With cybersecurity becoming a hot topic in solar, it’s worth stepping back to ask how solar came to be critical infrastructure in the first place.
For decades, Europe’s energy grid was centralized and analogue, powered by large, highly regulated plants. The rapid growth of solar and other renewables, however, has created a decentralized, digital network of smaller sources, most of which lack the same security oversight. While large utility-scale solar plants of over 100 MW are typically subject to stricter rules, the majority of Europe’s utility-scale solar power comes from sites of less than 100 MW. In fact, according to data analytics company Wood Mackenzie, half of that power (over 120 GW) comes from plants which produce less than 25 MW each. The smaller the site, the less likely it is to have to meet any cybersecurity regulations.
Solar systems have also become more digitally connected. In residential and most commercial installations, the inverters, which convert solar energy into usable electricity, are connected to the internet to enable remote monitoring, software updates and troubleshooting. In a utility-scale solar plant, dedicated services are put in place to manage remote monitoring, battery usage optimization or production curtailment in case of grid surplus and negative pricing. However, as with many new technologies, cybersecurity has been overlooked in the rush to scale up. Many low-cost systems, whether residential, commercial or utility-scale, are still reachable over the public internet with default or weak passwords, making remote takeover of unsecured PV inverters not just possible but, in some cases, alarmingly easy.
Making cybersecurity more robust with new regulations
Growing awareness across the EU has resulted in many developments in regulation and industry action. The European Radio Equipment Directive (RED) Article 3.3 and the UK’s Product Security and Telecommunications Infrastructure (PSTI) Act made a good start in 2024 on improving the security of connected devices, introducing basic standards like unique and complex passwords, and protections for user data. While these rudimentary requirements apply to a broader set of connected devices, and not just solar, they have helped to raise the bar for our industry as well.
More robust regulation is on the way. The Cyber Resilience Act has been passed, is due to come into effect gradually over the next two years, and will impose stricter security requirements on manufacturers of connected devices than RED or PSTI. The EU’s NIS2 Directive is expected to be adopted across all member states within the next year. How it is transposed will vary from one member state’s lawbook to another, but the drafts make clear that it will assign clearer responsibility and liability for cybersecurity risks to asset owners, operators and critical service providers. In the solar industry, this means the management of EPCs, developers, asset owners and even investors or insurers are expected to carry legal accountability for their solar arrays and for any consequences of a cybersecurity breach, including potential outcomes such as blackouts.
Tightening cybersecurity regulations is a positive development for the industry, but these rules are not solar-specific, leaving gaps. For example, there is little oversight of how device manufacturers manage communications with installed power-producing devices such as inverters, a respect in which residential solar products differ from any other connected device. Even bigger gaps remain in utility-scale setups, as there is no regulation on firewall access management for small solar plants, which constitute the majority of solar power generation in Europe. Regulation is catching up, but awareness is growing fast – a strong sign that more targeted policies are coming. The EU Commission has announced the launch of photovoltaic risk assessments, and countries like Germany have launched public consultations and industry engagement to develop bespoke regulations for their solar sectors. Lithuania has gone a step further, setting severe connectivity limitations on solar devices based on cybersecurity considerations – even retroactively, despite the costly retrofits this imposes on businesses’ legacy installations. Installers, developers and EPCs should therefore closely monitor regulatory changes which may soon impact their business directly.
What can be done
While we await clearer, more robust regulations, the solar industry must take proactive steps now. For homeowners and businesses, the first step is recognizing the inverter being installed as the single most “cyber important” part of the system. Researching the manufacturer’s cybersecurity credentials and overall posture is therefore advisable. For system owners not satisfied with their legacy inverter, installing a local controller or EMS device can mitigate part of the risk.
For owners of utility-scale solar plants, and the O&M companies that service them, it’s important to understand how regulations may soon assign you legal liability for the cybersecurity of your asset portfolio. Just as you’re now required to install fences, security cameras and fire safety measures, in the near future you will likely be required to invest in both software and hardware cybersecurity solutions beyond a simple firewall and VPN connection. Asset owners are advised to onboard the expertise needed to ensure compliance with developing requirements beyond just NIS2, and to understand what contractual obligations they will need to require from their O&M providers and EPC partners. You must also understand that components such as inverters, BESS or your PV monitoring provider may be subject to varying levels of compliance requirements. At minimum, an up-to-date inventory of physical components should be maintained.
Reducing Risk
As regulations tighten, nearly every part of the solar value chain may face the risk of breaches or compliance exposure – meaning costly retrofits, penalty payments, or even product recalls if systems fall short of new standards. Given the long lifetime of solar systems, choosing more secure, future-minded solutions would be wise, as is already standard in other areas such as fire safety, electrical safety or durability, where more durable solar panels are chosen to withstand extreme weather events over the system’s lifetime.
For homeowners and businesses, the solar installer plays a vital role in protecting them from cybersecurity risks. Choosing an inverter with strong access controls, such as unique passwords and encrypted communication, should be standard practice and is likely to become mandatory. That’s why inverter manufacturers must embed cybersecurity into every level of product design while avoiding added complexity for users or installers. For example, manufacturers can offer a simple QR code setup that initiates a cryptographic key exchange, providing strong cloud-based security while keeping installation quick and easy. As authentication technologies evolve, manufacturers should move beyond traditional passwords and adopt best-in-class methods common in other industries, such as biometric verification.
For utility-scale sites, asset owners and Operations & Maintenance companies must start managing access to and control of solar plants of any size as if these were already regulated as critical infrastructure.
Crucially, industry professionals must anticipate regulation rather than react to it. With growing awareness among installers, system owners, and regulators, the era of treating cybersecurity as a cost to be minimized is over. It’s as outdated as viewing seat belts or airbags as superfluous costs in the automotive industry. Instead, it should be seen as a non-negotiable way to reduce liability and risk. Companies that fail to adapt to this paradigm shift will risk being regulated out of the market – or worse, becoming the weak link in a national infrastructure attack. Investing in cybersecurity now will help ensure the continued growth of our industry, and will prevent costly retrofits later.
As the old saying goes, prevention is better than a cure.
Author: Uri Sadot
This content is protected by copyright and may not be reused. If you want to cooperate with us and would like to reuse some of our content, please contact: editors@pv-magazine.com.