‘Increasing Perception of Danger’ Drives Revision of EU’s Cybersecurity Legislation

We consulted with cybersecurity specialists regarding the implications and proposals encompassed in the recent bill.

‘A Growing Sense of Risk’

The Cybersecurity Strategy for the Digital Age (CSA) articulates a framework aimed at identifying “high-risk” nations and suppliers, subsequently excluding them from vital EU digital supply chains.

This initiative largely mirrors existing prohibitions on 5G technology, notably the barring of Huawei, and attempts to diminish dependency on singular nations or suppliers. In the realm of renewable energy, this predominantly pertains to China.

“The EU’s approach to risk mitigation in the 5G sector provides a viable template for enhancing cybersecurity in renewable energy systems,” asserts Rafael Narezzi, Chief Executive Officer and co-founder of Cyber Energia.

Uri Sadot, the founder of SolarDefend and chair of the digitalisation workstream at SolarPower Europe, anticipates that the updated cybersecurity legislation will be robust and enforceable.

Europe finds itself in a novel security paradigm, as military and defense expenditures surge in response to escalating geopolitical tensions and an imperative for self-sufficiency.

“There’s an increasing awareness of risk, a mounting perception of threat, and an exceptional depth of expertise within the European Commission to grasp this transformative shift from centralized to decentralized power generation,” states Sadot, who is involved in the technical risk assessment group working to formulate recommendations pertinent to the CSA’s energy measures.

The CSA document notes concerns around solar inverters, cautioning that “kill switches could disrupt communication networks and electricity grids,” referencing a report from Reuters this year. This signals a significant commitment, suggests Sadot, particularly given the accelerated timelines for implementation outlined by the Commission.

Existing Infrastructure

The current risk assessment paradigm must address the cybersecurity vulnerabilities intrinsic to solar infrastructure already in place across Europe. Inverters remain pivotal in this context. For utility-scale solar projects, technical remedies are likely feasible, according to Sadot.

“Consider firewalls, networks, electrical switches, inverters, and meters… inverters are merely one component of a larger ecosystem,” he elaborates.

“If an inverter is deemed unreliable, compensatory measures such as fortified firewalls or enhanced inspection protocols can be implemented.”

The United States has executed a similar strategy by prohibiting Huawei inverters while leaving many in situ, imposing restrictions around their operation.

“I believe a ‘rip and replace’ strategy—removing high-risk inverters—will be the last resort that the Commission seeks to avert,” he adds. “There’s a concerted effort to minimize disruption across the industry and business sector. More likely, solutions from cybersecurity firms will be developed instead.”

“However, envision a large facility with numerous components being condensed into a compact package, akin to a residential inverter,” he remarks. “In this scenario, introducing additional safeguards becomes considerably more complex.”

This conundrum could present considerable challenges for risk assessment and political decision-makers, possibly leading to “rip and replace” initiatives for small-scale photovoltaic installations.

Politicians may hesitate to inform constituents—potentially numbering 100,000—that they must replace their inverters or home batteries due to cybersecurity vulnerabilities, regardless of the soundness of such recommendations.

For instance, the Lithuanian government limited its 2024 ‘rip and replace’ initiatives for inverters to 100 kW to mitigate backlash from environmentally conscious voters during an election cycle.

“I harbor limited optimism regarding solutions for residential and commercial settings; addressing these challenges will likely be a formidable technical hurdle,” Sadot concedes.

Nevertheless, the cybersecurity risks associated with small residential and commercial systems are profound. Suppliers of residential inverters, such as SMA Solar and SolarEdge, oversee millions of installations across Europe from centralized control points.

Virtual power plant (VPP) operators can manage multiple gigawatts of capacity distributed across numerous small installations. “It’s paradoxical, yet small systems are governed from a centralized hub,” elucidates Sadot. “It resembles ‘one ring to rule them all’; a single data center orchestrates countless systems.”

PV Tech has received indications that the Commission may contemplate extending its regulatory oversight to photovoltaic systems below 1 MW. However, solid evidence of this proposition within the CSA document remains unverified.

Should this transpire, it could substantially alter the regulatory landscape for residential and distributed photovoltaic systems, bringing hundreds of thousands of inverters from manufacturers like Enphase, SolarEdge, and SMA Solar under the scrutiny of the European Commission’s Network and Information Systems (NIS) directive, a cybersecurity legislative framework established in 2016.

Efforts are underway to seek clarification from the European Commission regarding these speculations.

US-Europe Relations

A particularly contentious issue could arise from cybersecurity threats originating in the West rather than the East. The EU’s digital ecosystem is substantially reliant on software and networks from the United States, yet relations between the two have soured in recent months.

Although specifics about “high-risk” dependencies remain elusive, active cyber incursions on Europe via American technology seem improbable. Nonetheless, U.S. tech firms with deep-rooted connections to Europe’s infrastructure could provoke apprehensions.

Changes concerning U.S. entities likely won’t commence with solar inverters, owing to the intertwined nature of the two sectors, observes Sadot. Should a decoupling of European and American technology be contemplated, it will probably not begin with inverters.

The interdependence between Europe and America is significant; numerous Fronius and SMA inverters operate in the U.S. market, alongside European companies like Siemens and Schneider Electric. The economies—and their electrical grids—are inextricably linked.

More plausible subjects for scrutiny include firms like Palantir and Oracle, which have explicit affiliations with the U.S. administration, along with the interconnected nature of both nations through cloud computing services, artificial intelligence, and various essential technologies.

Should a broader disentanglement of the EU from U.S. technological hegemony materialize, the solar sector may eventually be affected, theorizes Sadot.

New Certificates

The CSA also proposes expedited EU-wide cybersecurity certifications, planning to establish a certification within a year, extending its breadth to encompass corporate cybersecurity practices alongside government initiatives.

Narezzi previously contended that an effective certification framework should emulate that of the banking industry, in which cybersecurity is regarded as a “core operational risk,” with the organization’s license to operate intrinsically tied to regulatory compliance.

“If energy systems constitute critical infrastructure, cybersecurity cannot merely be a cursory consideration,” he continued.

“There’s an imperative to correlate cybersecurity obligations with operational rights, necessitating board-level accountability for cyber risks, mandatory governance and reporting protocols—not solely audits—and enforcement mechanisms that prioritize prevention over reactive measures.”

While the Commission’s certification ambitions have not yet reached this extent, a comprehensive EU-wide certification framework endowed with substantive authority and technical mandates could indeed effectuate a significant impact.

Yet, similar to many certification processes, there’s a risk it might devolve into a mere emblem of good intentions rather than a substantive contributor to industry security.

Nonetheless, Sadot, expressing his frustrations with existing standards and certifications, argues that integrating technical requirements and possibly scrutinizing non-EU companies might culminate in robust regulatory efficacy.

Source link: Pv-tech.org.

Reported By

RS Web Solutions
