Most IBRs Bypass Traditional SCADA Firewalls: Understanding the Emerging Cybersecurity Challenges
- April 13, 2025
- Posted by: archerint

Inverter-based resources (IBRs) are transforming the architecture of the electric grid. Once viewed as supplemental or niche technologies, assets like solar inverters, battery energy storage systems, and smart wind controllers are now integral to daily grid operations. As utilities, co-ops, and independent power producers race to modernize and decarbonize, the footprint of IBRs is growing rapidly — particularly at the distribution edge, where visibility and control are often weakest.
But with that transformation comes a critical cybersecurity challenge few organizations are fully prepared to address: most IBRs today operate completely outside the protection of traditional SCADA firewalls.
This isn’t a failure of security architecture — it’s a misalignment between the assumptions of legacy systems and the realities of modern, decentralized energy. As IBRs proliferate and become more autonomous, their ability to communicate, respond, and even make control decisions independent of traditional OT networks introduces new pathways for risk.
If IBRs aren’t behind your firewall, who’s watching them?
The Evolution of Energy Infrastructure
For decades, the energy sector relied on centralized systems managed through SCADA networks. Firewalls in these environments were meticulously configured to protect critical control systems from outside interference. These architectures were designed for static, known assets with fixed communication paths.
But the emergence of distributed energy resources — including IBRs — has shifted the paradigm. These devices are now deployed across a variety of field environments, often connected through public networks, cellular modems, or vendor-managed cloud services. They operate with autonomy, sometimes independently of traditional OT supervision.
In short, they’ve outgrown the architecture we built to protect them.
How IBRs Bypass SCADA Firewalls
In traditional SCADA environments, devices are deployed within well-defined perimeters. Communications are tightly controlled, usually routed through segmented networks and inspected by firewalls that enforce access policies and filter traffic. But IBRs were never designed with that model in mind.
Most IBRs are connected through entirely separate pathways instead of residing within the trusted OT network. A solar inverter installed in a substation or along a feeder line might be configured to communicate with a cloud-hosted vendor platform using LTE cellular. A battery system could be monitored and adjusted remotely via Wi-Fi or a third-party dashboard that lives outside the utility’s security infrastructure.
The physical asset may sit inside a substation fence, but its control plane may bypass every firewall the utility has in place.
What makes this especially problematic is that these systems are often commissioned by contractors or engineering teams working on aggressive project timelines. During installation, the priority is typically bringing the resource online — not performing a security review or aligning it with internal network policies. As a result, many IBRs go live with vendor default credentials still intact, no multi-factor authentication, and zero integration with the utility’s centralized telemetry or logging tools.
The firewall isn’t failing. It’s simply never part of the conversation.
To make matters more complicated, IBR vendors commonly provide web-based access portals for configuration and firmware updates. These portals allow technicians to push changes to connected inverters — often without any visibility by the utility or their security operations center. There are no alerts triggered. No logs pulled into the SIEM. The device might be delivering energy to the grid, but from a cybersecurity standpoint, it’s operating in a blind spot.
In this model, the firewall is not circumvented in the traditional sense — it’s completely bypassed. The assumptions that once defined perimeter defense no longer hold when the control path lives in the cloud, and the communication happens over public networks. The result is a growing fleet of grid-connected assets that function independently of the tools and practices designed to keep critical infrastructure secure.
Real-World Risks and Vulnerabilities
These architectural blind spots aren’t just hypothetical. According to research by Forescout’s Vedere Labs (2023), dozens of unpatched vulnerabilities have been identified in leading solar inverters, many of which could allow remote code execution or configuration changes.
Meanwhile, the U.S. Department of Energy’s Office of Solar Energy Technologies warns that internet-connected inverters and control devices are increasingly at risk of cyberattack, particularly when operated outside of utility-owned network protections.
In a distributed environment, the consequences can include:
- Loss of visibility into grid performance
- Unauthorized configuration changes
- Remote disabling of inverters or storage systems
- Impacts on frequency and voltage stability
- Inability to respond rapidly during grid emergencies
Rethinking Visibility, Ownership, and Control
As inverter-based resources expand across the grid, many utilities are discovering a simple but unsettling truth: they no longer have direct security oversight of every device contributing to grid operations.
In the past, most grid-connected devices lived inside known networks — segmented, protected, and monitored. Firewalls, access controls, and intrusion detection systems could see nearly every command, alarm, and status change. But IBRs are changing that equation.
Today, a utility may own the infrastructure but lack visibility into how that infrastructure is being managed. Devices may communicate over cellular networks, send data to third-party clouds, and receive updates from vendor-operated systems. These actions can happen without triggering a single alert in the utility’s OT environment.
This doesn’t mean IBRs are inherently unmanageable — it just means that the tools and assumptions we’ve historically relied on are no longer sufficient.
So what needs to change?
Map Communication Pathways
Start with a visual and functional map of how each IBR asset communicates. Where is telemetry going? How is control pushed to the device? Which networks are involved — public, private, cellular, or otherwise? Understanding these paths is foundational for determining where security boundaries need to be enforced.
Evaluate Vendor Portals Like You Would Internal Systems
Many IBRs are managed via web-based platforms hosted by equipment vendors. These platforms may allow firmware updates, password resets, or real-time configuration changes — all from a remote browser. If your teams aren’t assessing these portals for things like multi-factor authentication, logging, and user provisioning, you’re missing a major part of the risk surface.
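One way to put the two recommendations above into practice is an inventory audit that records each asset's telemetry and control paths and flags the gaps this article describes. This is an added example, not code from the original post or from any vendor; the transport labels, field names, and sample assets are assumptions made for illustration.

```python
from dataclasses import dataclass
# Assumed transport labels for links that never cross the SCADA firewall.
OUTSIDE_PERIMETER = {"lte", "wifi", "vendor_cloud"}

@dataclass
class Path:
    purpose: str    # "telemetry" or "control"
    transport: str  # e.g. "ot_lan", "lte", "wifi", "vendor_cloud"

@dataclass
class Asset:
    name: str
    paths: list
    default_creds: bool = False
    portal_mfa: bool = True
    logs_to_siem: bool = True
    security_owner: str = ""

CHECKS = [  # hygiene gaps the article lists for hastily commissioned IBRs
    ("default_credentials", lambda a: a.default_creds),
    ("portal_without_mfa", lambda a: not a.portal_mfa),
    ("no_siem_feed", lambda a: not a.logs_to_siem),
    ("no_security_owner", lambda a: not a.security_owner),
]

def audit(asset):
    """List findings: paths outside the perimeter, then hygiene gaps."""
    found = [f"{p.purpose}_bypasses_firewall" for p in asset.paths
             if p.transport in OUTSIDE_PERIMETER]
    return found + [name for name, bad in CHECKS if bad(asset)]

def blind_spots(inventory):
    """Assets controlled from outside the perimeter with no SIEM feed."""
    need = {"control_bypasses_firewall", "no_siem_feed"}
    return [a.name for a in inventory if need <= set(audit(a))]

# Constructed sample inventory, not real devices.
INVENTORY = [
    Asset("feeder-pv-01", [Path("telemetry", "lte"), Path("control", "lte")],
          default_creds=True, portal_mfa=False, logs_to_siem=False),
    Asset("bess-02", [Path("telemetry", "ot_lan"), Path("control", "wifi")],
          security_owner="OT security"),
    Asset("sub-pv-03", [Path("telemetry", "ot_lan"), Path("control", "ot_lan")],
          security_owner="OT security"),
]

if __name__ == "__main__":
    print({a.name: audit(a) for a in INVENTORY})
    print("blind spots:", blind_spots(INVENTORY))
```

The second sample asset shows why the path map matters on its own: it passes every hygiene check, yet its control path still runs over a link the firewall never sees.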
Feed Data into SIEMs or OT Monitoring Platforms
Simulate an IBR Breach During Exercises
Most incident response plans still focus on traditional SCADA targets — like RTUs or control center breaches. But what if an attacker changed the settings on 100 inverters via a cloud interface? Would you detect it? Would operations know what to do? By adding IBR-specific scenarios to tabletop exercises, you prepare both IT and OT teams for emerging realities.
Assign Security Ownership — Even for Third-Party Managed Systems
If your utility or organization owns the physical infrastructure, it must also own the security risk — even if a third party operates the device. Clarify who is responsible for patching, credential management, log review, and security updates. Include these expectations in contracts and validate them regularly.
Modern grid protection isn’t just about building higher walls — it’s about knowing where your walls stop and what’s operating beyond them. The question isn’t whether IBRs can be secured. It’s whether your organization is ready to treat them like critical infrastructure — and govern them accordingly.
A Strategic Inflection Point for Utilities
The rapid proliferation of inverter-based resources is changing not only how we generate electricity but also where cyber risk lives.
Every new IBR that connects to the grid without clear visibility, accountability, or integration into your security architecture introduces a new edge to defend. And unlike traditional substation devices, many of these systems are remotely managed, cloud-connected, and operating far outside the assumptions baked into legacy controls.
This is not a temporary transition. It’s a structural shift — and one that demands a strategic response.
The utilities that act now — not in reaction to an incident, but in anticipation of this evolving threat landscape — will not only protect their systems but also build the trust and operational resilience that define modern infrastructure leadership.
- That means treating IBRs as mission-critical cyber-physical assets.
- It means pushing past traditional firewall-centric thinking.
- It means elevating visibility, control, and accountability to match the distributed nature of the modern grid.
Firewalls still matter. But they are no longer the gatekeepers of grid security.
You are.
At this inflection point, the most forward-thinking utilities aren’t asking if IBRs are a risk — they’re asking what they’re going to do about it.
The edge is expanding. The threat is evolving. And the time to act is now.
References
- Forescout Vedere Labs. (2023). Millions of solar power systems could be at risk of cyber attacks after researchers find flurry of vulnerabilities. https://www.techradar.com/pro/millions-of-solar-power-systems-could-be-at-risk-of-cyber-attacks-after-researchers-find-flurry-of-vulnerabilities
- U.S. Department of Energy. Solar Cybersecurity Basics. https://www.energy.gov/eere/solar/solar-cybersecurity-basics