James Showalter paints a chilling but not entirely implausible scenario: someone drives up to your home, cracks your Wi-Fi password, and tampers with the gray box mounted beside your garage — the solar inverter that converts rooftop solar energy into the alternating current powering your house.

“You’ve got to have a solar stalker” for such an incident to occur, Showalter explains, describing the kind of individual who would need both technical expertise and motivation to hack into a residential energy system.

Showalter, CEO of EG4 Electronics, a Sulphur Springs, Texas-based company, insists such events are unlikely. Yet his company came under intense scrutiny last week when the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory highlighting vulnerabilities in EG4’s solar inverters.

According to CISA, attackers with access to the same network as the affected inverter — and its serial number — could intercept data, install malicious firmware, or take complete control of the system.

For the estimated 55,000 customers using EG4’s inverters, the revelation was unsettling. Many homeowners have little understanding of these devices, which have evolved beyond simple power converters into critical components of modern energy systems. Inverters now monitor performance, communicate with utilities, and even feed excess power back into the grid.

“Five years ago, nobody knew what a solar inverter was,” says Justin Pascale, principal consultant at Dragos, a cybersecurity firm. “Now we’re talking about them at national and international levels.”

Rising Security Concerns

Residential solar adoption has surged in recent years. According to the U.S. Energy Information Administration, small-scale solar installations grew more than fivefold between 2014 and 2022. Once limited to climate advocates, solar power is now mainstream thanks to lower costs, government incentives, and climate awareness.

But every installation adds another node to a growing web of interconnected devices, expanding the potential attack surface for hackers.
Pressed about security gaps, Showalter admits to industry-wide shortcomings. He cited a report cataloguing 88 solar energy vulnerabilities disclosed since 2019 across both residential and commercial applications.

However, CISA’s advisory pointed to fundamental design flaws in EG4’s products, including unencrypted communications between monitoring apps and inverters, firmware updates lacking integrity checks, and weak authentication procedures. Some customers, expressing frustration on online forums, criticized EG4 for failing to notify them promptly.

“These were fundamental security lapses,” said one anonymous customer. “Adding insult to injury, EG4 didn’t even bother to notify me or offer mitigations.”

Showalter defended the company’s handling of the advisory, calling it a “live and learn” moment. He explained that EG4 intended to resolve the vulnerabilities before notifying customers.

Links to China Raise Alarms

The controversy comes amid wider concerns over foreign-made energy equipment. Earlier this year, U.S. officials began reassessing Chinese-made solar devices after uncovering undocumented communication components inside inverters and batteries. A Reuters investigation revealed hidden cellular radios and other devices not listed on official hardware documentation.

China’s dominance in solar manufacturing amplifies the concern. Huawei remains the world’s largest supplier of inverters, accounting for nearly 29 percent of global shipments in 2022, followed by Sungrow and Ginlong Solis. In Europe, more than 200 gigawatts of solar capacity rely on Chinese-made inverters — the equivalent of over 200 nuclear power plants.

In response, some nations are taking precautions. Lithuania, for example, passed a law preventing remote Chinese access to renewable installations above 100 kilowatts. Showalter says EG4 is similarly moving away from Chinese suppliers in favor of German-made components.

Growing Vulnerability

Experts warn the risks extend beyond any single company. The National Institute of Standards and Technology (NIST) cautions that if enough home inverters were remotely controlled simultaneously, the consequences for the U.S. power grid could be catastrophic.

Yet Pascale notes that launching a mass attack would be challenging. Residential inverters primarily convert current and connect homes to the grid. Attacks are more likely to target manufacturers with remote access to customer devices.

Currently, regulatory protections are limited. The North American Electric Reliability Corporation (NERC) enforces cybersecurity standards only for large facilities producing over 75 megawatts. Residential systems fall into a regulatory gray area, where cybersecurity standards remain optional.

“Most operational environments still transmit data in plain text,” Pascale notes. “It’s not unusual, but it does create risks when scaled across thousands of installations.”

Moving Forward

Showalter has embraced CISA’s intervention, calling it a “trust upgrade.” EG4 has worked with the agency to address vulnerabilities, reducing ten initial concerns to three, with plans to resolve them by October. The company is updating firmware protocols, adding identity verification for support calls, and redesigning authentication procedures.

Still, for customers, the episode underscores an uncomfortable reality: in adopting climate-friendly technology, they have also stepped into a complex cybersecurity landscape. Their homes are not just powered by solar panels — they are now part of a national security conversation.

Source: TechCrunch