A recent ethical hack in the Netherlands highlights the critical vulnerability in smart solar panel systems, specifically through converters that connect the panels to the power grid. These devices, essential for grid compatibility, have been found vulnerable to cyber intrusions, including remote disabling and Distributed Denial of Service (DDoS) attacks.
The report by FollowTheMoney, corroborated by a Dutch agency’s 2023 findings (Euractive), shows that solar panels are vulnerable to cyberattacks, challenging the belief that renewable energy infrastructure is inherently more secure than traditional power sources. Historically, cybersecurity in the energy sector has focused on high-value targets like power plants and substations, leading to significant investment in their protection. However, the rise of distributed energy resources (DERs) like solar panels introduces new vulnerabilities. Though smaller than traditional plants, these DERs form a vast, interconnected network that can be exploited rapidly by cyberattacks.
The decentralised nature of DERs (like solar rooftops) generally offers resilience against single points of failure. However, the vulnerability of the solar panel converters poses a significant risk – if hackers exploit these converters across multiple installations, it could trigger a “cascade attack” that destabilises the grid (europarl) Does this challenge the assumption that more nodes mean more security, highlighting the need for stronger cybersecurity in decentralised systems?
The increasing share of solar power in the European energy mix—from 1% in 2010 to 9% in 2023 (Ember), heightens the potential impact of any cyber-attack on these systems. As solar energy becomes more integrated into the grid, a successful cyberattack could severely disrupt energy supply, impacting the broader economy and public safety.
Industry and policy responses point out the need for stronger cybersecurity protocols. SolarPower Europe and other stakeholders advocate for comprehensive EU-wide regulations, such as mandatory monitoring and assessment frameworks for distributed energy sources. The argument is that as solar installations are increasingly aggregated and centrally managed, they require stricter oversight to prevent cyber threats. The push to classify solar panels as a critical product highlights the urgency of addressing their vulnerabilities. This classification would lead to stricter safety and security assessments, reducing their vulnerability.
The geopolitical dimensions of solar panel cybersecurity are significant due to China’s dominance in the global supply chain for solar components. China produces ~60-70% of the world’s solar inverters and converters (IEA), which are identified as vulnerable. The EU faces additional risks if these systems are compromised. Beyond economic impacts, such a compromise could have serious national security implications, increasing risks of espionage, sabotage, or energy blackmail if critical infrastructure relies on potentially compromised components.
The EU’s cybersecurity agency’s (ENISA) report highlights that Europe is currently inadequately prepared for a large-scale attack on its energy infrastructure. Given the sector’s indispensable role in modern economies, it has emerged as a prime target for “advanced persistent threats”, whether they are foreign states or insiders.
The industry’s push for enhanced support of the EU’s home-grown solar sector, likely driven by cybersecurity concerns, aims to reduce dependence on foreign suppliers and boost regional security. The EU Electrification Action Plan highlights that cybersecurity is integral to future energy strategy, linking it directly to overall energy security goals.
The ethical hack in the Netherlands has exposed previously underestimated vulnerabilities in solar panel systems, highlighting the critical need for robust cybersecurity as solar energy increasingly integrates into the European grid. The threat lends support to the need for public investment in domestic and EU solar supply chains. Vulnerabilities in converters, together with reliance on Chinese production, present potential risks to energy security.
For the UK solar industry, which aims to meet its ambitious renewable energy targets, prioritising cybersecurity is crucial. Key considerations should include:
· Integrating strong cybersecurity measures into solar system design and operation.
· Investing in technologies to enhance solar system security.
· Collaboration between government, industry, and academia to develop effective regulations.
· Diversifying the solar component supply chain to reduce geopolitical risks.
· Engaging with global partners to share best practices and establish common standards.
#Geopolitics #cybersecurity #solar #energysecurity