Better protection for critical infrastructure – cyber security for PV systems

By:
Vivian Bullinger, Solar-Log GmbH, Product Marketing
Max Miller, Solar-Log GmbH, Information Security Officer (ISO)

28 July 2025 • 4 min read

The digitalization of photovoltaic systems is steadily increasing and offers users and operators enormous advantages: Remote monitoring, performance optimization, predictive maintenance. However, networking increases the security risks. Various scenarios are conceivable if adequate protection is not provided. For example, hackers could target unprotected PV systems, tap into access data, manipulate systems or even destabilize the power grid.

Current studies show that over 76% of PV systems in Europe are unintentionally publicly accessible on the internet. In Germany and Greece, around 20% of PV systems are affected. (Source: www.forescout.com, www.forescout.com/resources/sun-down-research-report )

However, there are ways to actively protect your PV system and sensitive data.

 

Attack points for PV systems

There are various points of attack for unauthorized access to PV systems. In order to protect them effectively, it is important to know and identify these in advance. We have summarized the biggest vulnerabilities here: Inadequate password protection Some inverters, monitoring devices or gateways are publicly accessible via standard passwords or without VPN and are therefore vulnerable.

Weak authentication Weak authentication hides the general password problem. Simple passwords without additional authentication procedures are a major point of attack. Two-factor authentication (2FA) is increasingly being used for passwords. Here, the user must select a second option in addition to the actual password, which they can then use to log in.

Firmware updates Firmware updates from manufacturers are often ignored. Manufacturers regularly release new updates for their systems. In addition to new functions and bug fixes, these updates often contain cyber security-relevant innovations. In addition, the lack of the latest updates may allow backdoors through which Trojans or so-called malware can be infiltrated.

 

Main risks of cyber attacks for PV systems

If unauthorized persons have gained access to the PV system, there are various options as to how they can misuse this access. The targets can be very different. Knowing these helps to protect the systems.

Manipulation of power & grid stability Successful attacks on PV systems can influence feed-in power and, in extreme cases, lead to grid instability or power outages. Of course, a large number of individual PV systems or a few very large ones must be attacked here, but the impact in such a case would be serious. In the case of smaller systems or individual systems, it is primarily the operators who are affected by the negative effects.

Ransomware and sabotage Ransomware attacks can encrypt the data of entire PV control systems. The operator is then often blackmailed with the shutdown of the system, which is then only released again after payment of high demands.

 

Effective protection of the points of attack

So how do you protect yourself against attacks and the possible consequences? The responsibility here lies not only with the manufacturers but also with the operators. They must implement the manufacturer's measures and constantly keep an eye on whether the systems are up to date.

  • Network segmentation PV components should be strictly separated from the home or company LAN and ideally only accessible via dedicated VPN channels. Remote access to monitors etc. must never be unencrypted or public.
  • Strong authentication Standard passwords must be changed immediately. All applications should use multi-factor authentication (MFA) to prevent identity theft.
  • Regular updates & patches Firmware and software updates are mandatory. Manufacturers are continuously working on so-called manufacturer patches, i.e. updates for software that address security vulnerabilities. The patches are included in the firmware updates and must be installed by the operators.
  • Monitoring & logging All access and configuration changes must be auditable. Special monitoring tools help here by detecting anomalies and unauthorized access at an early stage.
  • Backup & incident response An emergency plan for data leaks or system failures is essential. Data must be backed up and those responsible must know how to react correctly to incidents.
  • Employee training It is important that technical employees and operators are regularly trained in cyber security and sensitized accordingly - for example, about phishing attacks, social engineering or social media risks.
  • Data protection & GDPR Always make sure that manufacturers have a corresponding data protection regulation. Live electricity data contains personal information and therefore requires special protection. It may only be passed on on a contractual and legal basis, in accordance with GDPR regulations.

Security measures in PV monitoring

In principle, the points listed above apply to all PV system systems that allow attackers to access the system. In addition to inverters and gateways, this also includes PV monitoring and PV management systems. The so-called "energy managers" in particular, such as those from Solar-Log, form the interface between the PV system and the energy suppliers and must be protected accordingly.

The example of Solar-Log shows how such systems are protected - both by the manufacturer and by the operators.

A key issue in protecting the PV system is securing data transmission. Solar-Log relies on modern encryption standards such as TLS (Transport Layer Security) to ensure secure communication between devices, portals and mobile applications. In addition, data in the cloud is also protected by encryption. The cloud service providers used are certified in accordance with ISO 27001, which guarantees high standards of security and availability.

Another focus is on user and access management. Solar-Log uses the principle of least privilege and introduces role-based access control. Users must use strong passwords and two-factor authentication (2FA) is offered on request. Access processes are fully logged and can be analyzed if required.

Strict security principles are also followed in software development. The source code is checked internally, regularly scanned for vulnerabilities and checked by external penetration tests. This is to ensure that vulnerabilities are discovered and eliminated at an early stage. Customers are informed about security-relevant updates and receive clear instructions on how to install new firmware.

In the event of a security incident, Solar-Log has its own incident response team. This team analyzes and evaluates detected security problems, coordinates countermeasures and informs affected users as quickly as possible. The response processes are documented and regularly tested. Particularly noteworthy is the response to known vulnerabilities such as CVE202247767 (backdoor in older firmware versions), which have been rectified by corresponding updates.

In addition, Solar-Log already pays attention to security aspects during product development ("Security by Design"). This includes, for example, the use of PKCE (Proof Key for Code Exchange) for web authentication. The integration of secure technologies and the protection of local device interfaces against unauthorized access are also standard.

In summary, it can be seen that a holistic approach to cyber security is being pursued. This combines technical measures with organizational processes and focuses on transparency and continuous improvement.

 

The image shows the network communication of the Solar-Log™ Base PV energy management system in a secure customer network. Here, data is transferred to the Solar-Log WEB Enerest™ online portal and firmware and bundle updates are carried out. This architecture ensures secure, structured communication between local devices, cloud services and optional partners such as direct marketers or external servers.

Supplementary measures by manufacturers and authorities

In addition to users and manufacturers, the topic of "cyber security in PV systems" is also an important issue for public authorities.

National recommendations

The German BSI expressly warns against allowing grid-serving control via internet-enabled components from abroad. Instead, decentralized technologies such as smart metering systems are recommended in order to minimize possible backdoors (source: pv-magazine.de).

Classification as critical infrastructure

Large PV parks of 104 MW or more are classified as KRITIS. Operators must comply with IT security standards, enable regular audits and take special measures against sabotage.

Recommended Guidelines:

  • NIST Cybersecurity Framework: is a voluntary collection of guidelines and best practices developed by the National Institute of Standards and Technology (NIST) to help organizations manage and mitigate their cybersecurity risks. It provides a structured approach to cybersecurity risk management that integrates existing standards, guidelines and best practices.
  • CISA Recommendations: issues recommendations and guidance on various aspects of cybersecurity aimed at organizations and individuals. These include general cybersecurity practices as well as specific recommendations for critical infrastructure protection and secure technology procurement.
  • Zero Trust Architecture (ZTA): Assumption that every device on the network is considered potentially compromised. It is a cybersecurity framework based on the principle of "never trust, always verify". It assumes that no user or device, even within a conventional network, should automatically be classified as trustworthy.

Conclusion

Today, photovoltaic systems are far more than just modules made of glass and silicon - they are part of complex cyber-physical systems. Increasing digitalization offers many opportunities, but the risks range from data breaches to critical disruptions to the energy infrastructure.

Users should be vigilant, secure systems and actively deal with updates and employee training. Providers such as SolarLog offer a solid technical basis: role-based access, MFA, pen tests, IDS and incident response are cornerstones of their security concept.

Last but not least, politicians and authorities have also made their contribution: The BSI demands decentralized control and trustworthy technologies; large systems are subject to KRITIS standards.

Only a holistic approach - from hardware, software and networking to organizational and compliance aspects - can make PV systems future-proof and resistant to threats.

 

 

More about Solar-Log

At the beginning of the 2000s, we started our activities in the field of solar energy as pioneers. Looking to the future, we recognized even then the increasing importance of alternative energy sources.

In view of the finiteness of fossil energy sources and the emerging increase in energy demand, we set the course for ourselves. In order to secure an independent power supply with photovoltaics, we continuously pushed the development of innovative and customer-specific energy system solutions.

Today, as an independent partner, we enable companies worldwide to efficiently and profitably manage the energy of their photovoltaic systems with reliable monitoring, and high-quality "Made in Germany" products. By these means, we are able to support them in making an active contribution to the energy turnaround and to protecting the environment.

Learn more