Solar energy and the cyber winter – SPE

March 20, 2026
Emiliano Bellini

Cyber ​​winter is a metaphorical concept that describes a profound, structural shift in the nature of cyber threats and cyber-physical risks, particularly against critical infrastructure. The term was coined in 2022 by Yigal Unna, then head of Israel’s National Cyber ​​Directorate, following an Iranian cyberattack on an Israeli water supply. The concept refers specifically to the growing ability of modern cyber threats to operate over extended periods of time and exhibit systemic, coordinated patterns.

“The attack on the Israeli aqueduct caused no direct physical damage and its main purpose was to create panic among operators and the public,” cybersecurity expert Roberto Setola said. pv magazine. “While the incident was contained before any tangible damage occurred, Unna’s warning highlighted a fundamental shift in the nature of cyber operations against critical infrastructure.”

This fundamental shift also defined a cyberattack in December on several power plants in Poland, including many solar PV facilities, which was reportedly carried out by Russian hackers.

“With this attack, the perspective has changed,” Setola explains. “Previously, attacks have targeted the central SCADA system – the heart of the operation – which, while difficult to breach, is easier to defend because it is unique and centralized. In contrast, in Poland a series of coordinated attacks were carried out at field level, suggesting a combination of automated and manual operations.”

Essentially, the attackers focused on the plant’s remote terminal units (RTUs). These are field devices that collect real-time data from inverters, sensors and meters and send them to the central control system.

“A single attack on an RTU achieves nothing. From an energy balancing perspective, it is negligible,” Setola said. “However, if hackers attack 100 RTUs simultaneously, the impact becomes significant.”

Gaining this ability traditionally requires time to learn which commands to use and which variables to manipulate. However, artificial intelligence speeds up the process. “Hackers can now attack a large PV plant through all its RTUs instead of SCADA, causing much more damage,” he said. “Solar also has another vulnerability: many inverters come from the same manufacturer, so a flaw can be exploited across multiple units.”

Setola added that many O&M operators often lack the resources – both quantitative and qualitative – to effectively manage large PV farms. “PV asset owners often rely on third-party suppliers, which paradoxically makes attacks easier,” he noted.

“The first problem is that AI helps attackers carry out sophisticated operations. The second is illustrated by Poland: you do not have to target a single player managing 3 GW of power, which is the so-called ‘reference incident’ used for sizing the frequency control reserve (FRV) and represents the maximum sudden loss that a TSO in Europe must be able to absorb. You can attack 1,000 smaller operators managing 3 MW each. These smaller entities are much less protected because they have the expertise and resources lack of larger operators,” Setola said.

Poland’s case is particularly concerning because, while the attacks were not identical, they were carried out with greater sophistication in multiple locations. “The ultimate goal is unclear – perhaps to create panic. These attacks did not involve extortion, so making profit was not the goal. But the consequences could have been serious, for example a massive blackout. A blackout did occur, although the immediate impact on the population was limited because the threats were detected in time,” Setola explains.

In the attack in Poland, an AI-based system acted as an orchestrator to identify potential targets. Each target was then examined using a range of attack strategies. When a vulnerability was found, the attack disrupted the target’s communications capabilities; otherwise the system continued to the next target. “The PV installations continued to supply energy to the gridso nothing happened. If there had been an imbalance, we could have seen grid problems similar to the incident in Spain in April,” he explains. “A single PV park cannot cause such a disruption, but a series of simultaneous events can.”

Setola emphasized that the attacks in Poland were essentially warlike, targeted the country and not individual actors, and could cause major damage. “It’s not just about interrupting power generation. Hackers can block software configurations, force plant owners to reset all data or even delete communications configurations completely, causing economic losses. Machine downtime and possible fines under the EU NIS2 directive are also possible,” he stressed.

Even small and medium-sized PV operators are at risk, according to the cybersecurity expert. “They may have financial resources, but often lack cybersecurity awareness. That makes them likely targets for lucrative attacks,” he said. “Utilities can invest in expertise, technology and knowledge to protect themselves. Small businesses often do not have a dedicated IT or cyber office.”

He also sees cyber winter is evolving into a permanent pattern of risk for critical infrastructure as the current geopolitical landscape places the energy sector under increasing scrutiny.

“This suggests that attacks on energy infrastructure are likely to intensify in the near future, especially in the cyber domain,” he concluded. “In my view, cyber risk should now be considered as a core variable in the strategic assessments of renewable energy producers. This is especially important as a growing number of financial institutions begin to include a company’s cybersecurity position in their overall investment and risk assessment frameworks.”