As noted here in November 2021 and October 2023, the renewable energy sector faces growing concerns over its vulnerability to cyberattacks.  Since then, the situation has not improved; the U.S. electrical grid has grown more vulnerable to cyberattacks,[1] with domestic utilities experiencing a 70% surge in cyberattacks in 2024.[2]

As of August 2024, U.S. solar electricity generation capacity totaled 107.4 gigawatts.[3]  With the growth in smaller power generation devices (e.g., rooftop solar devices), the attack surface for renewable energy systems is growing both in size and in complexity, as the components connected to these Operational Technology networks become more diverse.[4] Last year, a People’s Republic of China-sponsored cyber actor, Volt Typhoon, demonstrated how cyberattacks against military critical infrastructure could spread (accidentally or intentionally) to civilian critical infrastructure.[5]

Although solar systems historically presented relatively minor risk of cyberattack, the growth in the number of installations and the modernization of solar power components to communicate wirelessly and/or over the Internet have increased risk for these systems.[6] 

Recently, Vangelis Stykas, a cybersecurity consultant, was able to use a laptop and a cellphone to bypass firewalls in solar panels around the world and “gained access to more power than runs through Germany’s entire system.”[7]  Actual “bad actor” attacks on solar energy products have already occurred: remote hackers first interfered with U.S. grid networks through a solar resource on March 5, 2019, when a firewall breach permitted a Denial-of-Service (DoS) condition for a control center and several solar generation sites that affected multiple states.[8]  On July 1, 2024, the Federal Bureau of Investigation published a “Private Industry Notification” warning of potential cyberattacks against small solar energy facilities.[9]

Cyberattacks on solar facilities could cause financial damage by changing where power is delivered, and/or physical damage by hacking inverters to change the voltage or current injected into homes or the grid.[10]

The Department of Energy (DOE) advocates multiple layers of protection for solar generation, including anti-virus software in distributed energy resource systems like solar inverters and battery controllers, with virus protection and detection on firewalls and servers that integrate those distributed energy resources (DER) into aggregate grid operations.[11]  The DOE’s Solar Energy Technologies Office (SETO) provides multiple resources and standards focused on ensuring the security and capability of the electric grid,[12] including a Roadmap for Photovoltaic Cybersecurity,[13] DER cybersecurity standards,[14] and the Securing Solar for the Grid (S2G) project.[15] 

Despite the DOE’s efforts, its guidance on solar industry cybersecurity has been criticized as “limited.” Specifically, the guidance fails to address the vulnerabilities of Smart Supervisory Control and Data Acquisition (Smart SCADA) systems, which use cloud computing, artificial intelligence, and other new technologies to let solar projects be monitored and controlled from a central location, including activities like solar tracking.[16]  These advanced technologies introduce opportunities to exploit cybersecurity vulnerabilities in the software/source code, in communications protocols and interfaces, and in the supply chain.[17]

Cybersecurity is a dynamic discipline that must keep pace with new threats and with tools that can circumvent previous security measures; for example, artificial intelligence and quantum computing may soon render standard password protection ineffectual.[18]  As our electrical grid becomes more reliant on solar generation, multiple layers of evolving cybersecurity efforts to protect and control that generation will become increasingly essential to preserve grid stability.


[1] “US electric grid growing more vulnerable to cyberattacks, regulator says”, Laila Kearney, Reuters, Apr. 4, 2024; see: https://www.reuters.com/technology/cybersecurity/us-electric-grid-growing-more-vulnerable-cyberattacks-regulator-says-2024-04-04/.

[2] “Cyberattacks on US utilities surged 70% this year, says Check Point”, Seher Dareen and Srivastava Vallari, Reuters, Sept. 11, 2024; see:  https://www.reuters.com/technology/cybersecurity/cyberattacks-us-utilities-surged-70-this-year-says-check-point-2024-09-11/.

[3] “Utility-scale U.S. solar electricity generation continues to grow in 2024”, U.S. Energy Information Administration, Oct. 2, 2024; see:  https://www.eia.gov/todayinenergy/detail.php?id=63324

[4] “Energy sector’s digital shift opens door to cyber threats”, Stephen Withers, ComputerWeekly.com, Nov. 28, 2024; see https://www.computerweekly.com/news/366616364/Energy-sectors-digital-shift-opens-door-to-cyber-threats.

[5] Ibid.

[6] “Solar Cyber Security Basics”, U.S. Dept. of Energy, see https://www.energy.gov/eere/solar/solar-cybersecurity-basics.

[7] “Hacking Rooftop Solar Panels Is a Way to Break Europe’s Grid”, Eamon Farhat, Bloomberg Law, Dec. 11, 2024; see:  https://www.bloomberg.com/news/articles/2024-12-12/europe-s-power-grid-vulnerable-to-hackers-exploiting-rooftop-solar-panels.  

[8] “NERC finds first remote hacker interference on US grid from cyberattack”, HJ Mai, UtilityDive; see:  https://www.utilitydive.com/news/nerc-finds-first-remote-hacker-interference-on-us-grid-from-cyberattack/562478/.

[9] See https://s3.documentcloud.org/documents/24788637/fbiwarning.pdf.  See also “Rapid renewable energy growth led FBI to warn hackers will hit new, vulnerable power supply”, Michelle Castillo, CNBC Technology Executive Council, Jul. 29, 2024; see https://www.cnbc.com/2024/07/29/renewable-energy-growth-leads-fbi-to-warn-hackers-will-hit-new-power.html.

[10] Ibid.

[11] “Solar Cyber Security Basics”, U.S. Dept. of Energy, see https://www.energy.gov/eere/solar/solar-cybersecurity-basics.

[12] Ibid.

[13] See:  https://www.researchgate.net/profile/Jay_Johnson3/publication/322568290_Roadmap_for_Photovoltaic_Cyber_Security/links/5accfd764585154f3f3f9f9b/Roadmap-for-Photovoltaic-Cyber-Security.pdf.

[14] See:  https://sunspec.org/cybersecurity-work-group/.

[15] See: https://www.energy.gov/eere/solar/securing-solar-grid-s2g.

[16] “Capturing the Sun: Solar and Cybersecurity”, Henry J. Sienkiewicz and Thelonious K. Walker II, Georgetown University, United States Cybersecurity Magazine, Summer, 2023; see https://www.uscybersecurity.net/csmag/capturing-the-sun-solar-and-cybersecurity/.

[17] Ibid.

[18] “Quantum Plus AI Widens Cyberattack Threat Concerns”, John Koon, Semiconductor Engineering, Sept. 18, 2023, see:  https://semiengineering.com/quantum-plus-ai-widens-cyberattack-threat-concerns/. See also “What Is Post-Quantum Cryptography”, U.S. Dept. of Commerce National Institute of Standards and Technology; see:  https://www.nist.gov/cybersecurity/what-post-quantum-cryptography.

Sean Farrell

Sean combines his experience in real estate law and energy regulation to help clients build the renewable energy projects that will drive the future.

After beginning his legal career in litigation and real estate agreements, Sean found himself drawn to news articles regarding changes in energy law and energy programs through the Public Utility Commission of Texas (PUCT). Realizing his true interest lay in the energy sector, he pivoted from his law firm job and took a position as a PUCT attorney, where he represented the public interest in proceedings before the Commission. Sean served as the lead attorney for the Competitive Renewable Energy Zone docket and regularly addressed matters involving transmission lines, violations and rulemakings.

Sean later returned to the private sector, representing clients in administrative proceedings before the PUCT, including contested rate cases and cases involving placement of transmission lines. He then transitioned from energy matters to real estate law, negotiating commercial leases and purchase and sale agreements, resolving title and survey issues, and representing landlords, tenants and developers.

Today, Sean combines both aspects of his background and represents renewable energy project developers and owners in a variety of real estate matters. He advises clients on title and survey issues, leases, easements, acquisitions and dispositions of property, landowner negotiations, and financing and investment agreements.

Sean greatly values the opportunity to work in such an important and evolving area of law, and he’s particularly excited to work with clients on the cutting edge of energy development. He knows renewable energy is a field the world is increasingly—and necessarily—embracing, and he finds great satisfaction in helping clients build a better and prosperous future.

Erik Dullea

As head of Husch Blackwell’s Cybersecurity practice group, Erik assists clients in all aspects of cybersecurity and information security compliance and data breach response. Erik previously served as the acting deputy associate general counsel for the National Security Agency’s cybersecurity practice group before returning to the firm in 2023.