Because cyber security becomes a hot topic in solar energy, it is worth taking a step back to ask how we became a critical infrastructure on solar energy.
For decades, the European energyter was centralized and analogous, powered by large, highly regulated plants. However, the rapid growth of solar and other renewable energy sources has created a decentralized, digital network of smaller sources, the majority of which lack the same security overview. Although large sun plants on a utility scale of more than 100 MW are typically subject to stricter rules, most European solar energy that comes from plants on a utility scale comes from locations of less than 100 MW. According to data analysis company Wood Mackenzie, half of that power (more than 120 GW) even comes from plants that each produce less than 25 MW. The smaller the site, the less likely it must meet all cyber security regulations.
Solar systems have also become more digitally connected. When installed in residential and most commercial institutions, the inverters, which convert solar energy into usable electricity, are connected to the internet to allow remote monitoring, software updates and problem solution. Special services will be introduced in a solar energy on a utility scale to manage remote monitoring, optimization of battery use or production button in the case of roster surplus and negative prices. However, as with many new technologies, cyber security has been overlooked in the hurry to scale up. Many cheap systems, both residential, commercial and utility scale, are still accessible via the public internet with standard or weak passwords, making the external takeover of uncovered PV formers not only possible, but in some cases, alarmingly simple.
Making cyber security more robust with new regulations
The growing consciousness throughout the EU has resulted in many developments in regulations and industrial action. The European Directive Radio Equipment (RED) Article 3.3 and the UK’s Product Security and Telecommunications Infrastructure (PSTI) ACT made a good start in 2024 on improving the security of connected devices, introducing basic standards such as unique and complex passwords and protection for user data. Although these rudimentary requirements apply to a wider set of connected devices, and not only solar energy, they also helped to set the bar for our industry.
More robust regulations are on the way. The Cyber Resilience Act has been adopted, which will gradually take effect in the coming two years and will impose stricter security requirements on manufacturers of connected devices than red or PSTI. The NIS2 EU Directive is expected to be hired in all Member States in the following year and will vary in how it has been converted to the Code of each Member State, but the concepts will make it clear that it will grant clearer responsibility and liability for cyber security risks to owners, operators and critical service providers. In the solar industry, this means that the management of EPCs, developers, assets and even investors or insurers is expected to bear legal accountability for their solar panels, and all the results of a violation of cyber security, including potential results such as black -outs such as black -outs.
Sharpening cyber security regulations is a positive development for industry, but they are not sun-specific, which means that holes are left behind. For example, there is little supervision of how manufacturers of devices manage communication with installed power -producing devices such as inverters, a matter in which residential solar products are unique of other connected devices. Even larger gaps remain in set-ups on a utility scale, because there is no regulation on the management of firewall access for small solar panels, which form the majority of solar energy generation in Europe. Regulation is catching up, but consciousness is growing rapidly – a strong sign that there is more targeted policy. The EU committee has announced the launch of photovoltaic risk assessments, and countries such as Germany have launched public consultations and the involvement of industry to develop tailor -made regulations for their sun sector. Lithuania has gone one step further and has set serious connectivity restrictions on solar devices based on cyber security -even with retroactive effect, despite expensive retrofits for the old installations of companies. As such, installers, developers and EPCs must follow the legal changes closely that will soon be directly affected by their company.
What can be done
Although we are waiting for clearer, more robust regulations, the solar industry must now take proactive steps. For homeowners and companies, the first step is to understand the inverter that is installed as the most “cyber important” part of your system. This means research into the cyber security references of the manufacturer and the general attitude is advised. For system owners who are not satisfied with their legacy converter, installing a local controller or EMS device can reduce part of the risks.
For owners of solar energy factories on utility companies and the O&M companies that serve them, it is important to understand how regulations can soon grant you legal liability about the cyber security of your assetportfolio. Just as you now have to install gates, security cameras and fire safety measures, in the near future you will probably have to invest in both software and hardware -cyber security solutions that go beyond a simple firewall and VPN connection. Assiva owners are advised to guarantee the expertise needed to ensure compliance with the development of the requirements than just NIS 2 and to understand which contractual obligations they should require from their O&M providers and EPC partners. You must also understand that components such as inverters, Bess or your PV monitoring provider can be subjected to different levels of compliance requirements. At least updated stocks of physical components must be maintained.
Reducing the risk
As the regulations become tighter, almost any part of the solar chain can run a risk of infringement or exposure to compliance – which means expensive retrofits, penalty payments or even product reminder if their systems do not fall to new standards. Given the long lifespan of solar systems, choosing more safe, future solutions would be wise, as is standard in other areas such as fire safety, electricity safety or sustainability, in which more sustainable solar panels are chosen to withstand extreme weather conditions during the lifetime of the system.
For homeowners and companies, the solar installation program plays a crucial role in protecting it against cyber security risks. Choosing an inverter with strong access controls such as unique passwords and encrypted communication must be standard practice and will probably be enforced. That is why manufacturers of inverters must enclose cyber security in every level of product design, while avoiding extra complexity for users or installers. For example, manufacturers can include a simple QR code installation that initiates a cryptographic key fair that offers strong cloud-based security and at the same time remains fast and easy. As authentication technologies evolve, manufacturers must go beyond traditional passwords and use the best methods that are common in other industries, such as biometric verification.
For sites in the field of utility scale, asset owners and operations and maintenance companies must start managing access and control for sun factories of every size as if they have already been regulated as critical infrastructure.
It is crucial that industry professionals have to anticipate regulations instead of responding to it. With a growing awareness among installers, system owners and supervisors, the era of the treatment of cyber security is over as a minimized costs. It is just as outdated as viewing safety belts or airbags as superfluous costs in the car industry. Instead, it must be seen as a non-negotiable way to reduce liability and risk. Companies that do not adapt to this paradigm shift run the risk of being regulated from the market – or worse, become the weak link in a national infrastructure attack. Investing in cyber security will now help to guarantee the continuous growth of our industry and will later prevent expensive retrofits.
As the old saying reads, Prevention is better than a remedy.
Author: Uri Sadot
Sadot is director of Solarddefendend and the chairman of Solarpower Europe’s Digitalization Workstream. Solarddefendend is a cyber security company that is exclusively aimed at the Solar PV sector.
The views and opinions expressed in this article are the author, and do not necessarily reflect it by PV -Magazine.
This content is protected by copyright and may not be reused. If you want to work with us and reuse part of our content, please contact: editors@pv-magazine.com.
