The ransomware attack earlier this month brought global attention to the scale and sophistication that cybercrime can unleash.
But deliberate criminal activity is just one type of cybersecurity threat. The digitalisation of power grids and the increasing connectivity of solar farms mean PV assets need to ensure they are protected.
Stefano Salerno, COO of Amaranto Asset Management, says most of the solar industry is woefully under-protected.
“At the moment there is no culture of cybersecurity in solar,” he says. “People in solar are not up to date, they are not updating their software or controlling access. There is no backup of the data from the meter. The asset owner is relying on the meter operator but no-one is thinking about the fact that a cyberattack can also impact the meter operator.”
This claim has precedent with the UK suffering smart meter attacks. Ukraine also endured unprecedented hacks of its power grid infrastructure. The risks to the solar industry cannot be overstated. With multi-billion-dollar operations like national grid infrastructure vulnerable, solar asset owners must not underestimate the measures they need to take to be as secure as possible.
“The technical solutions in place are still immature. There is no redundancy in place. The correct processes to sign in to systems are not there. Some companies are just plugging a router into a public IP, the network is like a building with an unlocked, open door,” says Salerno.
“If they can get in through the router they can turn off the inverters. They can get in through the O&M software, or the monitoring software, again, it is like letting a kid inside an unlocked building and letting them touch any buttons they want to. They can turn off everything. This is another risk that can affect the production of the site,” explains Salerno.
“It’s about what kind of door and what kind of lock you put on your solar farm to stop anybody from just walking into your house. When a hacker gets in the building, the damage will go straight to the SPV. Investors will ask why they did not protect themselves. The market will then scrutinise this and it could have a very negative impact on a listed fund for example, collapsing the share price.”
It’s not all about keeping out hackers. Salerno describes the data generated by an operating solar plant as its identity card, a passport to revenue if you like. It should, then, be treated as such.
“It has to be safe and secure, and stored in the right place without any problems. Asset owners tend not to be directly involved in this process. They have their monitoring, they don't know where the data is physically stored. They are only focused on the output, they don't look at how that data is being processed and stored,” he says.
Maintaining the integrity of production data is directly linked to revenue. Other performance data has operational value too, and protecting it from other interested parties is also worthwhile.
Another unwelcome visitor to your data could come in the more familiar form of an ex-employee.
“Cybersecurity is not exclusively related to a hacker attack. It happens every day. If an employee changes company and an investment fund doesn't change the username and password of the monitoring system [they can access it]. It could be a [static] generic username for all employees so when someone changes company they still have access to the entire monitoring system.
“We need to develop a culture of monitoring each user on the platform, what time do they log in and what they are doing. If an ex-employee or current employee can get inside the monitoring system, they can get inside the meter, they can get inside the G59 or the CCTV. You have to monitor what they are accessing and what actions they are taking. These are typical scenarios that happen all the time,” claims Salerno.
Unsatisfied with what was on the market, Amaranto has developed its own system in-house, but Salerno insists the most important step is for the industry as a whole to take the issue more seriously. He offers a further incentive, were any needed.
“Think about your insurance firm. They would love to be able to say ‘sorry, against this kind of catastrophic event there is nothing we can do because you didn't have the right tools and procedures in place so it is not covered’.”
A small investment
While mandatory government regulations for the industry may emerge as a push for digitalised grids continues, Salerno has his own advice for asset owners in the meantime.
“The thing is to do an audit. A technical advisor is likely not to have the necessary skills in-house, they look at the rest of the investment but they also lack the mentality of thinking about cybersecurity. I've never seen the due diligence by a technical advisor include scrutiny of the router. Where is it going? What software is in place? Is there a VPN? Who is managing it? Asset owners need to do an assessment and point out the risks, there will never be a perfect IT system.
“Then when you know the risks, you have to do a penetration test and simulate how the system responds to a hacker attack or any other risk and to examine what procedures are in place to inform someone of this so they can put corrective actions in place,” says Salerno.
“It’s a small investment for the owner and this war is moving so fast you have to keep up to date because people will always find a new way in.”