In this article, Uri Sadot, Elected Chairman of SolarPower Europe’s Digitalization group and Cybersecurity Program Director at SolarEdge, explains why hackers would target solar systems, what governments are doing on regulation, and what homeowners and businesses with solar should pay attention to in order to better protect themselves.
The Cybersecurity Risks of a Decentralized Grid
Large energy sites like gas plants and nuclear facilities have long been protected with rigorous cybersecurity regulation. New entrants to the energy mix, such as offshore wind farms and solar utility fields, have also been subject to similar regulatory structures to some degree, due to their large size. However, as the world transitions to an even more decentralized energy infrastructure, with millions of consumer-scale solar systems on the roofs of homes and businesses, numerous internet-connected components are involved, each with unique vulnerabilities. This presents very different cybersecurity challenges from those of the large energy sites we’ve dealt with in the past.
Often referred to as the “brain” of a solar system, the PV inverter is responsible for converting power from solar panels into usable electricity. In commercial and residential rooftop solar installations, the inverter is directly connected to the internet, making it the point of exposure for a cyberattack on a solar system, with potentially grave implications. It has already been proven that, by obtaining administrator rights, hackers can gain remote control of a manufacturer’s installed solar systems. With this access, the hacker could disable or damage inverters, lock them for ransom, or access sensitive parts of the customer’s network. For businesses, this could include customer management databases and financial systems. Hackers may also be interested in energy consumption data, which reveals detailed household routines or business performance.
A more concerning possibility is hackers targeting the central servers that manage these solar systems. Thousands, sometimes millions, of systems can be controlled from a single point. These servers can be targeted by hackers in order to take down the entire grid. Grids are designed to constantly maintain balance between supply and demand of electricity. If the critical threshold for the gap between supply and demand is surpassed, sections of the grid can enter emergency shutdown. The current consensus among experts is that the energy produced by residential solar systems has long surpassed the maximal gap threshold. With millions of solar installations worldwide, these implications are driving increased scrutiny of the cybersecurity of solar.
Targeted attacks have already begun
In May 2024, the European Solar Manufacturing Council (ESMC) called for greater efforts to tighten inverter cybersecurity. That same month, Vangelis Stykas – an ‘ethical hacker’ whose purpose is to expose cyber flaws so they can be fixed – announced that using just a mobile phone and laptop he had gained full remote access to solar systems from six global inverter manufacturers. This gave him access to aggregated power of over three times the entire German grid. While he did not attack grid operations, he had access to significant amounts of power which could have been used to cause widespread outages.
In August, two further solar companies were hacked by renowned cybersecurity leader Bitdefender, giving them access to 195 GW of solar power – 20% of global solar production. Meanwhile, the Dutch ethical hacking group DIVD disclosed six new cybersecurity vulnerabilities to a major solar inverter manufacturer, vulnerabilities that left four million systems in over 150 countries exposed.
But not all hacks on solar systems were benign. In early February 2024, a Russian cybercriminal group gained access to the Lithuanian utility company Ignitis. The hackers provided video evidence of shutting down user accounts and demanded ransom to cease their attacks. They did so by targeting solar monitoring software and by accessing data from 22 facilities including hospitals and military academies.
Another malicious real-world cyberattack making headlines took place in Japan. Hackers hijacked 800 Japanese solar remote monitoring devices, exploiting them for bank account thefts. Unlike most vulnerabilities, this one is unfixable as there is no remote update mechanism in place, leaving the vulnerability permanently open.
DERSec is a cybersecurity company that recently published a review of 54 solar energy cyberattacks and vulnerabilities on consumer-level systems. The report found that the rising trend of cyberattacks is likely to continue, as threat actors seek to penetrate and disrupt critical infrastructure around the world. This has led to an awakening amongst industry bodies and governments, providing proof that the cybersecurity risks via solar are very much real.
The response from industry bodies and governments
In light of these events, SolarPower Europe – the leading solar association in Europe – recently stated that the EU must act now to enforce high standards of cybersecurity on the manufacturers of solar inverters in order to protect energy security. This was also echoed by the European Solar Manufacturing Council. In the United States, the FBI also recently warned about hackers targeting critical infrastructure, and specifically vulnerable renewable power supply, citing the increasing reliance on renewables and the lack of sufficient cybersecurity protocols and regulations.
Governments are now on the back foot, needing to address this issue urgently from a standing start. In the U.S., the White House’s Office of the National Cyber Director (ONCD) recently published a roadmap outlining the critical technologies in need of cybersecurity as the clean energy transition accelerates. It identified specific product categories, like solar inverters and EV chargers, that require special attention. Others, such as the Dutch RDI government agency, the research firm SECURA, and the Australian Cybersecurity Cooperative in its Power Out report, have also identified this risk.
In some areas, we have seen the first regulation to address Distributed Energy Resources (DERs) take shape. The UK’s Smart Charge Points regulation, for example, requires the incorporation of built-in hardware delay timers in EV chargers to prevent mass outages and allow the grid time to adjust in case a cyberattack starts. However, while this might mitigate the worst-case scenario, it doesn’t prevent DERs being hacked in the first place.
The European Commission is attempting to address this through more robust regulation. But for some, it may be too late. Lithuania is a prime example: it is the first country to take matters into its own hands. Soon after the cyberattack on the Lithuanian utility in February, the local Parliament made the decision to ban nations classified as threats to Lithuania’s national security from remotely accessing solar, wind and storage devices. This means solar inverters from nations considered adversarial by Lithuanian law will be banned from 1st May 2025, and existing facilities must disconnect non-compliant inverters by the same time the following year.
How do we solve this?
In the absence of robust regulation, solar inverter manufacturers must realize they are building critical infrastructure, and treat it as such by prioritizing investment in cybersecurity technologies over cost-cutting and higher margins, to help ensure the future stability and security of the solar industry.
In addition, businesses investing in solar must be made aware of the cyber risks and evaluate the cybersecurity measures of different suppliers to ensure their systems are secure. For example, ask the installer questions such as: Who has remote access to my solar system? Where is my data stored and how is it being protected? Is it a brand with a good track record with cybersecurity? Otherwise, you may find yourself with an inoperable system, or owning a soon-to-be non-compliant solar system that needs to be replaced well before the ROI period.
As we race to deploy clean energy technologies, embedding cybersecurity from the outset is paramount. The rapid deployment of the internet three decades ago came with significant cybersecurity compromises that we are still paying for today. In order to avoid making these mistakes of the past, the lesson is clear: prevention is better than cure.