How cybersecurity is becoming crucial in solar’s digital age

As a potential weak spot, inverters are the focus of a research project in the US looking to develop new measures for protecting PV systems. Image: BayWa r.e.

Cybersecurity can easily fly under the radar, just as a hacker weaves through systems and sifts through files undetected. The documented cases of cyberattacks on the energy system are hardly a page-spanning list, and the number of cases on solar assets even fewer. But that doesn’t mean the risk is as slight. What is largely considered to be the first cyberattack on a power grid took place in Ukraine in 2015. It is also considered to be one of the most dramatic cyberattacks in the energy sector; in a scene that should be straight out of a spy movie, an operator in the Prykarpattyaoblenergo control centre was locked out of their computer, watching as their curser moved independently from any of their own actions. The attack took out 30 substations and caused a blackout that took six hours to fully resolve.

The knowledge that a cyberattack could – and has – caused blackouts seeped into other events. When the UK had a major blackout on 9 August 2019, initial suggestions seen on social media were that it was a result of a cyberattack, although within hours these rumours were squashed. It was, in fact, a result of a lightning strike that triggered faults in an offshore wind farm and gas-fired power station, and not a result of a cyberattack.

This article requires Premium SubscriptionBasic (FREE) Subscription

Unlock unlimited access for 12 whole months of distinctive global analysis

Photovoltaics International is now included.

  • Regular insight and analysis of the industry’s biggest developments
  • In-depth interviews with the industry’s leading figures
  • Unlimited digital access to the PV Tech Power journal catalogue
  • Unlimited digital access to the Photovoltaics International journal catalogue
  • Access to more than 1,000 technical papers
  • Discounts on Solar Media’s portfolio of events, in-person and virtual

Or continue reading this article for free

Whilst cyberattacks on solar farms specifically are not commonly reported, this could well change. Digitalisation is creeping into the solar industry, automating processes and making components smarter. And where there are increases in digital technology, the threat of cyberattacks is never far behind.

Digitalisation and the effect of lockdowns

The solar sector is embracing digitalisation little by little. The lockdowns that were put in place due to the COVID-19 pandemic have resulted in a speeding up of digitalisation efforts. Companies both in and out of the energy sector have become more reliant on digital tools for their day to day running, with many employees working from home. Significantly more business is therefore being conducted via calls and emails over a face-to-face conversation between colleagues. Whilst this may have affected the awareness of the importance of digital services, it has also increased the risk of a cyberattack.

“The threats and dangers have grown during the lockdown period because of that increased reliance,” according to Geoff Taunton-Collins, senior analyst at renewables insurer GCube. Taunton-Collins says that when compared with other risks solar assets see, the cybersecurity threat level is “reasonable but growing”.

This is echoed by Marek Seeger, information security manager at SMA, who says that solar is “becoming a more interesting target for hackers” as the technology takes a larger role in power supply as a result of decarbonisation and decentralisation efforts.

In particular, small and medium-sized solar systems are in danger, he says, with >1MWp plants usually integrated, connected and maintained “in a professional way that includes all relevant safety measures”.

One way hackers can artificially create a malfunction in a PV system is to launch cyberattacks to the inverter controls and monitoring system, according to Ali Mehrizi-Sani, associate professor at Virginia Polytechnic Institute and State University and co-author of a 2018 paper assessing the cybersecurity risk of solar PV units with reactive power capabilities.

“This is a vulnerability that can be, and has been, exploited to attack the power system,” he says, pointing to how the large number of PV units in the power system – including rooftop solar – means that there are “lots of attack points”, underscoring the importance of cybersecurity at the inverter level.

Keeping cybersecurity measures up to date is therefore incredibly important for solar installers and operators, particularly due to the 15-20 year lifetime of a solar farm, meaning that cybersecurity will need to continue to develop as the farms age, with up to date measures allowing operators to stay ahead of hackers.

This can, however, be made difficult by a lack of awareness over cybersecurity. Cyberattacks on renewables assets are underreported, according to GCube’s Taunton-Collins, occurring because it’s “easier to keep quiet than other industries”.

Most cyberattacks result in data breaches, such as the cyberattack on EDP in April 2019. The Portuguese energy firm was hit with a Ragnar Locker ransomware, with over 10TB of sensitive company files stolen. When third-party data is leaked, it has to be reported to the authorities of the country it occurred in, as well as an alert sent to the people whose data has been stolen.

However, attacks on renewables assets are more likely to be business disruption attacks, which are private and internal, due to many not holding third-party data. Asset owners therefore often have no reason to publicise that an attack has taken place. Furthermore, releasing information on this sort of attack can hurt the reputation of both the company and potentially of the industry itself, leading to some asset owners keeping quiet.

One cyberattack on a solar farm that did end up hitting headlines, however, was on US solar operator sPower, which occurred in 2019. It didn’t result in any blackouts, and sPower – which owns and operates over 150 renewable generators in the US and recently concluded financing for the 620MWdc Spotsylvania Solar Energy Center, its biggest ever project – has been unsurprisingly tightlipped about the incident.

This is an extract of an article first published in Volume 24 of PV Tech Power. The full article can be read here, or in the full digital copy of PV Tech Power 24, which can be downloaded via the PV Tech Store here

Read Next

Subscribe to Newsletter

Upcoming Events

Solar Media Events
February 28, 2024
Seattle, USA
Solar Media Events
March 12, 2024
Frankfurt, Germany
Upcoming Webinars
March 13, 2024
9am EDT / 1pm GMT / 2pm CET
Solar Media Events
March 19, 2024
Texas, USA