Energy Hackers Can Attack Your Solar Panels—Change Your Passwords Now

Hackers are attracted to weak passwords like rats to garbage. Forget sophisticated infostealer malware campaigns, if your password is weak enough to be stolen using a brute-force attack or simply already known because you haven’t changed the factory admin default, all the better for those who would attack your stuff. But when that stuff is energy, and the access route is through the solar panels on your rooftop, the stakes get a lot higher as a Feb. 27 report has revealed.

ForbesGoogle Warns Of National Security Threat From Cybercrime AttacksBy Davey Winder

The Solar Panel Energy Hack Attack Surface

A report published by the German International broadcaster, Deutsche Welle, has warned that “hackers can easily access solar power plants due to weak passwords and vulnerable software, posing a significant threat to energy security,” and rooftop installations are at the heart of the concern. “The transition to renewable energy relies on digital networks that can be targeted by hackers,” Mathis Richtmann, reporting for Deutsche Welle, said, adding that DW had spoken to “hackers who’ve exposed security gaps in rooftop installations and solar power plants around the world.”

An October 2024 report from Secura that investigated cybersecurity threats to the solar power sector in the Netherlands, for example, revealed a total of 27 different scenarios in which a large-scale disruption of solar power could be achieved. The potential impact was described by those researchers as disastrous and involved “severe economic damage, physical damage and even damage to society itself – certainly if the secondary consequences of the cyberattacks are taken into consideration.” This report looked at everything from small domestic rooftop installations through to SME and large-scale including solar farms. Web portal attacks, hardware hacking and supply chain attacks were all investigated.

Forbes244 Million Passwords Stolen From Crime Forum—Are Yours On The List?By Davey Winder

The Solar Password Problem

Deutsche Welle interviewed a U.S. hacker, Aditya K Sood, who demonstrated how a solar power plant in India could be hacked, logging into a remote dashboard for one such organization in southern India’s Tamil Nadu region on video. “People deploy their devices and forget to actually change default passwords,” Sood said; “Or they have configured very weak passwords.” One German company responsible for the design of the solar control setup at that Indian plant told Richtmann that “while it is technically possible for a customer to assign a weak password and provide open access to their network on the internet, we do not recommend this.” Maybe not, but hackers will be relying upon it and, as the demonstration from Sood showed, not without good reason.

An August 2024 BitDefender report, as noted by Pierluigi Paganini at the Security Affairs onoine publication, found hard-coded credentials present in platforms “responsible for coordinating production operations of millions of solar installations worldwide generating a whopping output of approximately 195 GW of solar power.”

The takeaway here is simple: change your password and do it now. Don’t rely upon factory defaults, ensure your passwords are strong and don’t share them. You might think that your rooftop solar panels are just a small cog in a big machine, but if those cogs get attacked en masse the consequences could be unthinkable.

ForbesU.S. Government Supercharges Security VulnerabilitiesBy Davey Winder