One Hack, Millions in the Dark: Europe’s Solar Power Cybersecurity Threat

One Hack, Millions in the Dark: What Threatens Europe?

The vulnerability of “smart” technologies is becoming an increasingly urgent issue. Dutch hacker Wietse Boonstra recently demonstrated the seriousness of these threats by discovering a way to disable 4 million solar energy systems in 150 countries with the push of a button. This finding confirms Hyppönen’s Law: “If it’s smart, it’s vulnerable.”

The scale of the threat is striking. Solar panels in the Netherlands can generate as much energy as forty Borssele-type nuclear power plants. However, many manufacturers fail to provide adequate protection against hackers.

Boonstra, a security researcher at the Judicial IT Organization (JIO), found a major flaw in systems made by Enphase. In recent months, he focused on devices that connect solar panels to the power grid.

While the basic principle of solar panels is simple—they generate direct current, which is then converted to alternating current for the grid—this process relies on an inverter. In Enphase systems, each panel is equipped with its own microinverter.

Enphase customers can configure and manage their systems through personal accounts, with the option to delegate control to others. Boonstra discovered a critical vulnerability: a software bug allowed him to gain administrator rights over other users’ accounts. Testing his theory, he created two admin accounts and found that the first could control the second without permission. For further verification, he created twenty more accounts and successfully managed them all through the first account.
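The account test described above can be written as an automated check. This is an added example, not code from Enphase or the researchers: the article does not say how the bug worked, so the flawed check is a constructed stand-in for one common form of the error, a role check that ignores which account is being managed. The `Portal` model and every name in it are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    account_id: int
    is_admin: bool = False                       # admin of its own installation only
    delegates: set = field(default_factory=set)  # ids the owner has granted control to

class Portal:
    """Hypothetical customer portal with per-account delegation (constructed model)."""
    def __init__(self):
        self.accounts = {}

    def create_account(self, is_admin=False):
        acct = Account(len(self.accounts) + 1, is_admin)
        self.accounts[acct.account_id] = acct
        return acct

    def delegate(self, owner_id, grantee_id):
        self.accounts[owner_id].delegates.add(grantee_id)

    def can_manage_flawed(self, actor_id, target_id):
        # Flawed: checks the actor's role but never ties it to the target account.
        return self.accounts[actor_id].is_admin

    def can_manage(self, actor_id, target_id):
        # Hardened: deny by default; allow only the owner or an explicit delegate.
        target = self.accounts.get(target_id)
        if actor_id not in self.accounts or target is None:
            return False
        return actor_id == target_id or actor_id in target.delegates

def cross_account_grants(portal, check):
    """List (actor, target) pairs that `check` allows without ownership or delegation."""
    return [(a, t) for a in portal.accounts
            for t, target in portal.accounts.items()
            if a != t and a not in target.delegates and check(a, t)]

def build_test_portal():
    # Constructed data: a first admin account plus twenty-one more, as in the test above.
    portal = Portal()
    for _ in range(22):
        portal.create_account(is_admin=True)
    portal.delegate(owner_id=2, grantee_id=3)    # one legitimate delegation
    return portal
```

Run against the hardened check, `cross_account_grants` returns an empty list; any pair it reports is an account managing another without permission.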

Together with his colleague Hidde Smit, Boonstra examined the firmware of Enphase devices and found six vulnerabilities that could be used to infect millions of solar systems with malware.

This situation is comparable to Tolkien’s “One Ring to rule them all” from The Lord of the Rings: just as one ring controlled the others, the discovered vulnerability allows one account to control millions of systems, posing a threat to global energy security.

Growing Risks for the Power Grid

The Netherlands’ vulnerability to power grid sabotage is increasing. The interconnectedness of solar energy systems, charging stations, and batteries—often managed centrally—makes the country more susceptible to such threats. Experts warn that responsibility for stability can no longer rest solely with grid operators.

Solar panels in the Netherlands generate about twenty gigawatts of power, equivalent to forty nuclear power plants. The sudden loss of even a few gigawatts could seriously destabilize the grid.

Representatives of the National Digital Infrastructure Service (RDI) confirm that such a scenario threatens stability not only in the Netherlands but across Europe, given the synchronization of power grids.

Researchers at Secura described a scenario where an attacker could turn solar panels on and off every few seconds. This approach could destabilize the grid if applied to panels producing 3 gigawatts. Gaining control over such a volume of energy is difficult, but experts believe it is possible.

Another possible attack scenario involves changing inverter settings. Modern power grids operate between 240 and 253 volts. When the upper limit is reached, inverters automatically shut down. An attacker could alter these settings, leading to grid overload.

Dependence on Foreign Suppliers and Geopolitical Risks

An additional threat comes from the fact that a significant portion of these systems is controlled by Chinese companies. Huawei and Sungrow, the largest suppliers of solar systems, each deliver over 3 gigawatts to the Dutch grid daily. Every year, about 4 gigawatts of solar capacity are added in the country, increasing dependence on foreign components.

Experts warn of growing dependence on Chinese companies and potential political risks. In the event of a conflict, Beijing could require manufacturers to make changes to systems, allowing manipulation of solar panels in other countries.

State actors could shut down electricity in the Netherlands through inverter software. While such actions would be seen as hostile, the responsible country could deny involvement. Amid rising tensions and more frequent cyberattacks, experts consider this scenario realistic.

Who Is Responsible for Security?

Representatives of TenneT, the high-voltage grid operator, emphasize that the main responsibility for preventing such attacks lies with energy suppliers like Essent. However, TenneT is ultimately responsible for resolving major incidents in the Netherlands.

Experts say that across Europe, it is possible to compensate for the loss of up to 3 gigawatts using fast-reacting resources such as batteries, hydroelectric, and gas power plants. But shutting down more than 3 gigawatts of solar panels could have unpredictable consequences.

Eliminating the risk at its source is nearly impossible. Existing mechanisms only allow for responses to emerging threats, creating a dangerous scenario for society.

Calls for Stricter Regulation

Specialists are calling for stricter regulation and oversight in the industry. New legislative initiatives, such as the Cyber Resilience Act (CRA), RED 3.3 directive, and NIS2 directive, could help increase software developers’ responsibility and limit the entry of unsafe products into the Dutch market.

Regulatory authorities confirm that new laws will help more effectively combat unsafe equipment, including apps and cloud services. Similar measures are planned for operators of electric vehicle charging stations.

Experts stress the need for clear distribution of responsibilities among all market participants. The work of ethical hackers who identify vulnerabilities is certainly commendable, but relying solely on their goodwill for cybersecurity is unacceptable.
