Cybersecurity can easily fly under the radar, just as a hacker weaves through systems and sifts through files undetected. The documented cases of cyberattacks on the energy system are hardly a page-spanning list, and the cases on solar assets are fewer still. But that doesn’t mean the risk is as slight. What is largely considered to be the first cyberattack on a power grid took place in Ukraine in 2015. It is also considered to be one of the most dramatic cyberattacks in the energy sector; in a scene that could be straight out of a spy movie, an operator in the Prykarpattyaoblenergo control centre was locked out of their computer, watching as their cursor moved independently of any of their own actions. The attack took out 30 substations and caused a blackout that took six hours to fully resolve.
The knowledge that a cyberattack could – and has – caused blackouts seeped into other events. When the UK had a major blackout on 9 August 2019, initial suggestions seen on social media were that it was a result of a cyberattack, although within hours these rumours were quashed. It was, in fact, the result of a lightning strike that triggered faults in an offshore wind farm and a gas-fired power station.
Whilst cyberattacks on solar farms specifically are not commonly reported, this could well change. Digitalisation is creeping into the solar industry, automating processes and making components smarter. And where there are increases in digital technology, the threat of cyberattacks is never far behind.
Digitalisation and the effect of lockdowns
The solar sector is embracing digitalisation little by little. The lockdowns that were put in place due to the COVID-19 pandemic have sped up digitalisation efforts. Companies both in and out of the energy sector have become more reliant on digital tools for their day-to-day running, with many employees working from home. Significantly more business is therefore being conducted via calls and emails rather than face-to-face conversations between colleagues. Whilst this may have affected the awareness of the importance of digital services, it has also increased the risk of a cyberattack.
“The threats and dangers have grown during the lockdown period because of that increased reliance,” according to Geoff Taunton-Collins, senior analyst at renewables insurer GCube. Taunton-Collins says that when compared with other risks solar assets see, the cybersecurity threat level is “reasonable but growing”.
This is echoed by Marek Seeger, information security manager at SMA, who says that solar is “becoming a more interesting target for hackers” as the technology takes a larger role in power supply as a result of decarbonisation and decentralisation efforts.
In particular, small and medium-sized solar systems are in danger, he says, whereas >1MWp plants are usually integrated, connected and maintained “in a professional way that includes all relevant safety measures”.
One way hackers can artificially create a malfunction in a PV system is to launch cyberattacks on the inverter controls and monitoring system, according to Ali Mehrizi-Sani, associate professor at Virginia Polytechnic Institute and State University and co-author of a 2018 paper assessing the cybersecurity risk of solar PV units with reactive power capabilities.
“This is a vulnerability that can be, and has been, exploited to attack the power system,” he says, pointing to how the large number of PV units in the power system – including rooftop solar – means that there are “lots of attack points”, underscoring the importance of cybersecurity at the inverter level.
Keeping cybersecurity measures up to date is therefore incredibly important for solar installers and operators, particularly given the 15-20 year lifetime of a solar farm. Cybersecurity will need to continue to develop as the farms age, with up-to-date measures allowing operators to stay ahead of hackers.
This can, however, be made difficult by a lack of awareness of cybersecurity. Cyberattacks on renewables assets are underreported, according to GCube’s Taunton-Collins, which happens because it’s “easier to keep quiet than other industries”.
Most cyberattacks result in data breaches, such as the cyberattack on EDP in April 2019. The Portuguese energy firm was hit with Ragnar Locker ransomware, with over 10TB of sensitive company files stolen. When third-party data is leaked, it has to be reported to the authorities of the country it occurred in, and an alert has to be sent to the people whose data has been stolen.
However, attacks on renewables assets are more likely to be business disruption attacks, which are private and internal, due to many not holding third-party data. Asset owners therefore often have no reason to publicise that an attack has taken place. Furthermore, releasing information on this sort of attack can hurt the reputation of both the company and potentially of the industry itself, leading to some asset owners keeping quiet.
One cyberattack on a solar farm that did end up hitting headlines, however, was on US solar operator sPower, which occurred in 2019. It didn’t result in any blackouts, and sPower – which owns and operates over 150 renewable generators in the US and recently concluded financing for the 620MWdc Spotsylvania Solar Energy Center, its biggest ever project – has been unsurprisingly tight-lipped about the incident.