October 1, 2024
NARUC, NASEO Launch Solar Cybersecurity Resource
NARUC and NASEO have launched the Cybersecurity Advisory Team for State Solar, aimed at improving cybersecurity defenses in solar energy facilities.

The National Association of Regulatory Utility Commissioners and National Association of State Energy Officials have launched an initiative aimed at improving cybersecurity defenses in solar energy facilities.

The Cybersecurity Advisory Team for State Solar, which is also backed by the Department of Energy’s Solar Energy Technologies Office, will include experts on digital security, the electric grid and photovoltaic technologies. Leadership will be drawn from state-level policymakers and regulators — with additional expertise from the federal government and private sector — in order to create “model cybersecurity programs and actions for states to take in partnership with utilities and the solar industry.”

In a press release, NARUC and NASEO said “the rapid growth and importance of solar energy” to the bulk power system in recent years has introduced new weaknesses into the grid that must be addressed. New communication technologies have provided grid operators with considerable flexibility but also created more points of entry for malicious actors hoping to gain access to critical infrastructure.

“As energy systems become more integrated and cyber-connected, their vulnerability to malicious actions grows,” said Andrew McAllister, a member of the California Energy Commission and chairman of NASEO’s board of directors. “Solar technologies are no exception. New tools and a dedicated, multi-stakeholder approach should strengthen solar cybersecurity and, by doing so, enable states to make meaningful progress on climate and resilience goals.”

NARUC has a history of pushing state utility regulators to take seriously the cybersecurity implications of new grid technologies. The topic was a major theme of the organization’s 2019 Summer Policy Summit, where experts warned that the growth of distributed energy resources means utilities must protect many more generation facilities than they are used to. (See Experts Urge State DER Cybersecurity Standards.)

Such systems can be highly vulnerable to attack: One analyst described accessing a solar array and its microinverters through a webpage without having to enter any login credentials. Security factors are often overlooked because a lack of regulatory urgency on cybersecurity leaves it a low priority for utilities and equipment vendors.

NERC has also become increasingly concerned about the cybersecurity implications for rooftop solar panels and other DERs in recent years. At a meeting earlier this year of the System Planning Impacts from Distributed Energy Resources Working Group, Thomas Bialek, chief engineer for San Diego Gas & Electric, warned that not only does such equipment often contain security flaws overlooked by the vendors, but exploiting such openings may be easier for malicious actors because the systems are not protected by utilities’ existing cybersecurity measures. (See Rooftop PV’s ‘Hidden Loads’ Challenge Grid Planners.)

“We have our cybersecurity and our firewalls over our interfaces … but we don’t do that for any of the rooftop PV installations that are now using home Wi-Fi,” Bialek said. He observed that more than 58% of rooftop solar installations in his utility’s territory are provided by just two vendors, which poses a significant risk because hackers can often use the same attack vector against multiple types of systems from a single manufacturer.
