The US Department of Transportation’s FHA has issued a warning that hidden cellular radios have been found in unspecified foreign-made inverters and batteries used in PV highway infrastructure, according to a recent report by Reuters, which cited a four-page security note.
“US officials say solar-powered highway infrastructure including chargers, roadside weather stations, and traffic cameras should be scanned for the presence of rogue devices – such as hidden radios – secreted inside batteries and inverters,” the Reuters article stated, without providing details on the radios or the PV equipment.
“This internal advisory that was sent on Aug. 20 within the US Department of Transportation still does not provide clear direction as to what equipment exactly is suspect, and whether anything was found, which to me seems a matter of high public interest and not an issue with a logic to be classified,” cybersecurity expert Uri Sadot told pv magazine.
“The response of the Department of Transportation to Cybersecurity and Infrastructure Security Agency (CISA) is even more frustrating, as they are effectively answering to the severity of the leak instead of tackling the issue itself, which is whether taxpayers and citizens are at risk of stoplights and safety sign malfunctions as they drive their families on high-speed federal highways,” he said.
Sadot said that to remotely control large amounts of PV capacity, original equipment manufacturers do not need rogue devices because residential and light commercial inverters are already designed to be serviced remotely over the internet. He noted there are few regulatory measures addressing this in the United States or Europe, apart from actions in countries including Lithuania, Iran, China and Taiwan.
“China perhaps has taken the most effective and early measures, with its 2019 MLPS 2.0 regulations setting severe limitations on foreign parties seeking to install remotely controllable distributed energy resources onto its grid, including PV inverters, heat pumps and EV charger infrastructure, which must be separately managed by a Chinese-controlled entity to operate in China,” Sadot said. “India has also started taking dramatic, rapid steps with its recent government reporting requirements for inverters and distributed generation sites, but in the United States we’ve not yet seen much happen, while in Europe there’s now an accelerated PV risk assessment taking place, whose effectiveness is to be defined.”
Sadot described the Reuters article as “frustratingly vague.”
“It’s been nearly six months since the original Reuters article was published, and we’ve yet to see a ‘smoking gun’ in the form of a public, well-documented teardown of an inverter that contains illicit communication devices. So the burden of proof has not yet been met,” he said.
He referred to another Reuters article from May, in which unexplained communication devices were said to be found inside some Chinese-made inverters in the United States.
The agency reported at the time that US energy officials were reassessing the risk posed by Chinese-made devices, citing two unnamed sources. The number of devices investigated was not disclosed. Reuters also claimed one source revealed undocumented communication devices had been found in some batteries from multiple Chinese suppliers.
In late May, SolarPower Europe urged the European Union to implement strict cybersecurity regulations for solar infrastructure, following findings of undocumented components in energy equipment imported into Denmark.
This week, Czechia’s cybersecurity office said Chinese solar inverters in small power plants are a potential security threat. The country’s National Cyber and Information Security Agency’s briefing said there are risks regarding data protection and, in extreme cases, remote manipulation. It also said inverters can be vulnerable to cyber threats through the collection and misuse of user data, as well as the possibility of malicious applications or firmware updates.
This content is protected by copyright and may not be reused. If you want to cooperate with us and would like to reuse some of our content, please contact: editors@pv-magazine.com.
By submitting this form you agree to pv magazine using your data for the purposes of publishing your comment.
Your personal data will only be disclosed or otherwise transmitted to third parties for the purposes of spam filtering or if this is necessary for technical maintenance of the website. Any other transfer to third parties will not take place unless this is justified on the basis of applicable data protection regulations or if pv magazine is legally obliged to do so.
You may revoke this consent at any time with effect for the future, in which case your personal data will be deleted immediately. Otherwise, your data will be deleted if pv magazine has processed your request or the purpose of data storage is fulfilled.
Further information on data privacy can be found in our Data Protection Policy.