Investment in enhanced cybersecurity is becoming essential as more companies and home owners use solar solutions to meet their energy needs. These systems are increasingly vulnerable to cybercriminals who view the sector as an attractive target, according to Renaldo Jack, Group Head of Cybersecurity at Globeleq.

Jack was speaking at an industry breakfast hosted by SolarEdge in Stellenbosch on September 11.

“The rise in digitalisation makes the energy sector more vulnerable to cyberattacks. From the Internet of Things to smart grids and WiFi, the growing integration of solar systems introduces more potential entry points for cybercriminals. The risk of becoming a target is increasing exponentially,” he said.

While no sector is immune to cyber risks, the energy sector is particularly vulnerable, Jack stated. “Energy is the backbone of economies and the loss of power for an extended period of time can have devastating effects.

“It’s not just about the systems – mobile phones and other personal devices used to monitor performance, for example, can pose a risk. If these devices are connected to insecure websites or inadvertently download malware, they could compromise your energy systems.”

The sector faces similar threats to other industries and countries including ransomware and data breaches. One of the prominent energy threats is a denial-of-service attack. “Attackers flood the system with information, causing it to fail and halt power generation. In other instances, cybercriminals can take control of a plant and refuse to release it. The rise of AI is also a growing concern across industries. With its increased use, we are likely to see more attacks with increasing frequency and scale,” said Jack.

Small companies are often targeted by these criminals due to lack of dedicated cybersecurity budgets. Once compromised, accessing larger projects through these small companies becomes much easier, he pointed out.

Chairperson of the City of Cape Town's Energy Directorate Zimkhitha Sulelo said cybersecurity is a priority for the city. “We are constantly under attack and, while we do our best to protect our system, we are by no means immune to cyberthreats.”

Challenges emerge with solar surge

Solar installations in South Africa have been on a solid upward trajectory over the past eight years with the total installed capacity now estimated at 8 500 MW. “The market experienced a significant boost during the Covid-19 pandemic as more people began working from home. We saw a major shift from commercial to residential installations, particularly as the country faced extensive load shedding. The need to shield against long power shortages became a key driving force,” said Warren Pollard, National Sales Manager for SolarEdge.

Rapid growth in solar installations brought new challenges. “It’s not just about individual projects or locations. We’re seeing hackers infiltrate brands with multiple installations worldwide. For instance, a site in Europe recently experienced a breach where 100 000 systems were compromised with malicious firmware, effectively shutting them down. With everything connected to the internet, hackers are becoming increasingly sophisticated,” Pollard said.

While current photovoltaic technology does not always consider cybersecurity risks, it requires attention, he added. “End users need to invest in robust cybersecurity measures and ensure the companies providing protection are not only safeguarding energy systems but also securing their entire network infrastructure.”

Insurance and cybersecurity measures are critically important for anyone introducing solar solutions. Best practices for solar installations should include understanding warranties and liabilities in the event of an attack. “It's essential to ensure that you have appropriate insurance coverage and to inquire about the cybersecurity measures implemented by your manufacturers and engineering, procurement and construction contractors as part of your due diligence,” said Pollard.

Defining employer requirements is also necessary. “This involves specifying the cybersecurity controls you expect and the acceptable technology standards. Regular checks and raising awareness among employees, especially engineers, are vital. For instance, introducing unsecured laptops or USB sticks into a system can unintentionally spread malware and pose significant risks,” Jack pointed out.

Criminal organisations are more sophisticated than ever. “Cybercrime has surpassed the drug trade in industry size and profitability,” Jack said. “Keeping software and systems updated is crucial to mitigate risks.”