EN 
PT_BR 
That solar energy is in evidence in the world is no secret to anyone, but what is not talked about much is cyber security in these systems.
Is there a standardization of safety protocols in inverter communication systems today? How do manufacturing companies take into account the security behind their equipment? Is there a secure communication protocol between the inverters and the grid?
Encrypted communication in inverters is as important as in other technologies on the market, as the energy transition is becoming increasingly important in the direction of smart grids.
Smart energy grids – smart grids – are electrical networks fully integrated through communication technologies.
Inverters in photovoltaic systems also use these technologies, with the ability to control and monitor photovoltaic systems remotely.
The risk of invasion, espionage and sabotage has always existed in industrial data networks and this cannot but be a concern in the communication networks of photovoltaic systems.
The biggest concern in the security of data from inverters and control systems in general is the risk of intentionally caused “blackouts”, which could lead to the joint shutdown of large numbers of distributed generation systems or – even more worrying – solar plants centralized.
Apparently harmless, these blackouts can put the stability of electrical networks at risk as the participation of photovoltaic sources increases in the energy matrices of many countries.
The same risks also apply to wind systems, whose participation is already significant in electricity generation in many parts of the planet, including Brazil.
Perhaps the main reason to be concerned is the fact that photovoltaic inverters, as well as their hubs of communication, data loggers and monitoring platforms are based on the global internet communications infrastructure.
This is a fait accompli and a trend whose reversal would be difficult and costly. Furthermore, why avoid using the internet, a network with an almost global reach on the planet – especially now that companies like Starlink are starting to operate internet services with a global reach?
The internet offers a great communication environment for the growth of photovoltaic systems towards smart grids.
The level of data security required for inverters needs to be high, which can be guaranteed through the efforts of manufacturers, installers and operators, making network encryption play a fundamental role in this process.
In the context of smart grids, inverters can be used for functions that go beyond their original mission, which is the injection of active power into the electrical grid.
These new functions include communication with control centers to regulate the voltage of distribution networks, in addition to controlling the power factor in installations, limiting generation in special situations (such as in high impedance networks with excess generation ) and the management of generation and storage in hybrid networks (to carry out peak shaving, for example), among other things.
Cyber risk in the energy sector: fiction or reality?
Can inverters be used to sabotage the electrical grid? Would this be a real possibility or just a subject for spy plots in theaters?
Electrical grids have always been supported by communication systems, but there have never been reports of blackouts caused by cyber attacks orchestrated by belligerent nations or terrorist groups. Why should we care about this now?
Hackers or terrorists in control of the inverters can sabotage the control modes, disturbing the stability of the electrical networks and potentially causing blackouts deliberately or as a consequence of the action of existing protection mechanisms in the electrical networks.
Saboteurs can also simply cause, by changing inverter configurations, economic losses that may take a while to be noticed.
The expansion of the use of photovoltaic solar energy and the increase in the number of inverters connected to data networks can make these threats very serious. A small number of inverters would be unable to cause catastrophic disturbances in an electrical distribution network.
However, a large number of inverters commanded simultaneously to control the increase in voltage at different points in a distribution network could cause the electrical system to collapse.
At the local distribution level, this type of attack would already be a big problem. If we expand the area of reach of an attack we can reach the level of substations or transmission systems, causing major catastrophes.
The discussion about whether facts like these are still fiction or are close to becoming reality is irrelevant. Data security on power grids is something to worry about now, before the risk becomes more real than we could imagine today.
In some cases this risk is already very real. Although the energy supply was not compromised, in June 2020 the company Light, an electricity distributor in Rio de Janeiro, was the victim of a cyber attack that led to the kidnapping of administrative and financial data and demanded a ransom of around of R$ 37 million.
Recently in Brazil, other large companies such as Honda and Natura also suffered cyber attacks, including problems with production interruptions.
At the beginning of 2019, in a somewhat picturesque event, a group of North American senators requested a ban on inverters from the manufacturer Huawei, considering that its presence in the US market was a threat to national energy security.
The movement led by this group of senators did not present technical evidence, but used as a basis a law enacted in that country that prohibited state agencies and bodies from purchasing telecommunications products from Huawei and other Chinese companies.
Opinions found in the market indicate that political actions like these, even if they may be supported by technical evidence (which was not the case in this episode), are not very effective.
Banning one or another company from the market will not effectively raise the security standards of any communication or energy network.
Although it is one of the world's largest inverter manufacturers, Huawei is not the only one and its eventual ban from the market in some country would create a void that would be immediately filled by other companies.
Research and commercial solutions for the safety of photovoltaic systems
Research on encryption and data security is already a reality in the renewable energy segment. Since 2016, the University of Berkeley (USA) has been investigating solutions to mitigate cyber threats on photovoltaic inverters.
These threats become more relevant as inverters become smarter and communicate with data networks.
Possible solutions for cyber attacks of the future include the use of artificial intelligence in inverters, which, upon realizing that they are being tampered with (or are receiving strange orders) can carry out emergency control actions.
These intelligent algorithms would not be accessible to hackers and would be like an incommunicable compartment of the inverters' internal control systems.
In this way, inverters become at least partially immune to attacks and are able to make individual decisions when there are problems in the communication networks.
Inverter manufacturers find themselves at a crossroads. On the one hand, they are pressured by the market to open up their control algorithms or to provide functions in the inverters that can be controlled externally through standardized communication protocols.
On the other hand, they are already feeling the pressure of the need to increase the security of inverter communications in smart grids.
Companies like Morningstar, SMA and Enphase are committed to increasing data security on the networks their equipment is connected to.
The first is a recognized manufacturer of equipment for systems off-grid and is concerned with the security of systems, since even autonomous systems already connect to clouds on the internet and can be monitored and controlled by applications on cell phones.
The second company mentioned is an important manufacturer of type inverters. grid tie, being recognized as one of the precursors of inverter technology in the world.
The manufacturer uses a system called WebConnect, which offers encrypted communication between devices and your monitoring portal Sunny Portal.
This communication has been tested and proven effective thanks to its SEC communication system – Speedwire Encrypted Communication (Encrypted Communication Speedwire).
Enphase, a manufacturer of microinverters, has always treated its products as IoT (internet of things) units, that is, equipment that at its root is already connected to a communication network for monitoring and control purposes.
In products of this type, data security from the beginning of development has always been a concern. The company has software engineers specialized in security architectures, who investigate and develop constant improvements to reduce the risk of cyber attacks on products.
Enphase microinverters employ encryption features and intrusion blocking functions, in addition to having encrypted embedded software update capabilities.
As if all this were not enough, the company employs end-to-end encryption on all information exchanged between its microinverors and the cloud monitoring platform.
In addition to those mentioned, other global inverter manufacturers are part of the Sunspec / Sandia working group, whose objective is to support the development of resources for distributed energy generation and define best practices in cybersecurity, in addition to defining concepts that will integrate the standards international standards for data security in electricity networks.
One of the results of the working group is the 67-page report titled “Roadmap for Photovoltaic Cybersecurity”, published in 2017.
Guidelines for secure communication in the photovoltaic system
Most operational activities such as monitoring and control of photovoltaic systems can be carried out locally by the system operator without the need for data communication.
However, inverter communication and control activities require connection to a remote communication network.
Photovoltaic systems generally employ global communication systems that are based on existing internet infrastructures.
Data communication via the internet is economically viable and customer-friendly, as it facilitates easy access to monitoring for anyone with internet access.
Monitoring can be accessed on platforms such as Sunny Portal (from SMA), applications in smartphones or utility interfaces for network management services.
When using internet infrastructure, systems are entering an unsecured area. Potential attackers constantly look for vulnerable systems.
To effectively protect photovoltaic systems against unwanted attacks, the local network must be kept as secure as possible.
When a photovoltaic system or similar system is connected to the internet, the system operator has the following responsibilities:
- knowledge of all active devices on the local network;
- knowledge of communication requirements and capabilities of all devices;
- knowledge of possible vulnerabilities of all devices;
- knowledge of all accounts that access the system;
- use of secure passwords;
- installation and configuration of all security measures related to cybersecurity (router, firewall, proxy);
- risk analysis and continuous improvements in security measures.
Systems connected to the internet are not completely secure as they can be used to gain access to the customer's network. This can result in attacks on almost every device on the network.
The risks of these attacks involve spying on usernames, passwords and other confidential data, as well as access and control of all devices connected to the network.
Conclusion
Cyber attacks carried out by hackers or terrorist groups, although they may currently be considered fictional, could become serious threats with the expansion of the use of renewable sources such as solar and wind and the transformation (already underway) of networks electrical in the direction of smart grids.
Intelligent and communicable inverters will be increasingly present in photovoltaic systems, both in the distributed and centralized generation segments.
Concern about data security and encryption is a reality of the present and not a projection for the future.
Research centers and companies are already concerned with this problem and commercial solutions with data encryption are already commercially available and made available by inverter manufacturers.
A photovoltaic plant needs to correctly follow all safety guidelines provided by manufacturers for inverters, data loggers and monitoring and control portals.
Data encryption is necessary in communications between photovoltaic system components, mainly between inverters and data platforms.
New security standards will be increasingly important in systems as power grids become smarter and make greater use of the global internet infrastructure, which requires high security standards to ensure reliable operation and immunity to cyber attacks.
References
- Public Cyber Security, white paper produced by SMA
- New SMA password rules, white paper produced by SMA
- Statement by SMA technology AG: on the cyber security of PV inverters (horus scenario), white paper produced by SMA
- SMA Speedwire Encrypted Communication (SEC), white paper produced by SMA
- Jay Johnson, SANDIA REPORTSAND2017-13262, Roadmap for Photovoltaic Cyber Security, 2017
- Sunspec Alliance/Sandia DER Cybersecurity Working Group, https://sunspec.org/cybersecurity-work-group/
- Kelsey Misbrener, “Cyberattacks threaten smart inverters, but scientists have solutions”, Solar Power Word, 2019
