Is the Solar Industry Secure Enough for Smarter Technology?
As smart inverter requirements proliferate, cybersecurity needs to keep pace.
The solar industry’s relentless focus on cost has been very effective. Most major global utility solar PV markets now have prices below $1 per watt, according to Wood Mackenzie Power & Renewables. This is down from more than $1.50 per watt in 2015, thanks in large part to lower prices for components including modules, inverters and trackers.
According to the Solar Energy Industries Association (SEIA) and WoodMac Power & Renewables, the U.S. installed over 32 gigawatts of solar PV in the past three years. There are currently more than 10 gigawatts of solar forecasted to come online in 2018 alone, and the long-term growth is expected to be strong.
While this collective push to drive down solar prices is critical to the mainstreaming of clean energy, it also leaves room for some emerging risks. One area needing greater attention is the advancement of cybersecurity measures on distributed energy resources (DERs), especially in solar.
Uncharted territory
DER cybersecurity is becoming an increasingly critical issue, with leading clean energy states, such as California, implementing requirements for distributed solar plants to deliver communication-based grid services. California’s Rule 21, for example, currently requires autonomous grid support functions and will soon require communication-based functionality.
But California’s smart inverter requirements, which other states and utilities are also adopting in some form, are often not accompanied by the necessary cybersecurity protections.
“It is concerning that other utilities seem to be jumping on the bandwagon and asking for remote grid support without requiring a certain level of cybersecurity, an understanding of where their generation data is stored, and from where it can be accessed and controlled,” said Emily Hwang, application engineering manager at inverter manufacturer Yaskawa Solectria Solar.
There is an increased focus on cybersecurity for these assets, but it is still in the early days. The National Renewable Energy Laboratory’s Energy Security and Resilience Center has a number of initiatives around DER cybersecurity, including electric vehicle and distribution grid security.
Sandia National Laboratories and the SunSpec Alliance have also spearheaded the DER Cybersecurity Workgroup, whose primary goal is to come up with a collection of best practices that can inform the development of national and international DER cybersecurity standards. California’s Rule 21 has also spawned the creation of the Smart Inverter Working Group, a collaboration meant to ensure that inverter manufacturers can meet grid support functionality and cybersecurity requirements within a reasonable timeframe.
Inverters on the frontline
Even with those initiatives, there is a mismatch between the growth of solar in the U.S. and the attention to cybersecurity requirements, argues Hwang. The risks are significant and growing, whether it’s a utility-scale solar project or a residential installation.
For instance, the focus on keeping overall prices low, which has driven much of the industry’s growth, could lead to the use of low-cost but inferior networking equipment, such as routers. This opens the door to weak data encryption or security defects that go unaddressed because firmware updates are considered complicated or unimportant.
Some inverter manufacturers publish default passwords in equipment manuals, allowing insecure access to control parameters or potentially sensitive data. This practice was generally acceptable until remote access to internet-connected inverters became possible.
In utility-scale and large commercial projects, certain vulnerabilities go beyond the inverters, which most people consider the primary component that needs protection from cybercriminals.
“With larger-scale systems, it’s not just the inverters. It’s also the power plant controllers and aggregators that present a risk,” explains Hwang. “In the past, solar was not grouped and not mandated to have remote control functionality, so hacking solar was very difficult and didn’t pose the same threat to the grid.”
The risks are high. “You open the site up to the possibility of someone hacking into a larger solar plant, changing the system’s settings to purposefully influence the grid, and potentially causing serious damage and loss. You could also have a denial-of-service attack that takes down the power system,” said Hwang.
It’s not a theoretical threat. In 2015 hackers took control of the grid in Ukraine and caused a blackout for over 230,000 people. Preventing hackers from doing this kind of damage (or much worse) requires decisive action. “At the end of the day, we are providing critical infrastructure to our nation,” said Hwang. “With that comes a serious responsibility.”
Basic best practices are a crucial starting point
Acting on that responsibility is not as burdensome or expensive as some might imagine. Often it comes down to best practices in cybersecurity that apply to every industry. Simple steps, such as not publishing or sharing passwords and having system owners create their own unique passwords upon installation, can greatly reduce security threats.
Ensuring that data transmitted by inverters and other equipment is encrypted is an additional security measure that should be required of manufacturers. Yaskawa Solectria Solar has joined the National Renewable Energy Laboratory and Sandia in the development and testing of a cost-effective way to do this for DERs that doesn’t involve as much memory or processing as would be required with centralized energy production.
Ultimately, the development and enforcement of standards and mandates for DER cybersecurity will be critical. In the meantime, Hwang believes incorporating security into the early stages of any DER project is necessary.
“Security is something we must think about every time. It should not be an afterthought; it should not only be layered on,” she said. “During every step of PV site development, the designer should think: Where is the data going, how is it stored, and who and which country has access to control the system? I believe with inverters, controllers and aggregators, security should be baked in so that it is inherent to the product.”