The European Commission (EC) is reportedly “very resolved to take harsh steps” in its enforcement of cybersecurity laws in the solar energy sector.
Speaking at the SolarPLUS Europe conference in Milan last week, Uri Sadot, managing director of solar cybersecurity firm SolarDefend, said that the EC has expressed a “surprisingly strong drive to protect European industry and ensure risk levels are reduced for the grid.”
Get Premium Subscription
The Commission is currently running a dedicated solar risk assessment to determine the parameters of its revision to cybersecurity legislation; Sadot has been part of the technical risk assessment process.
He outlined two primary questions currently being considered in Brussels: What will be allowed around remote access to digital products when building a new project, and potentially earmarking a portion of financing for security? And will Europe have to retrofit existing fleets?
“These are questions being debated and negotiated as we speak in Brussels,” he said. “They may be disruptive to how existing fleets will continue to operate and also financing for future ones.”
The EC could take a number of routes to enforce cybersecurity legislation. At the harsh end, there is the possibility of “rip and replace” policies where products deemed to be risky – likely solar inverters – would have to be replaced. Were it to happen, this would likely apply to larger solar projects deemed to be critical infrastructure, rather than hundreds of thousands of residential systems. Widespread replacements are unlikely, though, as they would be particularly disruptive.
Speaking in Milan, Sadot said: “While regulators are trying to be as non-disruptive as possible, they realise they have to be [somewhat disruptive].”
More realistic might be greater support for European inverter manufacturers or the exclusion of high-risk products or suppliers from the EU’s Net Zero Industry Act (NZIA) capacity auctions. Measures will almost definitely cover remote access to inverters and digital infrastructure, which theoretically gives overseas manufacturers or server operators the ability to switch power assets off from a distant data centre.
Speaking on the panel, Sadot also said that there would be different regulations and standards for different solar market sectors – residential, C&I, utility and balcony solar.
Last week, the South China Morning Post reported that Ursula von der Leyen, president of the EC, approved a plan to stop EU funds going to products containing Chinese inverters. This is a step beyond much of the action and rhetoric the EC has issued around solar supply and cybersecurity concerns, which has so far avoided specifying Chinese origin.
The proposal for the revised Cybersecurity Act did include plans to identify “high-risk” country dependencies and suppliers.
Moreover, in February, the European Investment Bank (EIB) announced plans to support European inverter manufacturers as the dominance of Chinese inverters in the European market raised “cybersecurity as well as strategic dependence concerns.” It may be that the EC ultimately uses a risk assessment scale to determine the cybersecurity of inverters and other digital energy assets, which could become a factor in loans and financing either from the EIB or other bodies.
PV Tech heard that there is reportedly some push and pull between parts of the EC over the severity of the coming restrictions, with some advocating for a complete break with and refusal to finance projects with certain Chinese products, while others call for accepting security measures without excluding products or producers. The restrictions on Huawei’s involvement in European 5G infrastructure form a precedent for similar restrictions around energy products.
Money will probably come into it, too. The price of products, investment and energy will undoubtedly be weighed against any harsh security measures or restrictions on market access. But with global tensions rising and evidence of malicious attacks on solar infrastructure, Sadot said he is confident that the measures brought in will be robust.
Cybersecurity attacks on solar energy could theoretically result in blackouts. The attack on Poland in December, when hackers targeted 30 wind and solar farms (in Sadot’s words, to “destroy whatever they could”) shows the ability and malicious intent that threatens to undermine Europe’s infrastructure without real protection.
Fabian Michel, head of cybersecurity and operational technology at Belectric, pointed to the Iberian blackout last summer (the origin of which was likely not a cyberattack) for evidence of what can happen in a widespread blackout for just 24 hours – namely, deaths, estimated between six and the mid-teens.
Cyberattacks could come from hacker groups looking for ransom or financial gain, or, as is becoming increasingly common, state or state-backed actors looking to cause disruption and destruction to Europe’s grid.
“The Poland attack shows us what is possible if attackers come over the internet into the distributed system operator (DSO) network,” Michel said. He said those attackers (currently thought to be the Russian-linked hacker group Sandworm, reportedly named for the subterranean monsters in Frank Herbert’s novel Dune) found vulnerabilities in publicly accessible devices at around 30 solar and wind power plants; “They are like open doors at your house,” he said. “[the attackers] knock on the door, and if they find an open door they go in.” He said disruptive actors could be inside a DSO network for “days or weeks” looking for vulnerabilities.
“They manipulate settings in your inverters, they manipulate your remote terminal units (RTUs),” he said. In the case of the Poland attack, the internet connection for the assets was disabled and the DSO was unable to control them, yet they were still connected to the grid. Luckily, the attackers were unable to cause much disruption to power production.
The Poland attack shows a change in motivation among cyber attackers, Sadot said, from ransom or theft to “vandalism or state-on-state attack. There were a lot of cases in Ukraine where sites were breached just to do damage, to wreak havoc. And that’s exactly what happened in the week after Christmas Eve in Poland.”
Europe’s grid can withstand a power disruption of up to around 3GW. Immediate fluctuations above that threshold could trigger widespread blackouts.
The obvious response to this reality is to secure large-scale power plants, of whatever technology, against cyber and physical attacks. And that has been largely successful; the panelists in Milan agreed that utility-scale solar plants are well protected, as they are recognised as critical infrastructure and large companies have to account for risk to secure financing.
But large inverter vendors control tens of gigawatts of assets, in some cases, spread across thousands of small residential, C&I and smaller grid-scale installations. There is currently no obligation for asset owners to implement specific security measures on assets from 1MW to 100MW, Michel said.
“If you had ten power plants of 90MW, you are under the threshold [for existing critical infrastructure requirements],” added Sadot, despite the company in this scenario potentially having up to 1GW of capacity in its digital system. He said that the digital management systems of the largest inverter vendors could potentially reach up to 50GW of operational capacity; “This is a real cyber concern that has got on the radar of regulators in the recent few years, both from a cyber breach point of view and a foreign influence point of view.”
Theoretically, a breach in the digital systems of a major inverter supplier could open doors for attackers to access GWs of distributed systems across Europe.
Beyond the sheer security risk, Robin Hirschl, managing director of asset owner PV-Invest, said that cyberattacks “cost more than US$20 million per minute.”
The digital control of inverter-based infrastructure could be based outside Europe, and often in China or the US. Given growing geopolitical tensions with China, Russia, and most recently with the US over Greenland, it seems all too timely that the EU is considering bold action. But, as came up in a discussion on procurement strategies for traceability and ESG we heard at the conference last week, reliance on regulation alone could be a risky strategy as tensions rise.

source