A new class of internet-based attacks is transforming solar power infrastructure into a critical vulnerability, enabling malicious actors to disrupt energy production swiftly using readily available tools and open ports. Modern solar farms commonly employ networked operational technology, such as SCADA controllers and string monitoring boxes, many of which still utilize Modbus, a legacy industrial protocol that lacks built-in security features. When these devices are accessible online, attackers can remotely issue control commands to shut down power, even on clear, sunny days, through a single strategically crafted data packet.
Researchers at Cato Networks have identified significant reconnaissance and exploitation attempts targeting Modbus-enabled string-monitoring boxes, which directly regulate the output of solar panels. By exploiting Modbus over TCP, typically found on port 502, adversaries can not only ascertain device status but also manipulate control bits to activate or deactivate power strings. This threat does not rely on sophisticated zero-day exploits; instead, it stems from the inherent insecurity of default-open services and protocols designed without robust security in mind. Once an attacker locates an accessible device, the transition from initial probing to causing a meaningful power disruption can be reduced from days to mere minutes.
Deep Dive: Command-Level Manipulation over Modbus
The fundamental mechanism behind these internet-based attacks is direct manipulation of device registers over Modbus/TCP. Attackers typically begin with a discovery phase, using tools such as Nmap’s Modbus NSE scripts to confirm that Modbus is listening on port 502 and to identify responding unit IDs. A common Nmap command for operational technology (OT) reconnaissance is:
nmap -sV -p 502 --script modbus-discover <target-ip>
This initial step helps attackers determine which unit IDs are responding and which function codes are supported. Subsequently, adversaries can employ tools such as mbpoll or modbus-cli to read and write specific registers. For instance, a malicious operator might attempt to shut down a solar panel string by writing a prescribed value to a control register. An example command could be:
mbpoll -m tcp -t 0 -r 0xAC00 -0 1 <target-ip>
# 0xAC00 mapped as SWITCH OFF
In documented instances, registers like 0xAC00 and 0xAC01 are designated for “SWITCH OFF” and “SWITCH ON” functions, respectively. By automating these commands, attackers can rapidly cycle power strings on and off, potentially stressing inverters or clandestinely reducing energy production while maintaining the appearance of normal operation. When integrated with agentic AI frameworks, these scripts can continuously test for successful command execution, automatically retry failed writes, and adapt to partial defensive measures, transforming simple register manipulation into reliable and repeatable exploits. This AI-driven approach accelerates the threat, making it difficult for human defenders to match the speed of monitoring and response.
The Cato Networks analysis also highlights the critical role of the string monitoring box, which bridges the solar panel strings and the SCADA system. Compromising this unit effectively grants the attacker the privileges of a rogue SCADA operator: simple Modbus function codes let them read voltage and current registers and then write coil or register values to alter the system’s state. In many solar farm deployments, these monitoring boxes sit on flat networks with no segmentation between IT and OT environments, which makes lateral movement easier for attackers.
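As an added example (not code from the article or from Cato Networks), the following Python detector parses Modbus/TCP request frames seen on port 502 and flags the register manipulation and missing-segmentation problems described above: any read or write from a source outside an assumed authorized SCADA subnet is alerted, with writes to the SWITCH OFF / SWITCH ON registers called out explicitly. The authorized subnet, the source IPs and the sample frames are constructed placeholders.

```python
import struct
from ipaddress import ip_address, ip_network

# Modbus function codes that change device state (coil/register writes).
WRITE_FCS = {0x05, 0x06, 0x0F, 0x10}
READ_FCS = {0x01, 0x02, 0x03, 0x04}
# Control registers named in the article: 0xAC00 = SWITCH OFF, 0xAC01 = SWITCH ON.
CONTROL_REGISTERS = {0xAC00: "SWITCH OFF", 0xAC01: "SWITCH ON"}
# Assumed placeholder: the only subnet allowed to reach the string-monitoring boxes.
AUTHORIZED_NETS = [ip_network("10.10.5.0/24")]

def parse_modbus_tcp(payload: bytes):
    """Return (unit_id, function_code, start_address) from a Modbus/TCP request frame."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(payload) - 6:  # MBAP length counts unit id plus PDU bytes
        raise ValueError("MBAP length field does not match frame size")
    fc = payload[7]
    address = None
    if fc in READ_FCS | WRITE_FCS and len(payload) >= 10:
        address = struct.unpack(">H", payload[8:10])[0]
    return unit, fc, address

def classify(src_ip: str, payload: bytes) -> str:
    """Return 'allow' or an 'alert: ...' verdict for one request seen on port 502."""
    try:
        unit, fc, address = parse_modbus_tcp(payload)
    except ValueError as exc:
        return f"alert: malformed Modbus frame from {src_ip} ({exc})"
    if any(ip_address(src_ip) in net for net in AUTHORIZED_NETS):
        return "allow"
    if fc in WRITE_FCS and address in CONTROL_REGISTERS:
        return (f"alert: {src_ip} wrote {CONTROL_REGISTERS[address]} register "
                f"0x{address:04X} on unit {unit}")
    kind = "write" if fc in WRITE_FCS else "read"
    return f"alert: unauthorized {kind} (fc 0x{fc:02X}) from {src_ip}"

# Constructed sample requests (source IP, raw Modbus/TCP frame); not captured traffic.
SAMPLE_REQUESTS = [
    ("10.10.5.20", bytes.fromhex("0001 0000 0006 01 03 0000 000A")),  # SCADA reads 10 registers
    ("203.0.113.7", bytes.fromhex("0002 0000 0006 01 03 0000 000A")),  # outside host probing
    ("203.0.113.7", bytes.fromhex("0003 0000 0006 01 05 AC00 FF00")),  # outside host: SWITCH OFF
    ("203.0.113.7", bytes.fromhex("0004 0000 00")),                    # truncated frame
]

def scan(requests=SAMPLE_REQUESTS) -> list:
    return [classify(ip, frame) for ip, frame in requests]
```

In a real deployment the frames would come from a port-502 span port or firewall log rather than a list, and the authorized subnet would be the SCADA network that the segmentation described in the article is meant to enforce.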
The Cato Networks report emphasizes the severity of this issue with a real-world alert concerning exposed Modbus port 502, categorized as high risk due to overly permissive firewall rules. These findings offer a detailed technical understanding of how internet-exposed Modbus services on solar infrastructure can be exploited to induce rapid and significant grid disruptions. The ongoing research in this area suggests that solar energy providers and cybersecurity professionals must prioritize network segmentation and secure configuration practices to mitigate these evolving threats. The next steps likely involve industry-wide adoption of updated protocols and more robust security architectures for OT environments.