UNDER ATTACK: Europe’s Solar and Wind Farms as Targets of Foreign Intelligence

2025-12-24

Over the past years, building and servicing solar farms across eleven European countries, I’ve learned one fundamental truth: the greatest threat to our installations doesn’t come from the sky in the form of hail, doesn’t come from the ground in the form of cable theft. It comes through the ethernet cable connected to our inverter controllers.

Table of contents

  1. Europe under siege – the scale of threat to renewable infrastructure
  2. Chinese dominance – 200 GW under remote control
  3. Concrete incidents – this is already happening
  4. What this means for farm operators and EPC firms
  5. What we can do – concrete actions
  6. Conclusion

 

Today we’ll have a tough conversation. I’ll discuss numbers that most of the solar industry prefers to ignore. Intelligence reports documenting systematic attacks on renewable energy infrastructure across Europe. And why every solar farm you manage could be remotely shut down tomorrow by foreign intelligence services.

This isn’t conspiracy theory. These are facts from NATO reports, European intelligence agencies, and incidents that have already occurred. Let’s begin.

Europe under siege – the scale of threat to renewable infrastructure

Let me start with the most aggressively targeted country to illustrate the scale of what’s happening across Europe. Poland’s Minister of Digital Affairs, Krzysztof Gawkowski, revealed in October numbers that should wake up the entire renewable energy industry: Poland experiences between two and four thousand cyberattacks daily on its critical infrastructure. About one thousand of these incidents are serious enough to require immediate response from cybersecurity teams.

By the end of September two thousand twenty-five, one hundred seventy thousand cyber incidents had been identified in Poland. And crucially for us as solar farm operators – Deputy Minister Dariusz Standerski told the Financial Times directly: foreign operations have expanded their focus to the energy sector. He’s not talking about traditional power plants with military-grade security. He’s talking about distributed renewable sources – solar farms, wind farms, installations that we build and operate every day.

Russian military intelligence, according to Gawkowski, has tripled its resources dedicated to hostile operations against Poland this year alone. Poland’s cybersecurity budget increased from six hundred million euros in two thousand twenty-four to one billion euros this year. Think about the scale of this problem – one billion euros annually just to defend against cyberattacks.

But Poland is not an isolated case – it’s simply the most intensely targeted. The European Union Agency for Cybersecurity, ENISA, reports that in two thousand twenty-three, the energy sector in Europe experienced over two hundred reported cyber incidents, with more than half specifically targeted against Europe. Thierry Breton, the former EU Commissioner for Internal Market, said during his visit to ENISA: “In two thousand twenty-three alone, over two hundred cyber incidents targeted the energy sector, with more than half aimed at Europe. Threats in critical sectors can impact the daily lives of citizens and business.”

But here’s where it gets truly alarming. A TrustWave report from January this year shows an eighty percent increase in ransomware attacks on the energy sector in two thousand twenty-four. Eighty percent year-over-year growth. This isn’t a slow trend – it’s an explosion of threats.

Sophos conducted a detailed survey among two hundred seventy-five cybersecurity and IT leaders in the energy, oil, and gas sectors across fourteen countries. The result: sixty-seven percent admitted their organizations experienced a ransomware attack in the past year. Two-thirds of energy companies were attacked. If you manage a portfolio of solar farms, statistically you’ve either already been attacked or will be within the next twelve months.

Dragonfly Intelligence, a firm specializing in energy sector threat analysis, published an assessment in October two thousand twenty-four warning: “Cybercriminals and Russian state-backed hacking groups will almost certainly try to disrupt energy infrastructure, including renewables, in the coming year.” They use the phrase “almost certainly” – that’s the highest confidence level in intelligence analysis.

And this threat is particularly serious for solar and wind farms because, as the FBI noted in their July two thousand twenty-four warning: “Structural shifts in the reduced cost of implementation of renewable energy and incentives for development of clean energy have created new targets and opportunities for cyber threat actors.”

Why are renewable installations so vulnerable? Unlike traditional power plants, solar and wind farms are by design distributed, remote, and digitally managed. Every farm represents hundreds of attack points – every inverter with an IP address, every data logger with remote access, every camera with cloud connectivity. Deloitte estimated that seventy percent of Internet of Things devices have very simple default passwords, and most users never change them.

The U.S. Cybersecurity and Infrastructure Security Agency, CISA, issued a warning on September twenty-fifth, two thousand twenty-four, that hostile cyber actors globally are actively exploiting operational technology connected to the internet using elementary methods: password guessing, using default factory credentials that were never changed. These aren’t sophisticated zero-day exploits. This is checking whether the doors are locked. And in most solar farms, the doors are wide open.

In the United Kingdom alone, one thousand cyberattack attempts per day were recorded against renewable energy infrastructure in two thousand twenty-four. If you have a portfolio of ten farms across Europe, statistically you can expect approximately fifty attack attempts daily. Ninety-nine percent will be blocked by basic firewalls. But one percent will get through.

Seventy-one percent of cybersecurity professionals admit their organizations are more vulnerable to attacks than ever before. Why? Because renewable infrastructure is growing faster than our ability to secure it. Every year we add gigawatts of new capacity. Every new project means hundreds of new IoT devices. The attack surface is growing exponentially.

Chinese dominance – 200 GW under remote control

Now let’s move to a topic that’s even more controversial and far more suppressed in the industry: Chinese control over European solar farms.

In May two thousand twenty-five, Reuters revealed a discovery that should fundamentally change how we think about solar farm security. Hidden cellular radios were found in Chinese inverters at American solar farms – undocumented communication modules capable of remotely shutting down equipment. These components, described as “kill switches,” weren’t listed in any technical specifications. There wasn’t a word about them in the documentation. They were simply there, hidden.

This isn’t theoretical. In November two thousand twenty-four, Chinese company Deye actually remotely shut down solar systems in the United States, United Kingdom, and Pakistan. Messages appeared on inverter screens: “This inverter is not allowed use at Pakistan/USA/UK. Please return to your supplier.” The company explained this as export restrictions. But for us as solar farm operators, the message is clear: they have the physical capability to remotely shut down any installation they want, whenever they want.

Now let’s talk about the scale of this problem. The European Solar Manufacturing Council, ESMC, published an estimate that should stop every energy company board in Europe: over two hundred gigawatts of European solar capacity – equivalent to two hundred nuclear power plants – relies on inverters manufactured in China. Christoph Podewils, ESMC’s Secretary General, said directly: “This means Europe has effectively surrendered remote control of a vast portion of its electricity infrastructure.”

According to Wood Mackenzie research, Chinese firms account for fifty percent of all solar inverters worldwide. Two companies – Huawei and Sungrow – together controlled more than half of the global market in two thousand twenty-three. Huawei Solar has one hundred fifteen gigawatts of market share in European inverters. The six largest Chinese suppliers collectively control two hundred nineteen gigawatts of installed capacity in Europe.

Ninety-five percent of solar panels in the European Union come from China. Over eighty percent of inverters too. When you’re preparing specifications for a new EPC project, Chinese inverters are probably the default option because they’re cheapest, have good efficiency, and everyone uses them. Clients look at CAPEX and choose the option that’s twenty, thirty percent cheaper.

But there’s a fundamental legal problem that few in the industry know about. China’s National Intelligence Law from two thousand seventeen, Article Seven, states unequivocally: “Any organization and citizen shall support, assist, and cooperate with state intelligence work.” This isn’t optional. It’s a legal obligation for every Chinese company. Huawei, Sungrow, LONGi, Trina Solar, JinkoSolar, JA Solar – all these companies, if China’s Ministry of State Security in Beijing demands access to data from your farms, access to your inverters, the ability to remotely shut down installations – they must comply. This is a legal requirement under threat of imprisonment for management.

Mike Rogers, former director of the U.S. National Security Agency, warned: “China views Western energy grids as vulnerable targets and is betting on widespread use of Chinese-made inverters to limit the West’s options for securing its infrastructure.”

Huawei is the same company that was banned from U.S. telecommunications networks on national security grounds. The argument was simple: Huawei must legally cooperate with Chinese intelligence, so it cannot be in critical telecommunications infrastructure. The same logic, the same legal problem, applies to energy infrastructure. But Europe, in pursuit of low installation costs, ignored this warning.

Only one country in the European Union decided to act radically. Lithuania in April two thousand twenty-four passed a law explicitly banning China from remotely accessing and controlling the digital systems of its renewable energy assets. The law prohibits the use of Chinese inverters above one hundred kilowatts in critical installations. The Czech Republic, through its cybersecurity agency NÚKIB, issued an official warning about cybersecurity threats posed by Chinese components. The rest of Europe? Business as usual. We keep installing gigawatts with Chinese inverters because they’re cheaper.

Let me paint an operational scenario, a real possibility based on existing technology. Imagine Wednesday, three PM, middle of summer, peak solar production. Your ten-megawatt farm in central Europe is generating nine point five megawatts. Beautiful day, SCADA system shows everything normal.

Three fifteen PM – all Chinese inverters receive an encrypted remote signal and execute emergency shutdown. Three twenty PM – ten megawatts disappear from the grid in five seconds. Your alarm system goes crazy. SCADA shows “communication error” on all inverters simultaneously. You call the service team, they drive to site. Three forty-five PM – technicians on location, all inverters showing identical error codes that aren’t in the technical documentation. They cannot restore operation. Four thirty PM – you call the Chinese manufacturer, technical hotline says “investigating.” Six PM – still no response, you’ve lost three hours of peak generation, that’s approximately twenty-five megawatt-hours of losses, at one hundred euros per megawatt-hour that’s two and a half thousand euros of direct revenue loss in one day.

Next day: manufacturer comes back with “software update required,” but the update can only be done remotely through their servers in China, you need to give them VPN access to your SCADA system. Do you give them access? Do you have a choice? This is loss of operational control over your own installation.

Spain and Portugal experienced a massive blackout on April twenty-eighth, two thousand twenty-five. Tens of millions without power. Generation loss: fifteen gigawatts in five seconds, sixty percent of supply. At the moment of the blackout, fifty-nine percent of Spain’s energy came from solar installations. The official report ruled out cyberattack, blamed voltage management problems in conventional power plants. But the incident showed the fundamental fragility of a system dependent on thousands of distributed inverters.

Philipp Schröder, CEO of German solar company 1Komma5, said: “Ten years ago, switching off Chinese inverters wouldn’t have caused a dramatic effect because capacity was small. Now, with gigawatts of solar power, the risk is exponentially greater.” His company consciously avoids Huawei equipment despite it being more expensive. And as an EPC firm that wants long-term reputation, you should do the same.

The Spanish blackout showed that loss of just two gigawatts can trigger cascading failures. Control of three, four gigawatts has the potential to create chaos across the continent. How many solar farms need to be shut down simultaneously to lose three gigawatts? At an average utility-scale farm size of ten megawatts – only three hundred farms. There are tens of thousands of solar farms across Europe. Finding three hundred with Chinese inverters that could be shut down in a coordinated attack isn’t difficult. It’s trivial.

Concrete incidents – this is already happening

Let’s move to specific incidents, because these aren’t abstract future threats. These are attacks that have already occurred on renewable energy infrastructure in Europe.

In two thousand twenty-two, five thousand eight hundred wind turbines in Germany were shut down by a cyberattack. Attackers exploited a vulnerability in the remote management system of a service provider. Five thousand eight hundred turbines. If they can shut down that many wind turbines simultaneously, the question isn’t “can they attack solar farms” but “when will they do it.”

In two thousand twenty-four, Lithuania experienced cyberattacks attributed to Russian group JustEvil, which allegedly disrupted operations of solar power systems. Finnish energy company Fortum reported in October two thousand twenty-four an increase in cyberattacks and surveillance targeting their renewable energy assets.

In May two thousand twenty-four, more than a dozen Danish energy companies were hacked through an exploit targeting a vulnerability in a popular industrial firewall. The incident also affected companies in renewable energy. It was only revealed in November, six months after the attack, showing how long attackers can operate in systems without detection.

The International Institute for Strategic Studies, IISS, documented over fifty sabotage incidents targeting critical infrastructure in Europe between two thousand twenty-two and two thousand twenty-five. The report describes a systematic campaign conducted by Russian intelligence services.

The European Union Institute for Security Studies, EUISS, published a report this year warning that Russia’s shadow fleet – over one thousand vessels according to June data – is increasingly used not just for oil transport but for spying on and attacking European energy infrastructure. In December two thousand twenty-four, tanker Eagle S, part of this fleet, severed the Estlink-2 cable connecting Finland and Estonia. Finnish authorities found surveillance equipment on board “atypical for such a vessel.” The repair cost of Estlink-2: fifty to sixty million euros, but that figure doesn’t include the near-doubling of electricity prices over six months while the cable was out of service.

NATO Deputy Secretary General Mircea Geoană stated in two thousand twenty-four that allies have “communicated red lines” to Russian authorities regarding sabotage. At the NATO summit in Vilnius in June two thousand twenty-three, member states agreed to treat certain hybrid attacks, particularly cyberattacks on infrastructure, with the same seriousness as armed attack, potentially invoking Article Five collective defense.

What does this mean practically? If a coordinated Russian cyberattack shuts down fifty gigawatts of solar and wind farms across Europe, causes a cascading blackout that kills people in hospitals – NATO may consider this an attack requiring collective military response. This shows how seriously they take this threat at the highest levels.

Across Europe, we’re seeing different levels of preparedness and threat intensity. Germany experienced significant attacks on offshore wind farms in two thousand twenty-two linked to Russian threat actors. France has seen intimidation incidents and surveillance of energy infrastructure. The Netherlands and Nordic countries report regular probing attempts against their wind and solar installations. Italy and Spain, despite massive renewable capacity, show lower cybersecurity awareness among operators compared to northern Europe.

The UK’s National Cyber Security Centre has repeatedly warned about threats to renewable infrastructure, noting that as renewable generation becomes a larger portion of the grid, it becomes a more attractive target for hostile state actors. In two thousand twenty-four alone, UK renewables faced one thousand attack attempts daily.

What this means for farm operators and EPC firms

Now let’s discuss specifically what all this means for you as solar farm operators, O&M managers, EPC firms building new projects across Europe.

Standard O&M contracts guarantee availability above ninety-eight percent, response time below four hours for critical alarms, uptime targets with bonus and penalty systems. But a coordinated cyberattack can shut down an entire portfolio simultaneously – availability drops to zero. It can block alarm systems so you don’t receive alerts. It can encrypt access credentials so you cannot respond even if you know about the problem.

And there’s a fundamental legal problem: your O&M contract probably doesn’t have a clause about state-sponsored cyberattacks. Force majeure typically covers extreme weather, fires, floods, wars in the traditional sense. But “coordinated cyberattack by state-sponsored actors”? No. So who bears the cost of downtime? You, as the O&M operator. Availability penalties will be assessed even if it was Russian GRU that hacked you.

Industrial Cyber warns that potential losses from operational technology incidents could reach three hundred twenty-nine point five billion dollars globally. But let’s focus on your portfolio. Assume you manage fifty megawatts of solar farms across Europe. Typical production day in July: fifty megawatts times six peak hours times eighty euros per megawatt-hour equals twenty-four thousand euros revenue. Cyberattack shuts down farms for three days: seventy-two thousand euros direct revenue loss. Additionally, cybersecurity forensics cost twenty thousand, system restoration cost fifteen thousand, O&M contract penalties thirty thousand, reputational damage unquantifiable. Total: one hundred thirty-seven thousand euros plus for one incident. And according to Sophos statistics, sixty-seven percent of firms were attacked in the past year.

Let me describe a typical ransomware attack scenario on a solar farm, because this isn’t abstract – an incident exactly like this happened to an O&M firm in Denmark in two thousand twenty-three. Day zero, infiltration, undetected: an office employee clicks a phishing email impersonating an inverter supplier, “urgent firmware update required.” The link downloads malware. The malware scans the network and finds the VPN connection to the farm SCADA systems. Days one to thirty, lateral movement, undetected: the attackers explore your network, map all farms, all inverters and backup systems, and seek the most valuable targets.

Day thirty-one, Saturday two AM, attack: ransomware activates simultaneously on all SCADA systems across portfolio. Encrypts all inverter configurations, all historical logs, all setting parameters, monitoring system, backup servers if they were on the same network. Message on screen: “Your solar portfolio has been encrypted. Pay fifty Bitcoin, two million dollars, within seventy-two hours or data will be destroyed.”

Saturday six AM: the on-call O&M team receives alarms, all farms show “no communication.” Local technicians drive to the sites and see the ransomware message on the screens. Saturday eight AM to Sunday eleven fifty-nine PM: the asset manager calls in a panic, how long to restore? You can’t answer because you don’t know if you have configuration backups. It’s the weekend at the SCADA vendor, nobody answers. The client is screaming because they are losing fifty thousand euros daily. The O&M contract has penalties for availability below ninety-eight percent.

Monday: you must make a decision. Pay ransom? No guarantee you’ll get data back and you’re financing terrorism. Restore from backup? If you even have backups, and if they weren’t on the same network that got encrypted. Rebuild from factory settings? One to two weeks of work, hundreds of thousands of euros production loss. This really happened.

Dragonfly Intelligence warns that Russia will probably remain the main state actor conducting hostile cyber operations against Europe’s energy sector. Seventy-one percent of cybersecurity professionals admit their organizations are more vulnerable than ever. Why? Because renewable infrastructure is growing faster than our ability to secure it. Every year we add gigawatts of new capacity. Every new project means hundreds of new IoT devices. Attack surface grows exponentially.

What we can do – concrete actions

So what can we do as an industry, as operators, as EPC firms building new installations across Europe?

First, portfolio audit. You need to know exactly what inverters are installed in all your farms. What percentage are Chinese brands? Which have remote internet access capability? How is that access configured? This is fundamental – you can’t secure what you don’t know.

Second, network segmentation. Every solar farm must implement a proper architecture: internet, firewall one, DMZ for monitoring systems, firewall two, SCADA and operational technology network. Never connect inverters directly to the internet. Never give inverter manufacturers direct VPN access to your OT network. If a manufacturer must do a firmware update: download the file offline, test it on one inverter, and install it locally through a technician. Yes, it’s more expensive and slower, but it’s secure.

Third, for new EPC projects, you must start offering alternative suppliers. SMA Solar from Germany, twenty-five percent more expensive but no Chinese backdoor. Fronius from Austria, premium quality plus thirty percent in price but trusted European manufacturer. Power Electronics from Spain, growing utility-scale market share. Fimer-ABB, Italian-Swiss brand. How to sell this to clients? “We can give you Chinese inverters at fifty thousand euros per megawatt or European at sixty-five thousand. Difference is fifteen thousand per megawatt more. But if Chinese inverters are remotely shut down and you lose one week of summer production, that’s one hundred fifty megawatt-hours times eighty euros, twelve thousand euros loss, plus contractual penalties for unavailability. European inverters pay for themselves after the first avoided incident.”

Fourth, twenty-four-seven monitoring. Every farm above one megawatt should have twenty-four-seven SCADA monitoring, alert on any unplanned inverter configuration change, alert on any remote access attempt outside IP whitelist, log all communications between inverters and external servers. Practical tools: Splunk or Elastic Stack for log aggregation, Nozomi Networks or Claroty for OT security monitoring. Cost: ten to fifty thousand euros annually depending on portfolio size. Return: one avoided major incident.
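The two network alerts from the fourth point (remote access from outside the IP whitelist, and inverter traffic to external servers) can be sketched as follows. This is an added example, not Lighthief's code or any vendor's tool; the addressing plan, allowlists, log format and sample flow records are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed site addressing plan (hypothetical, not from the article).
# Internal ranges are listed explicitly rather than inferred with is_private,
# so the site plan, not a heuristic, decides what counts as "external".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
OT_NET = ipaddress.ip_network("10.20.0.0/24")                     # inverters, loggers, PLCs
REMOTE_ACCESS_ALLOWLIST = [ipaddress.ip_network("10.10.5.0/28")]  # DMZ jump hosts
APPROVED_EXTERNAL = [ipaddress.ip_network("192.0.2.10/32")]       # one approved outside service

# Constructed flow records: timestamp, source, destination, dest port, firewall action.
SAMPLE_FLOWS = """\
2025-07-16T15:14:58Z 10.10.5.3 10.20.0.11 502 ALLOW
2025-07-16T15:15:02Z 203.0.113.77 10.20.0.11 502 DENY
2025-07-16T15:15:04Z 10.20.0.11 198.51.100.25 8883 ALLOW
2025-07-16T15:15:09Z 10.20.0.12 192.0.2.10 123 ALLOW
2025-07-16T15:15:11Z 10.30.1.40 10.20.0.12 22 ALLOW
garbage line
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: object   # ipaddress address object
    dst: object
    dport: int
    action: str


def in_any(addr, nets):
    """True if addr falls inside at least one of the given networks."""
    return any(addr in net for net in nets)


def parse_flow(line):
    """Parse one record; return None for anything malformed instead of guessing."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, action = parts
    try:
        return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                    int(dport), action.upper())
    except ValueError:
        return None


def severity(flow):
    # A connection the firewall let through matters more than a blocked probe.
    return "critical" if flow.action == "ALLOW" else "warning"


def analyze(log_text):
    """Return (alerts, external_log, rejected_line_count)."""
    alerts, external_log, rejected = [], [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow is None:
            rejected += 1          # unparsable lines are counted, never silently dropped
            continue
        src_ot, dst_ot = flow.src in OT_NET, flow.dst in OT_NET
        # Alert 1: anything reaching into the OT network from a non-allowlisted source,
        # including other internal networks such as the office LAN.
        if dst_ot and not src_ot and not in_any(flow.src, REMOTE_ACCESS_ALLOWLIST):
            alerts.append(("remote-access-outside-allowlist", severity(flow), flow))
        # Log every OT-to-external flow; alert 2 fires when the destination is not approved.
        if src_ot and not in_any(flow.dst, INTERNAL_NETS):
            external_log.append(flow)
            if not in_any(flow.dst, APPROVED_EXTERNAL):
                alerts.append(("unapproved-inverter-egress", severity(flow), flow))
    return alerts, external_log, rejected


if __name__ == "__main__":
    found, ext, bad = analyze(SAMPLE_FLOWS)
    for kind, sev, f in found:
        print(f"{f.ts} [{sev}] {kind}: {f.src} -> {f.dst}:{f.dport} ({f.action})")
    print(f"external flows logged: {len(ext)}, unparsable lines: {bad}")
```

The last constructed record is the case the ransomware scenario earlier in the article turns on: an internal office address, not a DMZ jump host, reaching an OT device on an allowed connection.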

Fifth, incident response plan. Must be documented, tested. Step one detection, zero to fifteen minutes: who gets alert, how you verify attack versus failure, who makes decisions. Step two containment, fifteen to sixty minutes: disconnecting infected systems, isolating critical components, communicating with client and grid operator. Step three recovery, one to twenty-four hours: restoration procedure, integrity verification, controlled restart. Step four post-incident, one to seven days: forensics what happened, client report, procedure updates. Conduct tabletop exercise with team every six months.

Sixth, contracts and insurance. In EPC contracts add clause: “Cyberattack by equipment manufacturer or foreign intelligence services is not covered by performance guarantee if installation met NIS2 cybersecurity standards, operator acted according to procedures, incident was reported within twenty-four hours.” In O&M contracts: “Force majeure includes coordinated cyberattacks by state actors on equipment manufacturers.” Consider cyber insurance for portfolio, cost half to one percent of insured value annually, coverage for downtime losses, forensics costs, contractual penalties.

Seventh, NIS2 compliance. The NIS2 Directive is being enforced across Europe now. Requirements for solar farm operators above ten megawatts: risk assessment once yearly, incident reporting within twenty-four hours, documented cybersecurity procedures, personnel training, external audits. Hire consultant for three to five days to conduct gap analysis and help prepare documentation. Cost five to fifteen thousand euros. Cost of non-compliance: penalties up to ten million euros or two percent of global turnover.

Eighth, supply chain due diligence. For every new project add to vendor evaluation: Where are inverters manufactured, not where HQ is but where actual production? Is company subject to China’s National Intelligence Law? Do inverters have remote access capability, through whose servers? Can remote access be completely disabled? Red flags: “Remote access is mandatory for warranty,” “cannot disable cloud connectivity,” “firmware updates only through our servers in China.”

Ninth, team training. Seventy percent of IoT devices have default passwords never changed. Basic hygiene for every technician: change default passwords on every device, unique passwords per installation, disable unused ports, update firmware to latest versions after testing. Team training: recognizing phishing, secure SCADA connection, suspicious activity response procedures.

Tenth, physical protection. Russian sabotage isn’t only cyberattacks. Transformer arson, physical inverter damage, drones with explosive payloads happen in Ukraine daily. Security measures: thermal cameras on substation transformers, acoustic or radar drone detection is available technology, fencing around inverter containers, security patrols for farms above five megawatts in high-risk areas.

Eleventh, backups and redundancy. If your farm is shut down, how quickly can you restore? You must have an offline backup of all inverter configurations on USB, a backup of the SCADA configuration, spare parts on-site, a spare inverter, a spare PLC, and a factory reset and restore procedure. Test the restore every six months: take one inverter offline, do a factory reset, restore from backup, measure the time. Goal: restore a single inverter in under two hours.
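One way to make the six-monthly restore test trustworthy is to record a hash manifest when the offline backup is written and check the medium against it before restoring. This is an added example, not the author's procedure; the file names, config contents and directory layout are constructed, and the manifest is assumed to be stored separately from the backup medium.

```python
import hashlib
import tempfile
from pathlib import Path

RESTORE_TARGET_SECONDS = 2 * 60 * 60   # the article's goal: one inverter in under two hours


def sha256_file(path):
    """Hash a file in chunks so large SCADA exports do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_dir):
    """Map each file's relative path to its SHA-256, taken at backup time."""
    root = Path(backup_dir)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backups(backup_dir, manifest):
    """Compare the medium with the manifest and classify every difference."""
    current = build_manifest(backup_dir)
    return {
        "ok": sorted(n for n in manifest if current.get(n) == manifest[n]),
        "modified": sorted(n for n in manifest if n in current and current[n] != manifest[n]),
        "missing": sorted(n for n in manifest if n not in current),
        "unexpected": sorted(n for n in current if n not in manifest),
    }


def restore_drill_passed(report, elapsed_seconds):
    """A drill passes only if the backup set is intact AND the time target was met."""
    intact = not (report["modified"] or report["missing"] or report["unexpected"])
    return intact and elapsed_seconds <= RESTORE_TARGET_SECONDS


def demo():
    """Constructed backup set: verify it clean, then after simulated damage."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site-a"
        site.mkdir()
        (site / "inverter-01.cfg").write_text("power_limit_pct=100\n")  # constructed content
        (site / "inverter-02.cfg").write_text("power_limit_pct=100\n")
        (site / "scada-export.json").write_text('{"site": "site-a", "inverters": 2}')
        manifest = build_manifest(tmp)          # in practice: kept off the backup medium
        clean = verify_backups(tmp, manifest)

        # Simulated damage: one file overwritten, one deleted, one stray file added.
        (site / "inverter-02.cfg").write_bytes(b"\x00\x8f\x13 not a config any more")
        (site / "scada-export.json").unlink()
        (site / "NOTE.txt").write_text("file that was never part of the backup")
        damaged = verify_backups(tmp, manifest)
        return clean, damaged


if __name__ == "__main__":
    clean_report, damaged_report = demo()
    print("clean drill (95 min):", restore_drill_passed(clean_report, 95 * 60))
    print("damaged set:", damaged_report)
```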

And twelfth, networking with other operators. The European solar industry must unite on security. Consider creating informal security working groups with other O&M operators, sharing anonymized threat intelligence, joint training, joint procurement of security tools with volume discounts.

Conclusion

In conclusion: the energy transformation cannot be a risk transformation. It must be a transformation toward true energy security for Europe.

Lighthief will continue building solar farms across eleven European countries. We’ll continue providing O&M. We’ll continue expansion. But we will not ignore threats that are real, documented, growing every day.

I’ll repeat the key numbers: two to four thousand cyberattacks daily targeting critical infrastructure in the most attacked EU country, one hundred seventy thousand incidents in three quarters of two thousand twenty-five, two hundred gigawatts of solar capacity controlled by Chinese inverters, eighty percent increase in ransomware attacks on energy. These aren’t statistics. These are warnings.

The question isn’t whether you’ll be attacked. The question is whether you’ll be prepared when it happens. Thank you for listening. If this episode opened your eyes, share it across the industry. Solar and wind farm security is everyone’s concern. They attack everyone, so we all must defend together.

Tune in and listen to our next episode of Mega Watts on Your Mind. See you soon.