In May 2021, the cyberattack on the Colonial Pipeline made headlines across the country. After Colonial shut down their pipelines, gasoline shortages rapidly drove up the price of gasoline and spurred panic buying at fuel stations, particularly across hard-hit southern states. With cyberattacks on energy infrastructure increasing in frequency and severity, many are starting to wonder: what else could be at risk?
Unfortunately, the energy sector has already seen serious cyberattacks in the past–which could be an indicator of future risk. In 2015, Ukraine experienced the first known cyberattack on the power grid, which caused outages at 30 substations throughout the country and left about 230,000 people without electricity for up to six hours. People with solar-plus-storage systems would typically have the benefit of grid resiliency in such a situation and would be able to keep the power running–however, solar systems are not entirely immune to the risk of cyberattacks without proper protections.
Cyberattacks on operational technology and energy infrastructure are starting to increase
Hackers could attack solar systems via inverters, which could lower production or overload batteries in solar-plus-storage systems
Overall, hackers are more likely to attack utility-scale power plants than residential solar systems because it’s easier to make a larger impact
The Department of Energy is increasing research to make inverters more secure; in the meantime, there are steps to you can take to increase security for your system
Visit the EnergySage Marketplace to get multiple quotes from solar installers
What types of technologies are at risk of cyberattacks?
Historically, cyberattacks concentrated on information technology (IT)–software that stores, sends, or retrieves information. When you think of a typical cyberattack, an IT attack is probably what you’re picturing: a hacker accessing your computer’s data and holding it hostage until you pay a ransom fee. However, hackers are increasingly targeting operational technology (OT)–hardware and software that monitors and/or controls devices–especially as this technology becomes both more widespread and exposed to the internet. The attack on the Colonial Pipeline was technically considered an IT attack: the hackers attacked the pipeline’s computerized equipment, not the pipeline itself. However, it did have operational impacts as well: the company was unable to bill customers due to the attack and thus had to stop its operation, shutting down pipelines.
How could hackers attack your solar system?
Cyberattacks on solar panel systemssystems would be classified as OT attacks–a hacker could, in theory, gain control of a solar panel system by targeting the inverters. In solar energy systems, the primary function of inverters is to convert the direct current (DC) energy that’s generated by your solar panels into usable alternating current (AC) electricity. However, inverters can also be Internet of Things (IoT) devices, meaning they are physical devices that can connect to and exchange data with other devices over the internet. Most popular inverter companies, including Enphase and SolarEdge, make inverters with built-in monitoring systems that can send data about your system’s production to a desktop or mobile app.
Many companies are now also creating energy management system devices that provide more detailed monitoring and controls for your solar system; for example, with a solar-plus-storage system, your energy management system would allow you to turn on and off certain devices powered by your battery. While all of this is great for optimizing your electricity usage, it does introduce risks to OT cyberattacks. When your inverters are connected to the internet, their protection is only as strong as the weakest link–so hackers could (again, in theory) gain access to your internet through your computer and ultimately end up targeting your inverters.
What are the potential impacts of a solar cyberattack?
A cyberattack on your solar panel system could have various impacts, ranging in severity. If hackers were to gain control of your system’s inverters, they could reduce your system’s power output. If you have solar-plus-storage, they could also target your battery’s inverter and overload your battery so that it ultimately fails. On a larger scale, it’s possible that attacks on multiple solar systems could cause grid instability.
However, it’s important to keep in mind here that there are already cyberattacks that are occurring on the grid, and thus far, they haven’t caused any major blackouts in the United States. Residential solar is just one of the many energy sources that are at risk to hackers, and its risk is comparatively small because creating a large impact attack would be incredibly difficult. To cause widespread grid instability, it would be much easier for a hacker to target a utility-scale plant with a centralized generator, renewable or otherwise.
As a side note, you may have heard about the 2020 SolarWinds cyberattack, but this actually had nothing to do with solar!
Are inverters becoming more secure?
While utility-scale solar plants have to follow cybersecurity standards to become operational, small-scale, residential solar systems and other distributed energy resources (DERS)–electricity sources that are on the decentralized distribution grid–are not currently required to meet cybersecurity standards. However, as the United States becomes more electrified and the number of DERs grows, it’s increasingly important to find ways to secure DERs like residential solar against cyberattacks.
The Department of Energy (DOE) Solar Energy Technology Office (SETO) is funding research to find ways to make solar more secure against cyberattacks. In 2017, Sandia National Laboratory created a Roadmap for Solar Cybersecurity, funded by SETO, to help SETO and other DOE offices develop research strategies. The DOE Energy Efficiency and Renewable Energy (EERE) office published a Multi-Year Program Plan in 2020, which provides ways to improve cybersecurity across multiple infrastructure and energy sectors, including renewable energy. In addition, SETO has funded multiple other projects with the goal of improving cybersecurity, which can be found here.
How can you help protect your solar system from a cyberattack?
If you’re hoping to increase security for your solar system, there are a few steps that you can take right now. First, most inverter manufacturers will provide a guideline for how to monitor your solar system’s production, which will include information about how to maximize security. Often this will entail, at a minimum, changing the default username and password as soon as you set up your system.
Additionally, you can configure your network to be more secure. This could include setting up a strong firewall or potentially even creating a separate network for your inverters–these precautions are not necessary, but could add some peace of mind if you’re concerned about a cyberattack. Finally, as a best practice overall, you want to make sure that you have antivirus and/or antimalware software installed on your computers and are leery of any unknown websites or emails that you come across–by being cautious on your computer or mobile device you can protect both your own personal information, as well as your inverters!
Looking to go solar? Check out our Marketplace!
Like all forms of energy, solar systems are at some risk of future cyberattacks. However, as we discussed, there are steps that you can take to increase security of your system, and overall, your system is less likely to be attacked than a utility-scale power plant. If you’re interested in installing a solar system, check out the EnergySage Marketplace to get multiple quotes from local installers. By comparing quotes, you can find a system that meets your needs at the right price.