In July 2024, a software update from cybersecurity firm CrowdStrike caused Microsoft Windows systems to crash globally — grounding commercial airlines and halting credit card processing. The U.S. Government Accountability Office said it was potentially the largest IT outage in history, affecting a wide range of critical infrastructure like emergency services, financial institutions and communications.
Just as susceptible to hacks and tech-related outages is the distributed energy sector, as more internet-connected inverter-based resources like solar power come online. Renewables as a whole surpassed 30% of U.S. electrical generation for the first time in Q1 and will only keep growing.
Most distributed solar systems are run by just a handful of inverter brands — in 2023, the top five residential inverter suppliers represented 96% of the market, according to Wood Mackenzie. This concentrated market means any software update errors or hacks could affect a whole lot of systems.
“It’s a new technological phenomenon that you have completely decentralized, small systems in the millions that are becoming a big chunk of the energy mix, and that’s a different challenge to protect,” said Uri Sadot, cybersecurity program director for SolarEdge Technologies.
Utility-scale solar projects are governed by the Critical Infrastructure Protection cybersecurity requirements of the North American Electric Reliability Corporation (NERC), but smaller projects have had no similar standardized rules to adhere to until now.
“Imagine something similar in the solar industry, like a CrowdStrike [error]. If an inverter manufacturer has inverters covering 95% of residential solar … if one update can go wrong, what would be the impact to the entire neighborhood, then to the entire community and then to the entire grid?” said Danish Saleem, an electrical engineer and senior researcher in NREL’s Energy Security and Resilience Center.
Saleem has dedicated the past eight years to strengthening cybersecurity for distributed energy resources like residential solar power. He has built relationships with inverter manufacturers, utilities, aggregators, cloud service providers and other stakeholders to understand what’s needed to keep individual home systems and the grid safe.
This research has resulted in a multi-faceted approach to distributed solar cybersecurity, with the centerpiece being a new certification through UL Solutions.
“Most of the safety certifications — inverter safety, device safety, battery safety — those are UL certifications,” Saleem said. “It only makes sense to have cybersecurity certification also under the UL umbrella.”
The UL 2941 standard focuses on cybersecurity measures that should be included in every residential inverter to prevent widespread internal software crashes or hacks from outside entities. The standard lists 10 different domains that products must address to be listed as 2941-compliant, including access control, cryptography and encryption.
“The work we did with NREL really focused on the product level, to say, ‘Let’s look at those critical attributes that can be designed into an inverter-based product to provide fundamental protection schemes that will help mitigate the possibility of a cyberattack and set the stage for all of those other systemic approaches that are required over the lifetime of the product to also be done successfully,’” said Ken Boyce, VP of principal engineering at UL.
Integrating these distributed resources into the grid is another step in the chain that’s susceptible to cyberattacks. Saleem, Boyce and others worked to address that aspect through a new guide included in IEEE 1547.3, the standard for interconnecting distributed energy resources into the power grid. The guide provides security recommendations for DER stakeholders and clarifies the broad requirements of cybersecurity for these resources.
The standards nonprofit SunSpec Alliance also released a voluntary DER Cybersecurity Initiative for inverters that is complementary to UL 2941. But the UL standard is expected to be the industry go-to as it rolls out and is adopted by different AHJs and other stakeholders.
“In some cases, that could be governed by a state utility commission. The utilities themselves sometimes will say, ‘In order for you to connect to my grid, you need to comply with this set of requirements, for example, including UL 1741 and IEEE 1547,’” Boyce said. “There are private-sector considerations where it may not be a law or a regulation that you need to comply with, but it becomes a best practice that’s specified, and people look for it as they implement these solutions to mitigate their risk.”
Solar manufacturers have been receptive to a cybersecurity standard for their products, although implementing the new programming and getting products listed to UL 2941 will come with additional costs. Many inverter companies have been working to reassure solar installers and consumers that their products are protected from attacks, but now they have UL to back up these claims.
“I think that there are a lot of companies who were really thinking about this, and saying, ‘What do we do?’ And that’s the power of developing a set of requirements. Now, you start to have a more consistent, codified approach to the way you’ll address these things,” Boyce said.
The committee that came up with UL 2941, made up of manufacturers, cybersecurity experts, utilities and more, decided to create two levels of compliance within the standard — a basic level, which the committee thinks every inverter manufacturer can and should meet, and a more advanced level. The advanced level would include higher levels of encryption and multi-factor authentication for any administrative role.
“These would be slightly harder to meet at this point, but over time, we hope this would drive higher endpoint security throughout the industry,” SolarEdge’s Sadot said.
There’s no set timeline for uptake of UL 2941, but certification is available now to give homeowners and installers more peace of mind that devices are protected. The standard is expected to be revised every few years to align with evolving cybersecurity needs.
“We can’t wait to deploy solar. We just … we can’t. We’re past that point where we can afford to say, ‘Let’s wait and make sure it’s perfect,’ right? We have to deploy, and yet, there’s a lot of work going on to say, ‘Let’s try and make that deployment as cybersecure as possible,’” Boyce said.
Herve Billiet says
This article is crucial in highlighting the real threat at hand. Thank you for shedding light on this important issue!