A report from the European solar association SolarPower Europe highlights the cyber security of PV installations in the European Union. A major concern is the vulnerability of connected inverters and of data management via cloud services outside Europe.
As solar energy becomes a strategic pillar of the energy transition in Europe, another less visible but equally critical challenge is on the rise: the cyber security of photovoltaic installations.
A report published on April 29 by SolarPower Europe, in collaboration with DNV and the European Inverter Forum, highlights worrying gaps in the digital security of the sector. Entitled “Solar sector proposes solutions to reduce critical cyber security risks”, the document makes a simple observation: smart inverters, an important part of solar power plants, form a vulnerable gateway for increasingly sophisticated cyber attacks.
A regulatory framework and management that is still insufficient
In contrast to traditional energy infrastructure, solar inverters are often designed and used as connected objects. They are remotely accessible to the various stakeholders involved in managing the installation: manufacturers, installers, energy aggregators, network operators, etc. To this end, information, data and certain functionalities are hosted online, based on cloud services. The growing number of stakeholders with direct or indirect access to these inverters increases the risk of security breaches. The fast-growing sector is therefore a prime target for ransomware (which blocks access in exchange for a ransom) or other threats, sometimes even with physical effects, such as a remote shutdown or disruption of the infrastructure.
Although the European Union has strengthened its legislation in recent years with the NIS2 Directive, the Cyber Resilience Act (CRA), the Network Code for Cyber Security (NCCS) or, more simply, the General Data Protection Regulation (GDPR), these regulations are not always designed for all critical infrastructure. For example, small residential or commercial PV installations often fall outside the thresholds defined by the regulations. Moreover, the lack of a single operator responsible for security makes it difficult to apply robust standards in every project.
Although almost 70% of residential and commercial installations are now connected to the internet, the cyber security knowledge of installers and service providers is limited given the sophistication of potential attacks. Bad practices (default passwords, lack of firewalls, insecure configurations) are common. Poorly informed end users are often not aware of the risks related to external access or to data storage in non-EU data centers, sometimes in less protective jurisdictions.
Scaling up: The need for proportional measures
The situation becomes even more concerning when considering the scale of the capacities involved. In 2023, seven inverter manufacturers each had the potential to manipulate more than 10 GW of installed capacity remotely. A compromise of only one of these players could potentially affect the stability of the European electricity grid. Sensitive data, whether real-time data or user information, can also be exposed to risks of espionage or sabotage, especially if the servers are hosted outside the EU.
Faced with these findings, SolarPower Europe argues for the adoption of a ‘harmonized cyber security framework for photovoltaics’, in particular for smart inverters. The report emphasizes the need to assess distributed solar systems on the basis of their real risk level, to define clear governance for security throughout the life cycle of installations, to increase consumer awareness and to promote systems that are secure, as well as the lack of a European standard dedicated to the entire decentralized system.