Amid increasing attacks on energy infrastructure in Europe, energy security measures are becoming a pivotal element of a modern EU energy system. Current efforts are, however, focused on traditional energy infrastructure such as large, centralised power plants.
To accelerate the transition to a smart, digitised renewables-based energy system, the European solar sector has issued strong recommendations to EU policymakers and regulators to address cybersecurity risks associated with its technology in an increasingly digital energy system. Solar photovoltaic (PV) systems are digitalised and increasingly connected to the internet via inverters. A new report, produced by DNV and commissioned by SolarPower Europe, performs a comprehensive risk assessment for the sector and offers clear remedies:
- Develop and mandate industry-specific cybersecurity controls, for example via a standard, for securing remote-controlled solar PV infrastructure.
- Limit remote access and control of EU solar PV systems from outside the EU via the inverter.
Walburga Hemetsberger, CEO of SolarPower Europe, said: “Like any technological revolution, digitalisation presents incredible opportunity, for example, energy system cost savings of €160 billion/y. It also comes with new challenges, like cybersecurity. We didn’t need anti-virus protection for a typewriter – but we do need it for our laptops. As a responsible, forward-looking sector, we have mapped the cybersecurity challenge, and we’re rising to meet it with clear, comprehensive solutions.”
The report notes that Europe’s move away from an energy system dependent on a few, high-impact targets, to a more decentralised system, offers clear energy security benefits. To maximise this benefit, cybersecurity legislation – which focuses on that legacy, centralised energy infrastructure – needs to be updated. It must address the specific security needs of distributed energy sources, like smaller rooftop solar installations. The report also notes that although the solar sector has been targeted by cyberattacks, these do not compare to those seen in other parts of the energy sector, where industrial espionage, ransomware, and attacks leading to public grid blackouts have occurred with increasing frequency over the past decade.
In analysing risk, the report highlights risks from direct controls on inverters, e.g. intended for providing grid services, and updates, e.g. intended for security updates. On the one hand, it finds that utility scale installations are more secure. They are often managed by experienced utilities and covered by the EU’s NIS2 Directive. On the other hand, small scale solar systems, which are often rooftop installations, lack stringent cyber rules. They are connected to the clouds of manufacturers, installers, or service providers. While the impact of compromising a single installation is low, when aggregated for power system efficiency, they become virtual power plants of significant scale.
The report states that a targeted compromise of 3 GW of generation capacity can have significant implications for Europe’s power grid. The analysis reveals that over a dozen Western and non-Western manufacturers control significantly more than 3 GW of installed capacity today. As a consequence, of the 14 risk areas evaluated in the report, five areas are categorised as medium risk, six areas are high risk, and three areas are critical risk. The measurement of risk combines severity of impact and probability. While adopted EU legislation like the Cyber Resilience Act, NIS2 Directive, and the Network Code for Cybersecurity (NCCS) mitigate some of the risk, SolarPower Europe outlines a clear pathway to achieve ‘low risk’ status on all 14 risk areas.
To return to a ‘low’ risk category for cybersecurity, the report recommends two overarching solutions. The first would ensure that existing laws on cybersecurity are specific enough to the needs of the solar sector. The second would introduce new rules that keep the control of relevant solar systems via inverters within the EU or jurisdictions that can provide an equivalent level of security.
On the second solution, the report recommends following an approach similar to GDPR rules, where control of aggregated distributed devices, like small scale rooftop solar systems, should only take place in regions judged equivalent in security to the EU. This should be implemented through the EU NCCS or another new fast-track procedure. High-risk entities would then be required to develop cyber solutions which would be monitored and approved by the competent authorities.
Read the article online at: https://www.energyglobal.com/solar/29042025/new-report-solar-sector-proposes-solutions-to-mitigate-critical-cybersecurity-risks/