Cybercriminals Can Hijack Networked Solar Power Systems and Trigger Rapid Infrastructure Attacks
Across millions of solar farms, hospitals, and businesses, critical devices called string monitoring boxes rely on Modbus, a decades-old industrial protocol that provides neither authentication nor encryption.
This gap leaves solar infrastructure open to remote exploitation: anyone who can reach a device over the network can issue commands such as SWITCH OFF and take entire sections of renewable energy production offline.
The widespread use of government-backed green programs like the U.S. Inflation Reduction Act (IRA), EU Renewable Energy Directive (RED II), and Australia’s SRES has accelerated solar deployments.
However, the operational technology (OT) systems managing these installations often run on legacy architectures that were never designed with security in mind. Many of these devices expose Modbus/TCP on port 502 directly to the internet, a common configuration flaw that hands threat actors direct read and write access to device registers.
Security researchers from Cato Networks’ CTRL and MDR teams have observed large-scale reconnaissance campaigns against Modbus-enabled devices globally.
Attackers use publicly available tools like Nmap with Modbus NSE scripts, mbpoll, and modbus-cli to discover, read, and manipulate device registers remotely.
The process is alarmingly simple: once connected, attackers can modify the registers that control power output or disable monitoring modules.
For instance, the researchers cite register values such as 0xAC00 (SWITCH OFF) and 0xAC01 (SWITCH ON) that can be written remotely without any authentication. Because the device cannot distinguish an attacker's write from one issued by a legitimate SCADA operator, adversaries can cut production or destabilize grid performance at will.
AI-driven offensive frameworks like HexStrike AI further amplify the threat. These tools use autonomous agents to scan vast IP ranges, fingerprint devices, and orchestrate exploitation attempts at machine speed.
What previously required days of manual probing can now be completed in minutes. Such automation transforms solar farms into potential targets for large-scale, synchronized attacks capable of disrupting clean energy supply and causing financial and operational damage.
To mitigate these risks, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) urges organizations to isolate OT from IT networks, never expose port 502/TCP to the internet, and continuously monitor Modbus traffic for unexpected reads and writes.
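To make the exposure concrete, here is an added example in Python (not code from the original article or from Cato Networks). It builds raw Modbus/TCP frames the way mbpoll or an Nmap NSE script would, parses them, and then runs the kind of write-detection rule that the CISA advice to monitor Modbus traffic implies over a few constructed frames. The control register address 0x0100, the host addresses, and the sample traffic are assumptions made for illustration; 0xAC00 and 0xAC01 are the values quoted above.

```python
"""Added example, not code from the article or Cato Networks.

Builds and parses raw Modbus/TCP (port 502) frames to show that a Write Single
Register request carries no credential at all, then applies a simple detection
rule: any write, and any read from a host outside the SCADA allow-list, is an
alert. Register address 0x0100, the host addresses and the sample traffic are
constructed for illustration; 0xAC00/0xAC01 are the values quoted in the text.
"""
import struct

FC_READ_HOLDING = 0x03        # Read Holding Registers
FC_WRITE_SINGLE_REG = 0x06    # Write Single Register
# Every function code in the Modbus spec that changes coil or register state.
WRITE_FUNCTION_CODES = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}

SWITCH_OFF = 0xAC00           # values quoted in the article
SWITCH_ON = 0xAC01
CONTROL_REGISTER = 0x0100     # ASSUMED address of the on/off register


def _mbap(tx_id, unit_id, pdu):
    """Prefix a PDU with the MBAP header: transaction id, protocol id (always 0),
    length of everything after the length field, unit id. No auth field exists."""
    return struct.pack(">HHHB", tx_id, 0, len(pdu) + 1, unit_id) + pdu


def build_read_holding(tx_id, unit_id, address, count):
    """Function 0x03: what mbpoll or an Nmap NSE script sends to enumerate."""
    return _mbap(tx_id, unit_id, struct.pack(">BHH", FC_READ_HOLDING, address, count))


def build_write_single_register(tx_id, unit_id, address, value):
    """Function 0x06: a 12-byte frame is all it takes to write a control value."""
    return _mbap(tx_id, unit_id, struct.pack(">BHH", FC_WRITE_SINGLE_REG, address, value))


def parse_frame(frame):
    """Parse MBAP + PDU into a dict; raise ValueError on anything malformed."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tx_id, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError("protocol id %d is not Modbus" % proto_id)
    if length != len(frame) - 6:
        raise ValueError("length field %d does not match frame" % length)
    info = {"tx_id": tx_id, "unit_id": unit_id, "function": frame[7]}
    data = frame[8:]
    if info["function"] in (FC_READ_HOLDING, FC_WRITE_SINGLE_REG) and len(data) == 4:
        addr, second = struct.unpack(">HH", data)
        info["address"] = addr
        # 0x03 carries a register count, 0x06 carries the value being written.
        info["count" if info["function"] == FC_READ_HOLDING else "value"] = second
    return info


def classify_frames(traffic, trusted_sources):
    """Detection rule over (source_ip, frame) pairs.

    Writes from anyone outside the allow-list are 'write' alerts, reads from
    outside it are 'recon', and undecodable frames are 'malformed'. Traffic from
    the allow-listed SCADA host is ignored."""
    alerts = []
    for src, frame in traffic:
        try:
            info = parse_frame(frame)
        except ValueError as err:
            alerts.append((src, "malformed", str(err)))
            continue
        if src in trusted_sources:
            continue
        kind = "write" if info["function"] in WRITE_FUNCTION_CODES else "recon"
        alerts.append((src, kind, info))
    return alerts


# Constructed sample traffic: the SCADA host polls, then an internet host
# enumerates registers, writes SWITCH OFF to the control register, and sends junk.
SCADA_HOST = "10.0.5.20"
SAMPLE_TRAFFIC = [
    (SCADA_HOST, build_read_holding(1, 1, 0x0000, 10)),
    ("198.51.100.7", build_read_holding(2, 1, 0x0000, 125)),
    ("198.51.100.7", build_write_single_register(3, 1, CONTROL_REGISTER, SWITCH_OFF)),
    ("198.51.100.7", b"\x00\x04\x00\x00"),
]


def run_demo():
    """Run the rule over the sample traffic and print each alert."""
    alerts = classify_frames(SAMPLE_TRAFFIC, {SCADA_HOST})
    for src, kind, detail in alerts:
        print("%-14s %-9s %s" % (src, kind, detail))
    return alerts


if __name__ == "__main__":
    run_demo()
```

The point of the builder is how little it takes: twelve bytes on port 502, with nothing in the MBAP header or PDU that identifies or authenticates the sender. The detection rule keys on the source allow-list because the protocol itself gives nothing better to key on; in a real deployment the frames would come from a network tap or a Zeek Modbus log, and the allow-list cannot tell a spoofed or compromised SCADA host from the real one, which is why network isolation and microsegmentation have to sit in front of monitoring rather than replace it.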
Cato Networks’ SASE platform adds multiple safeguards, including open-port alerts, real-time Modbus event tracking, and microsegmentation to block lateral movement.
As renewable energy infrastructure becomes increasingly connected, security by design is critical. Modbus’s reliability made it the backbone of industrial automation, but its lack of security now poses systemic risks.
Without proactive protection, attackers could turn the very systems powering the clean-energy future into the next cyber battleground.
The post Cybercriminals Can Hijack Networked Solar Power Systems and Trigger Rapid Infrastructure Attacks appeared first on Cyber Security News.