On Monday, 11 U.S. senators sent a letter to Homeland Security Secretary Kirstjen Nielsen, calling on her to “consider a ban on the use of Huawei inverters in the United States”. These senators expressed concern over both large-scale PV plants and distributed, rooftop systems, without giving exact details regarding the nature of the threat posed.
We weren’t sure what to make of this proposed ban. Huawei has been blocked from the telecom market and specifically from participating in the 5G network in several Western nations over concerns that its equipment could be used for espionage, but inverters play a different role than telecommunications products. Furthermore, members of the legislative body that takes its name from the Latin for “old men” are often not the best at keeping up to date with technology (“series of tubes”, anyone?), and making good assessments in this realm.
But whether or not these senators – most of whom hail from the Republican Party – have a valid concern comes down to this question: could an inverter maker use its products to launch cyberattacks on the grid, or cause blackouts?
We contacted Tom Tansy, the chair of the SunSpec Alliance, and asked his opinion to help determine whether there is a technical basis for this concern, or whether this is paranoia and xenophobia talking.
The “kill switch”
The biggest concern in terms of using inverters to hack into systems involves the danger that all of these devices could all be shut down at once, causing blackouts. This is similar to the danger that was posed to Germany under the “50.2 Hz problem” and subsequent mass inverter retrofit starting in 2012, but focused on the potential for malignant intent by one manufacturer.
Tansy notes that it is possible to remotely control an inverter, including throttling its power, or limiting and steering real power. And if you could control one inverter, you could control a number of them.
Here it is important to remember that in 2018, solar only provided 2.4% of the electricity in the United States, with distributed solar (plants smaller than 1 MW), representing less than 1/3 of that, or 0.7% of all power. And although it is true that some states like California get a much higher share of their power from solar, and that we are planning for a future with a higher portion of solar and wind on the grid, any inverter maker has only a small part of the total systems online at any one time.
So even if one inverter maker, working on behalf of a foreign government, did shut off all of their inverters, it would be hard to have a big effect. This is particularly true if they were most active in rooftop solar markets.
Tansy says that if a foreign government or terrorist group did want to take down the grid, it would be much more effective to target large, centralized generators like coal or nuclear power plants, and not distributed solar.
Hacking the grid?
Which brings us to our next question: could inverters be used to hack the electric grid, and take down a big power plant? Tansy notes that the world’s power systems are all networked and didn’t rule out this threat, but again context is critical.
“The far more likely scenario, rather than using a solar system as your vector to try to get to a critical facility, like a nuclear power plant, would be to use your handheld iPhone or laptop or come over a common internet connection,” Tansy told pv magazine.
He also says that this would be much easier to do from an inverter accompanying a utility-scale plant than anything on the distribution grid, which is “pretty far away from the central generators, and physically isolated”.
Furthermore, if in a theoretical scenario a hacker could take a large power plant offline, this wouldn’t necessarily cause a blackout. Large power plants go offline without warning all the time, such as when the Pilgrim nuclear power plant in Massachusetts had to be take off during the January 2018 “bomb cyclone” storm. In this case as in others, other forms of generation filled in.
If the key to the vulnerability of the grid to cyberattacks is its network, that is also its strength.
Tansy says that there are frequent cyberattacks on the grid now, and so far they haven’t caused any major blackouts. “Attacks are made against critical infrastructure every single day,” states Tansy. “Just like attacks on the banking system happen 24/7.”
In fact, Tansy points out that the internet was basically invented by the U.S. military as a security mechanism. “The idea of the internet was to make a decentralized system, and build in mechanisms such that you can detect when you have adverse conditions happening on one small part of the network,” he explains. “Distributed energy resources, I would argue, shares that same characteristic. If something happens, you can isolate it.”
This is not to say that Tansy isn’t concerned about cybersecurity, and notes that the SunSpec Alliance is engaged in ongoing work on this topic, including in collaboration with Sandia National Laboratory, National Renewable Energy Laboratory (NREL), and other national labs. “The industry is taking great pains to get its house in order,” explains Tansy.
And while he confirms that there are national security concerns around cybersecurity and the grid, he does not endorse the concept of banning specific companies as a solution. “The idea of isolating a single company is folly,” states Tansy. “They are just one of many. This idea that we can isolate and surround Huawei, and that will solve our problems – it is naive.”
He also states that while the Senate Intelligence Committee tries for a ban on Huawei, that there is a much larger threat to our nation’s security in the form of climate change. This is a threat which many senators, particularly in the Republican Party, have been actively denying.
“Let’s deal with the true emergencies of the day, and not conflate whatever notion we have about politics and balance of trade with China,” states Tansy.
This content is protected by copyright and may not be reused. If you want to cooperate with us and would like to reuse some of our content, please contact: firstname.lastname@example.org.