Time for solar to step up to cyber threat

Deliberate criminal activity is just one type of cybersecurity threat. Image credit: Amaranto.

The ransomware attack earlier this month brought global attention to the scale and sophistication that cybercrime can unleash.

But deliberate criminal activity is just one type of cybersecurity threat. The digitalisation of power grids and the increasing connectivity of solar farms mean that PV assets need to be protected.

Stefano Salerno, COO of Amaranto Asset Management, says most of the solar industry is woefully under-protected.

“At the moment there is no culture of cybersecurity in solar,” he says. “People in solar are not up to date, they are not updating their software or controlling access. There is no backup of the data from the meter. The asset owner is relying on the meter operator but no-one is thinking about the fact that a cyberattack can also impact the meter operator.”

This claim has precedent with the UK suffering smart meter attacks. Ukraine also endured unprecedented hacks of its power grid infrastructure. The risks to the solar industry cannot be overstated. With multi-billion dollar operations like national grid infrastructure vulnerable, solar asset owners must not underestimate the measures they need to take to be as secure as possible.

“The technical solutions in place are still immature. There is no redundancy in place. The correct processes to sign in to systems are not there. Some companies are just plugging a router into a public IP, the network is like a building with an unlocked, open door,” says Salerno.

“If they can get in through the router they can turn off the inverters. They can get in through the O&M software, or the monitoring software, again, it is like letting a kid inside an unlocked building and letting them touch any buttons they want to. They can turn off everything. This is another risk that can affect the production of the site,” explains Salerno.

“It’s about what kind of door and what kind of lock you put on your solar farm to stop anybody from just walking into your house. When a hacker gets in the building, the damage will go straight to the SPV. Investors will ask why they did not protect themselves. The market will then scrutinise this and it could have a very negative impact on a listed fund for example, collapsing the share price.”

Stefano Salerno, COO, Amaranto Asset Management. Image credit: Amaranto.


It’s not all about keeping out hackers. Salerno describes the data generated by an operating solar plant as its identity card, a passport to revenue if you like. It should, then, be treated as such.

“It has to be safe and secure, and stored in the right place without any problems. Asset owners tend not to be directly involved in this process. They have their monitoring, they don't know where the data is physically stored. They are only focused on the output, they don't look at how that data is being processed and stored,” he says.

Maintaining the integrity of production data is directly linked to revenue. Other performance data has operational value too, and protecting it from other interested parties is worthwhile.

Log ins

Another unwelcome visitor to your data could come in the more familiar form of an ex-employee.

“Cybersecurity is not exclusively related to a hacker attack. It happens every day. If an employee changes company and an investment fund doesn't change the username and password of the monitoring system [they can access it]. It could be a [static] generic username for all employees so when someone changes company they still have access to the entire monitoring system.

“We need to develop a culture of monitoring each user on the platform, what time do they log in and what they are doing. If an ex-employee or current employee can get inside the monitoring system, they can get inside the meter, they can get inside the G59 or the CCTV. You have to monitor what they are accessing and what actions they are taking. These are typical scenarios that happen all the time,” claims Salerno.

Unsatisfied with what was on the market, Amaranto has developed its own system in-house, but Salerno insists the most important step is for the industry as a whole to take the issue more seriously. He offers a further incentive, were any needed.

“Think about your insurance firm. They would love to be able to say ‘sorry, against this kind of catastrophic event there is nothing we can do because you didn't have the right tools and procedures in place so it is not covered’.”

A small investment

While mandatory government regulations for the industry may emerge as a push for digitalised grids continues, Salerno has his own advice for asset owners in the meantime.

“The thing is to do an audit. A technical advisor is likely not to have the necessary skills in-house, they look at the rest of the investment but they also lack the mentality of thinking about cybersecurity. I've never seen the due diligence by a technical advisor include scrutiny of the router. Where is it going? What software is in place? Is there a VPN? Who is managing it? Asset owners need to do an assessment and point out the risks, there will never be a perfect IT system.

“Then when you know the risks, you have to do a penetration test and simulate how the system responds to a hacker attack or any other risk and to examine what procedures are in place to inform someone of this so they can put corrective actions in place,” says Salerno.

“It’s a small investment for the owner and this war is moving so fast you have to keep up to date because people will always find a new way in.” 
