Solar Farms in Crosshairs as German NIS-2 Deadline Nears, Officials Warn – AD HOC NEWS

BSI and BfV warn of Russian probes on vulnerable photovoltaic systems. NIS-2 registration deadline July 31, 2026; new KRITIS and TRBS rules expand OT security mandates.
German security authorities have issued a fresh alert: poorly protected photovoltaic installations are being actively probed by Russian operatives. The warning, jointly published in June 2026 by Germany’s Federal Office for Information Security (BSI) and the Federal Office for the Protection of the Constitution (BfV), points to vulnerabilities in inverters, storage units, and remote-maintenance portals. Urgent firmware updates, replacement of default passwords, and checks on network isolation are recommended as countermeasures.
The alert underscores a broader push to tighten cybersecurity for industrial control systems, which is reaching a critical juncture. By 31 July 2026, companies must complete mandatory registration with the BSI under the NIS-2 directive. Although registration became compulsory on 6 December 2025 and the original deadline fell in March 2026, only around 18,500 facilities had registered by the end of May. Firms that miss the date face substantial fines.
The NIS-2 registration is one component of a wider regulatory overhaul. The KRITIS-Verordnung 2026 extends the scope of critical infrastructure protection beyond pure IT security to operational resilience. Newly affected sectors include the pharmaceutical precursor stage, biotechnology, logistics, and research and development. These companies now have to produce detailed risk analyses and resilience measures. Larger enterprises — those with more than 250 employees or annual revenue exceeding €50 million — face tightened oversight.
Alongside the KRITIS expansion, the revised TRBS 1115-1 (Technical Rule for Operational Safety, Part 1) has sharpened requirements for the cybersecurity of measurement, control, and regulation equipment (MSR). It defines six core measures: network segmentation, strict access control, system hardening, independence of safety-relevant components, continuous monitoring, and established emergency management. Monitoring must occur regularly and on an ad-hoc basis — for example after technical changes or when new threat intelligence emerges. Experts stress that non-intrusive capture of network traffic and cross-referencing with vulnerability databases are essential for modern OT monitoring.
The urgency of these controls is backed by troubling data on the physical state of building technology. The TÜV Association’s Baurechtsreport 2026 recorded a defect rate of 35.9% for building services in special structures during the 2025 inspection year — a record high. In 2020, the rate of significant defects stood at 26.1%. The report attributes the deterioration to growing system complexity, aging installations, and a shortage of skilled workers.
In response, industry bodies and technology providers are pushing standardized security frameworks. PROFIBUS & PROFINET International (PI) published a whitepaper in early May 2026 on the secure use of industrial communication protocols, advocating a risk-based approach using zone concepts and segmentation.
New safety-engineering environments released in late June support functional safety up to SIL3 per IEC 61508, increasingly incorporating AI extensions to automate code generation, create test cases, and speed up fault analysis.
Open-source tools are also gaining traction. At trade events this spring, experts demonstrated how organizations can build a zero-trust infrastructure using open-source firewalls, VPNs, and asset-management platforms. While such solutions offer transparency and independence, they require professional planning and ongoing maintenance.
Security service providers are urging a shift away from permanent remote-access connections to OT environments. Instead, they recommend just-in-time permissions to reduce the risk of ransomware infections.

source

This entry was posted in Renewables. Bookmark the permalink.

Leave a Reply