U.S. government analysis of Chinese-made inverters has found “no definitive evidence” of malicious wireless functions, according to a report seen by pv magazine examining the scope of wireless communications in inverters and the risks they pose.
The US Department of Energy (DOE) has shared its analysis with energy sector partners following media reports that indicated the presence of undocumented wireless communications in Chinese-made inverters, first broken by Reuters in May 2025.
The DOE’s National Laboratories inspected “approximately 30 inverters” and found two cases where observed communications differed from official documentation, but these were deemed “non-malicious” and “non-intentional”.
In its analysis, the DOE noted “as built” documentation often reflects only activated communications features, meaning owners and operators of inverters should verify the communication protocols on their device and disable those that are not needed. The analysis notes manufacturers could maintain access for warranty or safety purposes, but this is often specified in contract terms “as required.”
The DOE did warn that supply chain threats persist, and the “complexity of inverter supply chains” could create opportunities for cybersecurity breaches and malicious components. The department noted that undocumented or implanted communications in a single inverter would be “unlikely” to have grid-wide impacts, but coordinated manipulation across multiple sites could have larger effects, although such an attack would be more difficult to execute.
Managing supply chain risk was described by the DOE as a responsibility shared among engineers, manufacturers, integrators, service providers and system operators. The department highlighted its Supply Chain Cybersecurity Principles for suppliers and suggested operators adopt these for security and resilience activities.
DOE risk management recommendations for handling undocumented wireless communications in inverters include adopting a tiered approach for components manufactured in countries deemed “foreign entities of concern.” These are tiered based on whether there are foreign ownership, control, and influence concerns with the manufacturers and integrators associated with producing and installing the inverters. Mitigations strategies for the US industry put forward by the DOE include carrying out detailed firmware analysis and using US-based companies to perform operations and maintenance work.
In the article published in May, Reuters reported that US energy officials were reassessing the risk posed by Chinese-made devices, citing two unnamed sources. The number of devices investigated was not disclosed. Reuters also claimed one source revealed undocumented communication devices had been found in some batteries from multiple Chinese suppliers.
A few days later, European trade body SolarPower Europe urged the European Union to implement strict cybersecurity regulations for solar infrastructure, following findings of undocumented components in energy equipment imported into Denmark.
In early June, Danish trade group Green Power Denmark ruled out any link between suspicious components found in local energy equipment and reports of compromised solar inverters in the United States, narrowing the scope of an ongoing cybersecurity investigation. Green Power Denmark said the investigation the incident involves broader energy supply technology, not the solar sector.
This content is protected by copyright and may not be reused. If you want to cooperate with us and would like to reuse some of our content, please contact: editors@pv-magazine.com.
By submitting this form you agree to pv magazine using your data for the purposes of publishing your comment.
Your personal data will only be disclosed or otherwise transmitted to third parties for the purposes of spam filtering or if this is necessary for technical maintenance of the website. Any other transfer to third parties will not take place unless this is justified on the basis of applicable data protection regulations or if pv magazine is legally obliged to do so.
You may revoke this consent at any time with effect for the future, in which case your personal data will be deleted immediately. Otherwise, your data will be deleted if pv magazine has processed your request or the purpose of data storage is fulfilled.
Further information on data privacy can be found in our Data Protection Policy.