Renewables energy must be protected against cyber attacks

07 Jul 2024

‘The development of cyber security threats in solar closely mirrors what we saw with the rise of the internet three decades ago”, says Uri Sadot, Cyber Security Programme Director at SolarEdge Technologies. “

Had we paused in 1995 and taken the time to design the basic protocols of the internet to be cybersecure from the bottom up, the global industry would have saved hundreds of billions of rands in reactive fixes. With the benefit of hindsight, the solar industry should be designing its products with cyber security top of mind as standard, before mass mainstream deployment occurs and it is too late to prevent a catastrophic cyber event or face extortionate costs to deploy retrospective cyber security measures. Unfortunately, today there is little mandate or governance to enforce this on solar manufacturers.

The sophistication of cyberattacks has increased hugely in recent years, such as AI-based, botnet, and 0-day attacks, as well as state-sponsored attacks used as a tool for geopolitical aggression, with energy networks and grid infrastructure a potentially crippling target.

Cybersecurity threats to solar

“The solar inverter is the critical component of a solar system. It is also the part that connects to an energy network, as well as the grid as countries move to more distributed energy sources to support grid stabilisation. If cyber security is not taken seriously, this opens the door to potential hacking of the inverter, which could lead to energy supply being remotely controlled and exposed. Whether you’re a homeowner, business owner or grid operator, considerations should be made over who has access to these inverters and vetting the manufacturers of the technology with cyber security top of mind”, he says.

In recent years we’ve seen first-hand the devastating impact of grid failure due to weather events, such as the deep freeze in Texas in 2021 and the 2022 summer heatwave in California, with widespread power outages affecting millions of homes and businesses, and destabilising people’s livelihoods. When the grid goes down, restoration can take days or more. If a cyber-attack is involved, this can take even longer with grid operators having to first identify the cause and location of the issue, before clearing the system of intruders. Only then can a black start process be initiated to gradually restore the grid and carefully bring assets back online to maintain grid balancing of supply and demand. When the consequences of a cyber-attack on the grid are laid out in these terms, Solar's five percent of global energy production suddenly sounds more substantial, underscoring the critical need for cyber security to be prioritized from the top-down.

What needs to happen to make solar more cybersecure?

Defending against today’s highly sophisticated and automated cyber-attacks firstly requires an increased awareness amongst homeowners, businesses, grid operators and governments that the cyber security of solar products varies dramatically from one manufacturer to another. Understanding the risk this poses to energy security, there needs to be shift in mindset across the energy value chain to a ‘prevention is better than a cure’ approach – no different to the robust cyber security measures built into phones or cars as standard.

This starts with the manufacturers themselves, who at present, mostly determine the security levels of their products individually without any regulation, resulting in a disparity in standards. This is tantamount to car manufacturers individually decide on their safety standards. The technological capabilities to enhance cyber security during product development exist, therefore it is imperative vendors prioritise investment in these technologies over cost-cutting and higher margins. It should be non-negotiable, just like fire safety or electric safety.

Government regulation is essential to enforce this, setting rigorous quality standards for cyber security that the industry must follow. This begins with mandating basic cyber security standards for all connected devices, including distributed energy resources (DERs), but also seeking participation from solar manufacturers by implementing physical and software-based security measures and security monitoring capabilities, alongside mitigation plans for potential cyberattacks.

The UK’s recent introduction of the PSTI cybersecurity standard set a global precedent, requiring compliance from all manufacturers of connected consumer devices – including solar inverters – on password strength, support period and technical documentation. In Europe, the Cyber Resilience Act led by the European Commission – slated to be finalised later this year – is expected to mandate a longer list of cybersecurity requirements effective from 2027. The act draft addresses thousands of IoT products, with solar inverters being one of them. While this is a good starting point, improving solar cyber security requires its own legislative category and priority focus – particularly in a region where solar is seen as one of the key energy sources to reduce reliance on foreign oil and gas. Some positive trends can be seen in the US, where industry associations and production certification labs have made first steps in initiating certification standards.