Cybersecurity and solar: Why it's important

In May 2021, the cyberattack on the Colonial Pipeline made headlines across the country. After Colonial shut down their pipelines, gasoline shortages rapidly drove up the price of gasoline and spurred panic buying at fuel stations, particularly across hard-hit southern states. With cyberattacks on energy infrastructure increasing in frequency and severity, what else could be at risk?

Unfortunately, the energy sector has already seen serious cyberattacks in the past–which could be an indicator of future risk. In 2015, Ukraine experienced the first known cyberattack on the power grid, which caused outages at 30 substations and left about 230,000 people without electricity for up to six hours. People with solar-plus-storage systems would typically benefit from grid resiliency in such a situation and would be able to keep the power running–however, solar systems are not entirely immune to the risk of cyberattacks without proper protections.

Historically, cyberattacks concentrated on information technology (IT)–software that stores, sends, or retrieves information. When you think of a typical cyberattack, an IT attack is probably what you're picturing: a hacker accessing your computer's data and holding it hostage until you pay a ransom. However, hackers are increasingly targeting operational technology (OT)–hardware and software that monitors and controls devices–especially as this technology becomes more widespread and exposed to the internet. The attack on the Colonial Pipeline was technically considered an IT attack: the hackers attacked the pipeline's computerized equipment, not the pipeline itself. It also had operational impacts: the company couldn't bill customers due to the attack and thus had to stop its operation, shutting down pipelines.

Cyberattacks on solar panel systems would be classified as OT attacks–a hacker could theoretically gain control of a solar panel system by targeting the inverters. In solar energy systems, the primary function of inverters is to convert the direct current (DC) energy generated by your solar panels into usable alternating current (AC) electricity. However, inverters can also be Internet of Things (IoT) devices, meaning they are physical devices that can connect to and exchange data with other devices over the internet. Most popular inverter companies, including Enphase and SolarEdge, make built-in monitoring systems that send data about your system's production to a desktop or mobile app.

Many companies are also creating energy management system devices that provide more detailed monitoring and controls for your solar system; for example, with a solar-plus-storage system, your energy management system would allow you to turn on and off certain devices powered by your battery. While all of this is great for optimizing your electricity usage, it does introduce risks to OT cyberattacks. When your inverters are connected to the internet, their protection is only as strong as the weakest link–so hackers could (again, in theory) gain access to your internet through your computer and ultimately target your inverters.

A cyberattack on your solar panel system could have various impacts, ranging in severity. If hackers were to gain control of your system's inverters, they could reduce your system's power output. If you have solar-plus-storage, they could also target your battery's inverter and overload your battery so that it ultimately fails. On a larger scale, it's possible that attacks on multiple solar systems could cause grid instability.

However, it's important to keep in mind that cyberattacks are already occurring on the grid, and thus far, they haven't caused any major blackouts in the United States. Residential solar is just one of the many energy sources at risk to hackers, and its risk is comparatively small because creating a large-impact attack would be incredibly difficult. To cause widespread grid instability, it would be much easier for a hacker to target a utility-scale plant with a centralized generator, renewable or otherwise.

As a side note, you may have heard about the 2020 SolarWinds cyberattack, but this had nothing to do with solar!

While utility-scale solar plants must follow cybersecurity standards to become operational, small-scale, residential solar systems and other distributed energy resources (DERS)–electricity sources on the decentralized distribution grid–are not currently required to meet cybersecurity standards. However, as the United States becomes more electrified and the number of DERs grows, it's increasingly important to find ways to secure DERs like residential solar from cyberattacks.

The Department of Energy (DOE) Solar Energy Technology Office (SETO) funds research to make solar more secure against cyberattacks. In 2017, Sandia National Laboratory created a Roadmap for Solar Cybersecurity, funded by SETO, to help SETO and other DOE offices develop research strategies. The DOE Energy Efficiency and Renewable Energy (EERE) office published a Multi-Year Program Plan in 2020, which provides ways to improve cybersecurity across multiple infrastructure and energy sectors, including renewable energy. In addition, SETO has funded numerous other projects to improve cybersecurity, which can be found here.

If you're hoping to increase security for your solar system, there are a few steps that you can take right now. First, most inverter manufacturers will provide a guideline for how to monitor your solar system's production, which will include information about how to maximize security. Often this will entail, at a minimum, changing the default username and password as soon as you set up your system.

Additionally, you can configure your network to be more secure. This could include setting up a strong firewall or creating a separate network for your inverters. These precautions aren't necessary but could add peace of mind if you're concerned about a cyberattack. Finally, as a best practice overall, you want to make sure that you have antivirus and antimalware software installed on your computers and are suspicious of any unknown websites or emails that you come across–by being cautious on your computer or mobile device, you can protect both your personal information, as well as your inverters!

Like all forms of energy, solar systems are at some risk of future cyberattacks. However, as we discussed, there are steps that you can take to increase the security of your system, and overall, your system is less likely to be attacked than a utility-scale power plant. If you're interested in installing a solar system, check out the EnergySage Marketplace to get multiple quotes from local installers. By comparing quotes, you can find a system that meets your needs at the right price.