Showing evidence
Proving that the Horus scenario is theoretically possible is one thing, but if no security vulnerabilities exist in PV-installations it is still practically impossible.
In 2017 A live test setup was used to discover vulnerabilities in the market leading ,and likely the most secure, brand: SMA. Devices of this brand are generally considered to be the Mercedes among PV inverters, have won several awards for outstanding solar energy products and at the time had been the market leader for several years.
In 2025 the market for PV looks vastly different. SMA is still a big player but chinese manufacturers now dominate the market. However, security wise, the market has not improved, on the contrary, critical vulnerabilities are found frequently even in manufacturer systems controlling 10+ or even 50+ GW within Europe. For an overview of recent attack, see the attack overview page.
Laws & guidelines
Several laws and guidelines exists for power supply equipment and its cyber security. For example IEC62443, IEC 62351 & ISO/IEC 27001. That said, the PV installation businesses and PV inverter suppliers are in no way obliged to actually follow these laws and guidelines. Since they are not obliged to follow these laws and guidelines it can be expected that little cyber security measures are in fact in place for the majority of PV inverter vendors.
Even in 2025, when PV installations are a significant part of our critical infrastructure, little to no laws and regulations are applicable to these devices. Those laws and regulations that are applicable (e.g. CRA) underclassify these devices and the related portals, effectively making the regulation miss the mark in solving the issue. The NIS2 law, in most cases also does not cover the specific edge case of Distributed energy PV systems. Nice write-ups of this can also be found here, here and here.
Field testing horus 1.0
In the Thesis of Willem Westerhof in 2017 a hands on black box study was done to find vulnerabilities in the test setup. Full technical details are available upon request. Findings ranging from a 0.0 CVSS3.0 (Informational) score up to a 9.0 CVSS3.0(Critical) score were discovered. These findings resulted in an attacker being able to compromise the device completely. Not only was it possible to hack the device and control its flow of power, there were actually several different ways of doing this.
In total seventeen (later spliced to twenty-one findings as requested by the vendor) vulnerabilities were discovered. Fourteen of which have been awarded a CVE-ID. Using several of these vulnerabilities it is possible to create a complete kill chain from start to finish executing the Horus scenario.
- CVE-2017-9851
- CVE-2017-9852
- CVE-2017-9853
- CVE-2017-9854
- CVE-2017-9855
- CVE-2017-9856
- CVE-2017-9857
- CVE-2017-9858
- CVE-2017-9859
- CVE-2017-9860
- CVE-2017-9861
- CVE-2017-9862
- CVE-2017-9863
- CVE-2017-9864
All these vulnerabilities were responsibly disclosed to the vendor, in December 2016. Early 2017 the theoretical concept as well as the vulnerabilities in this scenario were disclosed to specific governmental institutes and power grid regulators since they had a direct impact on the vital infrastructure.
Further field testing
Since 2017 several other researchers have also done indepedent research into this topic and proven the scenario’s to be possible in practice by exploiting PV-installations and it’s related components. An overview of the latest practical proof can be found here.
By looking at affected vendors, the amount of PV installed, and the discovered vulnerabilities in 2025 alone, It’s possible to determine that the vast majority of PV installations could have been compromised by leveraging vulnerabilities at the start of 2025. In practice, this means load-altering attacks of dozens of GW were possible and could be used to take-down almost any grid across the globe.
For europe specificaly, at the start of 2025, over 60 GW of PV-installations were vulnerable to exploitation over the internet by arbitrary attackers, (based on vulnerabilities publically released between January-2025 and early August-2025 and publically available vendor market share data). With the theory indicating that ~5 GW should be enough to down the european grid, this situation is worrying to say the least.
Sadly even more vulnerabilities will be coming out later this year, and presumably in future years as well. These will be posted seperately here.