When the Grid Gets Smart, the Threat Gets Smarter
Sadly, it feels like 2010. From Solar Panels to Smart Meters, Why IoT Is the Silent Saboteur in the Smart Grid Revolution
Hello Cyber Builders 🖖
This is the third and final post in my series on cybersecurity and power grids. Today, I want to explore one of the most underestimated threats: the rise of new, hyper-connected grids and how that’s creating opportunities for attacks through devices you’d never expect.
The first two posts explained the basics: power grids are complex systems with many stakeholders. There are the big players—state operators, energy producers, utilities—and then everyone else: local suppliers, consumers, and prosumers. These groups differ in size and cybersecurity maturity.
Now let’s add renewables to the mix. Here’s the thing—this isn’t really about whether energy comes from the sun, wind, or a coal plant. It’s about who is managing the devices and how well those devices were built by the manufacturer in terms of cybersecurity.
Because connecting thousands of cheap, poorly secured smart devices to your power grid upgrades your attack surface.
Sadly, this has been known for a long time.
Since 2010, experts have warned that electrical grids are highly vulnerable to cyber threats. Power utilities depend on SCADA/ICS (Supervisory Control and Data Acquisition / Industrial Control Systems) to manage generation and distribution, and these systems were historically designed for reliability and safety, not security. Consequently, many grid control components have weak authentication, outdated protocols, and exposure to the Internet.
Cybersecurity researchers have repeatedly raised the alarm: electrical grids and energy infrastructure have become “highly attractive targets” for criminal and state-sponsored hackers.
A notable early warning came from the hacker community at the 31st Chaos Communication Congress (31C3) in 2014. In a talk titled “SCADA StrangeLove: Too Smart Grid in da Cloud,” researchers Sergey Gordeychik and Aleksandr Timorin revealed that the newest “smart grid” and renewable energy systems (wind turbines, solar PV plants) were often directly connected to the internet and riddled with known vulnerabilities.
They demonstrated how the software platforms that monitor and control large wind farms and household solar panels contained “low-hanging 0-days” (previously unknown exploits) and well-known security flaws.
Even by 2014 it was (or should have been) common knowledge that core components of green energy infrastructure were hackable.
The researchers humorously — and pointedly — noted that many industrial developers were rushing to put smart grid controllers “in the cloud” without basic hardening, thus “leaving no chances for security.”
Gordeychik and Timorin’s presentation, part of the SCADA StrangeLove project, linked IT vulnerabilities to real-world grid safety. They warned that an attacker who gains root access to a renewable plant’s control system in minutes could nullify years of engineering efforts toward fail-safe grid operations.
In one example, they showed how compromising a wind turbine’s controller could disable safety limits, potentially causing physical damage or destabilizing the local grid. This and similar research presaged today’s concerns: a cyber intruder in a solar or wind farm control network could rapidly override protective settings, knock critical generation offline, or spoof data – all with cascading effects on the larger electric grid.
I'll let you watch the video (remember, it is 10 years old!)
🔗Links:
31C3 - SCADA StrangeLove: Too Smart Grid in da Cloud (here)
DEFCON 20 - SCADA Strangelove or: How I Learned to Start Worrying and Love the Nuclear Plants (here)
10 years later, we are still at the same point
In its wake, U.S. and European authorities began issuing urgent alerts. A 2024 FBI report warned that the rapid deployment of renewable energy technologies like solar farms, microgrids, and smart inverters opens new cybersecurity gaps that threat actors can exploit (see here).
Likewise, the World Economic Forum’s Global Cybersecurity Outlook 2025 cautioned that in our rush to roll out green energy solutions, “there is a risk of introducing vulnerabilities that could undermine the reliability of this new energy infrastructure” if security isn't built in from day one.
Then came the recent Iberian blackout—widely covered in outlets like The Guardian—a massive grid failure mercifully lacking clear cyber-attack indicators. Even so, it served as a wake-up call. Experts and regulators noted that while the cause might have been accidental, the incident eerily mirrored scenarios cyber-threat researchers had been warning us about for years.
These developments underscore a stark reality: as we embrace interconnected, IoT-driven energy systems, we must treat cybersecurity not as an afterthought, but as the foundation of the modern power grid.
Last but not least, as we discussed in Post 2, state actors have invested in hacking power grid equipment and renewable control systems for years to gain control over the power grids of other states.
Matt Johanson has done a great deep dive on solar panel “backdoors” in a Twitter feed.
Why IoT and Industrial Security are different
Technically speaking, the IoT threat isn’t just a variation of traditional IT risks—it’s an entirely different game.
In a typical IT environment, you’re dealing with a complex, custom-built system. You’ve got laptops, servers, networks, and cloud infrastructure—all stitched together uniquely in every organization. The IT setup of a global bank will look nothing like that of a manufacturing plant.
Even two banks won’t match—they have different architectures, software stacks, and versions of the same tools. Sure, there are some standard building blocks—Active Directory, Cisco routers, maybe some shared cloud providers—but the overall systems are shaped by years of decisions, budgets, and constraints.
For an attacker, every new target comes with a learning curve. You can’t just copy-paste your way into every enterprise. You’ve got to study the terrain, avoid tripping SOC alarms, and adapt constantly.
Now contrast that with the IoT world. Here, it’s almost the opposite. Many devices are connected directly to the internet without a firewall, segmentation, or warning. Whether it’s a smart home gadget or a power inverter, once it’s plugged in, it’s phoning home—pushing data to the cloud, pulling down updates, and sending telemetry.
And unlike IT systems that are custom per company, IoT deployments are cloned. Every smart meter of a particular model has the same firmware, and every solar inverter from that manufacturer has the same configuration.
That’s where the threat escalates. Because if you’re an attacker and you want to hack one of these devices—say, a solar panel used across your target region—you don’t need to guess. You buy one. Ship it to your lab. Tear it apart. Spend days, weeks, months if needed—no rush, no SOC watching.
Find the hard-coded credentials. Map the firmware. Exploit the outdated libraries. And once you’ve got a working exploit, you don’t just have access to one device—you’ve unlocked thousands.
In IoT, the return on investment for attackers is massive. Find one crack, and you can break the whole system.
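A utility can measure this cloned-fleet risk from its own asset inventory. The sketch below is an added example, not part of the original post: it groups devices by identical vendor, model and firmware image and reports how much installed capacity a single flaw in that image would reach. The field names, the sample inventory and the 25% limit are all assumptions made for illustration.

```python
from collections import defaultdict

def _dev(i, vendor, model, fw, kw, exposed):
    return {"id": f"dev-{i:03d}", "vendor": vendor, "model": model,
            "firmware": fw, "kw": kw, "internet_facing": exposed}

# Constructed sample inventory (hypothetical vendors, models and versions).
INVENTORY = (
    [_dev(i, "VendorA", "SX-5", "1.2.0", 5.0, i < 4) for i in range(6)]
    + [_dev(i, "VendorA", "SX-5", "1.3.1", 5.0, False) for i in range(6, 8)]
    + [_dev(8, "VendorB", "W-200", "4.0", 10.0, True)]
)

def blast_radius(inventory, max_share=0.25):
    """Group devices by identical firmware image and report how much of the
    fleet's capacity a single flaw in that image would reach.

    max_share is an assumed policy limit, not an industry standard.
    """
    total_kw = sum(d["kw"] for d in inventory)
    groups = defaultdict(list)
    for d in inventory:
        groups[(d["vendor"], d["model"], d["firmware"])].append(d)

    report = []
    for image, devs in groups.items():
        kw = sum(d["kw"] for d in devs)
        share = kw / total_kw if total_kw else 0.0
        report.append({
            "image": image,
            "devices": len(devs),
            "share": round(share, 3),
            # Devices reachable without any network control in front of them.
            "internet_facing": [d["id"] for d in devs if d["internet_facing"]],
            "over_limit": share > max_share,
        })
    # Largest common-mode exposure first.
    return sorted(report, key=lambda r: r["share"], reverse=True)

if __name__ == "__main__":
    for row in blast_radius(INVENTORY):
        flag = "REVIEW" if row["over_limit"] else "ok"
        print(f'{" ".join(row["image"]):<22} devices={row["devices"]} '
              f'share={row["share"]:.0%} exposed={len(row["internet_facing"])} {flag}')
```

Rows flagged for review are the firmware images where patch status, network segmentation and vendor diversity matter most.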
Final Takeaway: The Grid Is Only as Strong as Its Weakest Connected Device
We’ve known for over a decade that our power grids are vulnerable. We’ve had warnings, research, and proof-of-concepts, and now we will see real-world events that mirror those scenarios.
Yet, too many decision-makers consider cybersecurity an optional upgrade instead of a foundational requirement.
Every cheap, insecure, internet-connected device you add to the grid? That’s another open door. Another potential disaster waiting to happen.
So don’t just read this and nod.
🔒 If you’re a developer, demand secure defaults. Invest in the secure design of your grid software and IoT-connected devices.
🛡️ If you’re a utility, build defense in depth, not excuses. Manage safety, reliability, and cybersecurity.
Because the next blackout might not be an accident, and by then, it’ll be too late to ask who was supposed to care.
Laurent 💚
I wrote about this almost a year ago. Does anyone listen?
https://open.substack.com/pub/jirif/p/protecting-critical-infrastructures?r=1mxk41&utm_medium=ios