Energy
Hackers coming after renewable energy
With solar as one of the world’s primary energy sources of the future, safeguarding energy security is critical, writes URI SADOT, cyber security programme director at SolarEdge.
The meteoric rise of solar energy in recent years has seen it become an increasingly important component of the global energy landscape, offering homeowners and businesses a clean energy source to reduce their energy bills, while enabling grid operators to leverage a vast distributed energy source to support the grid. By 2022, over 1,300 TWh of solar energy had been installed worldwide, accounting for just under five percent of global electricity generation. A number of drivers have accelerated solar deployment even further, with the pace of solar installations more than doubling each year, making solar the fastest growing power generation technology.
Energy demands on the grid have never been this high and this will likely only increase as the world transitions from fossil fuels to electrification and other power-hungry applications. Digitisation, data centres and the growth of AI, as well as the mass rollout of electric vehicles and heat pumps allow governments around the world to ramp up their sustainability initiatives further to meet their net zero targets. Meanwhile the invasion of Ukraine contributed to a global awakening to the existential threat to energy security when dependence on one’s energy supply lies outside its borders.
These are all factors that have propelled renewable energy sources such as solar to the forefront of future energy security strategies, but with the weighting of dependency shifting from oil and gas to renewables, one must ask how secure renewable energy supply is. With these systems connected to homes, businesses, and grid infrastructure, how cyber-secure are they? And who else has access?
A new era of cyber security risks
The development of cyber security threats in solar closely mirrors what we saw with the rise of the internet three decades ago. Had we paused in 1995 and taken the time to design the basic protocols of the internet to be cyber secure from the bottom up, the global industry would have saved hundreds of billions of rands in reactive fixes. With the benefit of hindsight, the solar industry should be designing its products with cyber security top of mind as standard, before mass mainstream deployment occurs and it is too late to prevent a catastrophic cyber event or face extortionate costs to deploy retrospective cyber security measures. Unfortunately, today there is little mandate or governance to enforce this on solar manufacturers.
The sophistication of cyberattacks has increased hugely in recent years, such as AI-based, botnet, and 0-day attacks, as well as state-sponsored attacks used as a tool for geopolitical aggression, with energy networks and grid infrastructure a potentially crippling target. Recent events such as the cyberattack on a major satellite communications company during the conflict in Ukraine, resulted in the disconnection of 11GW of German Wind Turbines. Similar attacks have targeted other renewable energy sources as well as grid substations, as evidenced by incidents in Ukraine where multiple substations were attacked, causing widespread power cuts in Kyiv.
Cybersecurity threats to solar
The solar inverter is the critical component of a solar system that converts the power produced by solar panels into usable electricity. It is also the part that connects to a home or business’ energy network, as well as the grid as countries move to more distributed energy sources to support grid stabilisation. If cyber security is not taken seriously, this opens the door to potential hacking of the inverter, which could lead to energy supply being remotely controlled and exposed. Whether you’re a homeowner, business owner or grid operator, considerations should be made over who has access to these inverters and vetting the manufacturers of the technology with cyber security top of mind.
In recent years we’ve seen first-hand the devastating impact of grid failure due to weather events, such as the deep freeze in Texas in 2021 and the 2022 summer heatwave in California, with widespread power outages affecting millions of homes and businesses, and destabilising people’s livelihoods. When the grid goes down, restoration can take days or more. If a cyber-attack is involved, this can take even longer with grid operators having to first identify the cause and location of the issue, before clearing the system of intruders. Only then can a black start process be initiated to gradually restore the grid and carefully bring assets back online to maintain grid balancing of supply and demand. When the consequences of a cyber-attack on the grid are laid out in these terms, solar five percent of global energy production suddenly sounds more substantial, underscoring the critical need for cyber security to be prioritised from the top-down.
What needs to happen to make solar more cybersecure?
Defending against today’s highly sophisticated and automated cyber-attacks firstly requires an increased awareness amongst homeowners, businesses, grid operators and governments that the cyber security of solar products varies dramatically from one manufacturer to another. Understanding the risk this poses to energy security, there needs to be a shift in mindset across the energy value chain to a ‘prevention is better than a cure’ approach – no different to the robust cyber security measures built into phones or cars as standard.
This starts with the manufacturers themselves, who at present, mostly determine the security levels of their products individually without any regulation, resulting in a disparity in standards. This is tantamount to car manufacturers individually deciding on their safety standards. The technological capabilities to enhance cyber security during product development exist, therefore it is imperative vendors prioritise investment in these technologies over cost-cutting and higher margins. It should be non-negotiable, just like fire safety or electric safety.
Government regulation is essential to enforce this, setting rigorous quality standards for cyber security that the industry must follow. This begins with mandating basic cyber security standards for all connected devices, including distributed energy resources (DERs), but also seeking participation from solar manufacturers by implementing physical and software-based security measures and security monitoring capabilities, alongside mitigation plans for potential cyberattacks.
The UK’s recent introduction of the PSTI cybersecurity standard set a global precedent, requiring compliance from all manufacturers of connected consumer devices – including solar inverters – on password strength, support period and technical documentation. In Europe, the Cyber Resilience Act led by the European Commission – slated to be finalised later this year – is expected to mandate a longer list of cybersecurity requirements effective from 2027. The act draft addresses thousands of IoT products, with solar inverters being one of them. While this is a good starting point, improving solar cyber security requires its own legislative category and priority focus – particularly in a region where solar is seen as one of the key energy sources to reduce reliance on foreign oil and gas. Some positive trends can be seen in the US, where industry associations and production certification labs have made first steps in initiating certification standards.
“As South Africa continues to embrace digital transformation in the renewable energy sector, the imperative for stringent cybersecurity measures grows ever more critical. Cyber-safe solutions should be a standard, not an option, in safeguarding our expanding solar energy infrastructure. At SolarEdge, we are committed to leading by example, designing our products to meet the highest cybersecurity benchmarks. This approach is vital for protecting investments and ensuring the reliability and stability of energy resources across the continent. By prioritising cybersecurity, we aim to foster greater trust and encourage the broader adoption of clean energy technologies.” Comments Laurence Lipjes, SolarEdge General Manager MEA”
The bottom line
Whether it’s solar, wind or other renewable sources, it’s evident that abundant clean energy is critical to improving our lives and the health of our planet. However, as their consumption increases, improving the security of its underlying technology now, before it’s too late, is imperative to safeguard energy and grid infrastructure from potential threats. Even if the likelihood of needing one is rare, it is there to mitigate the possible dire consequences should an event happen. While governments are awakening to this, tackling cyber-security in renewables will not work without international collaboration – particularly throughout Europe where cross-country electricity trading is prevalent. Top-down legislation needs to be met halfway with bottom-up pressure, requiring both homeowners and businesses investing in solar to demand high cyber-security standards as a prerequisite.
It always goes back to the timeless wisdom: Investing in prevention is better than investing in the cure. Lipjes says, “The UK’s new PSTI cyber security regulation marks a precedent for consumer device security – a legislative milestone towards creating a cyber-security benchmark for all manufacturers active in the UK market. Similar legislation has been adopted throughout the European Union and will come into effect in the coming years. Unified standards and regulations for the industry will allow stakeholders to work together against threats and identify risks.”