For decades, Europe’s energy grid was centralized and analogue, powered by large, highly regulated plants. However, the rapid growth of solar and other renewables has created a decentralized, digital network of smaller sources, the majority of which lack the same security oversight.
While large utility-scale solar plants of over 100MW are typically subject to stricter rules, most European utility-scale solar power comes from sites of less than 100MW.
According to data analytics company Wood Mackenzie, half of that power comes from plants which produce less than 25MW each. The smaller the site, the less likely it is to fall under existing cybersecurity regulations.
Solar systems have also become more digitally connected. When installed in residential and most commercial settings, the inverters, which convert solar energy into usable electricity, are connected to the internet to enable remote monitoring, software updates and troubleshooting.
In a utility-scale solar plant, dedicated services are put in place to manage remote monitoring, battery usage optimization, or production curtailment in case of grid surplus and negative pricing.
However, as with many new technologies, the rapid scale-up of solar has outpaced cybersecurity considerations. Many low-cost systems, including residential, commercial and utility-scale ones, are still accessible over the public internet with default or weak passwords, making remote takeover of unsecured PV inverters not just possible but, in some cases, alarmingly easy.
Making cybersecurity more robust with new regulation
Growing awareness across the EU has resulted in many developments in regulation and industry action. The European Radio Equipment Directive (RED) Article 3.3 and the UK’s Product Security and Telecommunications Infrastructure (PSTI) Act made a good start in 2024 on improving the security of connected devices, introducing basic standards like unique and complex passwords, and protections for user data. While these rudimentary requirements apply to a broader set of connected devices, and not just solar, they have helped to raise the bar for our industry as well.
More robust regulation is on the way. The Cyber Resilience Act will impose stricter security requirements on manufacturers of connected devices than RED or PSTI.
The EU’s NIS2 Directive is expected to be fully transposed into national laws across all member states within the next year. While the specifics of implementation will vary, the drafts make clear that it will assign clearer responsibility and liability for cybersecurity risks to asset owners, operators and critical service providers.
In the solar industry, this means the management of EPCs, developers, asset owners and even investors or insurers is expected to carry legal accountability for their solar arrays and for any consequences of a cybersecurity breach, including potential outcomes such as blackouts.
Tightening cybersecurity regulations is a positive development for the industry, but tailored measures are still needed to fully safeguard solar infrastructure.
For example, oversight remains limited when it comes to how device manufacturers manage communications with installed devices such as inverters, a matter in which residential-scale solar products differ from any other connected devices.
Even greater room for improvement exists in utility-scale setups: there is no regulation on firewall access management for small solar plants, which make up the majority of solar power generation in Europe.
What can be done in the meantime
While we await clearer, more robust regulations, the solar industry must take proactive steps now.
For owners of utility-scale solar plants, and the O&M companies which service them, it is important to understand that regulations may soon assign you legal liability for the cybersecurity of your asset portfolio.
Just as you’re now required to install fences, security cameras and fire safety measures, in the near future, you will likely be required to invest in both software and hardware cybersecurity solutions beyond a simple firewall and VPN connection.
Asset owners are advised to onboard the expertise needed to ensure compliance with developing requirements beyond just NIS2, and to understand what contractual obligations they will need to require from their O&M providers and EPC partners.
You must also understand that components such as inverters, BESS or your PV monitoring provider may be subject to varying levels of compliance requirements. At minimum, updated inventories of physical components should be maintained.
Reducing Risk
As regulations evolve, every part of the solar value chain has an opportunity to strengthen its cybersecurity readiness. Proactively addressing potential vulnerabilities can help avoid costly retrofits, compliance penalties, or product recalls down the line.
Given the long lifetime of solar systems, choosing more secure, future-minded solutions would be wise, as is standard in other areas such as fire safety, electrical safety, or durability, where more durable solar panels are chosen to withstand extreme weather events.
Choosing an inverter with strong access controls such as unique passwords and encrypted communication should be standard practice, and is likely to become enforced. Inverter manufacturers must embed cybersecurity into every level of product design, while avoiding added complexity to users or installers. As authentication technologies evolve, manufacturers should move beyond traditional passwords and adopt best-in-class methods common in other industries, like biometric verification.
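As an added illustration (not code from the article or from any inverter vendor), the following Python audit runs over a maintained component inventory of the kind recommended above and flags the controls this section calls for: no default or weak passwords, management interfaces kept inside the operator's own private management networks rather than exposed publicly, and encrypted management channels. The inventory records, the default-password blocklist and the management network ranges are all constructed sample values.

```python
import ipaddress

# Constructed sample inventory (no real sites, devices or addresses); in practice this
# would be the maintained component inventory the article recommends keeping.
INVENTORY = [
    {"site": "plant-A", "inverter": "inv-01", "mgmt_ip": "10.20.0.11",   "password": "Tq7#vL9pQx2!", "tls": True},
    {"site": "plant-A", "inverter": "inv-02", "mgmt_ip": "203.0.113.25", "password": "admin",        "tls": False},
    {"site": "roof-B",  "inverter": "inv-01", "mgmt_ip": "198.51.100.7", "password": "Rz4$mN8kWe1@", "tls": True},
    {"site": "roof-C",  "inverter": "inv-01", "mgmt_ip": "192.168.1.50", "password": "12345678",     "tls": True},
]

# Assumed policy values: the operator's private management ranges (VPN / management VLANs)
# and a blocklist of vendor defaults. A real audit would load both from the asset owner's policy.
MANAGEMENT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("192.168.1.0/24")]
DEFAULT_PASSWORDS = {"admin", "password", "12345678", "solar", "inverter"}
MIN_PASSWORD_LENGTH = 12


def weak_password(password):
    """True when the password is a known default or too short to count as unique and complex."""
    return password.lower() in DEFAULT_PASSWORDS or len(password) < MIN_PASSWORD_LENGTH


def outside_management_network(ip_text):
    """True when the management address is not inside any approved private management range."""
    addr = ipaddress.ip_address(ip_text)
    return not any(addr in net for net in MANAGEMENT_NETWORKS)


def audit(inventory):
    """Map 'site/inverter' -> list of failed controls, for devices with at least one failure."""
    findings = {}
    for dev in inventory:
        issues = []
        if weak_password(dev["password"]):
            issues.append("default-or-weak-password")
        if outside_management_network(dev["mgmt_ip"]):
            issues.append("management-interface-outside-management-network")
        if not dev["tls"]:
            issues.append("unencrypted-management-channel")
        if issues:
            findings[f"{dev['site']}/{dev['inverter']}"] = issues
    return findings


if __name__ == "__main__":
    # Print one line per non-compliant device for the O&M team to act on.
    for device, issues in audit(INVENTORY).items():
        print(device, "->", ", ".join(issues))
```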
For utility-scale sites, asset owners and Operations & Maintenance companies must start managing access to and control of solar plants of any size as if these were already regulated as critical infrastructure.
Crucially, industry professionals must anticipate regulation rather than react to it. With growing awareness among installers, system owners, and regulators, the era of treating cybersecurity as a cost to be minimized is over. It’s as outdated as viewing seat belts or airbags as superfluous costs in the automotive industry.
Instead, it should be seen as a non-negotiable way to reduce liability and risk. Companies that fail to adapt to this paradigm shift will risk being regulated out of the market – or worse, becoming the weak link in a national infrastructure attack. Investing in cybersecurity now will help ensure the continued growth of our industry, and will prevent costly retrofits later.
As the old saying goes, prevention is better than a cure.