and it’s such a positive relationship with CISA, we were going to get to the ‘done’ button, and then advise people, so we’re not in the middle of the cake being baked,” says Showalter.
TechCrunch reached out to CISA earlier this week for more information; the agency has not responded. In its advisory about EG4, CISA states that “no known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.”
Connections to China spark security concerns
While unrelated, the timing of EG4’s public relations crisis coincides with broader anxieties about the supply chain security of renewable energy equipment.
Earlier this year, U.S. energy officials reportedly began reassessing risks posed by devices made in China after discovering unexplained communication equipment inside some inverters and batteries. According to a Reuters investigation, undocumented cellular radios and other communication devices were found in equipment from multiple Chinese suppliers — components that hadn’t appeared on official hardware lists.
This reported discovery carries particular weight given China’s dominance in solar manufacturing. That same Reuters story noted that Huawei is the world’s largest supplier of inverters, accounting for 29% of shipments globally in 2022, followed by Chinese peers Sungrow and Ginlong Solis. Some 200 GW of European solar power capacity is linked to inverters made in China, which is roughly equivalent to more than 200 nuclear power plants.
The geopolitical implications haven’t escaped notice. Lithuania last year passed a law blocking remote Chinese access to solar, wind, and battery installations above 100 kilowatts, effectively restricting the use of Chinese inverters. Showalter says his company is responding to customer concerns by similarly starting to move away from Chinese suppliers and toward components made by companies elsewhere, including in Germany.
But the vulnerabilities CISA described in EG4’s systems raise questions that extend beyond any single company’s practices or where it sources its components. The U.S. standards agency NIST warns that “if you remotely control a large enough number of home solar inverters, and do something nefarious at once, that could have catastrophic implications to the grid for a prolonged period of time.”
The good news (if there is any), is that while theoretically possible, this scenario faces a lot of practical limitations.
Pascale, who works with utility-scale solar installations, notes that residential inverters serve primarily two functions: converting power from direct to alternating current, and facilitating the connection back to the grid. A mass attack would require compromising vast numbers of individual homes simultaneously. (Such attacks are not impossible but are more likely to involve targeting the manufacturers themselves, some of which have remote access to their customers’ solar inverters, as evidenced by security researchers last year.)
The regulatory framework that governs larger installations does not right now extend to residential systems. The North American Electric Reliability Corporation’s Critical Infrastructure Protection standards currently apply only to larger facilities producing 75 megawatts or more, like solar farms.
Because residential installations fall so far below these thresholds, they operate in a regulatory gray zone where cybersecurity standards remain suggestions rather than requirements.
But the end result is that the security of thousands of small installations depends largely on the discretion of individual manufacturers that are operating in a regulatory vacuum.
On the issue of unencrypted data transmission, for example, which is one reason EG4 received that slap on the hand from CISA, Pascale notes that in utility-scale operational environments, plain text transmission is common and sometimes encouraged for network-monitoring purposes.
“When you look at encryption in an enterprise environment, it is not allowed,” he explains. “But when you look at an operational environment, most things are transmitted in plain text.”
Put another way, the real concern isn’t an immediate threat to individual homeowners. Instead it ties to the aggregate vulnerability of a rapidly expanding network. As the energy grid becomes increasingly distributed, with power flowing from millions of small sources rather than dozens of large ones, the attack surface expands exponentially. Each inverter represents a potential pressure point in a system that was never designed to accommodate this level of complexity.
Showalter has embraced CISA’s intervention as what he calls a “trust upgrade” — an opportunity to differentiate his company in a crowded market. He says that since June, EG4 has worked with the agency to address the identified vulnerabilities, reducing an initial list of 10 concerns to three remaining items that the company expects to resolve by October. The process has involved updating firmware transmission protocols, implementing additional identity verification for technical support calls, and redesigning authentication procedures.
But for those like the anonymous EG4 customer who spoke with frustration about the company’s response, the episode highlights the odd position that solar adopters find themselves in. They purchased what they understood to be climate-friendly tech, only to discover they’d become unwitting participants in a knotty cybersecurity landscape that few seem to fully comprehend.
