James Showalter describes a specific, though somewhat unlikely, nightmare scenario. Imagine someone pulling up to your house, cracking your Wi-Fi password, and tampering with the solar inverter mounted beside your garage. This unassuming gray box converts the direct current from your rooftop panels into the alternating current that powers your home. “You’ve got to have a solar stalker for this scenario to play out,” says Showalter, referring to someone with both the technical skills and motivation to hack a home energy system.
As the CEO of EG4 Electronics, a Texas-based company, Showalter doesn’t consider this sequence of events particularly probable. However, it became a topic of discussion when the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published an advisory detailing security vulnerabilities in EG4’s solar inverters. The flaws could allow an attacker with network access and the inverter’s serial number to intercept data, install malicious firmware, or take control of the system.
For the roughly 55,000 customers using EG4’s affected inverters, this revelation was unsettling. Many had little understanding of how these devices function. Modern solar inverters are no longer just simple power converters—they now serve as the backbone of home energy systems, monitoring performance, communicating with utility companies, and feeding excess power back into the grid.
This shift has occurred largely unnoticed. “Nobody knew what the hell a solar inverter was five years ago,” observes Justin Pascale, a principal consultant at Dragos, a cybersecurity firm specializing in industrial systems. “Now we’re talking about it at the national and international level.”
The rise of residential solar installations has turned individual homes into miniature power plants. According to the U.S. Energy Information Administration, small-scale solar installations—primarily residential—grew more than fivefold between 2014 and 2022. Falling costs, government incentives, and growing climate awareness have made solar power mainstream.
However, each new installation adds another node to an expanding network of interconnected devices, increasing energy independence but also creating potential entry points for malicious actors.
When questioned about EG4’s security standards, Showalter acknowledges shortcomings but argues the issue is industry-wide. He cites a 14-page report cataloging 88 solar energy vulnerability disclosures since 2019. Some customers, however, remain unimpressed, particularly after CISA’s advisory revealed fundamental design flaws, including unencrypted communication, lack of firmware integrity checks, and weak authentication procedures.
“These were fundamental security lapses,” says one anonymous customer. “Adding insult to injury, EG4 didn’t even notify me or suggest mitigations.” Showalter explains the delay in alerting customers as a “live and learn” moment, stating the company wanted to address CISA’s concerns before informing users.
The timing of EG4’s security issues coincides with broader concerns about renewable energy supply chains. Earlier this year, U.S. officials reportedly found unexplained communication devices in some inverters and batteries made in China. Given China’s dominance in solar manufacturing—Huawei alone accounts for 29% of global inverter shipments—these discoveries have raised geopolitical concerns.
Lithuania, for example, passed a law blocking remote Chinese access to solar, wind, and battery installations above 100 kilowatts. Showalter says EG4 is moving away from Chinese suppliers in response to customer concerns.
The vulnerabilities in EG4’s systems highlight broader risks. The U.S. National Institute of Standards and Technology warns that a coordinated attack on numerous home inverters could destabilize the grid. However, such an attack faces practical challenges, requiring simultaneous compromise of vast numbers of individual systems.
Residential solar installations operate in a regulatory gray zone. While utility-scale facilities face strict cybersecurity standards, smaller systems lack mandatory requirements, leaving security largely to manufacturers’ discretion.
That said, unencrypted data transmission, one of EG4’s cited flaws, is also common in utility-scale environments for monitoring purposes. “In an operational environment, most things are transmitted in plain text,” Pascale explains.
The real concern lies in the aggregate vulnerability of a rapidly expanding distributed energy network. As power flows from millions of small sources rather than a few large ones, the attack surface grows exponentially. Each inverter represents a potential weak point in a system not designed for such complexity.
Showalter frames CISA’s intervention as a “trust upgrade,” an opportunity to strengthen EG4’s security and stand out in the market. Since June, the company has worked with CISA to address vulnerabilities, reducing an initial list of ten issues to three, with fixes expected by October.
For customers frustrated by EG4’s response, the episode underscores an uncomfortable reality. Many adopted solar technology for environmental benefits, only to find themselves entangled in a complex cybersecurity landscape few fully understand.