Man-in-the-middle (MITM) cyberattacks are a special kind of cyber threat targeting a wide range of digital and cyber-physical systems where two parties communicate over a network, especially if the communication is not strongly authenticated or encrypted.
These attacks involve an attacker intercepting communication between a sender and a receiver by splitting the original channel into two: one between the sender and the attacker, and another between the attacker and the receiver. As a result, the receiver cannot directly access messages from the sender.
MITM attacks may also target PV systems and solar plants that are network-connected, allowing attackers to intercept, modify, or disrupt communications between controllers, inverters, and monitoring systems, potentially leading to operational failures.
These attacks may also physically damage inverters, transformers, or panels and accelerate equipment wear. Furthermore, they could lead to significant financial losses from reduced energy production and costly repairs, while also creating safety hazards for personnel. Additionally, stakeholders may lose trust in the system, and operators could face regulatory penalties for non-compliance.
Overall, such attacks combine operational, physical, financial, and cybersecurity risks, making network-connected solar plants vulnerable.
“A simple way to think about it is that the attacker becomes an invisible middleman. For a solar operator, imagine an O&M sending a software update command to a plant. The local SCADA appears to confirm it was received and executed, but in reality the middleman never delivers the command. It can also get worse, if the legitimate command is replaced with a malicious one which is sent to the inverters,” Uri Sadot, Managing Director of SolarDefend and the Chairman of SolarPower Europe's Digitalization workstream, told pv magazine.
Operational modes
MITM attacks can operate in eavesdropping mode, silently capturing sensitive data such as control commands, system configurations, and performance metrics without alerting operators. Alternatively, they can function in intercepting or altering mode, where the attacker not only monitors but also modifies communications, injecting false information or commands that can mislead automated systems or human operators. In smart grids, this dual capability allows attackers to manipulate energy flows, trigger unnecessary shutdowns, or mask faults, amplifying operational, financial, and safety consequences.
For PV systems, a MITM attack typically begins with the attacker positioning between critical components, such as inverters, the SCADA system, or the monitoring platform. This is usually achieved by gaining access to the plant network through a router, Wi-Fi link, or maintenance connection. Once in place, the attacker redirects communications so that data flows through their device rather than directly between systems. Common techniques in local PV networks include ARP spoofing and gateway impersonation. In ARP spoofing, the attacker sends falsified network messages to make devices believe they are communicating with the legitimate gateway, redirecting traffic to the attacker. Gateway impersonation involves pretending to be the network router, ensuring that all communications pass through the attacker’s system.
Once in this position, the attacker can begin monitoring energy data and control commands, analyzing communication patterns and identifying sensitive information. At this stage, the attack is usually passive. At the next stage, the attacker can actively manipulate the traffic by altering data, injecting false commands, or blocking legitimate messages, which enables them to control or disrupt system behavior. Finally, the attacker can exploit the system to achieve goals such as disruption or data theft.
“One good example of such disruption happened in Denmark, in the Spring of 2023,” said Sadot. “In just a few days, nearly two dozen solar plants and other energy assets all fell victim to an attack. The attackers found a common vulnerability in the firewall devices protecting these sites and managed to get into their internal networks.”
Once inside, the attackers significantly disrupted the operations of the facilities, as reported by Denmark's cybersecurity center SectorCERT. “Nobody likes to talk about it, but these types of attacks happen all the time. While some countries and companies take the high road and disclose cyber incidents openly, the vast majority opt not to report,” Sadot added.
Defense
A potential defense against MITM attacks in PV systems is to implement encrypted communications, robust authentication protocols, and continuous monitoring for unusual traffic or unauthorized devices. Traditional tools like firewalls can easily be bypassed by novel MITM attacks, but they become more effective when combined with these measures: segmenting and controlling network traffic, enforcing strong authentication and access controls, encrypting all communications between components, and continuously monitoring the network for unusual or unauthorized activity.
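The sketch below is an added example, not code from the article or from any vendor. It shows why message authentication defeats both the altered command and the fabricated confirmation described earlier. It assumes a key shared only by the operator's control system and the inverter; the message format, command strings and key are constructed for illustration.

```python
import hashlib
import hmac

# Assumption: a key known only to the operator's control system and one inverter.
KEY = b"constructed-demo-key"

def make_tag(key, direction, seq, payload):
    # Bind direction and sequence number so a tag cannot be reused elsewhere.
    data = direction + b"|" + str(seq).encode() + b"|" + payload
    return hmac.new(key, data, hashlib.sha256).digest()

def seal(key, direction, seq, payload):
    """Build a message (hypothetical format) carrying its HMAC-SHA256 tag."""
    return {"dir": direction, "seq": seq, "payload": payload,
            "tag": make_tag(key, direction, seq, payload)}

def verify(key, msg, direction, expected_seq):
    """Accept only an unmodified message with the expected direction and sequence."""
    expected = make_tag(key, direction, msg["seq"], msg["payload"])
    return (msg["dir"] == direction and msg["seq"] == expected_seq
            and hmac.compare_digest(expected, msg["tag"]))

def run_scenarios():
    cmd = seal(KEY, b"cmd", 7, b"SET_POWER_LIMIT=80")   # constructed command
    ack = seal(KEY, b"ack", 7, b"APPLIED")              # inverter's confirmation
    altered = dict(cmd, payload=b"SET_POWER_LIMIT=0")   # payload changed in transit
    forged_ack = seal(b"not-the-real-key", b"ack", 7, b"APPLIED")
    old_ack = seal(KEY, b"ack", 6, b"APPLIED")          # earlier ack replayed
    reflected = dict(cmd, dir=b"ack")                   # command echoed back as an ack
    return {
        "inverter accepts genuine command": verify(KEY, cmd, b"cmd", 7),
        "inverter accepts altered command": verify(KEY, altered, b"cmd", 7),
        "operator accepts genuine ack": verify(KEY, ack, b"ack", 7),
        "operator accepts forged ack": verify(KEY, forged_ack, b"ack", 7),
        "operator accepts replayed ack": verify(KEY, old_ack, b"ack", 7),
        "operator accepts reflected command": verify(KEY, reflected, b"ack", 7),
    }

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

A command that is silently dropped produces no valid acknowledgement at all, so the operator side treats a missing or unverifiable ack as a failed delivery rather than trusting an intermediate system's confirmation.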
Standard network segmentation can also help protect PV systems from MITMs by isolating critical components like inverters, SCADA systems, and monitoring platforms into separate zones. This limits the spread of attacks if one segment is compromised. However, essential communications often still cross segments, leaving opportunities for MITM attacks. Without encryption, strong authentication, and continuous monitoring, attackers can intercept or manipulate traffic within a segment.
Intrusion detection systems (IDSs) can also help detect MITM attacks in PV systems by monitoring network traffic for unusual patterns or protocol anomalies. They provide early warnings when communications are being intercepted or altered and can identify issues like duplicate ARP responses or unexpected routing changes. However, they cannot prevent attacks on their own, especially if traffic is encrypted or the IDS is not tailored to PV protocols. For best results, IDS should also be combined with encryption, strong authentication, and network segmentation as part of a layered defense.
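The following added example (not from the article) shows the kind of check an IDS applies to spot the ARP spoofing and gateway impersonation described above: conflicting or flapping IP-to-MAC bindings and one MAC claiming several addresses. The ARP records, IP addresses and MAC addresses are constructed sample data, and the alert names are this example's own.

```python
from collections import defaultdict

# Constructed sample: (timestamp_s, op, sender_ip, sender_mac) parsed from ARP frames.
SAMPLE_ARP = [
    (0.0, "reply", "10.0.0.1", "00:11:22:33:44:01"),    # gateway
    (1.0, "reply", "10.0.0.20", "00:11:22:33:44:20"),   # inverter
    (30.0, "reply", "10.0.0.1", "00:11:22:33:44:01"),
    (31.0, "reply", "10.0.0.1", "de:ad:be:ef:00:99"),   # second host claims the gateway IP
    (31.5, "reply", "10.0.0.1", "00:11:22:33:44:01"),   # real gateway answers again
    (32.0, "reply", "10.0.0.1", "de:ad:be:ef:00:99"),
    (33.0, "reply", "10.0.0.20", "de:ad:be:ef:00:99"),  # same MAC now claims the inverter
]

def detect_arp_anomalies(records, pinned=None):
    """Return alerts as (timestamp, kind, ip, mac).

    pinned: optional {ip: mac} inventory of critical hosts (gateway, SCADA).
    """
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    last_mac = {}                    # ip -> MAC most recently seen for it
    ips_by_mac = defaultdict(set)    # mac -> every IP it has claimed
    alerts = []
    for ts, op, ip, mac in records:
        if op != "reply":
            continue
        mac = mac.lower()
        expected = pinned.get(ip)
        if expected is not None:
            # Known asset: any other MAC answering for it is an alert.
            if mac != expected:
                alerts.append((ts, "pinned-mismatch", ip, mac))
        elif ip in last_mac and last_mac[ip] != mac:
            # Unknown asset: flag every change of binding (flapping repeats).
            alerts.append((ts, "binding-changed", ip, mac))
        last_mac[ip] = mac
        ips_by_mac[mac].add(ip)
        # Heuristic: one MAC answering for several IPs. Multi-homed devices
        # can trigger this legitimately and belong on an allow-list.
        if len(ips_by_mac[mac]) > 1:
            alerts.append((ts, "mac-claims-multiple-ips", ip, mac))
    return alerts

if __name__ == "__main__":
    gateway = {"10.0.0.1": "00:11:22:33:44:01"}
    for alert in detect_arp_anomalies(SAMPLE_ARP, pinned=gateway):
        print(alert)
```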
“In the United States, intrusion detection systems (IDS) have recently become mandatory for large solar plants under the latest revision of NERC CIP (CIP-015),” Sadot further explained. “While this requirement has not yet been adopted in Europe, the EU’s NIS 2 directive requires solar operators to design and operate their assets in line with IEC 62443 principles and the Purdue model. As a result, both markets are moving in the same direction: prevent, detect, and respond to cyberattacks — with an increasing share of the responsibility placed on the asset owner.”
According to the cybersecurity expert, asset owners should not get overwhelmed by all the technical requirements. “Cybersecurity isn’t that different from physical security,” he concluded. “If your plant has a solid fence, monitored cameras, and an alarm system, the plant will get insured and you will sleep well at night — without needing to be an expert in barbed wire or camera engineering. Cyber works similarly. Your plants need solid IT networks, properly configured firewalls, and someone watching them 24/7 — typically through a security operations center (SOC). If you have an IDS, that's better. Some O&Ms will offer you all of this as a turnkey service, or you can set it up yourself with a consultant. Get the basics right and you will have insurable assets, no compliance exposure, and you too will sleep great at night.”