The way forward for cybersecurity: How renewable energy controls can defend inverters from hacks and assaults

cyber security

The world is changing rapidly as the spread of renewable energies increases. According to a study by UC Berkeley and GridLab, falling renewable energy costs could provide 90% clean electricity to the US by 2035. The rapid introduction of non-carbon fuel sources is a trend that is likely to continue for the foreseeable future.

At the same time, the world is becoming less secure. Cybersecurity threats are escalating to operating technologies and inverters, which are increasingly connected to the Internet to aid the operation of the power grid. Atlas VPN reports that cybercrime has annual sales of $ 1.5 trillion – that’s three times Walmart’s annual sales. In short, cybercrime is a lucrative career for hackers.

SMA’s ShadeFix optimization generates more energy than conventional optimizers. ShadeFix also offers higher reliability and lower service risk than alternatives. Watch the video and see for yourself!

In the case of solar systems on a supply scale, intelligent inverters with internet capability are particularly at risk, as they communicate with the grid in order to carry out administrative functions. There is a chance that hackers could use this inverter communication and the grid voltage could get out of control, which could lead to power outages or blackouts. The potential for damage is particularly alarming when the frequency of natural disasters increases.

Research laboratories and inverter manufacturers are taking steps to improve cybersecurity in the inverter itself. However, the flow of information in the grid is very complex. There are market and load management systems that communicate with balancing authorities that are linked to utility companies. These systems use SCADA systems (Project Supervisor Control and Data Acquisition) and finally the power plant control (PPC). This leaves many links in the chain vulnerable to cybersecurity risks.

Is there a solution to effectively reduce risks? One approach is the introduction of cybersecurity protection at the level of the control of renewable power plants. The reduction of the risk of injury in the communication of solar systems contributes to the protection of the inverter and thus the entire solar system and the entire power grid.

Protection of the inverter by solar system control

First, it helps to understand some basic functions and architectures of solar systems. Power plant controls consist of software and hardware, including a PPC and SCADA system. Site operators use a PPC to control the behavior of the plant such as production level, sales, compliance and network stability. The PPC communicates with the plant’s SCADA system and field devices such as inverters via a power plant network using industry-standard communication protocols such as Modbus, TCP or DNP3. The SCADA system serves as a security gateway that enables or restricts the flow of information between the system and the inverter network.

The hardware and software connected to the system control and SCADA systems are located in a housing in a substation outside the solar system. They are connected to the inverter and other field devices via a network of fiber optic cables.

Attacks can occur anywhere along the plant architecture. Hackers can embed malicious malware in the inverter’s communication board, connect it to the connector on the housing that houses the fiber optic cables, or infiltrate the plant control network. Such events can compromise the reliability of the facility by tripping a circuit breaker at the junction or limiting inverters to stop generating electricity, quickly affecting project performance. Even more damage could be caused by the control of the inverter’s reactive power injection or absorption, which could lead to voltage spikes or drops in the grid.

Buyer Beware Webinar: Lessons learned from the inverter test with PVEL – April 6th – Register here for free

So what is to be done?

Since the inverter manufacturers are working on increasing the security directly on the communication board of the inverter, additional protection along the power plant control system offers further safety precautions. For example, a burglar alarm can signal the operator via the SCADA system when the door to the fiber optic network housing has been opened. Operators can also add a list of authorized users to restrict access to plant controls based on IP addresses. It is even possible to define which type of device is allowed to exchange information on a network port and instruct the system to block everything else.

As an additional protective measure, Merit Controls also recommends security methods that are more specific to inverters, e.g. E.g. the separation of the IP network of each device so that one inverter cannot communicate directly with another. All communication must take place via the secure SCADA system, which filters the data traffic. A plant control system also continuously monitors inverter configurations – manufacturer programs to regulate frequency, voltage sweep, and more at a given location. Hackers could potentially change these values ​​and compromise plant reliability, but the right renewable plant control systems will alert operators immediately if a change is detected.

Another recommendation we propose is to use ring communication protocols for fault redundancy. Ring protocols determine how field devices such as inverters are connected for communication – in this case in a ring and not in a linear configuration. This means that the rest of the network can continue to communicate when an inverter is out of service for maintenance. This avoids disconnecting the entire system due to a single point of failure.

We recommend the use of standard naming conventions and communication protocols (Media Redundancy Protocol (MRP) for the ring topology; OPC UA, Modbus or DNP3 protocols for SCADA system filtering, IEC 61131-3 for manufacturer-independent programming language, etc.), as they are proprietary or third-party protocols may pose a higher risk. Widely accepted standards by the industry make it easy to test the facility and troubleshoot problems to ensure long-term project success.

Future-proof against attacks

As cybersecurity threats continue to grow, security officials are adapting existing cybersecurity programs. For example, North American Electric Reliability Corporation (NERC) recently partnered with the US Department of Energy on two pilots under the organization’s Cybersecurity Risk Information Sharing Program (CRISP) to collect data from SCADA and industrial control systems. NERC plans to use this data to monitor the hacking and strengthen network security. In addition, NERC’s E-ISAC (Electricity Information Sharing and Analysis Center) works to protect itself from malicious activity on utility company networks.

The pilots will help advance the collection and dissemination of information through CRISP and will help identify threats to the industrial control systems of utilities by collecting “raw and / or refined operational data” and comparing it to data that the utilities send to you.

On behalf of our customers, Merit Controls monitors the daily ICS-CERT warnings from the Cybersecurity & Infrastructure Security Agency in order to stay up to date on new vulnerabilities and attacks. We recommend that those involved in the project do the same. It is also important to ensure that the SCADA and PPC firmware is always up to date.

It is difficult to say what the next cyberattack on power generation systems will look like or where it will come from. What we do know is that security measures now ensure the best possible protection for inverters and other important components of solar systems. At Merit Controls, protecting the components that power our grid is not just our ethos, it’s our responsibility as a provider in this industry. An intelligent cybersecurity framework protects solar and other distributed energy resources, ensures the security of our critical infrastructure and enables the further development of a cleaner, safer and more resilient grid.

Tom Kuster is the CEO of Merit Controls. Merit has partnered with Sungrow to provide turnkey technology solutions to cybersecurity issues.


Please enter your comment!
Please enter your name here