Businesses are increasingly turning to onsite energy generation systems as a solution to rising energy costs and concerns over the stability of electric grids. These systems, known as distributed energy resources (DERs), typically consist of solar panel arrays paired with batteries for energy storage. By connecting to the grid, businesses can sell excess electricity to utilities, creating new points of vulnerability that need to be addressed when evaluating risks.
One crucial component of solar DERs is the smart inverter, which manages the flow of energy between the DER and the grid. These inverters are IoT devices that rely on cloud-based services for monitoring and management, exposing them to cybersecurity threats. With no industry-accepted standards for DER security, organizations face varying levels of compliance and must take proactive measures to ensure the safety and reliability of their systems.
The race to the bottom for pricing in the solar energy industry has led to a lack of cybersecurity standards, making smart inverters vulnerable to attacks. Default passwords and poor security practices make these devices attractive targets for hackers, especially given the large number of solar installations across the US. Vulnerabilities in smart inverters can have widespread consequences, as demonstrated by past attacks that hijacked hundreds of inverters.
Small to medium-sized businesses (SMBs) may lack the expertise to properly secure their DERs, especially when it comes to one-off solar projects. Risks associated with smart inverters extend to control panels, management software, and third-party networks, providing multiple entry points for attackers. Vulnerabilities in monitoring and management software have been exploited in the past, highlighting the importance of thorough security assessments.
Manufacturers are increasingly prioritizing cybersecurity in smart inverters, but the threat landscape continues to evolve. Best practices for securing solar DERs include vetting product and service providers, assigning security responsibilities to capable staff, and implementing strong access control measures. Monitoring event logs, protecting communications connections, and keeping software/firmware updated are essential steps in maintaining the security of smart inverters.
The potential impact of a cyberattack on solar DERs extends beyond individual businesses, with the potential to disrupt the electric grid during high-demand periods. Nation-state adversaries and cybercriminals alike could leverage smart inverters to target critical infrastructure, posing a significant threat to grid stability. Collaboration between industry stakeholders and regulatory bodies is needed to establish robust security baselines and mitigate risks associated with solar DER vulnerabilities. By implementing best practices and staying vigilant, businesses can better protect their energy generation systems from cyber threats.