Lack of safety standards jeopardizes grid stability
DNV report warns of cyber risks from networked solar systems - call for EU-wide security standards for PV systems
05.05.2025
Source: E & M powernews
The new DNV report reveals security gaps in solar systems connected to the internet. Outdated safety standards in particular are putting power grids at risk.
A recent report by the Norwegian testing and quality institute DNV, commissioned by Solar Power Europe, criticizes current cyber security regulations as insufficient to address the threat posed by decentralized, digitally networked PV systems. New standards for solar systems are needed.
According to the authors of the report, the large number of small-scale systems with an internet connection poses a particular challenge to the stability of the European electricity grid. The report identifies significant weaknesses in the digital infrastructure of PV systems and shows that existing regulatory frameworks for centralized energy infrastructure are not transferable to decentralized systems.
In its risk analysis, the report highlights risks from direct control of inverters, for example to provide grid services and updates. On the one hand, DNV notes that utility-scale systems are safer. They are often managed by experienced utilities and covered by the EU NIS2 Directive.
Regulatory gaps for decentralized generators
On the other hand, small solar systems, which are often installed on roof terraces, lack strict cyber regulations. They are connected to the clouds of manufacturers, installers or service providers. While the impact of compromising a single installation is small, these systems, when aggregated for energy consumption efficiency, become large-scale virtual power plants.
The authors therefore classify the existing risk as high, especially if targeted attacks affect several gigawatts of PV power at the same time. According to the DNV report, simulations have shown that a coordinated shutdown of 3,000 MW of PV power can have a significant impact on the European grid. The market is dominated by a small number of manufacturers, each of which has access to more than 10,000 MW of installed inverter capacity. A successful attack on one of these manufacturers or a compromise by state-controlled actors could lead to the destabilization of the grid.
According to the authors, a key problem is that many PV systems - especially in the lower power range - are not classified as critical infrastructure and therefore do not fall under the requirements of existing security regulations such as the NIS2 directive or the Network Code on Cybersecurity (NCCS). Operators of these systems are often private individuals or small companies without IT expertise. However, manufacturers, installers and aggregators are increasingly gaining remote access to these systems - often without appropriate security measures.
Current regulation assigns responsibility for cyber security to the operator. This structure is not applicable to small, decentralized PV systems. In the authors' view, there is a lack of clear responsibilities and mandatory security standards, particularly for remote access and cloud components, which are often hosted outside the EU.
First, the report recommends developing industry-specific guidelines for a secure PV infrastructure. Existing standards such as ISO 27001 or IEEE 1547.3 are not specific enough. There is a need for detailed European guidelines that include inverters, cloud systems and communication infrastructure.
Second, the report names restricting remote access and data storage outside the EU as the other main measure. The EU should only allow the control of aggregated systems above critical thresholds from secure third countries. This applies to direct control as well as firmware updates.
The full report is available on the solarpowereurope.org website. Cybersecurity will also be addressed at this year's "The smarter E Europe" as part of the trade fair and conference.
Author: Heidi Roider