SolarPower Europe Calls For Focus On Cybersecurity

With the increasing digitalization of the energy sector, the need of the hour is to be ready for potential technological challenges like cybersecurity, especially for the ‘future-looking sector of solar,’ according to the European solar PV lobby association SolarPower Europe (SPE).  

In a new position paper, it says digital flexibility solutions can help save €32 billion by 2030 and €160 billion by 2040. Nonetheless, this digitalization leaves the energy infrastructure vulnerable to the risk of cyberattacks leading to data theft or manipulation, and disruption of power operations, thus destabilizing the electricity system.  

It refers to an International Energy Agency (IEA) report to show that attacks on the global power grid have increased from 504 to 1,101/week, including ransomware attacks on wind farms and the Russian attack on the Ukrainian power grid on April 8, 2022.  

With the current levels of solar penetration, such a threat impacting the grid remains limited, yet companies are taking measures on their own to ensure resilience against cyberattacks.  

According to the SPE, “As providers increasingly monitor, optimise, visualise, and control modern smart inverters, and other distributed energy resources via remote IT infrastructure, a cybersecurity standard for secure operation becomes essential.” 

Pointing to the world-leading cybersecurity and data protection policies of the European Union (EU), SPE wants the same to be extended to the solar industry. It is calling on the regulators and policymakers to create a sector-specific, harmonized cyber-preparedness baseline.  

“There are clear steps to be taken on the lower voltage levels, including improving cyber risk assessments, setting a new EU standard for product security for distributed energy resources, and empowering consumers to manage their device security,” said SPE’s Deputy CEO Dries Acke. “Any centrally co-ordinated or managed devices (for example, aggregated rooftop solar installations) should have an EU or nationally authorised layer of monitoring.” 

Among its various recommendations are the following:  

• Solar PV power plant owners should bear the responsibility for cyberattacks as part of the Network and Information Security (NIS) 2 Directive implementation.  

• Conduct risk assessments for low-voltage grids in EU and national frameworks. 

• Reinforce cybersecurity at the product level, via the Cyber Resilience Act (CRA) compliance requirements. Incorporate a dedicated standard for distributed energy resources.  

• Operational PV power plant data should remain in the EU or in jurisdictions that can ensure similar security levels.  

• Governments must introduce a security layer to monitor relevant commands where aggregators and manufacturers centrally coordinate distributed energy resource devices like inverters.  

• Users and installers of small-scale PV installations must be able to manage the cybersecurity of their devices by setting strong passwords and installing security updates.  

The SPE position paper titled A Harmonised Cybersecurity Baseline for Solar PV is available for free download on its website.