To accelerate the transition to a smart, digitised renewables-based energy system, the European solar sector has called on EU policymakers and regulators to address cybersecurity risks in the increasingly digital energy landscape. Solar PV systems are becoming more digitalised, with inverters increasingly connected to the internet. A new report from DNV, commissioned by SolarPower Europe, provides a comprehensive risk assessment and offers clear recommendations for the sector.
1. Development and mandating of industry-specific cybersecurity controls, for example via a Standard, for securing remote-controlled solar PV infrastructure.
2. Limiting of remote access and control via inverters of EU solar PV systems from outside the EU.
The report notes that Europe’s move away from an energy system dependent on a few, high-impact targets, to a more decentralised system, offers clear energy security benefits. To maximise this benefit, cybersecurity legislation, which focuses on that legacy of centralised energy infrastructure, requires updating. In the future, it must address the specific security needs of distributed energy sources such as smaller rooftop solar installations. The report also notes that although the solar sector has been targeted by cyberattacks, these do not compare to those seen in other parts of the energy sector, where industrial espionage, ransomware, and attacks leading to public grid blackouts have occurred with increasing frequency over the past decade.
Include aggregated rooftop solar systems in cybersecurity
In analysing risk, the report highlights risks from direct controls on inverters, e.g. intended for providing grid services, and updates, e.g. intended for security updates. On the one hand, it finds that utility-scale installations are more secure. They’re often managed by experienced utilities and covered by the EU’s NIS2 Directive.
On the other hand, small-scale solar systems, which are often rooftop installations, lack stringent cyber rules. They are connected to the clouds of manufacturers, installers, or service providers. While the impact of compromising a single installation is low, when aggregated for power system efficiency, they become virtual power plants of significant scale.
14 risk areas evaluated
The report states that a targeted compromise of 3 GW of generation capacity can have significant implications for Europe’s power grid. The analysis reveals that over a dozen Western and non-Western manufacturers control significantly more than 3 GW of installed capacity today. As a consequence, of the 14 risk areas evaluated in the report, five areas are categorised as medium risk, six areas are high risk, and three areas are critical risk.
The measurement of risk combines severity of impact and probability. While adopted EU legislation like the Cyber Resilience Act, NIS2 Directive, and the Network Code for Cybersecurity (NCCS) mitigates some of the risk, SolarPower Europe outlines a clear pathway to achieve ‘low risk’ status on all 14 risk areas.
To return to a ‘low’ risk category for cybersecurity, the report recommends two overarching solutions. The first would ensure that existing laws on cybersecurity are specific enough to the needs of the solar sector. The second would introduce new rules that keep the control of relevant solar systems via inverters within the EU or jurisdictions that can provide an equivalent level of security.
New rules recommended
On the second solution, the report recommends following an approach similar to GDPR rules, where control of aggregated distributed devices such as small-scale rooftop solar systems should only take place in regions judged equivalent in security to the EU. This should be implemented through the EU NCCS or another new fast-track procedure. High-risk entities would then be required to develop cyber solutions which would be monitored and approved by the competent authorities.
Clear regulation required for grid digitalisation
Walburga Hemetsberger, CEO of SolarPower Europe: “Like any technological revolution, digitalisation presents incredible opportunity, for example, energy system cost savings of €160 billion per year. It also comes with new challenges, like cybersecurity. We didn’t need anti-virus protection for a typewriter – but we do need it for our laptops. As a responsible, forward-looking sector, we have mapped the cybersecurity challenge, and we’re rising to meet it with clear, comprehensive solutions.” (hcn)