As more companies integrate solar energy systems to meet their power needs, it is essential that they invest in cyber-secure technologies to protect against cyberthreats and ensure continuous power, says.solar technology specialists SolarEdge Technologies cybersecurity programme director Uri Sadot.

The integration of solar energy systems, specifically unsecured inverters, can expose companies to cybersecurity vulnerabilities such as ransomware attacks, data breaches and remote control by cybercriminals.

South Africa’s unique market conditions have driven many businesses towards energy independence by installing solar systems, says SolarEdge Technologies Middle East and Africa GM Laurence Lipjes.

Lipjes explains that owing to cost constraints, many people tend to choose cheaper systems that, in his view, may lack adequate cybersecurity protections or traceability. He believes that although these lower-cost options might seem appealing at first, they often “do not hold up”, potentially failing within two to three years and resulting in higher expenses over time.

Further, insecure solar systems can become a doorway for cybercriminals to infiltrate a company's financial or procurement systems, potentially accessing sensitive bank account information, he explains.

Sadot explains that the most cyber-sensitive component of a solar system is the inverter – the "brain" of the system that communicates with the Internet. Ensuring the security of this single component can drastically reduce the risk of cyberattacks on solar systems.

While high-quality, secure solar systems might slightly increase upfront costs, both Sadot and Lipjes argue that the long-term benefits far outweigh the expense.

Four Pillars of Protection
To ensure the highest levels of safety and reliability, SolarEdge employs a four-pillar strategy in its inverters. These include protecting the device, securing data, implementing network safeguards and ensuring visibility and control.

To that end, SolarEdge’s devices adhere to industry best practices for security. This includes rigorous testing and the integration of safety measures directly within the manufacturing process, ensuring that the devices are resilient against potential threats.

Recognising the sensitivity of energy data, SolarEdge protects energy usage patterns information, as it could reveal private details about users. It also takes steps to safeguard this data by using encryption, managing data storage in European facilities compliant with General Data Protection Regulation standards, and continuously monitoring for anomalies.

Sadot explains that SolarEdge prioritises ensuring that its systems integrate securely with customer networks. Whether connecting with electric vehicle (EV) chargers, batteries, or other devices, SolarEdge is transparent in how its systems interface with these networks, prioritising security at every connection point.

It also provides real-time data on system performance and alerts users to any suspicious activity. This ensures that security teams are always informed and able to act swiftly in the event of irregular behaviour, such as overheating or continuous system restarts.

Further, Sadot explains that SolarEdge places a strong emphasis on securing its supply chain. Consequently, the company has a vetting process for component vendors, and it manufactures some of its own microchips, which ensures no "backdoor vulnerabilities" are on the chip. 

Additionally, SolarEdge partners with cybersecurity firms to respond effectively should a breach occur, preparing leadership through regular drills and ensuring that they are ready for any incident.

“Cybersecurity is a quality, not just a set of features,” says Sadot, warning that low-cost alternatives often lack critical safeguards.

Regulatory Concerns
Sadot emphasises the need for regulators to understand the cybersecurity risks associated with low-cost, insecure solar systems and subsequently introduce regulations that help to safeguard users. Theoretically speaking, if a large number of inverters were to malfunction by accident, or by a coordinated and malicious cyber-attack, the disturbance would easily be large enough to impact the entire South African grid for a prolonged period, he says.

Lipjes adds that South Africa is “behind the curve” in implementing regulations both in terms of safety and cybersecurity in PV systems. He explains that the country’s demand for PV systems has often been viewed as short-term solution to loadshedding, which has resulted in lack of regulation.

This lack of regulation has resulted in a flood of substandard products entering the market, raising concerns about the long-term sustainability and safety of these installations.

As more emphasis is put on ensuring long-term energy independence and renewable-energy integration, Lipjes calls for higher standards in installation practices and system requirements.

Sadot urges companies investing in solar systems to carefully consider future regulatory changes, as the costs and complexities associated with retroactive compliance could become substantial.

He explains that regulatory frameworks are likely to evolve within the next five to ten years, potentially dictating what can and cannot be connected to the national grid.

“Just as all traditional power plants fall under strict cybersecurity regulation, it is inevitable that solar inverters will account for large enough share of the energy on the grid, to warrant dedicated regulation.”

Therefore, the risk of having to remove and replace equipment owing to new regulations is a significant concern that business owners should start addressing now.

Customer Considerations
Sadot urges consumers to take an active role in their solar energy system purchases to ensure cybersecurity. In today's market, decisions about which solar panels, inverters and batteries to use are often made by the installer or contractor, leaving customers with a packaged solution, he explains.

He encourages end-users to ask three critical questions to protect themselves.

End-users must gain clarity on whether anyone can remotely access or control their solar system, such as sending software updates or restarting the system. Consumers should also inquire about where their energy data is being stored and how securely it is protected.

Further, end-users should ask what measures the inverter manufacturer has taken to ensure cybersecurity. This includes inquiring about standards, procedures and any technical documentation that demonstrates their commitment to protecting the system from cyberthreats.