KRITIS in the EU spotlight as cybersecurity focus sharpens

Amid growing cyberattacks on Europe's energy infrastructure, strengthening cybersecurity is becoming a cornerstone of a modern EU energy system. However, current efforts remain focused on traditional infrastructure such as large, centralised power plants.

Digital threats to PV stability

The report, titled Solutions for PV Cyber Risks to Grid Stability and prepared by DNV for SolarPower Europe, identifies weaknesses in the digital security of PV installations and provides recommendations for risk mitigation. If left unaddressed, vulnerabilities in the cybersecurity of connected solar inverters could pose a serious threat to grid stability and, consequently, to the continent’s energy security.

“Digitalisation offers tremendous opportunities, including savings of up to €160 billion per year in the energy system by 2040. However, it also brings new challenges, including cybersecurity,” said Walburga Hemetsberger, CEO of SolarPower Europe.

Internet-enabled inverters as a gateway

The report highlights that PV systems are increasingly digitalised and interconnected, often relying on internet-enabled inverters that behave more like IoT devices than traditional power plants. These systems can be accessed remotely by various actors involved in their management and operation, including manufacturers, installers, aggregators, service providers and grid operators. Information, data and certain functionalities are hosted online via cloud platforms.

The growing number of actors with direct or indirect access increases the risk of security breaches. As a result, the rapidly expanding PV sector is becoming an attractive target for ransomware and other threats, including physical risks such as remote shutdowns or infrastructure disruptions.

A cluster of vulnerabilities

Key cybersecurity gaps identified include:
– Unsecured remote access to solar inverters, with widespread use of default usernames and passwords
– Firmware updates transmitted without reliable verification mechanisms
– Remote control functions operated via cloud servers, often hosted outside the EU
– Inadequate cybersecurity documentation and inconsistent implementation of procedures

Smaller systems particularly exposed

Security levels are particularly low for small-scale residential and commercial systems, despite nearly 70% being internet-connected. Many installers and service providers lack the personnel and resources “to adequately manage or even understand cyber risks,” the report states. While utility-scale PV systems benefit from experienced operators and stricter standards, smaller systems often lack comparable protection and monitoring.

KRITIS regulations do not apply

Components such as inverters are typically too small to qualify as critical infrastructure (KRITIS) and are therefore not covered by existing EU regulations such as the Cyber Resilience Act (CRA), the Network and Information Systems Code on Cybersecurity (NCCS), the NIS2 Directive or the General Data Protection Regulation (GDPR).

As a result, many manufacturers, installers and service providers with remote access to small PV systems are not bound by any cybersecurity requirements. The lack of a single accountable operator also makes it difficult to apply consistent standards across individual projects.

Market concentration increases systemic risk

The issue is compounded by market concentration. In 2023, twelve major inverter manufacturers – nine based in China – accounted for 85% of the global market, representing 536 GW of installed capacity. In Europe, 70% of inverters installed that year came from Chinese suppliers. Seven inverter brands – Huawei, Sungrow, SMA, SolarEdge, Goodwe, Fronius and Growatt – each had the potential to remotely control more than 10 GW of installed capacity.

A targeted cyberattack exploiting these access points could trigger major disruptions. The report notes that simulations have shown an attack affecting just 3 GW of inverter capacity could have a “significant impact” on Europe’s power grid.

A growing target for future attacks

“The shift to a decentralised energy system strengthens resilience by reducing reliance on single, high-impact assets. But this resilience only holds if new risks are proactively addressed,” Hemetsberger emphasises. So far, the solar sector has experienced fewer cyberattacks than oil, gas or nuclear. However, as solar gains prominence in Europe’s energy mix, it is becoming an increasingly attractive target – whether for financial gain or geopolitical motives.

Sector-specific standards required

To mitigate these risks, SolarPower Europe is calling for sector-specific cybersecurity standards tailored to the solar industry. “Cybersecurity legislation must address the specific requirements of decentralised energy sources such as small-scale rooftop PV,” says Hemetsberger.

Installing an inverter at a site where connectivity meets quiet concern

Fronius International

While general standards such as ISO 17001 or IEC 62443 and sector-specific guidelines like IEEE 1547.3 provide useful guidance, they are not sufficient. A dedicated solar framework should include:

- Secure inverter design
- Protection of cloud-based monitoring platforms
- Mandatory certification schemes for critical assets

According to the report, a group of cybersecurity experts should draft these requirements and guidelines within the next three years.

Restricting remote access

SolarPower Europe also calls for restrictions on remote access and data storage from outside the European Union. As with the GDPR, remote operation of aggregated end-user devices such as small rooftop PV systems beyond defined thresholds should only be permitted in countries offering equivalent security guarantees. Remote access from other regions should be banned unless strict cybersecurity measures are demonstrably in place.

High-risk companies would be required to develop cyber solutions subject to oversight and approval by competent authorities. The report cites Lithuania, where high-risk operators are encouraged to use third-party providers for remote maintenance and software updates. “We must ensure that control over Europe’s solar infrastructure remains firmly within secure legal jurisdictions,” Hemetsberger stresses.

Training for installers also essential

SolarPower Europe urges the European Commission to accelerate implementation through the Network Code on Cybersecurity or similar instruments. It recommends convening stakeholders to define a clear implementation roadmap. A whitelist of certified grid-connected devices could also help strengthen supply chain and grid security. End-user and installer awareness and training are equally important. “To build a modern, secure and reliable energy infrastructure, cybersecurity must be integrated from the ground up,” Hemetsberger concludes. (hcn)
