
As noted here in November 2021 and October 2023, the renewable energy sector faces growing concerns over its vulnerability to cyberattacks. Since then, the situation has not improved; the U.S. electrical grid has grown more vulnerable to cyberattacks,[1] with domestic utilities experiencing a 70% surge in cyberattacks in 2024.[2]
As of August 2024, U.S. solar electricity generation capacity totaled 107.4 gigawatts.[3] With the growth in smaller power generation devices (e.g., rooftop solar devices), the attack surface for renewable energy systems is growing quantitatively (and in complexity, as the components connected to these Operational Technology networks become more diverse).[4] Last year, a People’s Republic of China-sponsored cyber actor, Volt Typhoon, demonstrated how cyberattacks against military critical infrastructure could spread (accidentally or intentionally) to civilian critical infrastructure.[5]
Although solar systems historically presented relatively minor risk of cyberattack, the growth in the number of installations and the modernization of solar power components to communicate wirelessly and/or over the Internet have increased risk for these systems.[6]
Recently, Vangelis Stylkas, a cybersecurity consultant, was able to use a laptop and a cellphone to bypass firewalls in solar panels around the world and “gained access to more power than runs through Germany’s entire system.”[7] Actual “bad actor” attacks on solar energy products have already occurred: remote hackers first interfered with U.S. grid networks through a solar resource on March 5, 2019, when a firewall breach permitted a Denial-of-Service (DoS) condition for a control center and several solar generation sites that affected multiple states.[8] On July 1, 2024, the Federal Bureau of Investigation published a “Private Industry Notification” warning of potential cyberattacks against small solar energy facilities.[9]
Cyberattacks on solar facilities could cause financial damage by changing where power is delivered, and/or physical damage by hacking inverters to change the voltage or current injected into homes or the grid.[10]
The Department of Energy (DOE) advocates multiple layers of protection for solar generation, including anti-virus software in distributed energy resource systems like solar inverters and battery controllers, with virus protection and detection on firewalls and servers that integrate those distributed energy resources (DER) into aggregate grid operations.[11] The DOE’s Solar Energy Technologies Office (SETO) provides multiple resources and standards focused on ensuring the security and capability of the electric grid,[12] including a Roadmap for Photovoltaic Cybersecurity,[13] DER cybersecurity standards,[14] and the Securing Solar for the Grid (S2G) project.[15]
Despite the DOE’s efforts, its guidance on solar industry cybersecurity has been criticized as “limited.” Specifically, the guidance fails to address the vulnerabilities of Smart Supervisory Control and Data Acquisition (Smart SCADA) systems that allow solar projects to be monitored and controlled from a central location via cloud computing, artificial intelligence, and other new technologies to monitor and manage activities like solar tracking.[16] These advanced technologies introduce opportunities to exploit cybersecurity vulnerabilities in the software/source code, in communications protocols and interfaces, and in the supply chain.[17]
Cybersecurity is a dynamic discipline that must evolve in pace with the manifestation of new threats and tools that can circumvent previous security measures; for example, artificial intelligence and quantum computing may soon render standard password protection ineffectual.[18] As our electrical grid becomes more reliant on solar generation, multiple layers of evolving cybersecurity efforts to protect and control that generation will become increasingly essential to preserve grid stability.
[1] “US electric grid growing more vulnerable to cyberattacks, regulator says”, Laila Kearney, Reuters, Apr. 4, 2024; see: https://www.reuters.com/technology/cybersecurity/us-electric-grid-growing-more-vulnerable-cyberattacks-regulator-says-2024-04-04/.
[2] “Cyberattacks on US utilities surged 70% this year, says Check Point”, Seher Dareen and Srivastava Vallari, Reuters, Sept. 11, 2024; see: https://www.reuters.com/technology/cybersecurity/cyberattacks-us-utilities-surged-70-this-year-says-check-point-2024-09-11/.
[3] “Utility-scale U.S. solar electricity generation continues to grow in 2024”, U.S. Energy Information Administration, Oct. 2, 2024; see: https://www.eia.gov/todayinenergy/detail.php?id=63324.
[4] “Energy sector’s digital shift opens door to cyber threats”, Stephen Withers, ComputerWeekly.com Nov. 28, 2024; see https://www.computerweekly.com/news/366616364/Energy-sectors-digital-shift-opens-door-to-cyber-threats.
[5] Ibid.
[6] “Solar Cyber Security Basics”, U.S. Dept. of Energy, see https://www.energy.gov/eere/solar/solar-cybersecurity-basics.
[7] “Hacking Rooftop Solar Panels Is a Way to Break Europe’s Grid”, Eamon Farhat, Bloomberg Law, Dec. 11, 2024; see: https://www.bloomberg.com/news/articles/2024-12-12/europe-s-power-grid-vulnerable-to-hackers-exploiting-rooftop-solar-panels.
[8] “NERC finds first remote hacker interference on US grid from cyberattack”, HJ Mai, UtilityDive; see: https://www.utilitydive.com/news/nerc-finds-first-remote-hacker-interference-on-us-grid from-cyberattack/562478/.
[9] See https://s3.documentcloud.org/documents/24788637/fbiwarning.pdf. See also “Rapid renewable energy growth led FBI to warn hackers will hit new, vulnerable power supply”, Michelle Castillo, CNBC Technology Executive Council, Jul. 29, 2024; see https://www.cnbc.com/2024/07/29/renewable-energy-growth-leads-fbi-to-warn-hackers-will-hit-new-power.html.
[10] Ibid.
[11] Solar Cyber Security Basics”, U.S. Dept. of Energy, see https://www.energy.gov/eere/solar/solar-cybersecurity-basics.
[12] Ibid.
[13] See: https://www.researchgate.net/profile/Jay_Johnson3/publication/322568290_Roadmap_for_Photovoltaic_Cyber_Security/links/5accfd764585154f3f3f9f9b/Roadmap-for-Photovoltaic-Cyber-Security.pdf.
[14] See: https://sunspec.org/cybersecurity-work-group/.
[15] See: https://www.energy.gov/eere/solar/securing-solar-grid-s2g.
[16] “Capturing the Sun: Solar and Cybersecurity”, Henry J. Sienkiewicz and Thelonious K. Walker II, Georgetown University, United States Cybersecurity Magazine, Summer, 2023; see https://www.uscybersecurity.net/csmag/capturing-the-sun-solar-and-cybersecurity/.
[17] Ibid.
[18] “Quantum Plus AI Widens Cyberattack Threat Concerns”, John Koon, Semiconductor Engineering, Sept. 18, 2023, see: https://semiengineering.com/quantum-plus-ai-widens-cyberattack-threat-concerns/. See also “What Is Post-Quantum Cryptography”, U.S. Dept. of Commerce National Institute of Standards and Technology; see: https://www.nist.gov/cybersecurity/what-post-quantum-cryptography.