A new class of internet-based attacks is turning solar power infrastructure into a high‑risk target, allowing hackers to disrupt energy production in minutes using nothing more than open ports and free tools.
Modern solar farms rely on networked operational technology, including SCADA controllers and string monitoring boxes, many of which still speak Modbus, a legacy protocol with no built‑in security.
When these devices are exposed online, attackers can remotely send control commands that cut power on clear, sunny days with a single packet.
[Figure: diagram of how a threat actor reaches PV modules, string monitoring boxes, and SCADA systems over the network.]
Cato Networks analysts noted large‑scale reconnaissance and exploitation attempts targeting Modbus‑enabled string-monitoring boxes that directly govern solar panel output.
By abusing Modbus over TCP, typically exposed on port 502, adversaries can read device status and then flip control bits that turn strings on or off.
There is no need for zero‑day exploits or complex payloads; the risk comes from default‑open services and insecure‑by‑design protocols. Once an attacker identifies a reachable device, the time from first probe to impactful power disruption can shrink from days to minutes.
Researchers at Cato Networks found that these attacks scale further when combined with agentic AI frameworks that automate scanning, fingerprinting, and command injection against OT assets.
AI‑driven tooling can sweep large IP ranges, discover exposed Modbus services, and test writable registers at machine speed. This changes the threat model for solar operators: human defenders cannot monitor and respond at that pace.
The source analysis highlights the weak point: the string monitoring box, which speaks Modbus and bridges PV strings to the SCADA “brain.” Once this box is compromised, the attacker effectively becomes a rogue SCADA operator.
They can use simple Modbus function codes to read holding registers for voltage and current, then write coil or register values that change system state. In many deployments, these boxes sit on flat networks, with no segmentation between IT and OT, making lateral movement even easier.
Command-Level Manipulation over Modbus
At the heart of this threat is direct register manipulation over Modbus/TCP. Attackers start with basic discovery using Nmap’s Modbus NSE scripts to confirm that a host is running Modbus on port 502 and to enumerate device IDs.
A typical Nmap command for OT recon looks like this:

```bash
nmap -sV -p 502 --script modbus-discover <target-ip>
```
This step reveals which unit IDs respond and what function codes are supported. From there, adversaries pivot to tools such as mbpoll or modbus-cli to read and write registers.
For example, a malicious operator could attempt to switch off a PV string by writing a specific value to a control register:

```bash
mbpoll -m tcp -t 0 -r 0xAC00 -0 1
# 0xAC00 mapped as SWITCH OFF
```
In documented cases, registers like 0xAC00 and 0xAC01 are mapped to “SWITCH OFF” and “SWITCH ON,” respectively.
By looping these commands, an attacker could rapidly toggle strings, stress inverters, or silently reduce production while leaving the plant online.
When wrapped in AI‑driven logic, scripts can continuously probe for acceptance, retry failed writes, and adapt to partial defenses, turning simple register tweaks into reliable, repeatable exploits.
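The function-code reads and writes described above, and the rapid toggle loops just mentioned, are both visible on the wire, which is where a plant operator can catch them. The following is an added example (not code from the article or from Cato Networks) of a defender-side monitor: it decodes the Modbus/TCP MBAP header and PDU of captured frames, classifies each request as read or write by function code, and raises alerts for writes from a host that is not the plant's SCADA master, for bursts of writes to the same coil (a toggle loop), and for malformed frames. The coil addresses 0xAC00/0xAC01 are the ones the article cites; the IP addresses, timestamps, allow-list and sample frames are constructed for the example and are hypothetical.

```python
"""Defender-side Modbus/TCP monitor (added example, not from the article).
Sample frames, IPs and timestamps below are constructed; the 0xAC00/0xAC01
control-coil mapping is the one the article cites and is assumed here."""
import struct
from collections import defaultdict

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_CODES = {5, 6, 15, 16}
# Coils the article describes as string-control switches (assumed mapping)
CONTROL_COILS = {0xAC00: "SWITCH OFF", 0xAC01: "SWITCH ON"}
# Only the SCADA master may talk Modbus to the string monitoring boxes (hypothetical IP)
ALLOWED_MASTERS = {"10.10.0.5"}
TOGGLE_WINDOW_S = 10.0   # window for counting repeated writes to one coil
TOGGLE_THRESHOLD = 3     # writes within the window that count as a toggle loop


def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode the 7-byte MBAP header plus the function code and first address of the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    addr = struct.unpack(">H", frame[8:10])[0] if len(frame) >= 10 else None
    return {"tid": tid, "unit": unit_id, "fc": fc,
            "fc_name": FUNCTION_NAMES.get(fc, f"unknown({fc})"),
            "addr": addr, "is_write": fc in WRITE_CODES}


def build_frame(tid: int, unit: int, fc: int, addr: int, value: int) -> bytes:
    """Build a request frame with a 5-byte PDU (function code, address, value/count)."""
    pdu = struct.pack(">BHH", fc, addr, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def analyze(events):
    """events: iterable of (timestamp_seconds, src_ip, raw_frame). Returns alert strings."""
    alerts = []
    write_times = defaultdict(list)  # (src, unit, addr) -> recent write timestamps
    for ts, src, frame in events:
        try:
            m = parse_modbus_tcp(frame)
        except ValueError as exc:
            alerts.append(f"{ts:.1f} {src}: malformed Modbus frame ({exc})")
            continue
        if not m["is_write"]:
            if src not in ALLOWED_MASTERS:  # reads from unknown hosts look like recon
                alerts.append(f"{ts:.1f} {src}: unexpected {m['fc_name']} from unknown master")
            continue
        target = CONTROL_COILS.get(m["addr"], f"0x{m['addr']:04X}")
        if src not in ALLOWED_MASTERS:
            alerts.append(f"{ts:.1f} {src}: unauthorized {m['fc_name']} to unit {m['unit']} coil/register {target}")
        key = (src, m["unit"], m["addr"])
        recent = [t for t in write_times[key] if ts - t <= TOGGLE_WINDOW_S] + [ts]
        write_times[key] = recent
        if len(recent) == TOGGLE_THRESHOLD:
            alerts.append(f"{ts:.1f} {src}: {len(recent)} writes to unit {m['unit']} {target} "
                          f"within {TOGGLE_WINDOW_S:.0f}s (toggle loop?)")
    return alerts


# Constructed sample session: a legitimate SCADA master, then an outside host.
SAMPLE_EVENTS = [
    (0.0, "10.10.0.5", build_frame(1, 1, 3, 0x0000, 2)),        # read 2 holding regs (V, I)
    (1.0, "10.10.0.5", build_frame(2, 1, 5, 0xAC01, 0xFF00)),   # SCADA: SWITCH ON (coil ON = 0xFF00)
    (30.0, "203.0.113.7", build_frame(7, 1, 1, 0xAC00, 2)),     # outsider reads the control coils
    (31.0, "203.0.113.7", build_frame(8, 1, 5, 0xAC00, 0xFF00)),  # outsider: SWITCH OFF
    (33.0, "203.0.113.7", build_frame(9, 1, 5, 0xAC00, 0xFF00)),
    (35.0, "203.0.113.7", build_frame(10, 1, 5, 0xAC00, 0xFF00)),  # third write in 10 s
    (40.0, "203.0.113.7", b"\x00\x0b\x00\x00\x00\x02\x01"),      # truncated frame
]

if __name__ == "__main__":
    for line in analyze(SAMPLE_EVENTS):
        print(line)
```

On the sample session the monitor stays silent for the SCADA master and raises six alerts for the outside host: one reconnaissance read, three unauthorized coil writes, one toggle-loop warning on the third write, and one malformed frame. In a real deployment the same logic sits on a network tap or in the SCADA firewall's log pipeline; the allow-list and the control-coil map come from the plant's own register documentation rather than from hard-coded constants.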
The Cato Networks report underscores the issue with a real‑world alert on exposed Modbus port 502, rated as high risk and tied to overly permissive firewall rules.
Together, these findings provide a comprehensive technical breakdown of how internet‑exposed Modbus services on solar assets can be exploited to cause rapid, high‑impact grid disruption.