total, 93 known vulnerabilities were identified, with 80 percent classified as high or critical severity, scoring between 9.8 and 10 on the CVSS scale. These vulnerabilities pose significant risks, allowing for potential attacks on power grids and smart-home devices.
