On July 1, the Federal Bureau of Investigations published a “Private Industry Notification” (PIN) warning of potential cyberattacks against small solar energy facilities.
Cybersecurity has historically not been a major concern or priority for the residential/C&I solar industry, and indeed cyberattacks on small solar facilities are rare—or at least have been to date. While the concern expressed in the PIN principally relates to microgrids and project bundles, the same reasoning applies equally to individual small systems. An attack on 50 small solar facilities is an annoyance, but an attack on 500,000 is a national security risk.
My colleague Steve Millendorf, who specializes in cybersecurity, describes the potential threat as a cross between an Internet of Things (IoT) attack and Stuxnet, and the potential harm is magnified further when we add residential/C&I battery installations to the mix.
This issue will only become more important as small solar systems continue to grow. When every house is a power plant, every house is a target. In many ways, the distributed nature of solar energy provides significant protection against catastrophic failures. But without sufficient protection at the project level, this strength quickly becomes a weakness.
While the PIN identifies the inverters as the likely point attack, I do not believe this is only a matter for inverter manufacturers. It is incumbent upon all of us, as an industry, to ensure that every project includes sufficient protection against malicious attacks—regardless of size.
A cyber attack against a solar panel system—residential or commercial—would likely focus on targeting the system’s operational technology (OT) software and hardware
View referenced article