Solar and the cyber winter

Cyber winter is a metaphorical concept describing a profound, structural shift in the nature of cyber threats and cyber-physical risks, particularly against critical infrastructure. The term was coined in 2022 by Yigal Unna, then head of Israel’s National Cyber Directorate, following an Iranian cyberattack on an Israeli water facility. The concept specifically refers to the growing ability of modern cyber threats to operate over prolonged periods and exhibit systemic, coordinated patterns.

“The attack on the Israeli aqueduct caused no immediate physical damage and its main goal was to spark panic among operators and the public,” cybersecurity expert Roberto Setola told pv magazine. “While the incident was contained before any tangible harm occurred, Unna’s warning emphasized a fundamental shift in the nature of cyber operations against critical infrastructure.”

This fundamental shift also defined a cyberattack on several power plants in Poland in December, including many solar PV facilities, allegedly carried out by Russian hackers.

“With this attack, the perspective has shifted,” Setola explained. “Previously, attacks targeted the central SCADA system – the heart of the operation – which, while difficult to breach, is easier to defend because it is unique and centralized. In contrast, in Poland, a series of coordinated attacks were carried out at the field level, suggesting a combination of automated and manual operations.”

Essentially, the attackers focused on the plants’ remote terminal units (RTUs), which are field devices that collect real-time data from inverters, sensors, and meters, and send it to the central control system.

“A single attack on an RTU doesn’t do anything. From an energy balancing perspective, it’s negligible,” Setola said. “However, if hackers attack 100 RTUs simultaneously, the impact becomes significant.”

Gaining this capability traditionally requires time to learn which commands to use and which variables to manipulate. Artificial intelligence, however, is accelerating the process. “Hackers can now attack a large PV plant through all its RTUs rather than going through SCADA, which allows them to cause far more damage,” he said. “Solar also has another vulnerability: many inverters come from the same manufacturer, so a flaw can be exploited across multiple units.”

Setola added that many O&M operators often lack the resources – both quantitative and qualitative – to manage large PV parks effectively. “PV asset owners frequently rely on external suppliers, which paradoxically makes attacks easier,” he noted.

“The first problem is that AI helps attackers carry out sophisticated operations. The second is illustrated by Poland: you don’t need to target a single player controlling 3 GW of power, which is the so-called ‘reference incident’ used for sizing the frequency containment reserve (FRV) and represents the maximum sudden loss that a TSO must be able to absorb in Europe. You can attack 1,000 smaller operators managing 3 MW each. These smaller entities are far less protected because they lack the expertise and resources of larger operators,” Setola said.

Poland’s case is particularly concerning because, while the attacks were not identical, they were carried out across multiple locations with greater sophistication. “The ultimate goal is unclear – maybe to create panic. These attacks didn’t involve extortion, so profit wasn’t the objective. But the consequences could have been severe, a massive blackout, for example. A blackout did occur, although its immediate impact on the population was limited because the threats were detected in time,” Setola explained.

In the Poland attack, an AI-based system acted as an orchestrator to identify potential targets. Each target was then probed using a range of attack strategies. When a vulnerability was found, the attack disrupted the target’s communication capabilities; otherwise, the system moved on to the next target. “The PV plants continued to provide energy to the grid, so nothing happened. If there had been an imbalance, we could have seen grid problems similar to the incident in Spain in April,” he explained. “A single PV park can’t cause such a disruption, but a series of simultaneous events can.”

Setola stressed that the attacks in Poland were essentially war-like, targeting the country rather than individual operators, and can cause extensive damage. “It’s not just about interrupting power generation. Hackers can block software configurations, force plant owners to reset all data, or even delete communication configurations entirely, causing economic losses. Machine downtime and potential fines under the EU NIS2 directive are also possible,” he stressed.

Even small and mid-sized PV operators are at risk, according to the cybersecurity expert. “They may have financial resources but often lack cybersecurity awareness. That makes them likely targets for lucrative attacks,” he said. “Utilities can invest in expertise, technology, and knowledge to protect themselves. Small companies often don’t have a dedicated IT or cyber office.”

He also sees cyber winter evolving into a permanent risk pattern for critical infrastructure, as the current geopolitical landscape is placing the energy sector under increasing scrutiny.

“This suggests that, in the near future, attacks on energy infrastructure are likely to intensify, particularly in the cyber domain,” he concluded. “In my view, cyber risk should now be considered a core variable in the strategic assessments of renewable energy producers. This is especially important as a growing number of financial institutions are beginning to factor a company’s cybersecurity posture into their overall investment and risk evaluation frameworks.”
