An interview with Martin Novák, Technical Director of SOLSOL and Head of Development for Guardexy, the first cyber protection for PV systems
Where did the idea to develop a security solution for photovoltaics come from?
It first occurred to me when we, as an “ordinary” distributor, were able to command thousands of power plants under our technical management without any restrictions. ((Note: SOLSOL is the largest distributor of photovoltaics in the Czech Republic, with more than 11,000 solar power plants under management). If we can do it, the question arises as to what someone else with far greater technical capabilities could do. We realized that the protection of inverters—the brains of the power plants—is completely inadequate.
What specific moment motivated you to begin the actual development?
We were strongly affected by the attack of Russian hackers on the distribution network in Ukraine. It became clear that the misuse of energy infrastructure has serious and immediate consequences. We realized that it is very easy to identify weak points in the infrastructure from operational data—for example, based on voltage or frequency fluctuations. It is then only a matter of time before someone exploits these weak points at the least opportune moment. Therefore, we started working on a solution that would function as preventive protection—one step ahead of potential misuse.
Which threats did you analyze during development?
We see two key scenarios. The first is an attack with a domino effect, where coordinated manipulation of inverters can cause problems across the entire distribution network. The second scenario concerns individual installations—not necessarily just the destruction of the inverter. A much more realistic risk is that the inverter and its network connection could become a starting point for penetrating the IT infrastructure of a company or municipality. Another variant is the targeted triggering of an outage in part of the electrical installation, for example, on outputs connected via UPS, which can halt the operation of critical equipment.
Some argue that residential installations are less important for grid security than large commercial ones. Do you agree?
Not entirely. Currently, security is primarily addressed from the perspective of distribution network operators—meaning their secure control via dedicated devices and channels. However, no one is really looking at the fact that there are other ways to control or misuse inverters. At the same time, there is not much talk about protecting the end users themselves. Yet even residential or smaller municipal installations can have strategic importance. If they are compromised, it can lead to direct financial damage and threats to operational safety.
What makes your Guardexy solution unique?
Standard firewalls mostly block only outgoing communication. Guardexy, however, filters data flows in both directions. It can audit, log, and block suspicious commands. Nothing similar is currently available abroad. Existing solutions usually take the path of complete disconnection from the internet, which is impractical—remote monitoring and service are key to operation. We want a smart filter, not a ban. And we certainly do not believe that the future lies in a blanket ban on Chinese technologies, as is being done in some countries. That is a dead end, especially when over 90% of installations in the Czech Republic today run on Chinese inverters.
How big of a risk are we talking about in the Czech context?
There are more than 200,000 photovoltaic power plants with these technologies in the Czech Republic. SolaX is the most widespread—an estimated 100,000 to 120,000 installations. Second is GoodWe, of which there are around 50,000 to 60,000. These are numbers that cannot be ignored.
What data and commands currently flow between manufacturers’ servers and inverters in the Czech Republic?
Practically everything, because the manufacturer has a detailed map of the entire network. They know exactly where the inverter is, how it works, and have the ability to send remote commands. If someone were to gain access and trigger a global command, such as “charge from the grid,” the consequences would be immediate and massive.
How does your device work in practice?
Guardexy has two modes. In basic mode, it performs auditing and logging. The user can set what data they want to monitor and what to share. In advanced mode, the device already filters specific commands and recommends whether they are safe. The goal is not only protection but also transparency of the data flow between the inverter and the manufacturer’s cloud.
How long does installation take and what does the end user need?
It is a plug-and-play solution. Connection is simple, similar to connecting a charger. The entire process, including configuration, takes about ten minutes.In conclusion: what are Guardexy’s ambitions?
We want to protect not only households but also municipalities with municipal photovoltaics and commercial installations. The security of energy infrastructure is not a luxury, but a necessity. And this applies not only to the Czech Republic but to all of Europe. If we do not want to wake up to a blackout one day, we must start addressing security from the bottom up, directly at the level of individual inverters.