
Reassessing the role distributed solar operators and installers have to play in minimising cybersecurity risks, and developing legislation to support these parts of the European solar industry, could have a significant impact on the ability of the European solar industry to protect itself from cyberattacks.
These are some of the conclusions drawn by SolarPower Europe and DNV, which co-authored and today published a report into European cybersecurity. The report, ‘Solutions for PV Cyber Risks to Grid Stability’, identifies inverters as a critical piece of cybersecurity infrastructure; speaking on a panel hosted by the trade body to launch the report, SMA Solar director of global public affairs Eric Quiring dubbed inverters the “heart and brain of the power plant”.
The report notes that simulations have shown that an attack made against just 3GW of inverter capacity could have “significant implications” for Europe’s power grid, a warning that is all the more stark considering this week’s blackout in Spain and Portugal.
While Ryan Davidson, principal engineer for grid cybersecurity at DNV, suggested today that there have only been “reports” of this event being tied to a cyberattack, and that “at the moment all we can do is sit and wait” to learn more, the incident has once again refocused attention on the effectiveness and reliability of Europe’s power grid. Last year, a report from Ember found that Europe’s grids would lack capacity for over 200GW of solar power alone by the end of the decade.
The report also points out that the vast majority of inverter manufacturers have much greater manufacturing capacity than just 3GW, suggesting that should even a single inverter manufacturer fall to a cyberattack, Europe’s grid as a whole could suffer. The crucial importance of inverters to Europe’s grid, and the fact that inverter manufacturers are vulnerable in this way, means that the risks are “above acceptable limits”, according to the SolarPower Europe and DNV report.
Distributed energy challenges
At the panel discussion held this morning, speakers pointed out that improving European solar cyber-resilience is not as simple as imposing new legislation, due to the increasingly distributed nature of European solar.
While 2024 marked a significant slowdown in new capacity installations, particularly in the distributed sector, the residential rooftop sector alone still added 12.8GW of operating capacity, and SolarPower Europe still expects Europe’s cumulative installed solar capacity to exceed 800GW by the end of the decade.
This growth in distributed system deployments means that members of the public and commercial and industrial managers—that is, people who may not have access to specialised cybersecurity training—are increasingly shouldering the burden of ensuring Europe’s solar systems are protected from cyberattacks.
“The regulators have and tried to take on those challenges,” said Quiring. “While I wouldn’t say this was a market failure, the development of solar was so quick, at SMA we [tackled] those challenges over time.”
“The connected solutions we see in the solar field were initially not covered by the design of central power plants,” continued Quiring, highlighting how new solar projects, particularly those in the distributed sector or those that rely on connected devices and Internet of Things technology, are affected by neither the design of, nor the legislation covering, traditional centralised power plants.
There are also gaps in the legislative framework itself. The report points out that the components of many PV systems, such as inverters used in distributed systems, are too small to be classified as “critical infrastructure”, so are excluded from some existing regulations, and are not the responsibility of utilities to manage.
As a result, simply expanding and enforcing existing legislation may not be sufficient; a broader rethinking of its purpose and scope, and which people and products it targets, may be necessary.
“We need to clearly change the parameters of energy security that we have in Europe,” said SolarPower Europe CEO Walburga Hemetsberger, who introduced a presentation on the report. “Traditionally we focused on the diversification of fossil fuel supplies. The new focus has to be on electrification, powered by abundant European renewables.”
Delivering practical change
Of course, if distributed system operators are to become an increasingly integral part of the European cybersecurity landscape, training and empowering those people to better manage their systems is an obvious starting point.
“What we do at corporate level is train employees,” explained Quiring. “Start with awareness and monitoring the system, helping customers to improve their own security level on both an individual level and on a corporate level.”
“Ideally we wouldn’t have to rely on the homeowners to take steps, but it’s important they do,” agreed Davidson. “They can do certain things like maintain basic cybersecurity hygiene so there’s some kind of access control. From the end user perspective they’re going to have access to comfort services for monitoring or collecting data on their phones or computers, so they want to have passwords for that, and [use] private networks.”
In addition to more comprehensive training, effectively implementing existing legislation could make a significant impact on European solar cybersecurity, according to Felipe Castro-Barrigon, cybersecurity policy officer at the European Commission, who also spoke on the panel. Castro-Barrigon said that legislation such as the EU’s Cyber Resilience Act (CRA), which sets cybersecurity requirements for hardware and software sold in the EU, is theoretically very effective, but that it needs to be better implemented.
“We need to differentiate [between] the existence and comprehensiveness of legislation and the implementation of this existing legislation, and how gaps may come, from the legislation itself or from implementation,” said Castro-Barrigon. “When we look at the existing framework there is a common understanding that it is relatively comprehensive.
“If you look inside you can find more or less all of the elements Ryan Davidson was describing, from device security to supply chain and remote access. It’s relatively recent—implementation is ongoing—so we need to see what is inside versus what can be done and how it will be done.”
Global risk assessment
Many of the difficulties in implementing these rules stem from the fact that connected systems often transcend national and international boundaries. The report notes that the cloud servers that drive inverter function “are assumed to be commonly hosted outside the EU”; while DNV notes that Tier-1 manufacturers typically use servers based in Europe, this remains a potential vulnerability as “inverters can be operated via these cloud servers without any restriction of the host following EU legislation”.
When asked about the prospect of Chinese inverters, deployed in markets such as Europe, being used as a launch pad for cybersecurity attacks, Davidson noted that “there has been a lot of media attention” on the potential for such an event.
Figures from Rystad Energy suggest that China accounted for 68% of the world’s inverter manufacturing capacity in 2023, with Asia as a whole responsible for 77%. While Davidson described the prospect of China using inverters to launch cybersecurity attacks as “very unlikely”, this significant imbalance in the global supply chain still presents a cybersecurity risk.
“This would essentially be economic suicide for any manufacturers that would support this, and generally these manufacturers oppose the economic strategy of China at the moment. Also for China there would be pretty significant geopolitical implications of an attack like this; it’s bordering on this grey area of an act of war or an act of aggression, so that would stress geopolitical tensions quite quickly.
“At the current landscape it doesn’t seem like this is a likely scenario, but we can’t predict the future. We just look at the technical feasibility, and it is technically possible through these vendors, and they have the capacity — it’s gone past the threshold for having enough capacity to have an impact — but it’s extremely unlikely that that capability will be used.”
Davidson went on to call for an “intermediate security layer” for all inverter systems currently in place in Europe, where a trusted third party would be able to provide cybersecurity services to all products, across manufacturers and markets, as part of a more dynamic approach to cybersecurity. This sentiment was echoed by Jörg Ebel, president of the German Solar Association and vice-president of IBC Solar, who also spoke on the panel.
“I think it’s very important that we start to look at cybersecurity not only now, but every time we do this,” said Ebel. “This report is just a glance at the different situations, because security is always a process. We have to work not only once at it but continuously.”