The growing number of solar power plants makes them an increasingly tempting target for cybercriminals. William Noto of cybersecurity firm Claroty looks at the main areas of vulnerability and how the industry can best prepare itself against the growing threat.
Unlock unlimited access for 12 whole months of distinctive global analysis
Photovoltaics International is now included.
- Regular insight and analysis of the industry’s biggest developments
- In-depth interviews with the industry’s leading figures
- Unlimited digital access to the PV Tech Power journal catalogue
- Unlimited digital access to the Photovoltaics International journal catalogue
- Access to more than 1,000 technical papers
- Discounts on Solar Media’s portfolio of events, in-person and virtual
Or continue reading this article for free
The energy sector has emerged as an increasingly vulnerable target for cyberattacks, with a growing number of high-profile cases around the world in the last few years.
As the world steadily transitions to renewable power, the solar industry is also in the firing line. It’s estimated that solar may be the single largest source of energy by 2030, so while there have been no significant attacks on PV technology yet, it will be increasingly tempting to threat actors. The field shares the same vulnerabilities as the wider energy sector and some unique issues that leave it at risk.
Leading trade body SolarPower Europe recently published a paper [1] highlighting the risks and calling for more solar-specific security strategies to mitigate the damage. In the UK, concerns have been raised about security threats emerging with the move towards green energy.
Here we discuss the most likely paths of attack on PV technology, the impact of a serious incident, and what the industry can do to harden its defences against a growing threat.
What are the leading cyber threats facing PV?
Power generation and distribution are highly susceptible to disruptive attacks such as ransomware due to the dire consequences of a serious outage. This puts the sector in the sights of both criminal gangs looking to extort payments and nation-state actors looking to sow discord. The ransomware group BlackCat has been involved in a string of incidents including energy supplier Encevo and the German energy agency.
Industry heads and political leaders alike have also reported an increasing number of attacks since the outbreak of the Russia-Ukraine war [2].
While some groups are motivated by corporate espionage, aiming to break into the system and steal valuable IP, most perpetrators aim to deliver widespread disruption, affecting a large number of people with impacted supply and/or prolonged blackouts.
As such, attacks on PV technology will almost certainly be on a utility-scale level. While residential installations are more vulnerable, their highly distributed nature means any attack will have a lower impact on the function of the overall grid.
The distributed nature of utility-scale PV also makes it an attractive target. A PV grid will typically involve a larger number of smaller sites that have little physical security, compared to a single centralised traditional power generation plant. Breaching one inverter will potentially enable an attacker to “swim upstream” and reach other inverters or even separate facilities on the same network.
Alongside maximising the impact of their strike, threat groups will also aim to find the path of least resistance into their target system. Systems as large and complex as energy infrastructure are naturally rife with overlooked weaknesses that can be exploited for ready system access. Unpatched software vulnerabilities and gaps in access controls are readily exploited by threat actors.
“Breaching one inverter will potentially enable an attacker to ‘swim upstream’ and reach other inverters or even separate facilities on the same network”
The heavy reliance on cyber-physical systems (CPS) is another major security challenge. operational technology (OT) systems that control the physical environment are increasingly interconnected with traditional IT networks.
While this has enabled several advantages in automation and remote connectivity, it also exposes critical assets to cyber threats they were not designed for. Further, standard security tools are rarely compatible with OT systems, leading to gaps in security processes and blind spots in threat monitoring.
Why inverters are a prime target
The inverter is one of the main targets for attackers exploiting CPS. A recent report by the European Solar Manufacturing Council (ESMC) on sustainability and resilience in solar highlighted the inverter as a primary cyber target, labelling it “the heart and brain of the PV system” [3].
With most critical functions for the system being controlled from the inverter, it’s a priority target for malicious actors looking to wreak havoc with unauthorised shutdown or discharge commands that will interrupt supply.
As with many other elements of the power grid, the greatest challenge in securing inverters is that they have been around for quite a long time and were generally not originally designed with strong cybersecurity in mind.
The industry has undergone rapid digitalisation in recent years, resulting in critical systems being connected to the cloud that were not designed to withstand attacks originating online.
Most of these systems lack basic cybersecurity controls and blindly follow the commands sent to them without confirming that the sender is authorised.
Furthermore, it’s common to find inverters using either very basic VPN encryption or simply lacking encryption altogether. As such, malicious actors are able to breach the plant’s VPN system and will likely gain ready access to every inverter on the network.
How threat actors execute their attacks
For all the unique factors in PV infrastructure, an attack on the solar grid will likely begin with the same common tactics seen in most incidents. Attackers will usually aim to use stolen user credentials to access the network – Verizon’s annual Data Breach Investigations Report (DBIR) found that stolen credentials were still the most common way of executing a breach in 2023 [4].
Unless there are effective identity and access controls in place, simply possessing the right username/password combination will often be enough to grant a threat actor full system access.
Spear phishing is one of the most effective techniques for harvesting these credentials. Posing as a trusted contact such as IT support or an official system request asking to confirm login details are some of the most common tactics. Threat actors will either launch a phishing campaign themselves, or purchase cred sets stolen by other criminal groups over the dark web.
Once user credentials have been acquired, the attacker will seek to increase their access rights and achieve lateral movement through the network to reach critical systems and data. Again, if there are weak access controls and monitoring capabilities in place, there’s a good chance they will be able to move through the system undetected at this point.
How attacks can lead to disruption and blackouts
With access unlocked, the most direct path to disrupting the grid is to simply send a shutdown command using the native protocols of the inverter. To really pour the pressure on the target, the attacker might swiftly follow this up with a ransomware attack.
SCADA systems, engineering workstations, human-machine interfaces (HMIs) and ICS historians associated with the system would be some of the readiest targets here, resulting in a widespread system lockdown that grinds operations to a halt.
To really maximise the damage, we often see this kind of attack accompanied with wiper commands that would make it very difficult, potentially impossible, to remotely restore systems from backups. This will cause impacts such as interrupted power supplies to take much more time to fix. Threat actors backed by nation states will be aiming for as much disruption as possible, while criminal groups will seek to add more pressure to increase the chances of the victim paying their ransom demand.
The globalised nature of the PV supply chain is another potential risk factor. The recent report from the ESMC highlights Europe’s over-reliance on Chinese manufactured PV inverters and other components as a potential weak link, with an estimated 80% of all currently installed inverters in the EU being made in China.
Due to China’s National Intelligence Services Laws, organisations and citizens are required to provide any assistance required by the state—potentially including sensitive data and system access. The ESMC speculates that in a worst-case scenario of escalated international tensions, the Chinese government could potentially orchestrate mass blackouts through Chinese-supplied inverters. The report recommends prioritising Europe-made infrastructure to reduce the risk.
Defence starts with understanding
While the complexities of PV infrastructure make it challenging to secure against cyber threats, there are several steps that operators can take to improve their resilience against attack and mitigate the impact on their supply.
The first step is to have a strong inventory of the entire network environment. There needs to be an accurate overview of all assets, how they connect and how they are accessed. Without this knowledge, it is impossible to effectively move forward with security controls. Due to the fact standard IT and security tools are rarely compatible with OT systems, a full inventory requires specialist solutions built explicitly for interfacing with CPS and OT assets.
Once a full and accurate inventory has been completed, it can be leveraged to understand the key risk exposures. This knowledge will help to structure and prioritise security efforts to protect the most critical assets first.
This will help to facilitate an exposure management strategy, locating points where the system is exposed to external threats, or where internal assets can be exploited in an attack. Again, this needs to accommodate the physical side of the PV infrastructure and account for how it connects to digital systems that in turn can be accessed online.
Dealing with vulnerabilities and system access are fundamental
Good patch management is one of the most fundamental but often overlooked priorities. Over 21,000 critical vulnerabilities have been reported this year alone [5], and security and IT teams must have a handle on which are the most critical issues in need of urgent patching. The patching plan must also account for physical systems that have not necessarily been designed with security in mind.
Gaining firm control of system access should be high on the agenda. This includes deploying a mature remote access solution designed for CPS environments so that only authorised individuals may access the system remotely. Alongside this, identity and access control measures are essential.
Following a least privilege approach will ensure that authorised users only have access to systems that are essential for their jobs.
Crucially, these controls need to cover the points where IT and OT cross over. This interconnectivity often ends up being a blind spot that gives threat actors the opportunity to evade security controls.
It’s also important to have threat detection and monitoring tools that are built specifically for CPS. This will enable security teams to gain visibility of any potential threat activity and respond quickly before an attack can escalate, even if attackers are exploiting the complexity of the CPS environment.
Finally, it’s essential to have a strong backup in place. A system’s restore capability needs to be regularly tested to ensure it’s up to the task of getting the lights back on quickly in a crisis. As noted, cybercriminals will usually seek to encrypt or wipe backups if they can access them. As such, backups should ideally be safely offsite or otherwise disconnected from the main systems to keep them out of harm’s way.
Seek out frameworks to guide the security roadmap
With the daunting size and scope of a comprehensive strategy, PV operators should also seek to follow standards and frameworks that are applicable in their region. This will help to provide more structure to activity.
As noted by the SolarPower Europe report [1], there is currently a lack of frameworks designed specifically with PV technology in mind. In the meantime, broader energy frameworks will address most PV security issues effectively. Ideally, these frameworks should be seen as a baseline for security, and PV operators should take a proactive stance in further improving their defences.
For companies operating in the EU, the forthcoming NIS2 directive [6] includes the broader energy sector as a critical industry, requiring mandatory controls centred on risk assessment and visibility. The European Commission EC has also published guidance on energy security [7], as has the Cybersecurity and Infrastructure Agency (CISA) in the US [8].
Preparing for a hostile future
Looking ahead, heightened international tensions and emboldened criminal gangs mean that the energy sector is set to remain highly vulnerable to cyberattacks. As solar continues to grow in prominence and scale, it will be increasingly exposed to malicious actors.
We’re also seeing rapid shifts in technology that are further complicating the threat landscape. The rapid pace of AI is one of the most influential developments, with threat actors using the technology to automate both their social engineering attacks on personnel and digital attacks on infrastructure.
Operators will need to be increasingly on guard about spear phishing and ensure personnel are trained to recognise the most common techniques.
Similarly, security teams will need to move even faster to spot and stop more automated attacks. The good news is that AI is also aiding with faster and more accurate security solutions.
While the complexities of CPS-heavy infrastructure mean PV technology is a challenge to secure, the risk can be mitigated with a comprehensive strategy adapted to its unique needs. Combining standard IT security measures like patching and access controls with specialist OT security will help see off attackers intent on putting out the lights.
References
[1] ‘Setting a harmonised cybersecurity baseline for solar PV’, SolarPower Europe position paper, July 2024 https://www.solarpowereurope.org/advocacy/position-papers/setting-a-harmonised-cybersecurity-baseline-for-solar-pv
[2] ‘Europe’s grid is under a cyberattack deluge, industry warns’, Politico, November 2023 https://www.politico.eu/article/energy-power-europe-grid-is-under-a-cyberattack-deluge-industry-warns/
[3] ‘Implementation of the NZIA: Recommendations for resilience, sustainability, and social criteria’, European Solar Manufacturing Council, May 2024, https://esmc.solar/wp-content/uploads/2024/05/2024-05-17-Implementation-of-the-NZIA-Proposition-for-sustainability-social-and-resilience-criteria.pdf
[4] ‘2024 Data Breach Investigations Report’, Verizon Business https://www.verizon.com/business/en-gb/resources/reports/dbir/
[5] National Vulnerability Database, US Department of Commerce https://nvd.nist.gov/general/nvd-dashboard
[6] Directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive), https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
[7] https://energy.ec.europa.eu/topics/energy-security/critical-infrastructure-and-cybersecurity_en
[8] https://www.cisa.gov/sites/default/files/publications/nipp-ssp-energy-2015-508.pdf
Author
William Noto is the vice president, industry principal at Claroty where he specialises in OT and cyber physical system (CPS) security, alongside edge computing, IIOT, ICS and renewables. He is an experienced executive with a demonstrated track record spanning product marketing, product management, sales, software development and technology architecture.
