The digitalisation of the energy sector is a big opportunity. It increases power plant efficiency and allows flexible orchestration of decentralised energy resources. Recent modelling suggests digital flexibility solutions save 32bn EUR by 2030 and 160bn EUR by 2040. However, like the technological revolutions before it, it comes with new risks - in this case, cybersecurity.
Similar risks exist in other sectors, like the automotive industry, electricity grids, wind energy and non-renewable power plants. Cyberattacks can lead to data theft or manipulation, disrupt power plant operations, and destabilise the electricity system. With the current level of solar penetration, the risk of impacting the grid remains limited, with no known incidents as of now. Many companies already take comprehensive security measures, ensuring resilience against cyberattacks. The EU has adopted world-leading cybersecurity and data protection policies. However, as a future-looking sector – on its way to a majority share in the energy mix – the solar industry is calling on regulators and policymakers to translate the EU approach into a sector-specific, harmonised cyber-preparedness baseline. This position paper lays out recommendations for such sector-wide security measures.
A Harmonised Cybersecurity Baseline for Solar PV
Improving cyber risk assessments. Setting a new EU standard for product security for distributed energy resources, and empowering consumers to manage their device security. Setting an EU or nationally authorised layer of monitoring.
The point of reference for SolarPower Europe’s position remains the published document. For ease, the overview of policy recommendations is shared below, but should be considered in the context of the wider paper.
Establishing Governance & Risk
Enhance governance requirements in Network and Information Security (NIS) 2 Directive implementation and increase risk visibility on low-voltage grids in EU and national frameworks.
Securing Products
Reinforce cybersecurity at the product level, via Cyber Resilience Act (CRA) compliance requirements and a dedicated standard for distributed energy resources.
Securing Operations
Like personal data handling under GDPR, operational PV power plant data should remain in the EU, or in jurisdictions that can ensure similar security levels.
A list of secure operation best practices for large power plants should be mandatory and standardisation bodies should implement a cybersecurity baseline for the operation of small, IT-connected, remote-controlled distributed energy resources.
The EU or national governments should introduce a security layer which monitors relevant commands where aggregators and manufacturers centrally coordinate distributed energy resource devices like inverters.
Empowering Users & Installers
Users and installers of small-scale PV installations must manage the cybersecurity of their devices by setting strong passwords and installing security updates.