Cybersecurity must be a priority as solar and storage technologies are deployed in record-breaking numbers on the grid. Photo courtesy of National Renewable Energy Laboratory (NREL).

The U.S. Department of Homeland Security defines the power grid as critical infrastructure, but the grid was not built to support the current complex and interconnected structure that it has become, making it vulnerable to potential cyber-threats. As solar and storage technologies are deployed in record-breaking numbers, it’s important for the industry to prioritize cybersecurity to ensure clean energy resources are the safest and most secure technologies on the grid.  

The Solar Energy Industries Association (SEIA) is at the forefront of strengthening the solar industry’s resilience to cybersecurity threats. Recently, SEIA and the Department of Energy Solar Energy Technologies Office (SETO) hosted a half-day virtual summit on the state of cybersecurity in the industry, emphasizing how these issues must be baked into clean energy technologies and operations from the start. To this end, there are several steps that solar and storage businesses can take now that will set them up for cyber-success.  

The power grid is a potential target for hackers that have found ways to monetize cyber-attacks on energy companies as well as foreign adversaries seeking to disrupt America’s critical infrastructure. When cyber-attacks are successful, they interrupt the electricity that powers the economy. If one company succumbs to a cyber-attack — from ransomware, malware, or a data breach — it could set off a chain reaction and compromise the operations of many other industries.  

Cyber threats pose a financial and reputational risk for the entire energy sector, and these actions could have ripple effects for clean energy technologies like solar and storage. If a hacker gains access to clean energy technologies or disrupts energy delivery, customers may lose faith in the ability of clean energy to serve their needs. Financial risks range from lost revenue, costs to regain access to data from ransomware hackers, and hefty investments in cyber solutions after an attack occurs.  

It’s far more cost-effective to mitigate risks now than to pay the price after the fact. There are simple, low-cost steps that businesses can take to strengthen their cybersecurity and prevent future attacks, including password protection solutions, multi-factor authentication, and keeping software up to date. In addition, companies should proactively implement a strong data governance strategy. Data can fall into the wrong hands if it isn’t handled properly, and companies should dispose of data that isn’t necessary to keep, like old customer credit reports. Find more easy tips for small businesses in the Cybersecurity and Infrastructure Security Agency’s (CISA) cyber security toolkit. 

Clean energy businesses should regularly audit technology like photovoltaic inverters (PV) or energy storage systems (ESS) to identify and patch vulnerabilities before an attack happens. Companies should also conduct risk management assessments to inventory their critical systems and prepare procedures to limit the control of assets in the case of a cyber-threat to minimize the damage.   

Ensuring communications with distributed energy resource (DER) devices are encrypted is also an important best practice. The decentralized nature of DERs is beneficial for the grid but poses a challenge as the devices must be internet connected to communicate with grid operators. If communications are unencrypted, they can be intercepted and bad actors can remotely take control of devices and disrupt the flow of power.  

The wide variety of utilities, independent power producers, private companies and fuel sources that operate on the power grid have varying cybersecurity standards. There is no industry-wide standard, which makes these entities vulnerable to a multitude of potential attacks. There are many different cybersecurity frameworks that organizations use, but without an industry-wide approach, some organizations will remain vulnerable to attacks that could jeopardize others operating on the grid. SunSpec and the Sandia National Laboratories lead a distributed energy resource (DER) Cybersecurity Workgroup to create an industry standard for cybersecurity from the competing frameworks. Interested companies can join the working group to contribute to the development of these critical industry standards and best practices. 

Clean energy companies can join a public-private partnership to work together with other businesses and the government to identify vulnerabilities, triage cyber issues, and develop scalable solutions to secure the grid. The Department of Energy’s (DOE) Cyber Testing for Resilient Industrial Control Systems (CyTRICS) is one such partnership between many of the national labs and private businesses. Through the partnership, the businesses share problems affecting technology across models, brands, and equipment with the CyTRICS program, and researchers can simulate attacks in a virtual lab to create and deploy solutions.  

Companies should strive to strengthen cyber practices as part of their everyday business activities to ensure they are prepared and protected. To learn more about cybersecurity in the solar industry, watch SEIA’s archived Cybersecurity Summit, or visit SEIA’s webpage on cybersecurity.  

A modern and resilient grid requires the clean energy industry to be proactive about cybersecurity. As solar grows to become the dominant form of electricity in the United States, it’s important for the industry to take steps now that prevent cyber-attacks from interrupting the flow of this clean, reliable power.