As cyberattacks against energy infrastructure surge across Europe, safeguarding the future of solar energy has become more critical than ever. Traditionally, cybersecurity efforts have focused on large, centralized energy assets. However, the accelerating shift toward a digitalized, renewables-based system—particularly solar photovoltaic (PV)—necessitates urgent action tailored to the unique challenges of distributed energy resources (DERs).
Recognizing this emerging need, SolarPower Europe, in collaboration with DNV, has conducted an in-depth risk assessment and issued clear recommendations to elevate cybersecurity standards across the solar sector.
The Digitalization of Solar: Opportunity and Vulnerability
Solar energy today is increasingly reliant on smart inverters and cloud-based management platforms, linking PV systems directly to the internet. While digitalization offers immense benefits—including estimated energy system cost savings of €160 billion annually—it simultaneously creates new vulnerabilities. Cyber threats that were once limited to centralized grid assets now extend to rooftop PVs and commercial solar installations, which often lack the professional cybersecurity measures seen in utility-scale plants.
Walburga Hemetsberger, CEO of SolarPower Europe, aptly compares the situation: “We didn’t need anti-virus protection for a typewriter – but we do need it for our laptops.” In the same vein, protecting solar systems from digital threats must become a core design principle.
Key Risks Identified
The DNV-led study highlights several critical issues:
- Device-Level Threats: Insecure inverters and remote access systems can be exploited to manipulate grid parameters or disrupt power output.
- Supply Chain Vulnerabilities: Installers, service providers, and even manufacturers—especially those outside the EU—may lack stringent cybersecurity controls.
- Grid Stability Threats: A coordinated cyberattack on as little as 3 GW of solar capacity could severely destabilize Europe’s power grid.
Despite solar PVs currently being less targeted than larger utilities, their growing role in Europe’s energy mix makes them increasingly attractive to cyber adversaries.
Strategic Recommendations for a Secure Solar Future
SolarPower Europe and DNV propose a two-pronged approach to mitigate these risks:
- Develop Industry-Specific Cybersecurity Standards:
Existing frameworks like ISO 27001 are too general for solar’s unique requirements. New tailored standards should define cybersecurity practices for solar inverters, cloud platforms, and remote access systems. These guidelines must be integrated into certification processes to ensure consistency and accountability across the industry. - Restrict Remote Access Outside the EU:
To minimize exposure, remote control of solar assets should be limited to entities within the EU or other secure jurisdictions. This mirrors measures taken by countries like Lithuania, which have restricted high-risk foreign access to energy assets.
Further recommendations include implementing secure data hosting within the EU, developing regulated intermediaries to manage remote inverter control securely, and ensuring that all firmware updates and communications are verifiable and tamper-proof.
Policy Action Needed
The report urges the European Commission to adopt these recommendations swiftly, integrating them into the Network Code for Cybersecurity (NCCS). Policymakers should enforce requirements that manufacturers, aggregators, and service providers managing critical solar infrastructure comply with strict cybersecurity standards.
By doing so, Europe can ensure the resilience of its energy transition and fortify the digital backbone of its growing solar fleet.
