Mögliches Sicherheitsrisiko durch chinesische Komponenten in Solaranlagen

The increasing spread of solar installations not only brings opportunities for the transition towards renewable energy, but also poses new risks to security of supply. In particular, the discovery of suspicious radio modules in solar system inverters, as reported by the Reuters news agency, raises serious questions about cyber security.

In recent months, US authorities and independent experts have discovered undocumented communication devices in several Chinese inverters and battery storage systems. These components, including mobile radio modules, were not listed in the technical documentation or in the software bill of materials for the products.

Inverters are important components in solar power systems. They connect the solar modules to the power grid and control the feed-in. Modern devices have remote access options for maintenance and updates. As a rule, operators protect these interfaces with firewalls to prevent unauthorized access, especially from abroad.

The discovered modules open up additional, previously unknown communication interfaces. Threat actors could use these to bypass established firewalls, manipulate settings or switch off devices in a targeted manner. Experts warn that, in extreme cases, this could lead to widespread power outages, damage to the energy infrastructure or even the physical destruction of parts of the power grid.

The security risk is therefore particularly high, as Chinese companies are legally obliged to cooperate with their own intelligence services, according to experts - which means that Chinese state actors could exert influence on foreign power grids if they gain access to these components.

The US government has not yet officially confirmed the findings, but says it is continuously reviewing the risks of new technologies and is calling for more transparency in manufacturer information. In addition, the US published the Decoupling from Foreign Adversarial Battery Dependence Act in February, which prohibits the Department of Homeland Security from purchasing batteries from Chinese manufacturers from October 2027.

There is also growing concern in Germany and Europe about an increased security risk. The German Federal Office for Information Security (BSI) sees the danger that internet-enabled components in solar installations could provide a gateway for attacks on critical infrastructure. At the same time, the industry association European Solar Manufacturing Council (EMSC) is calling on the EU to develop and introduce a European security toolkit for inverters.

In Lithuania and Estonia, the dangers of Chinese influence on energy security have already been recognized and addressed. Lithuania has passed a law restricting Chinese remote access to larger solar, wind and battery systems, limiting the use of Chinese inverters. Estonia is also considering a ban on Chinese technology in critical economic sectors. The UK is currently investigating whether Chinese technology poses a risk to the energy system.

In order to ensure the security of energy networks in the future, operators should observe the following in addition to implementing Operational Technology (OT) security recommendations (e.g. from CISA):

Transparent supply chain: Operators should only purchase systems from suppliers who offer complete transparency about their components and their origin.

Independent security checks: The procured, critical systems should be checked by independent experts for hidden modules or vulnerabilities.

Diversification of suppliers: Operators should consider switching to European or otherwise certified products in the medium term.

The discovery of undocumented communication modules in Chinese solar components is a wake-up call for the entire energy sector. IT security must become a central requirement when selecting and operating components for renewable energies. This is the only way to guarantee security of supply and the independence of critical infrastructures in the long term.

Author: Jan Philipsen