As smart inverter requirements proliferate, cybersecurity needs to keep pace.
The solar industry’s relentless focus on cost has been very effective. Most major global utility solar PV markets now have prices below $1 per watt. This is down from more than $1.50 per watt in 2015, thanks in large part to lower prices for components including modules, inverters and trackers.
According to the Solar Energy Industries Association (SEIA) and WoodMac Power & Renewables, the U.S. installed over 32 gigawatts of solar PV in the past three years. There are currently more than 10 gigawatts of solar forecasted to come online in 2018 alone, and the long-term growth is expected to be strong.
While this collective push to drive down solar prices is critical to the mainstreaming of clean energy, it also leaves room for some emerging risks. One area needing greater attention is the advancement of cybersecurity measures on distributed energy resources (DERs), especially in solar.
But California’s smart inverter requirements, which other states and utilities are also adopting in some form, are often not accompanied by the necessary cybersecurity protections.
“It is concerning that other utilities seem to be jumping on the bandwagon and asking for remote grid support without requiring a certain level of cybersecurity, an understanding of where their generation data is stored, and from where it can be accessed and controlled,” said Emily Hwang, application engineering manager at inverter manufacturer Yaskawa Solectria Solar.
There is an increased focus on cybersecurity for these assets, but it is still in the early days. The National Renewable Energy Laboratory’s Energy Security and Resilience Center has a number of initiatives around DER cybersecurity, including electric vehicle and distribution grid security.
Inverters on the Frontline
Even with those initiatives, there is a mismatch between the growth of solar in the U.S. and the attention to cybersecurity requirements. The risks are significant and growing, whether it’s a utility-scale solar project or a residential installation.
For instance, the focus on keeping overall prices low, which has driven much of the industry’s growth, could lead to the use of low-cost but inferior networking equipment, such as routers. This opens the door to weak data encryption or security defects that go unaddressed because firmware updates are considered complicated or unimportant.
Some inverter manufacturers publish default passwords in equipment manuals, allowing insecure access to control parameters or potentially sensitive data. This practice was generally acceptable until remote access to internet-connected inverters became possible.
In utility-scale and large commercial projects, certain vulnerabilities go beyond the inverters, which most people consider the primary component that needs protection from cybercriminals.
“With larger-scale systems, it’s not just the inverters. It’s also the power plant controllers and aggregators that present a risk. In the past, solar was not grouped and not mandated to have remote control functionality, so hacking solar was very difficult and didn’t pose the same threat to the grid.
The risks are high. You open the site up to the possibility of someone hacking into a larger solar plant, changing the system’s settings to purposefully influence the grid, and potentially causing serious damage and loss. You could also have a denial-of-service attack that takes down the power system.
Ultimately, the development and enforcement of standards and mandates for DER cybersecurity will be critical.
Security is something we must think about every time. It should not be an afterthought; it should not only be layered on. During every step of PV site development, the designer should think: Where is the data going, how is it stored, and who and which country has access to control the system? We believe with inverters, controllers and aggregators, security should be baked in so that it is inherent to the product.
source: Green Tech Media