Euronews
Euronews Green

Your rooftop solar panels could be at risk from cyberattacks. Here’s how we can fortify the tech

Solar power experts are warning that tighter controls are needed to stop a cyberattack from devastating the industry. 

Energy security is in the spotlight in Europe, as attacks on energy infrastructure increase. Solar, while less targeted than traditional energy sources, is not immune to malicious actors.

To avoid a dangerous and disruptive event as the continent transitions to a smart system based on renewables, SolarPower Europe has published a report highlighting “clear remedies” to the potential threat.

“Like any technological revolution, digitalisation presents incredible opportunity, for example, energy system cost savings of €160 billion per year,” says Walburga Hemetsberger, CEO of the association which represents hundreds of solar organisations across Europe.

“It also comes with new challenges, like cybersecurity. We didn’t need anti-virus protection for a typewriter - but we do need it for our laptops. As a responsible, forward-looking sector, we have mapped the cybersecurity challenge, and we’re rising to meet it with clear, comprehensive solutions.”

The report, written by risk management organisation DNV, comes in the wake of a mass power outage in Spain and Portugal, which some commentators were quick to blame on a cyberattack. 

While Spanish power company Red Eléctrica and the Portuguese government have now ruled out this possibility, the blackout still emphasises the need for a secure power grid.

Are solar systems prone to cyberattacks?

Europe’s move away from an energy system dependent on a few high-impact targets to a more decentralised system offers clear energy security benefits, the report states. Ukraine has learnt this in a particularly brutal way, following repeated cyberattacks on its power grid by Russia.

But to realise these benefits, cybersecurity laws, which focus on old, centralised infrastructure, need to be updated, the experts say. New legislation must address the specific security needs of distributed energy sources, like smaller rooftop solar installations.

Though on a much smaller scale than the strikes on other parts of the energy sector, the solar sector has faced attacks and interference, too.

In 2023, a group of Romanian solar customers modified mandatory settings on their inverters - the devices that convert DC electricity generated by panels into the AC electricity used by homes - to disable the voltage-active power function.

This function is required by the grid operators to reduce active power at high grid voltage, in order to keep the power system running efficiently and safely. 

Modifying this grid support function enabled the customers to make more money by not limiting their solar systems during high-voltage events, potentially jeopardising grid integrity as a result.

In a more pernicious incident, pro-Russian hacktivist group Just Evil stole credentials for 22 client sites in Lithuania and posted them on the Dark Web last year. This opened up access to the management portal of these solar sites, although access was not used to carry out further attacks on that occasion. 

Analysing risk, the report found that these large utility-scale solar installations are more secure, since they are often managed by experienced utilities and covered by the EU’s Network and Information Security (NIS2) Directive.

Small-scale solar systems, meanwhile, which are often rooftop installations on people’s homes or businesses, lack strict cyber rules. They are connected to the clouds of manufacturers, installers, or service providers. 

And while the impact of compromising a single installation is low, when grouped together for power system efficiency, they become virtual power plants of significant scale.

How can solar systems be protected from cyberattacks?

The experts propose two overarching solutions to toughen the solar sector’s defences. 

Number one, they say, existing laws on cybersecurity must be made specific enough to cater to the needs of the solar sector.

Secondly, new rules should be formulated that keep the control of solar systems via inverters within the EU or jurisdictions that can provide an equivalent level of security.

This is relevant, as the analysis shows that over a dozen Western and non-Western manufacturers control significantly more than 3GW of installed capacity. And a targeted compromise of 3GW generation capacity could have serious implications for Europe’s power grid. 

The report recommends an approach similar to GDPR rules, where control of aggregated distributed devices, like small-scale rooftop solar systems, should only take place in regions judged equivalent in security to the EU. 

High-risk entities would then be required to develop cyber solutions, which would be monitored and approved by the competent authorities. 
