India is undergoing a solar boom, especially with the government’s PM Surya Ghar Muft Bijli Yojana, targeting 10 million rooftop installations. But while panels are visible symbols of self-reliance, the technology buried under them tells a different story. More than 80% of inverters—the brain of a rooftop solar system—are foreign-made, overwhelmingly from Chinese firms.
These inverters do more than just converting DC to AC. They connect to the grid, send data back to manufacturer servers, and often come with undisclosed communication hardware. This is not just an engineering oversight. It’s a systemic backdoor. A recent report by ISGF (India Smart Grid Forum) highlights all of these points and urges immediate policy action to mandate India-based data servers, trusted vendors, and secure inverter standards.
Inverters as infrastructure saboteurs
Solar inverters have now, finally, entered the national security discourse. Recently, as per reports in Reuters and Economic Times, engineers in the U.S. and Denmark discovered “rogue communication devices” and “kill switches” embedded in Chinese-made inverters. These unauthorised elements could enable remote shutdowns, sabotage firmware, and even overload transformers, crippling national grids in seconds. From Lithuania to Japan, countries including the Netherlands, Australia, and Taiwan have raised red flags over cybersecurity threats from foreign-made solar inverters—ranging from remote access bans and hacking incidents to malware infections and calls for stricter national regulations.
Imagine a coordinated command disabling thousands of rooftop inverters across a city. Substations sag. Feeders trip. Grid stability collapses.
Or worse: during a grid failure, anti-islanding protection is disabled remotely. Linemen working on supposedly de-energised lines are electrocuted. The consequences are not just theoretical—they’re life-threatening.
The hidden flow of power and information
The cybersecurity risk is equally grave. Most of these foreign inverters are equipped with IoT modules that transmit user-level consumption and generation data back to the OEM’s servers in China. Apps like Solarman, embedded in over 90% of Indian rooftop inverters, funnel real-time telemetry across borders (as per the ISGF report). Suppose telemetry data is sent to foreign servers. In that case, it exposes household-level energy behavior, enables remote monitoring or control of the device, and bypasses national oversight, thereby creating a cybersecurity loophole.
This is akin to embedding foreign surveillance tools inside Indian homes. It’s not just a breach of privacy – it’s a breach of national energy sovereignty.
Real-world cases: Warning shots already fired
In 2024, blasts linked to Hezbollah operatives using walkie-talkies, mobile phones, laptops, and even solar power systems, triggered global alarm. While India hasn’t seen such incidents yet, ignoring this precedent is reckless. The DER Security Corp found over 129 vulnerabilities in solar PV systems globally, with exploit chains that could affect up to 45% of the world’s installed capacity—including India’s 105 GW solar base (ISGF Report).
Utilities in the U.S. and Europe are already phasing out such inverters. India cannot afford to lag behind.
Policy blind spots and misplaced optimism
To its credit, India has made strides in power sector localisation, particularly in smart meters. The Smart Meter National Programme (SMNP) mandates 50% local value addition in hardware and software. Yet, solar inverters—arguably more sensitive—remain in a regulatory grey zone.
There is no Trusted Vendor Policy for the solar sector, no mandatory domestic data server linkage, and no ban on telemetry going offshore.
What must be done
The solution isn’t complicated. It’s common sense:
- Mandate that all rooftop inverters communicate only with India-based servers. MNRE or a designated public entity should manage this telemetry.
- Adopt the IEEE 1547-2018 (IS 18968-2025) standard for smart inverters with secure, bidirectional communication protocols.
- Introduce a Trusted Vendor policy, akin to the one in telecom, to vet and certify inverter OEMs.
- Accelerate indigenous innovation. Indian companies already exist with proprietary software stacks, grid-tested hardware, and IEC compliance. They need scale and policy support—not skepticism.
- Buying raw materials or components from China is acceptable for now—and to be clear, this isn’t an accusation of deliberate sabotage—but relying on foreign-built software, telemetry systems, or control servers is a strategic risk. We must insulate our grid by owning the technology stack, even if we continue to import basic parts while we catch up.
Final word: This is about control
Power is no longer just about generation. It’s about control—of data, of infrastructure, of national destiny. This is not about blaming any one country, it’s about building resilience. Until we develop end-to-end capabilities, sourcing components globally is pragmatic, but the control and intelligence of our energy systems must rest firmly within our borders. We must choose security, sovereignty, and self-reliance.
About the author: Dr Charusmita is director at Statcon Energiaa—a leading power converter manufacturer in India.
The views and opinions expressed in this article are the author’s own, and do not necessarily reflect those held by pv magazine.
This content is protected by copyright and may not be reused. If you want to cooperate with us and would like to reuse some of our content, please contact: editors@pv-magazine.com.
By submitting this form you agree to pv magazine using your data for the purposes of publishing your comment.
Your personal data will only be disclosed or otherwise transmitted to third parties for the purposes of spam filtering or if this is necessary for technical maintenance of the website. Any other transfer to third parties will not take place unless this is justified on the basis of applicable data protection regulations or if pv magazine is legally obliged to do so.
You may revoke this consent at any time with effect for the future, in which case your personal data will be deleted immediately. Otherwise, your data will be deleted if pv magazine has processed your request or the purpose of data storage is fulfilled.
Further information on data privacy can be found in our Data Protection Policy.