How do you Secure Home Networks from IoT and Other Smart Devices

So that there’s no confusion, I did mean “not connected to the internet”. I don’t object to “connected to a network within your house”.

Then that in my view would not be fit-for-purpose. For the amount of money spent on a typical PV system (inverter, plus panels, plus optionally battery) a consumer has a legitimate expectation of being able to monitor the operation of the system (and to do so in a way that does not create security or privacy risks).

2 Likes

See, with something like solar there’s at least solid reasons to have them connected to the internet. Systems of the future (and indeed some already) can monitor power prices and demand and release stored electricity to the grid when it is most needed and valuable. Or get the weather to anticipate when extra needs to be stored vs normal.

Lightglobes? Not so much

1 Like

As long as it remains the owner’s choice i.e. you can still monitor the system without internet access, and if you choose to forgo internet access, you may also be choosing not to be able to engage in some of the more advanced pricing opportunities. (Some of what you are talking about presumably depends also on the electricity retailer i.e. they are prepared to agree to a dynamic feed-in-tariff rather than a fixed averaged FIT.)

Appreciate the clarification. I expected what you suggested was what was included with the supply of the inverter for our PV system, i.e. local access via the home network. I needed to look past the promotional material and online.

Interestingly when I raised the question of security of the internet connection to the Inverter the PV System supplier referred me to a Blog on Solar Quotes web site.

And a link to a Whirlpool Forum topic that has been running for three years now on how to access directly the Sungrow Modbus mapped internal data registers (read only). This is a moving target and not for the average home PV owner to contemplate.

Without panicking any would be purchasers or owners of Sungrow inverters as part of a PV system, it is possible to access the inverter stored data without a home network. The solution still relies on the Sungrow supplied wifi adaptor (It functions as an access point and router).

The wifi adapter broadcasts a recognisable SSID open network. There is a login password for the inverter through a Sungrow App that can be installed on Android or iOS. This allows owners to access the stored history in graphical or simple table format on a mobile. How secure is that network connection? Sungrow indicate it uses WEP encryption, which is very weak. Hence any device connected to the Sungrow Inverter WiFi adaptor is vulnerable to some very simple attacks. It’s not evident if there is any additional encryption on the actual communication between the Inverter and App? Or if the login pw is also the WEP pass phrase?

When I approached Sungrow asking if I could turn the WEP network off or replace the Sungrow RS485 WiFi adaptor (AP) with an RS485 to Ethernet cable device, I hit a brick wall.

Sungrow: “RS495 and Ethernet are different protocols and not interchangeable for this Inverter”. Knowing members of our Community are welcome to laugh or cry at the response. Politely, not the horse’s head! I’ve reproduced the possible typo.

Which explains why there is a mindful amateur and perhaps more professionally experienced interest group on Whirlpool sharing solutions. A working knowledge of modbus may help.

P.S. Sungrow updated their cloud server software earlier this year. The prior version facilitated easy downloads of history including individual string voltages, currents etc in bulk. Great for assessing panel and string issues or performance. The more recent version limits the downloads to a single variable, which is less convenient x10.

3 Likes

This is why our government should be stepping in to protect our interests, in any one of a thousand ways.

It is fundamentally flawed that, in the event of a dispute arising between you and the manufacturer regarding the health of the product, your only source of information regarding said health is dependent on the manufacturer. At the first sign of trouble they could cut off access to historical or current information (with some mumble mumble about the updated cloud server not being compatible with your model).

They may have done that for legitimate, honest reasons - but it just illustrates why you shouldn’t be in a position of having to get your data from any cloud server / internet web site.

1 Like

Not answering the original question but here are some general comments about securing your router (or for that matter other similar networked devices).

  • always change any password from the fixed factory default to an adequately strong password chosen by you
  • where the functionality is provided, change the username from the fixed factory default to one that relates to you
  • if the router offers multiple levels of privilege, a) use that functionality, and b) apply the steps in the previous two points to each built-in account
  • if the router offers remote access via HTTP (web), change the default port number for that if it is port 80 or another common value (pick a random value between, say, 2000 and 48000, and you will likely be OK)
  • THEN if the router offers remote access via HTTP, DISABLE it!!!
  • if the router offers remote access via TR-069, disable it
  • if the router offers management via SNMP, disable it (if you know enough to be using SNMP then you should know enough to use it securely but that would be <0.1% of households)
  • if the router offers UPnP, disable it unless you know what it is for, understand the risks and are actually using it
  • if the router has a built-in wireless access point, use the highest level of wireless security that it supports and that is compatible with your wireless client devices (WPA3 better than WPA2 better than WPA better than WEP)
  • use a strong password for WPA/2/3
  • if you have older client devices that can only do weaker wireless security and if your router allows you to have multiple wireless networks (really multiple SSIDs) then set up an SSID with weak security for the weak devices and put all your other devices on another SSID with best available security

Ideally you would do all this while your network is not yet connected to the internet.

General comment on passwords (probably occurring elsewhere):

a) use trusted software to generate random passwords - humans are not good at choosing random passwords

b) use trusted software to store all these hard (impossible) to remember passwords - preferably stored locally unless you really really trust the provider and know the risks and have assessed the risks

4 Likes
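As an added example (not from the poster above, and not tied to any particular router), the two mechanical parts of that checklist, generating a password with software rather than by hand and picking the random management port, written as a small POSIX shell script. It uses /dev/urandom as the entropy source; the function names are my own.

```shell
#!/bin/sh
# Added example: password and port helpers for the router-hardening checklist.
# Randomness comes from /dev/urandom; function names are my own.

# Print a random password of LEN characters drawn from A-Z, a-z, 0-9.
# LC_ALL=C keeps tr working on raw bytes regardless of the user's locale.
gen_password() {
  len="${1:-24}"
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len"
}

# Entropy in bits of a password of LEN characters chosen uniformly from a
# CHARSET-sized alphabet: floor(len * log2(charset)). 24 characters over
# 62 symbols gives 142 bits, well past the 128 usually recommended;
# 8 characters over the same alphabet gives only 47.
entropy_bits() {
  awk -v n="$1" -v c="$2" 'BEGIN { printf "%d", n * log(c) / log(2) }'
}

# Pick a random port in the range the checklist suggests, 2000..48000.
# Two bytes of urandom give 0..65535; reduce into the 46001-wide range.
random_port() {
  n=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
  echo $(( 2000 + n % 46001 ))
}

# Stand-alone usage: print one password, its strength, and one port.
pw=$(gen_password 24)
echo "password:     $pw"
echo "entropy bits: $(entropy_bits 24 62)"
echo "mgmt port:    $(random_port)"
```

The entropy figure is the useful part: it makes the difference between a "strong looking" 8-character password and a 24-character generated one visible in numbers, which is the argument for storing generated passwords in a manager rather than trying to remember them.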

Three years on and Sungrow appear to have worked out they need a better solution for communicating with their inverters.

How it was.

Previously users required a SunGrow Wi-Fi V31 AccessPoint dongle to connect locally over a WEP encrypted service. Subsequently, once configured through the WEP connection, it was possible to connect using the home WiFi network and a Sungrow App. There is now a wired option.

Wired Ethernet adapter alternative, data sheet and install instructions.

Owners of SunGrow inverters may be best advised to check compatibility and supply/installation with their installer. When I spoke to ours earlier in the year they were not aware of the product or option. There are also several online sellers (includes Australian sources). The devices need to comply with ACMA approvals. Overseas supplied versions may not be compliant?

For security the common WiFi V31 dongle could be configured to connect to a guest or independent WiFi network.

It would be useful to hear feedback on the security risks and solutions of adding the inverter directly to the home copper network and enabling access to SunGrow’s cloud support/servers over your home NBN service.

2 Likes

The fundamental problem with that is the same as with so many other things.

  1. It extends surveillance capitalism.
  2. It is then also vulnerable to predatory governments.

It leaves you in a weak position if the manufacturer does something that you don’t like, or if you end up in a dispute with them. It makes you dependent on the manufacturer on an ongoing basis, including if the company ceases to exist or gets taken over.

The first thing I did after the installer left was to turn off WiFi in the inverter. (The installer wants to configure via WiFi because they are using some fandangled smartphone app to do the configuring - but the inverter was wired in via ethernet from Day 1 and that’s how I access it.)

The second thing I did was to disable most interaction with the inverter manufacturer’s servers, with the understanding that, as blackbox software, I have to trust that using the user interface to turn something off does actually turn anything off. (As software updates are still forthcoming for my inverter, I did leave that enabled i.e. it will check for available updates but not automatically download and install them.)

Enforcement over what the inverter can access on the internet rapidly gets complicated and if the inverter manufacturer is not cooperative (and/or not security savvy), it may not be practical to enforce other than to block all access to the internet.

Assuming that you are using only IPv4 (and that you are using NAT) and that you aren’t port forwarding to the inverter then most of the security risk is the software on the inverter itself.

You should always be a bit suspicious of embedded devices, and the smaller, the more suspicious - because corners tend to get cut in the implementation i.e. validation is not always comprehensive. So the device is vulnerable to being compromised via specially-crafted malicious data that is fed to it from the internet.

Manufacturers also have a poor reputation for leaving (undocumented) debug, trace or backdoor functionality.

I think that is too big a topic to cover here but will mention just one point: Be mindful of what data can be accessed from the local network without authentication. In general avoid having any data that can be accessed without authentication (unless the data is public anyway).
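The approach described in the last few posts (inverter wired into the LAN, WiFi off, everything blocked except update checks) can be written down as a firewall policy on a home Linux router. The following is an added example, not the poster's configuration and not anything supplied by Sungrow: a POSIX shell function that emits an nftables ruleset for the forward hook (OpenWrt and most current distributions ship nftables). Every address is a constructed placeholder: the LAN subnet, the inverter's static lease and the vendor update server (203.0.113.10, a documentation address) are assumptions you replace with your own, and the locally allowed ports (80/443 for the web UI, 502 for Modbus TCP) assume the inverter actually exposes those. The same policy applies to a guest SSID or IoT VLAN by substituting that subnet for the single inverter address.

```shell
#!/bin/sh
# Added example: isolate a wired inverter (or any IoT device) on a Linux router
# using nftables. All addresses below are constructed placeholders.
LAN_NET="192.168.1.0/24"      # assumed home LAN
INVERTER_IP="192.168.1.50"    # assumed static DHCP lease for the inverter
UPDATE_IP="203.0.113.10"      # placeholder for the vendor's update server; pin
                              # the resolved address rather than a hostname

# Print a ruleset for the forward hook (traffic routed between interfaces).
# Policy: LAN hosts may open connections to the inverter's local services;
# the inverter may reach only DNS and the update server; everything else it
# sends is logged and dropped; nothing outside the LAN may initiate to it.
iot_ruleset() {
  lan="$1"; dev="$2"; upd="$3"
  cat <<EOF
table inet iot_isolation {
  chain forward {
    type filter hook forward priority 0; policy accept;

    # replies to connections accepted below keep flowing
    ct state established,related accept

    # LAN -> inverter: local web UI and Modbus TCP only
    ip saddr $lan ip daddr $dev tcp dport { 80, 443, 502 } accept

    # inverter -> DNS (a resolver on the LAN or outside; queries to the
    # router itself hit the input hook and are not affected here)
    ip saddr $dev udp dport 53 accept

    # inverter -> LAN: the inverter never initiates anything inward
    ip saddr $dev ip daddr $lan drop

    # inverter -> internet: HTTPS to the pinned update address only
    ip saddr $dev ip daddr $upd tcp dport 443 accept

    # anything else the inverter tries to reach: record it, then drop
    ip saddr $dev log prefix "iot-deny " drop

    # outside -> inverter: never (NAT already hides it; make it explicit)
    ip daddr $dev ip saddr != $lan drop
  }
}
EOF
}

# Stand-alone usage: print the ruleset. On the router:
#   iot_ruleset "$LAN_NET" "$INVERTER_IP" "$UPDATE_IP" | nft -c -f -   # syntax check only
#   iot_ruleset "$LAN_NET" "$INVERTER_IP" "$UPDATE_IP" | nft -f -      # load it
iot_ruleset "$LAN_NET" "$INVERTER_IP" "$UPDATE_IP"
```

The log line is the practical payoff: with the "iot-deny " prefix in the kernel log you can see which hosts the inverter still tries to contact, which is the only way to check from outside the black box whether the manufacturer's "disable" switch actually disabled anything. Rule order matters, so the catch-all log/drop must stay below the update-server accept.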

QFT. Never connect something to your main network that you do not trust, and try to get your hands on a router that physically isolates the various internal networks it provides (e.g. main vs. guest).

3 Likes