Solutions for data security in photovoltaic inverters

Encrypted communication in inverters is as important as in other technologies on the market

In the article Cybersecurity in photovoltaic systems, we addressed in general terms the problems, risks and needs that exist in the world of solar energy regarding data security and the prevention of cyber attacks.

The internet offers a great communication environment for the growth of photovoltaic systems towards smart grids. The level of data security required for inverters needs to be high. It can be guaranteed through the efforts of manufacturers, installers and operators, and network encryption plays a fundamental role in this process.

Encrypted communication in inverters is as important as in other technologies on the market, as the energy transition is becoming increasingly important in the direction of smart grids. Smart energy grids – or smart grids – are electrical networks fully integrated through communication technologies. Inverters in photovoltaic systems also use these technologies, with the ability to control and monitor photovoltaic systems remotely.

In the context of smart grids, inverters can be used for functions that go beyond their original mission, which is the injection of active power into the electrical grid. These new functions include communication with control centers to regulate the voltage of distribution networks, in addition to controlling the power factor in installations, limiting generation in special situations (such as in high impedance networks with excess generation) and the management of generation and storage in hybrid networks (to carry out peak shaving, for example), among other things.

Perhaps the main reason to be concerned is the fact that photovoltaic inverters, as well as their communication hubs, data loggers and monitoring platforms, are based on the global internet communications infrastructure. This is a fait accompli and a trend whose reversal would be difficult and costly. Furthermore, why avoid using the internet, a network with an almost global reach on the planet, especially now that companies like Starlink are starting to operate internet services with a global reach?

Commercial solutions for the safety of photovoltaic systems

Companies like SMA are committed to increasing data security on the networks to which their equipment is connected. The inverter manufacturer uses a system called WebConnect, which offers encrypted communication between devices and its monitoring portal, Sunny Portal. This communication has been tested and proven effective thanks to its SEC communication system, Speedwire Encrypted Communication.

SMA was the first manufacturer to develop technical innovations in the field of communication systems. The latest inverter software versions enable fully secure and encrypted inverter communication, offering customers superior protection against hacker attacks. For many years, SMA has employed data encryption in communications between inverters and the Sunny Portal, which is the largest photovoltaic system monitoring portal in the world, currently with more than 400,000 registered users. The portal is regularly evaluated by external data security experts.

SMA is actively involved with international associations to seek cybersecurity solutions for inverters and power grids. The company participates in working groups such as the Association for Electrical, Electronic and Information Technologies (VDE), the SunSpec Alliance and the Open Web Application Security Project (OWASP). The SunSpec / Sandia working group aims to support the development of resources for distributed energy generation and define best practices in cybersecurity, in addition to defining concepts that will integrate international data security standards in electricity networks. One of the results of the working group is the 67-page report titled “Roadmap for Photovoltaic Cybersecurity”, published in 2017.

The SMA encrypted communication system

To increase product security, the local system can be encrypted and protected against unauthorized access by third parties. As with data communication over wide area networks, SMA WebConnect now also offers encryption of data communication on local networks. To activate SEC, it is necessary to add an SMA data logger linked to Sunny Portal to the system.

Operating diagram of the SMA data encryption and security system, which can be applied to the local area network (LAN) and external network (WAN) layers.

SEC technology provides two different levels of security: basic and advanced. The basic function significantly increases the security of data communication. In the future this function will be standard for all new products, such as data loggers and gateways from SMA.

For installers or system owners there will be no additional effort in activating these functions. After system activation, data communication is automatically encrypted. This basic function is available for data loggers from version 1.6.8 R.

The advanced level allows communication to be made even more secure with small changes to the installation procedure. Unlike basic security, it requires encryption between devices to be configured manually, by entering the PIC/RID codes (product identification code/registration identifier) for each device.

It is possible to encrypt the system's network only if all Speedwire devices on the network support this encryption. SEC technology cannot be used with data loggers from other manufacturers. Only the Sunny Explorer software supports advanced security, but this function will be available soon for SMA Data Manager M.

The Data Manager M is an SMA data hub that optimizes communication, monitoring and control of photovoltaic systems with up to 50 devices. Based on a new IoT (internet of things) platform for energy management, the Data Manager M is equipped to deal with the new business models of the energy market of the future. For example, it is the ideal interface for electrical service companies, direct marketers, service technicians and photovoltaic system operators.

Tips for secure network communication in the photovoltaic system

Most operational activities, such as monitoring and controlling photovoltaic systems, can be performed locally by the system operator without the need for data communication. However, inverter communication and control activities require connection to a remote communication network.

Photovoltaic systems generally employ global communication systems that are based on existing internet infrastructures. Data communication via the internet is economically viable and customer-friendly, as it facilitates easy access to monitoring for anyone with internet access. Monitoring can be accessed on platforms such as Sunny Portal, smartphone applications or utility interfaces for network management services.

When using internet infrastructure, systems are entering an unsecured area. Potential attackers constantly look for vulnerable systems. To effectively protect photovoltaic systems against unwanted attacks, the local network must be kept as secure as possible. When a photovoltaic system or similar system is connected to the internet, the system operator has the following responsibilities:

  • Knowledge of all active devices on the local network
  • Knowledge of communication requirements and capabilities of all devices
  • Knowledge of possible vulnerabilities of all devices
  • Knowledge of all accounts that access the system
  • Using secure passwords
  • Install and configure all necessary security measures related to cybersecurity (router, firewall, proxy)
  • Examine and, if necessary, improve security measures

Systems connected to the internet are not completely secure as they can be used to gain access to the customer's network. This can result in attacks on almost every device on the network. The risks of these attacks involve spying on usernames, passwords and other confidential data, as well as access and control of all devices connected to the network.

Basic requirements for a secure internet system

  • Check if the firewall and the proxy server are configured correctly
  • Make sure to use physically separate network segments for PV system network connections
  • Ensure that unauthorized persons cannot physically or virtually access inverters and other devices connected to the grid (data loggers)
  • Prevent physical manipulation of the local network system by unauthorized persons
  • Avoid using devices with spyware on the local network
  • Prevent your product registration ID (RID) from being illegally collected
  • Keep all passwords secret
  • Regularly check the activity history files of all your devices
  • Do not connect unknown memory devices (USB, memory cards)
  • Create regular system backups
  • If you suspect or detect that an attack has occurred, immediately inform your inverter manufacturer's technical support

Secure passwords

Concerned with this entire digital transformation, SMA also created new rules for the passwords used, aiming at security and protection against unauthorized access. Since August 2019, new devices that have received the firmware have had to obey the new password rules, both for the user and the installer. But it is important to note that on devices already installed and configured with access credentials before the update, the passwords remain valid even after the update.

The new rules for passwords are listed below:

  • 8 to 12 characters
  • At least one lowercase and one uppercase letter
  • At least one number
  • At least one of four special characters: (?, _, !, -)

User passwords from the “installer” group are used for communication between data loggers, inverters and the WebConnect system. This is why the installer password is called the system password: proper system-wide communication is only possible if all inverters have been assigned the same password. An example of this:

SMA password system.

With these new rules, SMA devices guarantee a certain level of security. What is very important when choosing a secure password is to avoid using personal data, such as your name or number combinations. Avoid using letters that are side by side on the keyboard and never use the same password for different systems. And if you forget the inverter password, you can unlock it with a personal unlocking key (PUK). Simply request this key directly from SMA technical support.

Inserting an inverter into the system

An inverter can be inserted into a communication system through a data logger. If the system does not have a data logger, it is possible to assign passwords through the user interface on the inverter, in accordance with the new rules mentioned.

An example of this configuration for the Sunny Boy:

  1. Set up a connection to the device
  2. When you open the inverter interface a user group password is requested
  3. Select the language and enter the user group password twice. Compliance with new password rules is checked (five green checkmarks)
  4. Press “Save”
  5. You will be asked for an installer password
  6. Select the language and enter the password for the installer group (i.e. system password) twice. Compliance with new password rules is checked (five green checkmarks). Check that the assigned password is not the same as the user's password
  7. Save entries and access
  8. The user interface for the remaining inverter commissioning steps opens
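The password rules listed above, the shared installer (system) password and the step 6 check that the installer password differs from the user password can all be verified on a planned set of credentials before commissioning. The Python below is an added example, not SMA code; the function names, the QWERTY three-key run test (standing in for the advice on adjacent keys) and the sample plan are assumptions made for illustration.

```python
import re

# The four password rules listed in the article (the letter rule is split in two).
SPECIALS = "?_!-"
RULES = {
    "length 8-12": lambda p: 8 <= len(p) <= 12,
    "lowercase letter": lambda p: re.search(r"[a-z]", p) is not None,
    "uppercase letter": lambda p: re.search(r"[A-Z]", p) is not None,
    "digit": lambda p: re.search(r"[0-9]", p) is not None,
    "special (?, _, !, -)": lambda p: any(c in SPECIALS for c in p),
}
# Assumption: QWERTY rows and a run length of 3 approximate the article's
# advice to avoid letters that sit side by side on the keyboard.
ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")

def has_keyboard_run(pw, n=3):
    low = pw.lower()
    chunks = (low[i:i + n] for i in range(len(low) - n + 1))
    return any(c in row or c in row[::-1] for c in chunks for row in ROWS)

def check_password(pw):
    """Return the names of the rules that pw fails (empty list = compliant)."""
    failed = [name for name, ok in RULES.items() if not ok(pw)]
    if has_keyboard_run(pw):
        failed.append("keyboard run")
    return failed

def check_plant(plan):
    """plan maps inverter name -> (user_pw, installer_pw); returns findings."""
    findings = []
    for name, (user_pw, inst_pw) in plan.items():
        for role, pw in (("user", user_pw), ("installer", inst_pw)):
            findings += [f"{name}: {role} password fails {r}"
                         for r in check_password(pw)]
        if user_pw == inst_pw:
            findings.append(f"{name}: installer password equals user password")
    # The installer password is the system password: one value plant-wide.
    if len({inst for _, inst in plan.values()}) > 1:
        findings.append("plant: installer (system) password differs between inverters")
    return findings

# Constructed sample plan for the example, not real credentials.
PLAN = {
    "inv-1": ("Sun7-harvesT", "Gr1d!MeterZ"),
    "inv-2": ("qwerty12", "Gr1d!MeterZ"),
    "inv-3": ("Vo1t_Amper3", "Vo1t_Amper3"),
}
```

The page does not say whether characters outside these sets are accepted, so the check does not reject them.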


Solar Channel Engineering Team