As a potential weak point, inverters are the focus of a research project in the USA that aims to develop new measures to protect PV systems. Image: BayWa re
Cybersecurity can easily fly under the radar, just as a hacker snakes through systems and goes undetected through files. The documented cases of cyber attacks on the energy system are hardly a cross-page list, and the number of cases involving solar systems is even lower. But that doesn’t mean that the risk is so low. What is largely viewed as the first cyberattack on a power grid occurred in Ukraine in 2015. It is also considered to be one of the most dramatic cyber attacks in the energy sector. In a scene that was supposed to come straight out of a spy movie, an operator in the Prykarpattyaoblenergo control center was locked out of his computer and watched his cursor move independently of his own actions. The attack triggered 30 substations and caused a power outage that took six hours to fully resolve.
The knowledge that a cyber attack could and does cause power outages infiltrated other events. When the UK suffered a major power outage on August 9, 2019, initial suggestions were made on social media that it was the result of a cyberattack, although rumors were suppressed within hours. In fact, it was the result of a lightning strike that caused faults in an offshore wind farm and gas-fired power station, rather than the result of a cyber attack.
Cyber attacks on solar parks are not reported frequently, but this could change. Digitization is creeping into the solar industry, automating processes and making components more intelligent. And where digital technology increases, the cyber attack threat is never far behind.
Digitization and the effects of locks
The solar sector is gradually relying on digitization. The bans introduced due to the COVID-19 pandemic have accelerated digitization efforts. Companies both inside and outside the energy sector are increasingly reliant on digital tools for their day-to-day operations as many employees work from home. Significantly more business is therefore carried out through calls and e-mails via a personal conversation between colleagues. While this has undermined awareness of the importance of digital services, it has also increased the risk of a cyber attack.
“The threats and dangers have increased during the lockdown period because of this increasing dependency,” said Geoff Taunton-Collins, senior analyst at renewable energy insurer GCube. According to Taunton-Collins, the scale of the cybersecurity threat is “reasonable but growing” compared to other risks that solar systems see.
This is confirmed by Marek Seeger, Information Security Manager at SMA, who says that solar “becomes a more interesting target for hackers” as the technology plays a bigger role in power supply due to decarbonization and decentralization efforts.
Small and medium-sized solar systems in particular are at risk, since systems with> 1 MWp are usually “professionally integrated, connected and maintained, including all relevant safety measures”.
One way hackers can artificially malfunction a PV system is to launch cyberattacks on the inverter’s control and monitoring system, said Ali Mehrizi-Sani, associate professor at Virginia Polytechnic Institute and State University and co-author of one Paper from 2018 in which the cybersecurity risk of solar PV systems with reactive power.
“This is a vulnerability that can and has been exploited to attack the grid,” he says, pointing out that the large number of PV units on the grid – including solar on the roof – means that there are “lots of attacks “Gives points”, which underlines the importance of cybersecurity at the inverter level.
Updating cybersecurity measures is therefore incredibly important for solar installers and operators, especially given the 15-20 year lifespan of a solar park. This means cybersecurity needs to evolve as the farms age, with current measures allowing operators to stay one step ahead of hackers.
However, this can be made more difficult by a lack of cybersecurity awareness. According to Taunton-Collins, cyberattacks on renewable energies are inadequately reported by GCube because it is “easier to stay quiet than in other industries”.
Most cyber attacks result in data breaches, such as the cyber attack on IT in April 2019. The Portuguese energy company was hit by Ragnar Locker ransomware that stole over 10 TB of confidential company files. If any third-party data is lost, it must be reported to the authorities in the country in which it occurred and a warning sent to the people whose data has been stolen.
However, attacks on renewable energy tend to be more private and internal attacks on business disruptions as many do not have data from third parties. As a result, asset owners often have no reason to make it known that an attack has occurred. In addition, disclosing information about this type of attack could damage the reputation of the company and potentially the industry itself, causing some asset owners to remain silent.
A cyber attack on a solar park that made headlines, however, targeted the US solar operator sPower, which took place in 2019. It resulted in no blackouts, and sPower, who owns and operates over 150 renewable generators in the U.S. and recently closed funding for the 620 MWdc Spotsylvania Solar Energy Center, its largest project of all time – was unsurprisingly close to the incident.