From the Summer 2023 Issue

Capturing The Sun: Solar and Cybersecurity

Henry J. Sienkiewicz
Faculty | Georgetown University

Thelonious K. Walker II
Alumnus, 2023 | Georgetown University

Burning mirrors.

Since the seventh century BCE, man has tried to harness the power of the sun. Burning mirrors, magnifying glasses, were used to concentrate the sun’s rays.[1] These burning mirrors were positioned to focus sunlight onto a specific target. The concentrated heat was initially used to light fires; they eventually generated steam, heated fluids, and, even, liquefied metals. Today, the modern equivalents of these burning mirrors are found in solar power plants and industrial settings capturing the sun.


From those early crude uses, solar panels have become a cost-effective and viable solution to the ever-growing demand for energy. Growth within the solar sector has been impressive. Over the last ten years, there has been an average annual growth rate of 24%. Concurrently with this growth rate, the cost to install solar has halved.[2] An average-sized residential system has dropped from a pre-incentive price of $40,000 in 2010 to roughly $25,000 today, while recent utility-scale prices range from $16/MWh – $35/MWh, competitive with all other forms of generation.[3] According to statistics, the global solar energy market is expected to grow at a Compound Annual Growth Rate (CAGR) of 20.5% during the forecast period from 2021 to 2026.[4]

Solar energy investment in the United States has experienced significant growth in recent years due to a combination of factors including improvements in solar panel efficiency, cost reductions, supportive government policies, and increased public awareness of the need for clean energy sources. The Federal Investment Tax Credit (ITC) and the Inflation Reduction Act (IRA) provide tax incentives for individuals and businesses that install solar energy systems. In addition, many states have enacted renewable portfolio standards which require utilities to obtain a certain percentage of their energy from renewable sources including solar. These policies should create a stable and predictable market for solar energy, a market that will attract investors, drive growth, and provide targets for bad cyber actors. This expected surge in investment has the potential to transform the energy landscape.

As the number of solar energy devices continues to grow, utilities and individual homeowners face several daunting challenges in integrating solar energy devices into the electric grid securely and reliably.   Specifically, utility companies must find ways to support the use of solar energy devices while maintaining the economics and reliability of their existing infrastructure, which includes ensuring that there is sufficient capacity for baseline and peak demand and in all weather conditions.  Homeowners face the challenge of securely operating their solar panels while monitoring their consumption and production. 

History and Growth 

As a response to the 1970s energy crisis, the United States government offered incentives to use renewable energy. According to the United States Department of Energy, the first solar panels designed for residential use were commercialized by Solarex Corporation in 1973. The University of Delaware was the developer of Solar One, one of the first residential photovoltaic (PV) systems. At that time, a silicon solar cell cost $30 per watt.[5] With a typical U.S. home using 1214 watts per day, solar was not cost-effective.[6] Due to these high costs, only a few homeowners could afford them.

Starting in the 1990s, significant advances in technology made it more efficient and cost-effective. In those early days, solar panels were mainly used in niche applications, such as a remote power source or simply in a calculator. In 1993, Pacific Gas & Electric successfully installed the first grid-tied photovoltaic system in the city of Kerman, California. This system, which had a capacity of five hundred kilowatts, was the first instance of distributed power.[7]

By the 2000s, however, technological advances made larger installations and home use possible. The increased availability of solar panels coincided with a growing awareness of climate change and a desire for more sustainable energy sources. This led to government incentives and subsidies for solar panel installation, which further drove the market. As a result, the solar industry experienced significant growth during this period with more companies entering the market and increased competition driving down costs. Overall, the 1990s and 2000s marked the beginning of a shift toward more sustainable energy sources and were a transformative time in the availability and demand for solar panels.

More recently, technological advances and manufacturing processes have increased the availability of solar panels on the market. Solar panels are becoming increasingly popular for businesses and homeowners due to their environmental friendliness and cost-effectiveness. In addition, solar panels are readily available in different sizes, capacities, and prices, making them more accessible to a wider range of consumers.


Integrating Solar Into the Grid: In Front of and Behind the Meter

To understand the problem of integrating solar into the power grid, it may be best to simplify the discussion into Front-of-Meter (FTM) and Behind-the-Meter (BTM) challenges. FTM refers to the infrastructure before the meter – the infrastructure installed, operated, and maintained by a utility provider. BTM refers to the equipment behind the home meter – equipment routinely provided and maintained by the property owner. The FTM and BTM challenges for solar refer to different issues in deploying and integrating solar at different scales and in different contexts. While there is a common goal to drive solar adoption and overcome barriers to widespread deployment, each side of the meter faces unique obstacles.[8] While some of the FTM challenges are identified here, BTM challenges are the focus of this article.

FTM challenges mainly affect large-scale solar systems often owned and operated by utilities or independent power producers. These challenges include:

  • Grid integration: As solar capacity increases, grid integration becomes more complex. The intermittent nature of solar power poses a challenge to grid operators in maintaining grid stability and balancing supply and demand. Effective grid integration requires sophisticated forecasting, energy storage, and grid management.
  • Transmission and distribution infrastructure: Construction and upgrading of transmission and distribution infrastructure to accommodate increased solar generation can be expensive and time-consuming. Significant investment and regulatory approvals are required to expand and strengthen the grid to deliver solar power from remote solar farms to urban areas.
  • Policy and regulatory frameworks: In some regions, outdated or complex regulatory frameworks can impede the development of large-scale solar projects. The streamlining of permitting processes, the establishment of clear interconnection standards, and the provision of supportive policies such as feed-in tariffs or renewable portfolio standards can facilitate the deployment of front-of-the-meter solar.
  • Remote locations: An added difficulty is that many solar energy systems are deployed in remote locations making them difficult to secure and monitor against cyber threats.[9]

Grid integration, infrastructure issues, and policy and regulatory frameworks directly impact the BTM installations.  There are some specific BTM challenges that are related to the smaller-scale solar installations typically found on residential, commercial, or industrial buildings. These challenges include:

  • Rooftop space and structural limitations: Installing solar panels on buildings can be challenging due to limited rooftop space, shading issues, and structural limitations. Adequate space, orientation, and structural integrity are critical factors in maximizing solar generation potential.
  • Financing: The upfront cost of solar installation, including solar panels and related equipment, can stifle adoption. Financing options such as solar lease agreements, power purchase agreements (PPAs), and government incentives such as tax credits or grants can mitigate these costs.
  • Grid connection and net metering: The connection of Behind-the-Meter (BTM) solar systems to the grid and the establishment of net metering policies allow excess solar power to be fed back into the grid to offset energy consumption and potentially earn credits. However, inconsistent or disadvantageous net metering policies in some areas can discourage solar deployment.
  • Maintenance and Performance Monitoring: Regular maintenance and monitoring are essential to ensure optimal performance and maximize the generation of energy. System efficiency and reliability can be compromised by a lack of awareness or limited access to maintenance services.[10]

Solar energy systems become more vulnerable to cyber-attacks as they increasingly connect with other systems. Cybersecurity risks can arise at different stages including during the solar energy system’s manufacture, design, installation, operation, and maintenance. The remainder of this article will address solar energy cybersecurity guidance, threats and vulnerabilities, enabling technologies and identified challenges. Regrettably, there are few industry heuristics.

Solar Cybersecurity Guidance

The U.S. Department of Energy (DOE) has not provided a great deal of guidance in this area. “Historically, cyber risk for solar was relatively minor given how few systems were deployed and because most solar inverters did not communicate for monitoring or control. However, as more solar is installed and inverters become more advanced, this risk grows.”[11] The 2015 Energy Sector Specific Plan, revised December 2020, published by the Cybersecurity & Infrastructure Security Agency (CISA), did not address the FTM challenges, much less the BTM challenges, within the solar industry.[12]

Further, the Idaho National Laboratory’s (INL) August 2016 report, entitled “Cyber Threat and Vulnerability Analysis of the U.S. Electric Sector,” also did not specifically address the solar energy sector. One of the Department of Energy’s national research laboratories, the Idaho National Laboratory (INL) is at the forefront of cybersecurity research and analysis. As part of its mission, INL conducts comprehensive assessments and produces reports to address cyber threats and vulnerabilities in critical infrastructure sectors, including the U.S. Electric Sector. INL’s 2016 report provided a comprehensive analysis of the cybersecurity landscape in the electric industry. The report aimed to identify potential risks and vulnerabilities that could be exploited by malicious actors to compromise the U.S. electric grid and recommended strategies to enhance the sector’s resilience against cyber-attacks. However, again, the topic of solar energy cyber security was not specifically addressed. [13]

There is some limited guidance. On the webpage entitled, “Solar Cybersecurity Basics,” the DOE only outlined three areas of cyber risk in the solar industry:

  • “Inverters are the interface between solar panels and the grid. If the inverter’s software isn’t updated and secure, its data could be intercepted and manipulated. An attacker could also embed code in an inverter that could spread malware into the larger power system.
  • A cyber-attack that introduces instabilities or false information into the power system can cause physical as well as financial damage. For example, a security breach could make an unauthorized change in power delivery. Unauthorized changes to inverter controls or communications like these are called cyber-physical security breaches because the result is a change in the voltage or the electric current that the inverter injects into homes or the grid.
  • Microgrids are also a potential target for cyber-attacks. Microgrids are local power systems that can operate independently of the larger grid in case of a power outage. Protecting them from cyber-attacks becomes part of an overall resilience strategy to maintain critical electrical infrastructure in emergencies.”[14]

While these three are important, there are additional areas of risk. These areas of risk are very broadly grouped and addressed under the category of “Smart SCADA.”

Solar Cyber Threat & Vulnerability Mitigation


While there is limited specific guidance, there are some best practices within the energy sector that can be used to identify and mitigate solar cyber threats and vulnerabilities. The use of threat modeling, supply chain risk management, and the adoption of a zero-trust approach should be the starting point.[15] 

Conceptually simple, threat modeling is the identification of those assets that the organization believes have value: value to the attacker, value to the organization, or value as a stepping stone to something else. The model then identifies what the organization is building or has built, what can go wrong, and what should be done about it.[16] The threat model should be used in conjunction with the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework[17] and DHS’s Cyber Security Evaluation Tool (CSET)[18] in order to provide a comprehensive view of the organization’s entirety.[19]

A comprehensive understanding of the supply chain will also help identify and mitigate risk. The U.S. Defense Department defines Supply Chain Risk Management (SCRM) as the “systematic process for managing supply chain risk by identifying susceptibilities, vulnerabilities and threats throughout DoD’s ‘supply chain’ and developing mitigation strategies to combat those threats whether presented by the supplier, the supplied product and its subcomponents, or the supply chain (e.g., initial production, packaging, handling, storage, transport, mission operation, and disposal).” SCRM has four aspects:  security, integrity, resiliency, and quality of information.[20]

Finally, zero-trust principles should be applied during the implementation and operation phases, specifically verify, least privilege, micro-segmentation, assume breach, continuous monitoring, encryption, comprehensive access controls and automation.[21]

Emerging Solar Technologies:  Smart Supervisory Control and Data Acquisition Plus (Smart SCADA)

The implementation of emerging operational and other technologies is making solar energy products more efficient, sustainable, and affordable. These emerging technologies may be categorized under an overall very broad label of Smart SCADA systems. This category includes solar tracking systems, remote monitoring and control, blockchain integration, and Artificial Intelligence-based predictive maintenance.

Supervisory Control and Data Acquisition (SCADA)

Primarily within a solar plant, Supervisory Control and Data Acquisition (SCADA) systems are the interconnected hardware and software components that allow the plant to be monitored and controlled from a central location. The SCADA systems provide real-time data on the performance of the solar plant. This enables operators to make quick and informed decisions on operations and maintenance.

Similar to other industrial plants, the SCADA system of a solar power plant or the IoT devices within a smaller installation typically includes components such as Programmable Logic Controllers (PLCs), Human-Machine Interfaces (HMIs), and Remote Terminal Units (RTUs). A PLC is a specialized digital computer that automates plant processes and receives data from sensors and other inputs. PLCs serve as the link between the SCADA system and the equipment being monitored and controlled.

These SCADA systems form an integral part of running a solar plant or a smaller installation. They provide real-time data and analysis. They improve plant performance, increase efficiency, and enable remote monitoring and control. As the world moves toward cleaner energy sources, the use of smart SCADA systems in solar power plants will continue to grow. SCADA systems enable plant operators to maximize efficiency and ensure reliable, cost-effective, and sustainable energy production.

Smart SCADA

Smart SCADA refers to the integration of advanced technologies and intelligent features into traditional SCADA systems.  Smart SCADA builds upon the capabilities of traditional SCADA systems by incorporating additional features enabled by modern technologies such as the Internet of Things (IoT), cloud computing, Artificial Intelligence (AI), data analytics, and advanced network capabilities.  These technologies enhance the efficiency, reliability, and intelligence of SCADA systems enabling better decision-making and improved operational performance. Smart SCADA system attributes include the ability to provide for remote monitoring and control, advanced data analytics to include  AI and Machine Learning (ML), integration with IoT devices, and integration into a cloud-based infrastructure.  Further, given the consumerization of IoT devices, these Smart SCADA systems are widely available to the individual homeowner. 

With Smart SCADA systems, operators can anticipate and correct faults. This improves plant efficiency and minimizes downtime. These systems are critical in helping to ensure that solar plants can consistently perform at optimal levels.

Smart Meters

FTM and BTM, what about the meter itself?  Traditionally, the meter simply provided a means by which to measure the consumption of energy, water, gas, or some other resource. The meter was installed and ran. It was periodically checked and the consumer was billed. 

A Smart Meter, a form of an IoT device, is an advanced utility meter that does the same measuring and monitoring. However, unlike traditional meters, Smart Meters have built-in communication capabilities that enable two-way communication between the meter and the utility company. These meters provide near real-time data, which, in turn, can support features such as time-of-use pricing.

As a connected device, a Smart Meter brings with it cyber risks. The first concern is unauthorized access, which can enable malicious actors to manipulate energy data, disrupt services, or even cause physical damage. Weak authentication and encryption mechanisms, as well as unpatched software vulnerabilities, can serve as entry points for cyber-attacks.

Second, smart meters collect and transmit sensitive data about energy consumption patterns, raising privacy concerns. If not properly secured, this data can be intercepted, analyzed, and exploited by cybercriminals for various purposes, including identity theft or targeted phishing attacks.

The final risk involves the potential for a widespread attack on the power grid through compromised smart meters. If a vulnerability exists in the meter’s firmware or communication protocols, attackers may use it as a stepping stone to infiltrate the larger energy infrastructure, leading to cascading outages or operational disruptions.

The integration of smart meters into the broader smart grid infrastructure enables utilities to monitor and manage energy distribution more effectively, optimize load balancing, and respond to outages or emergencies more efficiently.

Solar Tracking Systems

The first BTM Smart SCADA systems are the solar tracking systems. Solar tracking refers to the monitoring of the exposure of solar panels to the sunlight that generates electricity. For maximum efficiency, the panels must be positioned at the optimal angle to the sun. This can be accomplished with intelligent solar tracking systems. These systems include sensors that detect the position of the sun. They then adjust the panel’s orientation in real-time. Implementing this technology can increase power generation by 30-40%. However, it increases installation and maintenance costs.

There are two types of solar tracking systems based on their movement: single-axis and dual-axis.

  • Single-axis solar trackers: Move panels on one axis of movement, usually aligned with north and south.
  • Dual-axis solar trackers: Move panels on two axes, both north-south, and east-west. 

The biggest benefit of a solar tracking system is that it offers a boost in electricity production. While usually reserved for large-scale ground-mounted solar systems, solar tracking systems are becoming more available for the smaller installation market. A solar tracker system helps maximize your solar production by following the sun throughout the day. Generally, a solar panel system with a single-axis solar tracker installed sees a performance gain of 25 to 35 percent. A dual-axis tracker bumps performance up by another five to 10 percent.

The solar tracking cyber risks center upon the software chain, the communications protocols and interfaces, and the supply chain. Compromises within the supply chain present opportunities for bad actors to exploit the systems. While the potential impact of a software compromise in the FTM is large, there is a smaller impact BTM.

The control software has potential vulnerabilities in the software/source code, in the communications protocols and interfaces, and in the supply chain. Software source code vulnerabilities and the potential mitigation have been addressed by the industry in other forums. 

The second vulnerability, communications protocols and interfaces, focuses on the principle that if not properly secured the protocols and interfaces can be exploited for unauthorized access or data interception. These risks can be mitigated through strong access controls, encryption, and regularly updating the software.[22]

As previously noted, a comprehensive understanding of the supply chain will also help mitigate risk. The identification of suppliers and their components will allow for the risk managers to baseline, assess, monitor, and correlate threats and vulnerabilities within their operational context.[23]

Remote Monitoring and Control Software

The second BTM Smart SCADA trend is remote monitoring and control. Similar to the inverter risks identified by the DOE, the smooth operation of PV installations relies on remote monitoring and control capabilities, with a very heavy reliance on the control software within solar power plants, and lesser reliance on the software within smaller installations. Smart SCADA systems enable real-time monitoring and control of processes anywhere using connected devices such as smartphones or tablets.

Two such devices will be used to illustrate how remote monitoring with smart SCADA can work.  The first device is the PowerAMR (Automatic Meter Reading). PowerAMR combines advanced hardware and software systems to provide real-time monitoring and control of solar power systems. It is designed to improve operational efficiency and reliability and the collection of accurate energy analysis and optimization data.[24]

PowerAMR technology involves the installation of smart meters on solar panels to track the performance of each unit and transmit the data to a monitoring system.[25] These smart meters collect real-time data on energy produced, consumed, and system performance and transmit it to a monitoring system. This system provides a detailed analysis of the collected data including energy usage, system faults, and performance trends.

SolarEdge is another example of a remote control and monitoring system. This device is a standard tool for remote monitoring and control of solar panels optimizing the conversion of DC to AC solar energy and ensuring that each panel operates at its maximum power point using individual Maximum Power Point Trackers (MPPTs). 

The cyber risks associated with the control and monitoring systems are similar to the risks for the control software. As noted above, the risks include vulnerabilities in the software/source code, in the communications protocols and interfaces, and in the supply chain.

Blockchain Integration

The next technology is blockchain. While not generally considered a SCADA system nor a BTM system, blockchain is an enabler within the solar ecosystem. As a distributed ledger technology rather than a cryptocurrency, blockchain has the potential to transform the solar power industry by creating a secure and decentralized platform for energy transactions. Its potential applications include peer-to-peer trading of solar energy, creating a solar energy credit system, and grid management. Securing transactions is where blockchain technology can play a significant role.

In parallel with the growth of solar energy, there is also an ever-increasing demand for secure and transparent green energy transactions. As a public ledger, blockchain technologies allow all parties involved in the solar power transaction to view the transaction history. A blockchain implementation allows for the verification of the energy source’s origin and the energy’s carbon footprint. Second, the use of smart contracts can further enhance security by automating transactions and enforcing predefined rules. Finally, blockchain technology can provide a transparent and auditable record of energy consumption, enabling consumers to track their energy usage and ensure they use only renewable energy.[26]

As with other aspects of the solar industry, there is a great deal of investment in this area. Companies leading blockchain efforts in solar energy include GridPlus, Powerledger, Electron, and eCharge.[27]

As with other Blockchain instances, there are some potential cyber risks. Specifically, two possibilities should be addressed:  a 51% attack, and smart contract vulnerabilities.

A 51% attack is an attack where an entity controls the majority of the network’s computational power at the time of the attack, giving it the ability to inject an altered blockchain at the required specific point in the blockchain. For a larger blockchain network, such as Bitcoin, the amount of computational power necessary to successfully conduct this type of attack is enormous.[28] For small blockchain networks, especially those operated by smaller entities for specific purposes, there is a probability of success. However, in either scenario the amount of resources and planning required is exceptionally large.

The other Blockchain risk lies within the smart contract software code itself.  Not to overly simplify the issue, as with any software, smart contract software code flaws can be exploited. 

By eliminating intermediaries, enhancing security, and creating a transparent and auditable record of energy production and consumption, done properly blockchain technology can make a more efficient and cost-effective solar energy market.[29]

Artificial Intelligence (AI)-Based Predictive Maintenance


Being proactive with maintenance is crucial in avoiding potential issues. Traditionally, maintenance activities have been reactive with equipment repaired or replaced after a failure occurs; or scheduled, with the potential of wastefulness due to over-maintenance, under-maintenance, or the inefficient allocation of resources. 

Predictive maintenance involves closely monitoring several different parts of the solar panels and other equipment to detect any performance problems before they become significant. Sensors and other monitoring devices track temperature, voltage, current, and power output, and the critical data gathered can then be analyzed using predictive analytics tools. The goal is to identify patterns and trends that may indicate equipment failure and predict when and where maintenance will be necessary. This information helps ensure that any maintenance is done at the right time, reducing downtime and maximizing the efficiency and lifespan of the equipment.

The benefits of predictive maintenance include increased reliability, cost savings, improved safety, and efficiency. Solar power operators can predict the need for maintenance work to ensure reliable equipment and minimize downtime. This reduces the number of power outages and prevents unnecessary maintenance tasks, resulting in significant cost savings. Furthermore, predictive maintenance can identify potential equipment failures before they become hazardous improving safety. By utilizing predictive analytics, solar power operators can optimize maintenance schedules and reduce equipment downtime ultimately increasing efficiency and productivity.

Similar to the utilization of blockchain within the solar ecosystem, AI is a technology enabler. AI-based predictive maintenance harnesses the power of Smart SCADA to constantly monitor equipment and identify any potential failures that may occur in the future. AI-based preventive maintenance relies on the analysis of vast amounts of data collected from equipment sensors, historical maintenance records, and other relevant sources. The algorithms can be trained to identify patterns, anomalies, and failure indicators in the data, thus enabling predictive insights. These insights can then be used to determine the optimal timing for maintenance activities, detect early signs of equipment degradation, and recommend appropriate actions to prevent failures.

To achieve effective predictive maintenance, it is imperative to establish appropriate sensors and monitoring systems, implement advanced analytics, develop maintenance plans, and continuously monitor and secure equipment. The precision and dependability of predictive maintenance hinges mainly on the quality of data collected from sensors and monitoring systems. Therefore, it is crucial to have reliable and accurate sensors and monitoring systems that can provide quality data. Operators must use advanced predictive analytics tools to analyze sensors and monitoring systems data, identify potential equipment failures, and accurately predict maintenance needs. Before executing predictive maintenance a maintenance plan must be in place outlining which equipment to monitor, which sensors to use, and how to analyze data. To guarantee the successful implementation of predictive maintenance operators must perpetually collect and analyze data, adjusting maintenance schedules accordingly.

The implementation of AI-based preventive maintenance does require careful planning and investment. This includes the necessary sensors, connectivity infrastructure, data security and storage capabilities. This also includes the need to establish appropriate data governance frameworks to manage and protect the data and the AI model. 

As with any AI implementation, the model(s) and data used need to be protected. AI models are those representations of learned patterns and relationships from data and are highly dependent upon the reality, quality, and diversity of the training data, the algorithms, and the design choices. 

The cyber risk revolves around protecting the model and data. This protection involves several considerations including data security, model access control, infrastructure security, intellectual property considerations, and any ongoing updates.  There should be awareness, but this risk is almost always outside the direct ability of the end user to impact. 

AI-based predictive maintenance shifts the focus to proactive and data-driven strategies, enabling organizations to anticipate and address potential issues before they lead to costly breakdowns or downtime. By leveraging AI technologies, organizations can optimize maintenance schedules, enhance equipment reliability, and reduce operational costs.

In The Wild: Identified Solar Cybersecurity Challenges

As a conference, DEFCON provides security researchers the opportunity to present the results of their investigations. In 2016, DEFCON revealed severe security weaknesses in solar panel technology, underscoring the urgent need for more robust cybersecurity measures. A cyber-attack on renewable energy infrastructure could devastate the environment and the economy. Solar panel makers and developers should assess and enhance their security protocols to minimize the risk of cyber threats. This discussion provides valuable insights into the security challenges associated with this technology, emphasizing the importance of increased awareness and proactive measures to prevent any disruptions to the energy supply that could cause widespread harm to society.

The first weakness discussed was in how the solar panel module communicates with the solar inverter system. This weakness is due to the Modbus protocol, which has weak authentication mechanisms, making it vulnerable to attacks. Researchers could exploit this vulnerability by gaining unauthorized access to the solar panel system and controlling it remotely. The consequences of such attacks can vary from minor disruptions, such as slowing down energy generation, to more severe issues, such as the entire system shutting down. According to a discovery by researcher Fred Bret-Mounet, a vulnerability was found that could allow him to stop operations for a mid-sized power generation company. He could also use the hacked devices as a trojan horse to gather more data over time.[30]

Another vulnerability presented at DEFCON was in the solar panel technology’s cloud-based monitoring and control software. The software, accessible over the internet, is exposed to several cyber threats such as hacking, malware, or Distributed Denial-of-Service (DDoS) attacks. Malicious actors can exploit this vulnerability to access sensitive data, interfere with system operations, or even issue malicious commands to the systems. Such attacks can be devastating as they could halt renewable energy production, leading to power outages, economic loss, and environmental damage.[31]

The third vulnerability to solar panel technology presented at DEFCON is related to supply chain security. Solar panels are built using several components manufactured by different suppliers, making them vulnerable to counterfeiting, malicious tampering, or software manipulation. Malicious actors can insert hardware components with backdoors or malicious firmware at any stage in the supply chain, leading to concerns about product authenticity and system security. Attackers can exploit this vulnerability to perpetrate cyber-attacks, malware intrusion, or DDoS attacks, leading to system disruption, data theft, and revenue loss.[32]

While the DEFCON discussion was theoretical, actual attacks on solar energy products have occurred. First reported in March of 2019, bad external actors exploited a known firewall of one of the North American Electric Reliability Corporation (NERC). This firewall attack caused unexpected O.T. device reboots resulting in communication outages.[33] This cyber event resulted in a Denial-of-Service (DoS) condition at a low-impact control center and multiple remote low-impact generation sites.[34] This singular event directly affected several states and brought significant urgency to uncover the severity of how the NERC manages its cybersecurity.

As a result, energy-related companies have begun to withhold information about “how it happened” to protect themselves from future bad actors. EEI Executive Vice President Phil Moeller mentions that “even seemingly innocuous self-reported information can be exploited by sophisticated adversaries to target the energy grid.”[35] It is vital to safeguard this information as more companies entertain adding solar energy to their existing power grids. If the bad actors had instructions on how to do so, energy companies would not be able to integrate cost-effective products into their power grids.

Conclusion

Overcoming these challenges requires a multifaceted approach. With technological advances, policy support, financial incentives, and stakeholder collaboration, the continued research and development in energy storage, grid management, and smart grid technologies will improve solar cybersecurity. Governments and regulatory bodies have a critical role to play in establishing supportive policies and streamlining the regulatory process. Utilities, solar industry stakeholders, and consumers will need to collaborate to overcome barriers and accelerate the safe adoption of solar both before and after the meter.

References

Balean, S. (2019, August 30). Decentralized solar using blockchain technology. Retrieved from Medium: https://medium.datadriveninvestor.com/decentralized-solar-using-blockchain-technology-751e424439b4

Constantin, L. (2016, September 13). Hackers found 47 new vulnerabilities in 23 IOT devices at DEF CON. Retrieved from CSO Online: https://www.csoonline.com/article/3119765/hackers-found-47-new-vulnerabilities-in-23-iot-devices-at-def-con.html

Department of Homeland Security (CSET). (2023, June 15). https://www.cisa.gov/forms/csetiso. Retrieved from CSET Download: https://www.cisa.gov/forms/csetiso

Ferry, H. (2017, April 3). Supply Chain Risk Management (SCRM): Changing the Program Protection Paradigm. Retrieved from Defense Acquisition University: https://slidetodoc.com/supply-chain-risk-management-scrm-changing-the-program/

Frankenfield, J. (2023, June 7). 51% Attack: Definition, Who Is At Risk, Example, and Cost. Retrieved from https://www.investopedia.com: https://www.investopedia.com/terms/1/51-attack.asp

Knapp, E. D. (2014). Industrial Network Security, Second Edition: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems 2nd Edition.

Lendardic, D. (2023, April 30). History. Photovoltaics – historical development. Retrieved from www.pvresources.com: https://www.pvresources.com/en/introduction/history.php

Mai, H. J. (2019, September 9). NERC finds First Remote Hacker interference on US grid from Cyberattack. Retrieved from Utility Dive: https://www.utilitydive.com/news/nerc-finds-first-remote-hacker-interference-on-us-grid-from-cyberattack/562478/

Marsh, J. (2023, April 30). How many Watts does it take to run a house? Retrieved from EnergySage Blog.

MITRE (ATT&CK Framework). (2023, June 15). https://attack.mitre.org/. Retrieved from ATT&CK: https://attack.mitre.org/

National Institute of Standards and Technology Special Publication (NIST SP) – 800-207. (2023, June 15). Zero Trust Architecture. Retrieved from National Institute of Standards and Technology: https://www.nist.gov/publications/zero-trust-architecture

PowerAMR. (2023, May 1). Solar Remote Monitoring. Retrieved from https://poweramr.in/remote-monitoring#:~:text=An%20Integrated%20Platform%20comprising%20of,efficiency%20of%20Solar%20PV%20Plants.

Richardson, L. (2023, April 26). EnergySafe. Retrieved from EnergySage: https://news.energysage.com/the-histor-and-invention-of-solar-panel-technology/

Shostack, A. (2014). Threat Modeling. Wiley.

Sienkiewicz, H. J. (2017). The Art of Cyber Conflict. Indianapolis, IN: DogEar Publishing.

Sienkiewicz, H. J. (2023). Lecture notes, Additional perspectives in cyber security.

Solar Industries Energy Association. (2023, June 19). Solar Industry Research Data. Retrieved from Solar Industries: https://www.seia.org/solar-industry-research-data

SolarEdge. (2023, May 3). Residential catalogue – solaredge. SolarEdge Residential Offering for Installers. Retrieved from SolarEdge.com: https://knowledge-center.solaredge.com/sites/kc/files/residential_catalogue_eng.pdf

United States Department of Energy Idaho National Laboratory (INL). (2023, June 15). https://www.energy.gov/. Retrieved from Cyber Threat and Vulnerability Analysis: https://www.energy.gov/sites/prod/files/2017/01/f34/Cyber%20Threat%20and%20Vulnerability%20Analysis%20of%20the%20U.S.%20Electric%20Sector.pdf

United States Department of Energy Solar Energy Technologies Office. (2023, June 15). Solar Security Basics. Retrieved from https://www.energy.gov/eere/solar/solar-cybersecurity-basics: https://www.energy.gov/eere/solar/solar-cybersecurity-basics#:~:text=Solar%20energy%20technologies%20can%20be%20vulnerable%20to%20cyberattack,at%20higher%20risk%20relative%20to%20stand-alone%20OT%20devices.

United States Department of Homeland Security. (2023, June 15). Energy Sector Specific Plan (2015, revised 2020). Retrieved from https://www.cisa.gov: https://www.cisa.gov/resources-tools/resources/energy-sector-specific-plan-2015

[1] (Richardson, 2023)

[2] (Solar Industries Energy Association, 2023)

[3] (Solar Industries Energy Association, 2023)

[4] (Solar Industries Energy Association, 2023)

[5] (Lendardic, 2023)

[6] (Marsh, 2023)

[7] (Lendardic, 2023)

[8] (Sienkiewicz, 2023)

[9] (Sienkiewicz, 2023)

[10] (Sienkiewicz, 2023)

[11] (United States Department of Energy Solar Energy Technologies Office, 2023)

[12] (United States Department of Homeland Security, 2023)

[13] (United States Department of Energy Idaho National Laboratory (INL) , 2023)

[14] (United States Department of Energy Solar Energy Technologies Office, 2023)

[15] (Sienkiewicz, 2023)

[16] (Shostack, 2014)

[17] (MITRE (ATT&CK Framework), 2023)

[18] (Department of Homeland Security (CSET), 2023)

[19] (Sienkiewicz, 2023)

[20] (Ferry, 2017)

[21] (National Institute of Standards and Technology Special Publication (NIST SP) – 800-207, 2023)

[22] (Knapp, 2014)

[23] (Sienkiewicz H. J., 2017)

[24] (PowerAMR, 2023)

[25] (PowerAMR, 2023)

[26] (Balean, 2019)

[27] (Balean, 2019)

[28] (Frankenfield, 2023)

[29] (Balean, 2019)

[30] (Constantin, 2016)

[31] (Constantin, 2016)

[32] (Constantin, 2016)

[33] (Mai, 2019)

[34] (Mai, 2019)

[35] (Mai, 2019)
