Ukraine War Highlights Solar’s Vulnerability to Cyber Threats

Decentralized Power Grid Faces New Security Risks

The resilience of Ukraine’s energy infrastructure during Russian attacks in 2022-2023 demonstrated the value of distributed solar power. However, emerging cyber security concerns, particularly regarding Chinese-manufactured components, pose a significant new threat to energy grids worldwide.

Solar’s Strategic Advantage in Conflict

During the autumn and winter of 2022-2023, Russia targeted Ukraine’s energy system, damaging or destroying 30 percent of its power plants. The Swedish Defence Research Agency (FOI) noted Ukraine’s remarkable flexibility in restoring capacity, with solar energy playing a crucial role. The distributed nature of solar facilities makes them harder to attack effectively than a few large power plants, and solar panels with batteries can be quickly deployed.

Hidden Risks in Solar Technology

Despite these advantages, vulnerabilities in the hardware and software of solar energy systems require serious attention. In May, Reuters reported that U.S. energy sector officials discovered undocumented communication equipment within Chinese inverters and batteries. Experts fear this equipment could be exploited to bypass security measures and remotely control these installations, potentially leading to severe disruptions.

European countries have issued warnings about “backdoors” in inverters. The EU’s NIS2 Directive aims to bolster cyber security for critical infrastructure, but it currently excludes small-scale, private solar installations, leaving a significant security gap.

In Sweden alone, solar cell capacity stands at nearly five gigawatts, with almost 60 percent comprising facilities under 20 kilowatts. In 2023, Chinese manufacturers supplied 70 percent of the inverters sold in Europe. The potential to remotely control and disable thousands of these smaller plants simultaneously could cause widespread disruption to national electricity grids.

“We must safeguard the integrity even in smaller facilities.”

The current situation necessitates a dual approach: learning from Ukraine’s experience to build a more decentralized electricity grid while simultaneously enhancing the security of its components. As of 2023, over 30% of new solar installations in the EU were in Germany and Spain, underscoring the scale of distributed energy systems across the continent.

Recommendations for Enhanced Security

To address these vulnerabilities, the following proposals are put forth:

• Small-scale solar facilities should be included under the NIS2 Directive, mandating risk assessments for equipment sourced from regions with potential security risks or backdoors.
• Sweden and the EU should prioritize domestic production of solar energy equipment. For instance, Austria offers a 20 percent subsidy for solar and energy storage projects using at least 60 percent EU-manufactured components. Similar incentives could be applied in Sweden to access green technology tax reductions.
• Broader support for investments ensuring the resilience of essential services during prolonged power outages should be established, mirroring the support provided to farmers for robust primary production.

A robust, decentralized electricity grid and improved cyber security are intrinsically linked. It is vital to extend protective measures beyond large production facilities to encompass smaller installations, preventing the potential weakness inherent in a decentralized system from being exploited.

Mats Balkö, Head of Innovation and Sustainability at Varberg Energy, and Kent Jonsson, CEO of Ferroamp, authored this opinion piece.