Date: 2025-05-09

From pv magazine France

As solar energy becomes a strategic pillar of the energy transition in Europe, another less visible but equally critical challenge is emerging: the cybersecurity of photovoltaic installations.

A report published on April 29 by SolarPower Europe, in collaboration with DNV and the European Inverter Forum, highlights worrying gaps in the sector's digital security. Entitled “Solar sector proposes solutions to mitigate critical cybersecurity risks,” the document makes a straightforward observation: smart inverters, a key component of solar power plants, represent a vulnerable gateway for increasingly sophisticated cyberattacks.

A regulatory framework and management that are still inadequate

Unlike traditional energy infrastructure, solar inverters are often designed and used as connected objects. They are remotely accessible by several stakeholders involved in managing the installation: manufacturers, installers, energy aggregators, network operators, etc. To this end, information, data, and certain functionalities are hosted online, based on cloud services. The increasing number of stakeholders with direct or indirect access to these inverters increases the risk of security breaches. The rapidly growing sector is therefore becoming a prime target for ransomware (which blocks access in exchange for a ransom) or other threats, sometimes even physical ones, such as remote shutdown or disruption of the infrastructure.

Although the European Union has strengthened its legislation in recent years with the NIS2 directive, the Cyber Resilience Act (CRA), the Network Code on Cybersecurity (NCCS), or, more simply, the General Data Protection Regulation (GDPR), these regulations are designed for all critical infrastructure and do not always address the specific needs of solar energy. For example, small residential or commercial PV installations often fall outside the thresholds defined by the regulations. Furthermore, the lack of a single operator responsible for security makes it difficult to apply robust standards across each project.

While nearly 70% of residential and commercial installations are now connected to the internet, the cybersecurity knowledge of installers and service providers remains limited given the sophistication of potential attacks. Bad practices — default passwords, lack of firewalls, insecure configurations — are common. Poorly informed end users are often unaware of the risks associated with remote access or data storage in non-EU data centers, sometimes in less protective jurisdictions.

Scaling up: The need for proportionate measures

The situation becomes even more worrying when considering the scale of the capacities involved. In 2023, seven inverter manufacturers each had the potential to remotely manipulate more than 10 GW of installed capacity. A compromise of just one of these players could potentially affect the stability of the European electricity grid. Sensitive data, whether in real time or involving user information, can also be exposed to risks of espionage or sabotage, particularly if the servers are hosted outside the EU.

Faced with these findings, SolarPower Europe advocates for the adoption of a “harmonized cybersecurity framework for photovoltaics,” particularly for smart inverters. The report stresses the need to assess distributed solar systems according to their real level of risk, to define clear governance for security throughout the life cycle of installations, to raise consumer awareness and promote systems that are secure by default, and to address the lack of a European standard dedicated to the entire decentralized system, including its digital infrastructure.