
“It takes time, and it takes courage!” begins Marcel Suri, CEO of Slovakian data analysis firm Solargis, speaking to PV Tech Premium about changes in technical specifications in the global solar industry, and how this can impact cybersecurity concerns.
Suri’s comments follow increasing appetite for more data collection and usage in the solar industry. Suri himself has written for PV Tech frequently on collecting more granular, high-quality data on solar irradiance and solar project electricity generation to better inform decision-making about those projects; while the International Energy Agency’s Photovoltaic Power Systems Programme (IEA PVPS) has highlighted a lack of data as a key obstacle to the deployment of floating PV projects at scale.
But, as Suri says, collecting this depth of data, and combining it with factors such as macroeconomic conditions, energy prices and electricity generation forecasts, is no simple task for many project managers.
“On one hand it’s about the data, but on the other it’s about the software and how it’s able to put together the various data flows,” Suri says.
“For example, project data historically just needed weather data; now to build a good project – which is typically a combination of PV-plus-storage – you need to have a business model in mind, and your simulation already has to come with some economic data, for example energy prices and the time series of energy prices in your region.”
This is to say nothing of the myriad challenges associated with changing how a project is planned, built and operated; how people are hired for work in this particular industry; and the potential cybersecurity concerns that can arise from more numerical information flowing in and out of solar projects, all of which must be overcome if the solar industry is to optimise its operations.
Dealing with more data
“The simulation starts with solar irradiance data, then it goes to megawatt hours of electricity produced, then you convert it to money [and ask] is this the right way of building the revenue model? Or should I change the technical design, or my business model,” says Suri, describing the data-collection work of Solargis, and how this information needs to be fed into a wider business case for a project, and then assessed.
“It’s more about complexity and having tools which can support your complex decision-making process.”
However, he notes that this increasing complexity is nothing new for the solar industry: while the recent push for more granular weather data, and for more specialised information on the performance of particular solar assets in distinct markets, are new phenomena, the core idea of collecting more information to make a more informed decision about a project is long established.
“This is something that we learned when we introduced our solar database ten or 15 years ago,” explains Suri. “There was a lot of expectation, and everyone was saying: ‘It’s a pain, we need a better solution’. But when that moment comes, everyone suddenly sees the burden of absorbing the change and transforming the company, the teams and the people, and how they use the existing solutions.”

“First, you need to get some level of confidence that this – what is offered – gives you real benefits,” he continues, suggesting that if a developer can be made aware of the financial benefits of incorporating more sophisticated data into their projects, it can be much easier for them to support the initiative.
“At DNV we are really well prepared,” adds Juan Carlos Arévalo, CEO at GreenPowerMonitor, which provides software solutions to manage renewable energy assets, and is owned by DNV. He told PV Tech Premium that this greater appetite for data, and working with information in a more sophisticated way, has encouraged DNV to hire more than 500 “cyber experts”.
“The teams, which are in project development, need to recruit people who are skilled in various areas,” agrees Suri, suggesting that dealing with more nuanced data is not simply about existing asset managers learning how to use the wealth of information now available, but bringing data experts into the solar space.
“Selling electricity today applies a combination of power purchase agreement (PPA) and direct participation on the energy market, which means that you need to have people who understand short-term forecasting. You need more people to understand various things, and they need better data and better software.”
A growing cybersecurity challenge
When asked about the growing complexity of data in solar asset management, Uri Sadot, cybersecurity programme director at inverter producer SolarEdge and cybersecurity lead at SolarPower Europe, suggested that a greater depth and complexity of data being stored at solar projects presents a cybersecurity risk, as this information could be attractive to potential hackers.
“S&P Global Commodities said cybersecurity is one of the top three trends in 2025 for inverters,” said Sadot, adding: “We’re seeing it across the board, from customers to regulators to vendors.”
“There is no way of escaping this,” agrees Suri. “In certain markets, like the US, they’re effectively there, and in Europe, we’re approaching [that].
“With the blackout in Spain and Portugal, we clearly see that PV needs to more proactively support the grid,” he continues, referring to April’s blackout that was, at one point, thought to have been a cyberattack, before this was ruled out by the Spanish energy minister. “You cannot be a simple power generator, we need to offer grid-supporting or grid-forming services, which are not only technical [decisions] but also financial and business [decisions]; we need to have business models that attract this.”
When asked why this has become such a priority in recent years, Sadot says there are two key reasons: the penetration of solar power to the world’s “big leagues” and awareness-raising done by bodies such as SolarPower Europe.
“Part of it is the maturation of the industry; ten years ago, the penetration in terms of the contribution to the energy mix [was smaller],” he says. A report into European solar cybersecurity published by DNV and SolarPower Europe earlier this year found that the rapid pace of solar project deployment had made it challenging for legislators to keep up with new policies to support the breadth and depth of these projects.
“Across countries in Europe, it’s getting to critical thresholds [which] means that – we may talk about what happened in Spain and Portugal – it’s a big contributor to the overall mix, which imposes new levels of reliability and responsibility for the vendors.
“Number two is a lot of awareness-raising work that’s been done, by SolarPower Europe and some of the vendors, and maybe the global atmosphere – [for example] the war in Ukraine and America pulling out of Europe – where there’s this level of concern that hasn’t existed in the past,” adds Sadot.
“I would say we face more than 2,000 cyberattacks per minute, every day, so we are really well-protected,” says Arévalo, highlighting the scale of the challenge. “We have our own cybersecurity team, protecting the solutions. We play the role of data custodian for our customers, so we cannot afford to have a failure. We are following all the standards, and I think we are quite well-protected.”
‘Hard technical truths’
However, Sadot notes that there are some “hard technical truths” about the current setup of devices and components used in solar projects that present some inherent vulnerabilities from a cybersecurity perspective.
“The concern about cybersecurity is that there are some hard technical truths,” he says. “Solar systems can be controlled remotely in residential and commercial settings. Typically, they’re controlled in central places, and that’s the technical reality of the architecture of inverters, how they’ve matured bottom-up without regulation.

“You have these potential single points of failure that now have more and more power and responsibility that’s been placed on them; if you managed one of these servers ten years ago, who cares, but today you’re a critical infrastructure operator,” continues Sadot, who goes on to describe the question of who has access to these servers as a “political question”.
“I’m not a political expert – I can talk about the architecture – but we know from other industries that architecture that is centralised is very attractive to hackers and criminals, setting aside political motivations. If you can threaten downtime and disruption of servers, as we’ve seen in Ukraine as part of the war [where] you’ve seen data wipes, a criminal will have a lever, and will say: ‘give us a ransom payment’.”
However, he does not say this to be downbeat about the solar industry, or to suggest that optimising operations to help meet the world’s climate goals will always bring security risk for operations, which is simply the cost of doing business in the modern day. He says this to make it clear that these are vulnerabilities that the industry is aware of, and actively working to fix.
Taking the burden off customers
Fixing these vulnerabilities could be key, particularly in the residential sector, where interest has slowed in Europe. Figures from SolarPower Europe show that Europe added just 5GW of new residential solar capacity in 2024, down from 12.8GW in 2023, and Sadot suggests that a lack of coherent cybersecurity legislation has made it challenging for consumers to feel confident that their projects will not be attacked.
“My philosophy is that a homeowner, like my aunt, should not be expected to know anything about cyber,” he explains, calling for more coherent legislation to take the cybersecurity burden off customers, particularly in the wake of the DNV-SolarPower Europe report that suggests that, at the very least, policymakers are aware of the need to work faster. “It’s better not to open phishing SMS messages and not have the same password for everything for ten years, but I think the real responsibility is on regulators, companies and businesses.”
“There hasn’t been a regulation setting what they should be, and you see different vendors have very different levels. Imagine if each car vendor individually decided whether they put in a seatbelt or an airbag. You can imagine that, say, Volkswagen would make a responsible choice, but others would not, they’d look to compete on price and quality, and that’s what we’re seeing in the inverter space.”
Inverters, in particular, have been a source of cybersecurity concerns recently, following the discovery of ‘rogue’ communication devices in Chinese-made inverters in the US. Solar Energy Industries Association (SEIA) CEO Abigail Ross Hopper called the incident a “serious issue”, and Sadot suggests that the solar industry could learn from other sectors, such as banking, where inter-device communication is accepted as part and parcel of operating procedure.
“When you manage these systems – these fleets of devices – there are fairly well-established best practices,” he says. “There’s a reason we all trust our online banking app. There are ways to create digital systems in ways that are very secure [and solar] legislation hasn’t really reached that point.”