In recent years, researchers have increasingly focused on cyber-physical systems, where hardware and software interact in complex ways, and the vulnerabilities that can cascade through multiple layers of these systems. A recent area of interest is sensors, the ubiquitous devices embedded in everything from industrial control systems to inverter used in PV systems, whose security has long been overlooked.
With the explosion of Internet-of-Things (IoT) devices and connected infrastructure, sensors have become critical yet surprisingly vulnerable components. Many of the sensors used in energy systems are built on old technology, but security considerations have historically been minimal. Recently, however, researchers have begun probing these sensors for potential weaknesses, revealing surprising vulnerabilities.
“Sensors can be easily perturbed by creating electrical, magnetic, and acoustic fields,” Mohammad Al Faruque, Director of the University of California's Center for Resilient Autonomous Systems and Conexant-Broadcom Endowed Chair Professor of the Department of Electrical Engineering and Computer Science, told pv magazine. “You don't need to really go inside the system because you can create a magnetic field around the system that can lead to the control layer very carefully. Inverters in PV systems have current and voltage sensors that are directly connected to the controller running the system. It's so easy to create a magnetic field and perturb these sensors.”
According to Al Faruque, potential attackers could generate a controlled magnetic field that directly influenced the inverter’s sensors. The resulting perturbation could affect the control system, all without touching the inverter itself. “By manipulating the surrounding environment, attackers can subtly alter sensor readings, which in turn can cascade into the control layer of the system,” he explained. “We tested this with a simple setup: a magnet combined with inexpensive electronics about $45 worth. This included a Arduino Uno, a few MOSFETs, a Zigbee RF module, an Ultrasonic Sensor, and batteries. Basically, it was a straightforward combination of signal processing and electronic control.”
Join us on Apr. 29 for pv magazine Webinar+ | Decoding the first massive cyberattack on Europe’s solar energy infrastructure – The Poland case and lessons learned Industry experts will explore real-world cyberattack scenarios, highlight potential vulnerabilities in solar and storage systems, and share practical, actionable strategies to protect your energy assets. Attendees will gain valuable knowledge on how to anticipate, prevent, and respond to cyber threats in the rapidly evolving solar energy sector. Al Faruque and his team built a compact controller and embedded it inside a coffee mug, making it easy to place in everyday objects or even in environmental trash for testing. The circuit had a radio module, so it could connect to a computer and this allowed the researchers to turn it on remotely and control the magnetic field it generated. “By carefully adjusting the controller, we could even regulate the strength of this magnetic field,” the cybersecurity expert said. “These controlled magnetic field changes, in turn, influenced nearby current and voltage sensors. Essentially, this setup lets us see how electromagnetic perturbations interact with electronic systems in a measurable way.” Image: University of California “This is easier than most people imagine,” he went on to say. “You don’t need to physically open the remote terminal unit (RTU) or other controllers. Just having a device nearby, properly designed, can manipulate the sensor readings remotely via wireless communication. Every energy infrastructure needs to be physically protected. We can’t be naive enough to assume that anything left behind is harmless; it could very well be malicious.” Image: University of California “Someone could intentionally leave a coffee mug near an inverter as a form of camouflage,” Al Faruque stated. “At first, it seems harmless, but the device inside the mug could contain a radio or communication module, allowing remote access from anywhere in the world. This is why physical protection of PV plants is so important. An attacker could place seemingly innocuous items, like environmental trash, which are actually embedded with technology capable of generating magnetic fields or other perturbations. In the future, such attacks might even be carried out remotely using drones, without a person needing to be physically present.” Image: University of California Securing inverter sensors requires both physical protections, such as access controls and environmental monitoring, and technological innovation. Solutions include the development of secure sensors capable of detecting or resisting external interference, though these come with higher costs. The research team began developing secured sensors, including specialized Hall sensors, that are resistant to magnetic or environmental interference. However, these solutions are more expensive, and the question is whether the industry is ready to invest in security preemptively. Many organizations are reluctant to spend money unless a clear vulnerability or incident occurs. Moreover, most incidents involving these types of attacks likely go unreported unless they reach a national-level issue. “I am not aware of any reported cases so far,” the scientist said. “These vulnerabilities are mostly potential risks for now, which is why I emphasize that sensors in PV plants are a critical vulnerability. Every PV plant should be considered part of critical infrastructure, and their environment must be protected accordingly. Of course, implementing this level of protection is not easy or cheap. But given geopolitical tensions and the growing need for security, I believe this will become increasingly necessary.” In the short term, raising awareness among plant operators, implementing physical security measures, and conducting regular inspections are essential. In the long term, the industry must push for technological improvements in sensors, controllers, and secure design practices to safeguard critical infrastructure. “As our energy systems become increasingly complex and connected, the humble sensor, once taken for granted, emerges as a pivotal point of vulnerability. Addressing these risks now is not just about preventing theft or downtime; it’s about protecting the integrity of the energy grid itself,” Al Faruque concluded. This content is protected by copyright and may not be reused. If you want to cooperate with us and would like to reuse some of our content, please contact: editors@pv-magazine.com.
By submitting this form you agree to pv magazine using your data for the purposes of publishing your comment.
Your personal data will only be disclosed or otherwise transmitted to third parties for the purposes of spam filtering or if this is necessary for technical maintenance of the website. Any other transfer to third parties will not take place unless this is justified on the basis of applicable data protection regulations or if pv magazine is legally obliged to do so.
You may revoke this consent at any time with effect for the future, in which case your personal data will be deleted immediately. Otherwise, your data will be deleted if pv magazine has processed your request or the purpose of data storage is fulfilled.
Further information on data privacy can be found in our Data Protection Policy.