A report by the European solar association SolarPower Europe highlights cybersecurity challenges for photovoltaic installations in the European Union. The main issues are the vulnerability of connected inverters and data management via cloud services outside Europe.
As solar energy becomes a strategic pillar of Europe's energy transition, another less visible but equally critical challenge is emerging: the cyber security of photovoltaic installations.
A report published on 29 April by SolarPower Europe in collaboration with DNV and the European Inverter Forum highlights worrying gaps in the digital security of the sector. The document, entitled ‘The solar sector proposes solutions to mitigate critical cyber security risks’, contains a clear finding: smart inverters, a key component of solar power plants, represent a vulnerable gateway for increasingly sophisticated cyber attacks.
Still inadequate regulatory framework and governance
Unlike traditional energy infrastructure, solar inverters are often designed and used as connected objects. They are remotely accessible to several entities involved in the management of the installation: manufacturers, installers, energy aggregators, network operators, etc. To this end, information, data and some functions are hosted online via cloud services. The growing number of entities with direct or indirect access to these inverters increases the risk of security breaches. This rapidly growing sector is therefore becoming a primary target for ransomware (which blocks access in exchange for a ransom) or other threats, sometimes even physical ones, such as remote shutdown or infrastructure disruption.
Although the European Union has strengthened its legislation in recent years with the NIS2 Directive, the Cyber Resilience Act (CRA), the Network Code for Cybersecurity (NCCS) or, more simply, the General Data Protection Regulation (GDPR), these regulations are designed for all critical infrastructure and do not always take into account the specific needs of solar energy. For example, small residential or commercial photovoltaic installations often do not meet the thresholds set by the regulations. In addition, the absence of a single operator responsible for security makes it difficult to apply robust standards in individual projects.
While nearly 70% of residential and commercial installations are now connected to the internet, the cyber security knowledge of installers and service providers remains limited given the sophistication of potential attacks. Poor practices – default passwords, absence of firewalls, unsecured configurations – are common. Poorly informed end users are often unaware of the risks associated with remote access or data storage in data centres outside the EU, sometimes in less secure jurisdictions.
The need for adequate measures
The situation is even more worrying when we consider the scale of the capacities involved. In 2023, seven inverter manufacturers had the potential to remotely control more than 10 GW of installed capacity. Compromising just one of these players could potentially affect the stability of the European electricity grid. Sensitive data, whether real-time or relating to user information, may also be at risk of espionage or sabotage, particularly if servers are hosted outside the EU.
In light of these findings, SolarPower Europe is pushing for the adoption of a ‘harmonised cybersecurity framework for photovoltaics’, particularly for smart inverters. The report highlights the need to assess distributed solar systems according to their actual level of risk, define clear security management throughout the lifetime of the equipment, raise consumer awareness and promote systems that are secure by default, and address the lack of a European standard covering the entire decentralised system, including its digital infrastructure.