Solar parks and large battery systems are now part of critical infrastructure. How important is it to protect them from unauthorised access?
Sonna Barry: Critical infrastructure today includes not just energy networks but many other essential services such as large public companies, hospitals and supermarket chains. The number of attacks has risen sharply over the past five years. Criminals often try to extort ransom money, and an entire criminal economy has emerged.
Cybersecurity: “The solar industry has realised it must act proactively”
What kind of criminal actors are we talking about?
It started with the clichéd "hoodie hackers" or cyberkids who were seeing how far they could get. You might still find a few of them out there. But today we see state-sponsored groups and highly organised cybercrime outfits whose services can be bought on the darknet. These teams systematically scan for vulnerabilities to access data or systems, and the rise in attacks reflects how sophisticated this business has become.
Solar Investors Guide – Hackers highlight solar infrastructure risks (podcast)
Is this a growing wave?
It’s already here. Attacks have become routine occurrences for mid-sized companies. The statistics show thousands of attempted breaches every day. The question isn’t if they happen, it’s whether they succeed. You could say cyberattacks are as frequent now as pickpocketing at a train station.
PV systems under pressure from increasing cyber risks
Have there been known attacks on energy systems?
Cyberattacks now seem to be part of modern warfare. The Baltic states disconnected from the Russian grid to reduce their risk. In 2016, Ukraine suffered a partial blackout caused by hackers, reportedly with links to the Russian state. Incidents like this have become increasingly common.
Lithuania takes the lead on cybersecurity in solar
Are there any known cases in the solar sector?
Studies show that if attackers gain control over even a few gigawatts of PV capacity, they could destabilise the grid by shifting the frequency. Fortunately, that scale has not yet been reached. But as more PV systems and batteries connect to the grid, protection becomes more urgent. It’s the price of progress.
KRITIS in the EU spotlight as cybersecurity focus sharpens
What requirements come from the EU?
We usually split it into compliance and operational security. Let me start with compliance, which covers legal obligations. The EU’s new NIS2 directive will greatly tighten documentation and reporting requirements. The original 2016 directive has been expanded because threats have grown. The energy sector was already covered, but now it applies to many more and smaller providers.
Eurelectric report outlines technologies to ease renewable grid integration
In our field we deal with inverters and storage systems, usually linked to the grid via power electronics and control. What do manufacturers need to consider?
The EU has adopted the Cyber Resilience Act to cover these products. It applies to all internet-connected devices, including inverters, batteries, energy managers and building automation tech. From 2027, such devices may no longer be sold if known vulnerabilities exist. Manufacturers must constantly test for weaknesses and reduce risks, for example through regular firmware updates or targeted fixes for critical flaws.
Robert Janickas of Inion: “Blackouts are a lesson learned for flexibility”
What do you mean by vulnerabilities?
Primarily, we mean gaps that weren’t known when the product was sold but which could allow external access. Detecting such flaws, whether in products or internal IT systems, is the first step towards better cybersecurity. Devices also need to fit seamlessly into a broader security architecture.
Tesvolt presents stackable home and commercial storage system
Can you give an example?
Sure. An inverter sends its operating data to a cloud or operations centre. Those servers are also part of critical infrastructure. So if you’re analysing risk, you can’t stop at the inverter. You need to consider the entire digital chain.
Christian Carraro from SolarEdge: “Going ever-cheaper is high-risk”
How should a solar company proceed, for example if it runs a portfolio of solar parks?
First, ask yourself: do we have anyone in the company with cybersecurity expertise? If not, bring in qualified partners. Otherwise, it’s easy to get overwhelmed, especially with limited internal capacity.
Report: Cybersecurity an issue also for small rooftop solar
What are the key elements of protection?
Compliance is one. Hardening IT systems and operations against attacks is another. You may need partners to meet compliance standards. Among other things, they can help you work through ISO 27001 certification. Even if certification isn’t mandatory, going through its checklists helps identify and fix weak points.
SolarPower Europe extends its reach to storage and flexibility
What’s the right process for identifying vulnerabilities in systems and operations?
Start by analysing your IT landscape and also your operational technology (OT). The key questions: what weaknesses are present, how serious are the associated risks, and what worst-case scenarios could emerge? This kind of baseline analysis requires coordination between management, IT and all departments. It’s about finding critical systems and determining how long they can go down before mission-critical systems are threatened.
From slowdown to restart – Fronius is back on track
What comes next?
Then you address the risks. Cybersecurity must be part of overall risk management. We already do this in fire protection, if needed we bring in outside expertise. Many companies now need to extend this kind of thinking to the area of cyber.
Smarter storage and agile inverters reshape the C&I landscape
Can you give a practical example?
Most firms have fire plans or emergency procedures for technical failures. But what if all your inverters are hacked and your technicians can’t access the systems? You need backup processes ready to go. That’s part of what’s generally referred to as Business Continuity Management, or BCM.
Sigenergy – new app optimises energy management with AI (video)
How do you recover from a cyberattack?
The goal is to restore operations as quickly as possible. You may have to rebuild systems or restore backups. That can take time and money. If hardware is damaged, it must be replaced.
Atmoce – low voltages increase safety (video)
How can damage be limited?
It helps to stock critical components for quick replacement. You also need to decide what data should be stored offline versus in the cloud. Cloud-stored data should have an offline backup that’s inaccessible to hackers. These decisions depend on your risk profile and risk appetite.
Fenecon – innovations driving C&I storage (video)
How reliable are firmware updates and patches?
Updates must be applied promptly and in their latest version. You need an inventory of all devices and the software running on them. This ensures updates reach every relevant system. You also need to test whether the patches actually work in your infrastructure. Ultimately, responsibility for security lies with the operator. It can’t be outsourced.
EcoFlow – more intelligence, more yield (video)
So cyber security is never complete?
Exactly. You can harden systems, but the job isn’t over after installation. Ongoing monitoring is crucial. Monitoring systems will flag suspicious activity, although some alerts turn out to be false positives.
Solar Manager – making complex systems easy (video)
How do you filter the real threats?
AI can help identify typical patterns and distinguish real threats from noise. Attacks leave traces. Good monitoring systems speed up detection and help prevent escalating damage.
Tesvolt – new outdoor storage container (video)
What happens after a confirmed attack?
Then it’s the job of IT forensics. They determine when and how the attack happened, what was compromised and what actions were triggered. Speed matters: the longer attackers remain undetected, the greater the risk.
Lumenhaus – home storage with AI energy management (video)
Is this comparable to fire protection?
Exactly. And just like fire drills, cyberattack response must be practised at all levels. Don’t wait to learn the hard way as that will undoubtedly be expensive.
Kenneth Frey from SOFAR: “Good service is crucial”
Which risks are most often underestimated?
Access credentials. Companies need strong authentication systems and clearly defined access rights. Regular employee training is essential. Otherwise, it’s easy to fall for phishing. Some risks can’t be eliminated entirely, but cyber insurance can help cover potential losses.
Solar Investors Guide – innovation reaching new heights (e-paper download)
How useful is ISO 27001 certification?
It’s part of the Kritis framework and aims to expose and reduce vulnerabilities. At Secida, we’re ISO 27001 certified. It takes time and effort, but it offers an excellent starting framework. Still, I wouldn’t recommend it unless it’s legally required, because it’s resource-intensive.
Solis – new hybrid inverter delivers 125 kilowatts (video)
Is it relevant for the solar industry?
Personally, I would only use inverter suppliers certified to ISO 27001, otherwise you have to assess the risk of non-certified vendors. The standard applies EU-wide, and certification lasts two years.
Akku Sys – smart inverter with innovative architecture (video)
How much does it cost?
We spent a five-figure sum for certification at Secida. The documentation alone takes considerable effort. But preparing for certification is valuable in itself as it helps identify risks and design responses. Once you’ve gathered the documentation, an audit firm steps in. They check whether your documented processes are actually followed in practice. Then you usually get a list of corrections. Recertification after two years is much easier.
Sermatec expands Eastern European presence with 430 MWh storage in Bulgaria
So even small gaps can have major effects?
Precisely. IT systems are often less protected by regulation and more vulnerable. That makes it easier for attackers to reach the core systems. The resulting damage can be immense. That’s why cyber security must be a leadership issue, not just an IT problem.
Interview by Heiko Schwarzburger
About Sonna Barry
Sonna Barry holds a business degree and has worked with complex business software since 2007. Her passion is translating technical knowledge for non-specialist decision-makers. Since 2018, she has focused on cyber security. She is Vice President of Business Development & Strategy at German company Secida AG, which provides analysis, design, implementation and managed services for IT infrastructure and cyber security. Its clients include companies in the energy, finance and industrial sectors.
