Uri Sadot, Cyber-Consultant for SolarEdge Technologies, discusses how cyber secure renewable energy systems are with the speed of the global transition.
While renewable energy is a key component to achieving the world’s net zero goals, the reality is that there is still work to do to ensure it can be relied upon as a secure energy source.
With solar energy backed as one of the world’s primary energy sources of the future, Uri Sadot, Cyber Security Program Director at SolarEdge Technologies and a longtime cyber security specialist, explains why an increased focus on cyber security amongst vendors, commercial businesses, grid operators and governments is critical to safeguarding future energy security.
The meteoric rise of solar energy in recent years has seen it become an increasingly important component of the global energy landscape – offering homeowners and businesses a clean energy source to reduce their energy bills, while enabling grid operators to leverage a vast distributed energy source to support the grid.
By 2022, over 1,300 TWh of solar energy had been installed worldwide, accounting for just under five percent of global electricity generation1.
A number of drivers have accelerated solar deployment even further, with the pace of solar installations more than doubling each year, making solar the fastest growing power generation technology2.
Energy demands on the grid have never been this high and this will likely only increase as the world transitions from fossil fuels to electrification and other power-hungry applications.
Digitization, data centers and the growth of AI, as well as the mass rollout of electric vehicles and heat pumps.
Governments around the world are ramping up their sustainability initiatives further to meet their net zero targets.
Meanwhile the invasion of Ukraine contributed to a global awakening to the existential threat to energy security when dependance on one’s energy supply lies outside its borders.
These are all factors that have propelled renewable energy sources such as solar to the forefront of future energy security strategies, but with the weighting of dependency shifting from oil and gas to renewables, one must ask how secure is renewable energy supply?
With these systems connected to homes, businesses and grid infrastructure, how cyber secure are they? And who else has access?
The development of cyber security threats in solar closely mirrors what we saw with the rise of the internet three decades ago.
Had we paused in 1995 and taken the time to design the basic protocols of the internet to be cybersecure from the bottom up, the industry would have saved hundreds of billions of dollars in reactive fixes.
With the benefit of hindsight, the solar industry should be designing its products with cyber security top of mind as standard, before mass mainstream deployment occurs and it is too late to prevent a catastrophic cyber event or face extortionate costs to deploy retrospective cyber security measures.
Unfortunately, today there is little mandate or governance to enforce this on solar manufacturers.
The sophistication of cyberattacks has increased hugely in recent years, such as AI-based, botnet and 0-day attacks, as well as state-sponsored attacks used as a tool for geopolitical aggression, with energy networks and grid infrastructure a potentially crippling target.
Recent events such as the cyberattack on a major satellite communications company during the conflict in Ukraine, resulted in the disconnection of 11GW of German Wind Turbines3.
Similar attacks have targeted other renewable energy sources as well as grid substations, as evidenced by incidents in Ukraine where multiple substations were attacked, causing widespread power cuts in Kyiv4.
More recently, a Dutch “white hacker” known as Jelle Ursem gained access to 40,000 homes in the Netherlands via their rooftop solar systems through a remote monitoring tool developed by a Chinese manufacturer, enabling him to view homeowners’ personal data, create new customers and delete existing users5.
He was also able to access how much electricity customers’ solar panels generate via GPS coordinates, and download, adjust and upload inverter firmware.
The solar inverter is the critical component of a solar system that converts the power produced by solar panels into usable electricity.
It is also the part that connects to a home or business’ energy network, as well as the grid as countries move to more distributed energy sources to support grid stabilization.
If cyber security is not taken seriously, this opens the door to potential hacking of the inverter, which could lead to energy supply being remotely controlled and exposed.
Whether you’re a homeowner, business owner or grid operator, considerations should be made over who has access to these inverters and vetting the manufacturers of the technology with cyber security top of mind.
In recent years we’ve seen first-hand the devastating impact of grid failure due to weather events, such as the deep freeze in Texas in 2021 and the 2022 summer heatwave in California, with widespread power outages affecting millions of homes and businesses, and destabilizing people’s livelihoods.
When the grid goes down, restoration can take days or more. If a cyber-attack is involved, this can take even longer with grid operators having to first identify the cause and location of the issue, before clearing the system of intruders.
Only then can a black start process be initiated to gradually restore the grid and carefully bring assets back online to maintain grid balancing of supply and demand.
When the consequences of a cyber-attack on the grid are laid out in these terms, solar’s five percent of global energy production suddenly sounds more substantial, underscoring the critical need for cyber security to be prioritized from the top-down.
Defending against today’s highly sophisticated and automated cyber-attacks firstly requires an increased awareness amongst homeowners, businesses, grid operators and governments that the cyber security of solar products varies dramatically from one manufacturer to another.
Understanding the risk this poses to energy security, there needs to be shift in mindset across the energy value chain to a ‘prevention is better than a cure’ approach – no different to the robust cyber security measures built into phones or cars as standard.
This starts with the manufacturers themselves, who at present, mostly determine the security levels of their products individually without any regulation, resulting in a disparity in standards.
This is tantamount to car manufacturers individually decide on their safety standards.
The technological capabilities to enhance cyber security during product development exist, therefore it is imperative vendors prioritize investment in these technologies over cost-cutting and higher margins.
It should be non-negotiable, just like fire safety or electric safety.
Government regulation is essential to enforce this, setting rigorous quality standards for cyber security that the industry must follow.
This begins with mandating basic cyber security standards for all connected devices, including distributed energy resources (DERs), but also seeking participation from solar manufacturers by implementing physical and software-based security measures and security monitoring capabilities, alongside mitigation plans for potential cyberattacks.
The UK’s recent introduction of the PSTI cybersecurity standard set a global precedent, requiring compliance from all manufacturers of connected consumer devices – including solar inverters – on password strength, support period and technical documentation.
In Europe, the Cyber Resilience Act led by the European Commission – slated to be finalized later this year – is expected to mandate a longer list of cybersecurity requirements starting from 2027.
The act draft addresses thousands of IoT products, with solar inverters being one of them.
While this is a good starting point, improving solar cyber security requires its own legislative category and priority focus – particularly in a region where solar is seen as one of the key energy sources to reduce reliance on foreign oil and gas.
Some positive trends can be seen in the US, where industry associations and production certification labs have made first steps in initiating certification standards.
Whether it’s solar, wind or other renewable sources, it’s evident that abundant clean energy is critical to improving our lives and the health of our planet.
However, as their consumption increases, improving the security of its underlying technology now, before it’s too late, is imperative to safeguard energy and grid infrastructure from potential threats.
Even if the likelihood of needing one is rare, it is there to mitigate the possible dire consequences should an event happen.
While governments are awakening to this, tackling cyber-security in renewables will not work without international collaboration – particularly throughout Europe where cross-country electricity trading is prevalent.
Top-down legislation needs to be met halfway with bottom-up pressure, requiring both homeowners and businesses investing in solar to demand high cyber-security standards as a pre-requisite.
It always goes back to the timeless wisdom: Investing in prevention is better than investing in the cure.
