Addressing the growing cybersecurity concerns within solar

By Uri Sadot
Solar asset management.
“Solar inverter manufacturers must realise they are building critical infrastructure, and treat it as such by prioritising investment in cybersecurity technologies,” says Uri Sadot. Image: FieldProxy.

Large energy sites like gas plants and nuclear facilities have long been protected with rigorous cybersecurity regulation. New entrants to the energy mix, such as offshore wind farms and solar utility fields, have also been subject to similar regulatory structures to some degree, due to their large size.

However, as the world transitions to an even more decentralised energy infrastructure, with millions of consumer-scale solar systems on the roofs of homes and businesses, numerous internet-connected components are involved, each with unique vulnerabilities. This presents very different cybersecurity challenges to the large energy sites we’ve dealt with in the past.

Often referred to as the ‘brain’ of a solar system, the PV inverter is responsible for converting power from solar panels into usable electricity. In commercial and residential rooftop solar installations, the inverter is directly connected to the internet, making it the point of exposure for a cyberattack on a solar system, with potentially grave implications.

It has already been proven that, by obtaining administrator rights, hackers can gain remote control of a manufacturer’s installed solar systems. With this access, the hacker could disable or damage inverters, lock them for ransom, or access sensitive parts of the customer’s network. For businesses, this could include customer management databases and financial systems. Hackers may also be interested in energy consumption data, which reveals detailed household routines or business performance.

A more concerning possibility is hackers targeting the central servers that manage these solar systems. Thousands, sometimes millions, of systems can be controlled from a single point. These servers can be targeted by hackers in order to take down the entire grid.

Grids are designed to constantly maintain balance between supply and demand of electricity. If the gap between supply and demand surpasses a critical threshold, sections of the grid can enter emergency shutdown. Current consensus among experts is that the energy produced by residential solar systems has long surpassed the maximal gap threshold. With millions of solar installations worldwide, these implications are driving increased scrutiny of the cybersecurity of solar.

Targeted attacks have already begun

In May 2024, the European Solar Manufacturing Council (ESMC) called for greater efforts to tighten inverter cybersecurity. That same month, Vangelis Stykas – an ‘ethical hacker’ whose purpose is to expose cyber flaws so they can be fixed – announced that using just a mobile phone and laptop he had gained full remote access to solar systems from six global inverter manufacturers.

This gave him access to aggregated power of over three times the entire German grid. While he did not attack grid operations, he had access to significant amounts of power, which could have been used to cause widespread outages.

Uri Sadot headshot.
“Governments are now on the back foot, needing to address this issue urgently from a standing start,” says Uri Sadot. Image: SolarEdge.

In August, two further solar companies were hacked by renowned cybersecurity leader Bitdefender, giving them access to 195GW of solar power, or 20% of global solar production. Meanwhile, the Dutch ethical hacking group DIVD disclosed six new cybersecurity vulnerabilities to a major solar inverter manufacturer that left four million systems in over 150 countries exposed.

But not all hacks on solar systems were benign. In early February 2024, a Russian cybercriminal group gained access to the Lithuanian utility company Ignitis. The hackers provided video evidence of shutting down user accounts and demanded ransom to cease their attacks. They did so through the targeting of solar monitoring software and by accessing data from 22 facilities including hospitals and military academies.

Another malicious real-world cyberattack making headlines took place in Japan. Hackers hijacked 800 Japanese solar remote monitoring devices, exploiting them for bank account thefts. Unlike most vulnerabilities, this one is unfixable as there is no remote update mechanism in place, leaving the vulnerability permanently open.

DERSec is a cybersecurity company that published a review of 54 solar energy cyberattacks and vulnerabilities on consumer-level systems in October 2024. The report found that the rising trend of cyberattacks is likely to continue, as threat actors seek to penetrate and disrupt critical infrastructure around the world. This has led to an awakening amongst industry bodies and governments, providing proof that the cybersecurity risks via solar are very much real.

The response from industry bodies and governments

In light of these events, SolarPower Europe – the leading solar association in Europe – recently stated that the EU must act now to enforce high standards of cybersecurity on the manufacturers of solar inverters in order to protect energy security. This was also echoed by the ESMC.

In the US, the FBI also recently warned about hackers targeting critical infrastructure, and specifically vulnerable renewable power supplies, citing the increasing reliance on renewables and the lack of sufficient cybersecurity protocols and regulations.

Governments are now on the back foot, needing to address this issue urgently from a standing start. In the US the White House’s Office of the National Cyber Director (ONCD) recently published a roadmap outlining the critical technologies in need of cybersecurity as the clean energy transition accelerates. It identified specific product categories, like solar inverters and electric vehicle (EV) chargers, which require special attention.

Others, such as the Dutch RDI government agency and research firm SECURA, or the Australian Cybersecurity Cooperative in its Power Out report, have also identified this risk.

In some areas, we have seen the first regulation to address Distributed Energy Resources (DERs) take shape. The UK’s Smart Charge Points regulation, for example, requires the incorporation of built-in hardware delay timers in EV chargers to prevent mass outages and allow the grid time to adjust in case a cyberattack starts. However, while this might mitigate the worst-case scenario, it doesn’t prevent DERs being hacked in the first place.

The European Commission is attempting to address this through more robust regulation. But for some, it may be too late. Lithuania is a prime example, the first country to take matters into its own hands. Soon after the cyberattack on the Lithuanian utility in February, the local Parliament made the decision to ban nations classified as threats to Lithuania’s national security from remotely accessing solar, wind and storage devices.

This means solar inverters from nations considered adversarial by Lithuanian law will be banned from 1st May 2025, and existing facilities must disconnect non-compliant inverters by the same time the following year.

How do we solve this?

In the absence of robust regulation, solar inverter manufacturers must realise they are building critical infrastructure, and treat it as such by prioritising investment in cybersecurity technologies over cost-cutting and higher margins, to help ensure the future stability and security of the solar industry.

In addition, businesses investing in solar must be made aware of the cyber risks and evaluate the cybersecurity measures of different suppliers to ensure their systems are secure. This means asking questions of the installer, such as: Who has remote access to my solar system? Where is my data stored and how is it being protected? Is it a brand with a good track record on cybersecurity? Otherwise, you may find yourself with an inoperable system, or owning a soon-to-be non-compliant solar system that needs to be replaced well before the end of the ROI period.

As we race to deploy clean energy technologies, embedding cybersecurity from the outset is paramount. The rapid deployment of the internet three decades ago came with significant cybersecurity compromises that we are still paying for today. In order to avoid making these mistakes of the past, the lesson is clear: prevention is better than cure.

Uri Sadot is the elected chairman of SolarPower Europe’s digitalisation group and cybersecurity program director at SolarEdge.
