The utility industry is increasingly adopting and implementing cutting-edge cybersecurity technologies to safeguard against the growing threat of cyberattacks. Within the industry, the solar energy segment has proven to be unique because it is particularly vulnerable to cybercrime, necessitating the quick implementation of protective measures.
When it comes to cybersecurity in the solar industry, it’s important to consider more than just smart cities and homeowners with solar panels. Solar adoption has dramatically increased in recent years, with utility-scale solar installations alone reaching 182 GW (AC) in 2024. Additionally, the U.S. heavily relies on satellites for communication and military surveillance. Most satellites are powered by solar array systems, which convert sunlight into electricity. Because of this, the U.S. government has increasingly grown more concerned with solar cybersecurity, and the U.S. Department of Energy has prioritized the issue—describing secure, safe and reliable operation of solar energy as critical for the country’s national security and economy.
Recent surveys and reports have highlighted significant cybersecurity challenges in solar energy. A SecurityScorecard report released last year revealed that data breaches have impacted 90% of the largest energy companies globally, including all of the top 10 power companies in the U.S. Furthermore, a survey of professionals in the electric power and renewable energy sector by Applied Risk, a DNV company, indicated that only 54% of respondents believe their companies have strong visibility into cybersecurity vulnerabilities. In this same survey, alarmingly, only 36% of professionals consider cybersecurity a critical risk, and a mere 42% think their companies are adequately investing in protection against cyberattacks. These statistics emphasize the urgent need for effective cybersecurity technologies within the solar industry to prevent potential disruptions and financial losses.
Vulnerability of distributed energy resources
One key vulnerability that leads to challenges securing the solar energy segment against cybercrime comes from distributed energy resources (DER). DER technologies, including solar energy systems, produce and supply electricity on a small scale, which then is spread out over wide areas. DER devices are unregulated and have no mandated cybersecurity standards. Unlike centralized power plants, DER systems are often managed independently and connected directly to the internet for monitoring and control purposes. This internet connectivity introduces significant security risks, as many DER system managers do not have the expertise or resources to implement robust cybersecurity measures. Additionally, most DER devices are accessed by their owners remotely through cloud servers. While remote access is convenient for operations and maintenance of DERs, it opens a gateway for cyber threats. Hackers can exploit these access points to infiltrate DER networks, leading to their control of the entire system.
Cybersecurity challenges in IT and OT
Another area in which solar organizations are often targeted by hackers is the convergence of information technology (IT) and operational technology (OT). IT encompasses technologies that manage data and support administrative functions within solar institutions such as billing, customer service and accounting systems. OT involves programmable systems that interact directly with the physical environment such as solar arrays, inverters and building control systems that monitor and manage the production and distribution of solar energy. Like DERs, OT systems have become increasingly digital and connected to the internet without any regulation, introducing new security concerns.
One of the major challenges the solar sector faces with OT technology is the complexity of those systems and the high costs associated with upgrading or replacing equipment. Unlike IT systems, OT systems are designed for long-term use and are very infrequently replaced. This results in a mix of old and new technologies within the same infrastructure, creating gaps in cybersecurity coverage.
Barriers to achieving secure DER, IT and OT systems
Several barriers hinder secure DER, IT and OT systems in the solar industry. One of the most prominent challenges is the shortage of cybersecurity professionals with the necessary knowledge, experience and skills. Cybersecurity is a dynamic field where threats evolve rapidly. Hackers are continually developing new strategies and techniques to breach defenses, making it imperative for cybersecurity professionals to stay current with the latest developments. For the solar industry, this means not only securing existing systems, but also anticipating and mitigating future threats. However, many solar organizations lack the resources to provide ongoing training and professional development needed for their employees, further enlarging the skills gap.
Additionally, due to the nature of DER, IT and OT systems, the solar industry must be able to adapt quickly to the latest threat and implement innovative technologies. Some renewable energy organizations are implementing static, one-size-fits-all solutions in an environment where threats are continuously evolving. Solar companies must adopt adaptive, real-time security measures that can respond to new threats as they emerge. This requires a significant investment in advanced technologies such as artificial intelligence and machine learning, as well as skilled employees.
Regardless of the use of cutting-edge cybersecurity tools and artificial intelligence, employee education and behavior are critical. Even the best cybersecurity technology fails when an unsuspecting employee clicks on the wrong link embedded in an e-mail from a hacker posing as a legitimate entity. Solar companies must regularly train employees and communicate best practices to spot and identify bad actors.
Shaping the future of cybersecurity in solar energy
So, where is the industry headed? The future of cybersecurity will likely involve increased regulation and collaboration between global entities. For example, the European Union (EU) and the United States are currently working together to bolster mutual cyber resilience and foster a secure global cyberspace through ongoing dialogues and joint initiatives such as the Joint CyberSafe Products Action Plan.
While the EU implemented the Cyber Resilience Act (CRA) to enforce mandatory regulations for all digital products, the U.S. has taken a more voluntary approach with U.S. Cyber Trust Mark, which focuses specifically on the voluntary labeling of consumer Internet of Things (IoT) devices. Both initiatives are aimed at addressing the shared challenge of IoT security, and could dramatically change the landscape of cyberattacks by implementing cybersecurity standards for DER and OT devices. These regulations and programs could provide a framework for solar organizations to address current vulnerabilities and ensure the future security of critical infrastructure in the solar energy sector.
Moreover, the demand for solar energy is projected to continue rising – solar power is projected to remain the fastest-growing source of electricity, with BloombergNEF reporting that the world installed 600 GW of solar in 2024. This exponential growth coupled with rapid economic expansion within the utility industry resulted in an increase in stock values in 2024. As demand and stock prices rise, solar energy organizations will have more resources to invest in cybersecurity improvements. Financial capability combined with the anticipated regulations will drive significant advancements in the cybersecurity of solar energy systems, ensuring its reliability and safety.
Solar and renewable energy organizations face significant challenges in cybersecurity that must be addressed to establish consistent and secure operation. The increase in skilled professionals, adoption of cutting-edge cybersecurity technologies, increased regulation and continued economic growth will all be critical components to bolstering cybersecurity in the solar sector.
Wayne Tung is managing director of Sendero Consulting, a management consulting firm specializing in a variety of industries, including utilities, offering strategic IT and operational expertise to help organizations navigate complex challenges and drive transformation. Through more than 20 years of consulting and industry experience, Wayne has successfully delivered numerous consulting engagements for energy, manufacturing, and government clients, primarily involving large outsourcing initiatives with offshore components, spend optimization, technology implementations, and technology migrations.
The views and opinions expressed in this article are the author’s own, and do not necessarily reflect those held by pv magazine.
This content is protected by copyright and may not be reused. If you want to cooperate with us and would like to reuse some of our content, please contact: editors@pv-magazine.com.
By submitting this form you agree to pv magazine using your data for the purposes of publishing your comment.
Your personal data will only be disclosed or otherwise transmitted to third parties for the purposes of spam filtering or if this is necessary for technical maintenance of the website. Any other transfer to third parties will not take place unless this is justified on the basis of applicable data protection regulations or if pv magazine is legally obliged to do so.
You may revoke this consent at any time with effect for the future, in which case your personal data will be deleted immediately. Otherwise, your data will be deleted if pv magazine has processed your request or the purpose of data storage is fulfilled.
Further information on data privacy can be found in our Data Protection Policy.