Rogue Communication Modules in Solar Inverters: Radiflow Threat Analysis

   May 26, 2025 | Yossi (Konstantin) Tarnopolsky, VP of Business Development, Radiflow

In May 2025, Reuters reported that some Chinese-made solar inverters and batteries installed in the U.S. contained undocumented communication hardware: cellular radios, with the associated SIM slots and RF circuitry, fitted on the boards but absent from the product documentation. According to the report, the modules came to light when U.S. experts tore the equipment down during security assessments. A cellular radio of this kind gives a remote party a path into the device that never crosses the site's firewalls or OT monitoring, so it can be treated as a factory-installed backdoor. Reuters also recalled an earlier incident, from November 2024, in which inverters in the U.S. were remotely disabled from abroad, which is what a pre-positioned "kill switch" looks like in practice.

Technical Analysis & Insights

This attack aligns with Supply Chain Compromise (T0862) in MITRE ATT&CK® for ICS: a hardware implant inserted during manufacturing that lies dormant until it is activated. Once live, the hidden radio gives the adversary a position from which to run Adversary-in-the-Middle (T0830) against control communications, intercepting and altering them so that firmware tampering or a shutdown command looks like routine maintenance. Three gaps made this possible:

  1. Undiscovered Interfaces
    Operators did not reconcile the delivered hardware against a bill of materials or survey the site for unexpected RF emissions, so the concealed SIM slots and radios went unnoticed.
  2. Perimeter-Only Controls
    Standard firewalls and VLAN segmentation only see traffic that crosses the wired network. A cellular link leaves the site through the carrier's network and never touches them, so they can neither detect nor block it.
  3. Exploitable Firmware
    A Forescout Vedere Labs report found nearly 50 new vulnerabilities across major inverter brands, the majority rated high or critical, that an attacker with a foothold on the device network could exploit once the backdoor was active.

CISA's SBOM guidance and its Hardware Bill of Materials (HBOM) framework emphasize transparent component inventories; an operator who reconciles the declared BOM against what is actually on the board, on a sample of delivered units, can catch hidden modules before they reach production.
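The reconciliation that gap 1 above was missing can be scripted. The following is an added illustration, not Radiflow's or any vendor's tool: it compares a declared HBOM (a simplified, CycloneDX-style JSON document constructed for the example, with hypothetical part numbers) against a teardown inventory of what an inspector found on the PCB. Undeclared parts whose function suggests a radio or SIM interface are rated critical, and unpopulated footprints are reported too, because a footprint that is empty in the sampled unit can be populated in another production batch.

```python
import json

# Constructed declared HBOM in a simplified CycloneDX-style shape. The part
# numbers and product name are hypothetical placeholders, not real inverter parts.
DECLARED_HBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "metadata": {"component": {"name": "PV-INV-100 string inverter (hypothetical)"}},
    "components": [
        {"mpn": "MCU-A100", "function": "main control MCU"},
        {"mpn": "PHY-8720", "function": "10/100 Ethernet PHY"},
        {"mpn": "XCVR-485", "function": "RS-485 transceiver"},
    ],
})

# Constructed teardown inventory: what an inspector recorded from the board.
TEARDOWN_INVENTORY = [
    {"refdes": "U1",  "mpn": "MCU-A100",  "function": "main control MCU",        "populated": True},
    {"refdes": "U7",  "mpn": "PHY-8720",  "function": "10/100 Ethernet PHY",      "populated": True},
    {"refdes": "U9",  "mpn": "XCVR-485",  "function": "RS-485 transceiver",       "populated": True},
    {"refdes": "U12", "mpn": "CELL-M1",   "function": "LTE Cat-1 cellular modem", "populated": True},
    {"refdes": "J4",  "mpn": "SIM-HLD-1", "function": "nano-SIM card holder",     "populated": True},
    {"refdes": "U15", "mpn": "BLE-X2",    "function": "Bluetooth LE module",      "populated": False},
]

# Function keywords that indicate a communications capability.
COMMS_KEYWORDS = ("lte", "cellular", "gsm", "5g", "sim", "wi-fi", "wifi",
                  "bluetooth", "lora", "zigbee", "radio")


def _norm(mpn: str) -> str:
    """Normalise manufacturer part numbers so cosmetic differences do not hide a match."""
    return mpn.upper().replace("-", "").replace(" ", "")


def is_comms(function: str) -> bool:
    return any(k in function.lower() for k in COMMS_KEYWORDS)


def reconcile(declared_json: str, inventory: list) -> list:
    """Compare observed parts against the declared HBOM and return findings."""
    declared = {_norm(c["mpn"]): c for c in json.loads(declared_json)["components"]}
    seen = set()
    findings = []
    for part in inventory:
        key = _norm(part["mpn"])
        seen.add(key)
        if key in declared:
            continue
        if not part["populated"]:
            # Empty footprint for an undeclared part: not active here, but a
            # different production lot could ship it populated.
            findings.append({"finding": "UNPOPULATED_FOOTPRINT", "severity": "MEDIUM",
                             "refdes": part["refdes"], "mpn": part["mpn"]})
            continue
        severity = "CRITICAL" if is_comms(part["function"]) else "MEDIUM"
        findings.append({"finding": "UNDECLARED_COMPONENT", "severity": severity,
                         "refdes": part["refdes"], "mpn": part["mpn"],
                         "function": part["function"]})
    # Declared parts that are missing are less alarming but still a BOM mismatch.
    for key, comp in declared.items():
        if key not in seen:
            findings.append({"finding": "DECLARED_BUT_ABSENT", "severity": "LOW", "mpn": comp["mpn"]})
    return findings


def run_example() -> list:
    return reconcile(DECLARED_HBOM, TEARDOWN_INVENTORY)


if __name__ == "__main__":
    for f in run_example():
        print(f)
```

On the constructed data the script reports the cellular modem (U12) and the SIM holder (J4) as critical undeclared components and the empty Bluetooth footprint (U15) as a medium finding. In practice the inventory side comes from a physical inspection of sampled units, which is why the "right-to-inspect" procurement clause discussed later matters.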

Prevention Strategy

  • Identify: Build a live digital twin of your OT network. Catalogue every device, interface, and firmware version so that blind spots, including interfaces the vendor never documented, become visible.
  • Protect: Enforce zero-trust hardening. Disable unused ports at install time, segment into zones and conduits per IEC 62443-3-3, deploy data diodes or layer 2/3 firewalls, and allow-list only authenticated SCADA endpoints as control masters.
  • Detect: Use passive deep-packet inspection and behavioural baselining to flag unexpected maintenance commands in real time, and to flag device behaviour that no command seen on the monitored network explains, which is the signature of an out-of-band channel.
  • Respond: Follow practised playbooks to isolate or remove compromised devices, re-flash and patch trusted firmware, and restore safe operation, logging every step for post-incident review.
  • Govern: Embed "right-to-inspect" clauses in procurement, conduct randomized hardware and software audits, and align with NERC CIP, NIST SP 800-82 Rev. 3, IEC 62443, and EU NIS 2 requirements.
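The "Detect" step deserves a concrete illustration, because a passive sensor on the wired segment will never see packets on a hidden cellular link; what it can see is the effect. The script below is an added example, not Radiflow's iSID logic, and it assumes two constructed feeds a passive OT sensor could produce: Modbus/TCP write events observed on the plant network, and periodic inverter operating-state telemetry. It assumes a hypothetical register map in which a write to holding register 40001 starts or stops the inverter, and a single authorised SCADA master at 10.10.1.5. Rule 1 flags writes from any other host; rule 2 flags an operating-state change with no control write on the wire in the preceding 30 seconds, which means the command arrived over a channel the sensor cannot see.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumptions for this example (hypothetical, not a vendor register map): the
# inverter's run/stop command is a write to holding register 40001, and the only
# host permitted to issue writes is the site SCADA master.
CONTROL_REGISTER = 40001
AUTHORIZED_MASTERS = {"10.10.1.5"}
# Longest plausible lag between an on-wire command and the reported state change.
CAUSALITY_WINDOW = timedelta(seconds=30)

# Constructed sample feeds (not real captures); timestamps are UTC.
WRITE_LOG = """
2025-05-20T10:00:05Z src=10.10.1.5 dst=10.10.2.21 fc=16 reg=40001 val=1
2025-05-20T10:02:00Z src=10.10.1.5 dst=10.10.2.21 fc=3 reg=40069 count=2
2025-05-20T10:15:12Z src=10.10.1.99 dst=10.10.2.21 fc=16 reg=40001 val=0
2025-05-20T10:20:10Z src=10.10.1.5 dst=10.10.2.21 fc=16 reg=40001 val=1
"""
TELEMETRY_LOG = """
2025-05-20T10:00:00Z dev=10.10.2.21 state=STANDBY
2025-05-20T10:00:30Z dev=10.10.2.21 state=RUNNING
2025-05-20T10:15:30Z dev=10.10.2.21 state=STANDBY
2025-05-20T10:20:30Z dev=10.10.2.21 state=RUNNING
2025-05-20T11:45:00Z dev=10.10.2.21 state=STANDBY
2025-05-20T11:50:00Z dev=10.10.2.21 state=STANDBY
"""


@dataclass
class WriteEvent:
    ts: datetime
    src: str
    dst: str
    register: int
    value: int


@dataclass
class StateSample:
    ts: datetime
    device: str
    state: str


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _kv(line: str) -> tuple[str, dict]:
    ts, *fields = line.split()
    return ts, dict(f.split("=", 1) for f in fields)


def parse_write_log(text: str) -> list[WriteEvent]:
    """Keep only Modbus writes (function codes 6 and 16); reads are ignored."""
    events = []
    for line in text.strip().splitlines():
        ts, kv = _kv(line)
        if kv.get("fc") in {"6", "16"}:
            events.append(WriteEvent(_ts(ts), kv["src"], kv["dst"], int(kv["reg"]), int(kv["val"])))
    return events


def parse_telemetry_log(text: str) -> list[StateSample]:
    return [StateSample(_ts(ts), kv["dev"], kv["state"])
            for ts, kv in (_kv(l) for l in text.strip().splitlines())]


def detect(writes: list[WriteEvent], telemetry: list[StateSample]) -> list[tuple]:
    alerts = []
    # Rule 1: any write from a host outside the allow-list is an intrusion on its own.
    for w in writes:
        if w.src not in AUTHORIZED_MASTERS:
            alerts.append(("UNAUTHORIZED_WRITE", w.ts, w.src, w.dst))
    # Rule 2: a state transition with no preceding control write on the wire means
    # the command came over a channel the sensor does not see (e.g. a hidden radio).
    last_state: dict[str, str] = {}
    for s in sorted(telemetry, key=lambda x: x.ts):
        prev = last_state.get(s.device)
        last_state[s.device] = s.state
        if prev is None or prev == s.state:
            continue
        explained = any(w.dst == s.device and w.register == CONTROL_REGISTER
                        and s.ts - CAUSALITY_WINDOW <= w.ts <= s.ts for w in writes)
        if not explained:
            alerts.append(("OUT_OF_BAND_STATE_CHANGE", s.ts, s.device, f"{prev}->{s.state}"))
    return alerts


def run_example() -> list[tuple]:
    return detect(parse_write_log(WRITE_LOG), parse_telemetry_log(TELEMETRY_LOG))


if __name__ == "__main__":
    for a in run_example():
        print(*a)
```

On the constructed feeds this yields two alerts: the 10:15:12 write from the non-allow-listed host 10.10.1.99, and the 11:45:00 transition to STANDBY that no on-wire command explains. The second rule is the one that matters for a hidden radio: it turns an invisible channel into a visible anomaly by correlating what the device did with what the network was allowed to tell it.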

Radiflow’s Integrated Defence

Radiflow builds and maintains a live digital model of your OT network, uncovering every asset, interface, and firmware version to highlight hidden modules and segmentation gaps. This model guides zero-trust hardening and zone-based protections. Passive iSID sensors then monitor all control traffic, learning normal patterns and generating immediate alerts on any protocol anomaly, each correlated against site-specific risk levels. During an incident, every detection and containment action is recorded to ensure a rapid, informed recovery and clear compliance reporting. Meanwhile, CIARA Risk Management continuously validates your environment against IEC 62443, NERC CIP, NIST 800-82, and NIS 2 standards, quantifies compliance gaps, and prioritizes the highest-impact mitigations and investments.

“Hidden hardware backdoors undermine every assumption about device trustworthiness,” says Ilan Barda, CEO of Radiflow. “By demanding full supplier transparency, enforcing zero trust, and maintaining continuous, behavior-based monitoring, we can stay steps ahead of adversaries who plan years in advance.”
