Recently a Dutch hacker was able to take control of 4 million solar panel installations (FTM (Dutch), Euractiv, Victor Gevers). And this wasn’t the first time something like this has happened either (PV Magazine).

As usual, huge thanks are due to the many beta readers and experts who helped improve this article with their feedback, valuable insights and knowledge! This post was machine translated (not too well) from the original Dutch version, which was also more focused on The Netherlands. What follows mostly applies to EU countries, but if you squint, you can also read it from a more international perspective.

The short version: most consumer and business solar panels are centrally managed by a handful of companies, mostly from countries outside of Europe. In the Netherlands alone, these solar panels generate a power output equivalent to at least 25 medium sized nuclear power plants. There are almost no rules or laws in Europe governing these central administrators. We pretend that these companies only deserve the regulation we’d apply to (say) an online birthday calendar.

These cloud-based management platforms could, by accident, after a hack, or intentionally, simultaneously shut down all their millions of solar panels (permanently). And then the entire European electricity grid would collapse. Given the recent findings of fine ethical hackers (DivD) and the confirmation from Dutch electricity network manager (TSO) TenneT, this is not a theoretical scenario.

We’ve sleepwalked into this situation – individual solar panels can’t cause much damage, and didn’t need too many rules. But over time, the number of installations has increased enormously, and their management (needlessly) has become concentrated on just a few places, with lots of new risks as a consequence.

Things can’t go on like this. The central capability to shut down gigawatts of power must be removed, or we need to regulate the central administrators as energy companies. It is one or the other.

We are now more vulnerable than ever, since in a country like The Netherlands, 15 GW of power is currently controlled from far-off places, and we don’t even know exactly by whom. And those parties fall under virtually no law or regulation. The same thing goes for heat pumps, home batteries, and EV charging points, by the way.

The upcoming EU NIS2 directive offers some opportunities for improvement, but it’s necessary to make this explicit. Otherwise the concentrated solar power suppliers will claim not to fall under this regulation. Industry group SolarPower Europe has also called for explicit NIS2 rules for solar.

The longer story

I’m not telling anything new on this page, but I would like to summarize this terrible situation. First of all, we must thank Willem Westerhof who has been trying to get attention for this problem since 2016.

Willem worked together with his employer Secura on a recent large report for the Dutch “Topsector Energie” about the problematic situation.

German hacker Sebastien has also published impressive research. By all means watch his 2023 presentation “ Decentralized energy production: green future or cybersecurity nightmare?”. According to his research, most popular brands were vulnerable.

So, what’s going on. The Synchronous Grid of Continental Europe is a massive achievement, integrated over most of Europe and even beyond. It enables us to share the capacity of thousands of large power stations (solar panels, wind turbines) with each other.

Besides these large power generators, there are also tens of millions of European households and companies that contribute to the grid with solar panels.

The power grid must be balanced at all times. Exactly as much energy must be fed into the network as is used in that instance. If too much power goes onto the network, it leads to an elevated frequency and possibly excess voltage. And vice versa, too little power leads to a depressed frequency. To protect the European network, parts of countries or entire countries could then be disconnected, with devastating consequences. Getting the network back on track afterwards is quite a challenge.

Recently, for example, there was an international outage in Albania, Montenegro, Bosnia and Croatia, and that was no fun at all.

That’s why we set high standards for large power providers. Their power plants are under surveillance, their equipment must meet many requirements, and personnel must have the right diplomas and certifications. Incidents are investigated, and fines can be levied. European networks and providers are continuously working together to keep the network stable and safe.

But who regulates the gigantic power output from Europe’s solar panels?

What we do regulate

A solar panel can not be connected directly to the grid; there’s an inverter between the panel and the network. This device converts the power from the panel into a form that the electrical grid can handle.

These devices must meet rules, including rules that say when an installation should disconnect itself from an over-full local network (see article 13 of the Rules for Generators). There are also rules on how inverters should be connected physically So, this part is (in theory) well taken care of. A single inverter can’t do much damage to the broader power grid. It might blow up your fuses though.

In the Netherlands, we have decided that only inverters approved by the Belgian Synergrid may be installed (see publication from NetbeheerNederland). However, insiders tell me that we never enforce this and lots of stuff is connected to the grid.

What we are not regulating

Most inverters are directly or indirectly linked to the internet. The setup makes a connection with its manufacturer, and uploads statistics about the solar panels and power production.

The owner of the panels and inverters can meanwhile establish a connection with that manufacturer using an app or website, and via the manufacturer see how their own panels are doing:

It wasn’t necessary from a technical standpoint to let everything run through the manufacturer’s servers, but it was chosen to do it this way. Almost all consumer devices now work like this. Compare surveillance cameras or modern cars. Everyone seems to want to do something with your data somehow!

Through the website or app, the owner can not only see how things are going with the panels, but these can also be turned on and off. It’s also possible to install new software (firmware) on the inverters via the manufacturer, either automatically or manually.

Turning the power on or off can also happen if your own app doesn’t have a button for it. There is support to do so for use by installers/mechanics.

And that’s when things get exciting

Because everything runs through the manufacturer, they are able to turn all panels on and off. Or install software on the inverters so that the wrong current flows into the grid. Now, a manufacturer won’t do this intentionally, but it is easy enough to mess this up.

As an example, computer security company CrowdStrike also installs new software automatically for users, and recently an error in an update caused millions of computers worldwide to crash, costing days and billions to fix.

It’s also possible that the manufacturer gets hacked, and subsequently sends out attacker controlled and wrong software updates to the inverters, with possibly dire consequences.

There are also people that claim that the many Chinese companies managing our power panels for us might intentionally want to harm us. Who knows.

In these exciting times, this situation is not robust or trustworthy enough.

What can happen then?

Above, we saw that the electrical network is very sensitive. There must be exactly as much power going in as out. To make this possible, various generators stand by to add more power, or remove it, when imbalances occur.

Beyond this “fine tuning”, there is also larger capacity available to relatively quickly (for example) absorb a failed power plant.

The three levels of balancing. Source: TenneT.

This is managed so well that we even account for partial solar eclipses (which lead to a predictable reduction in solar power). It’s really very impressive.

The exciting thing is that manufacturers of solar inverter panels can switch the power on or off for millions of installations at people’s homes, or on the roofs of businesses.

And if you turn all those panels off at the right moment, half of the European power grid collapses. The largest players manage far more power than the balancing methods (FCR, aFFR, mFFR) could ever handle. TenneT, the Dutch transport operator, has indicated the grid could absorb a 3 GW disruption. In total (including large installations), there are now over 25 GW of solar panels installed in the Netherlands, much more than that 3 GW. There is a single inverter manufacturer that globally controls 195 GW, with probably half of that located in Europe.

Also very alarming is that Dutch ethical hackers Wietse Boonstra and Hidde Smit (impressive people) managed to modify software in solar panel installations, without permission from the manufacturer. This makes the damage you can cause much greater, and also much slower to resolve. Because that software can seriously mess with the power grid, or possibly even permanently disrupt an installation.

Oh no

If you had a control panel to switch off dozens of nuclear reactors simultaneously, you’d have to comply with all kinds of safety regulations, and inspectors would come by to check if you were doing it right. This applies also to large solar and wind installations, by the way.

Because inverters and solar panels at home are “ordinary” consumer appliances, there is no inspection and no legislation. This makes sense since a single installation can’t cause that much damage.

But because we didn’t pay attention, the management of those “consumer appliances” has now moved to just a few suppliers who, on sunny days, even measured individually, control a significant part of our power supply.

The power of 25 medium-sized (“Borssele”) nuclear reactors all in one handy app!

And we regulate these large suppliers just as strictly as an online birthday calendar, which is to say: almost not at all.

And now?

Some steps are being taken. The recent Secura report commissioned by the Dutch Topsector Energie is very valuable in determining just how bad things are.

This all screams for legislation of course. For now, the big central management platforms mostly escape legislation. The panels in the field must individually comply with (lightweight) rules. And the website where you manage those panels is considered to be just a website, and not part of the power grid.

At least, that is how we look at things now. To improve this situation quickly, it might be possible to start regarding these central management companies as “grid managers” instead of as birthday calendar managers. You’d have to read some laws very creatively to make this happen, I fear.

Furthermore, a new directive is emerging at the European level, NIS2, which is being implemented in EU countries right now, but is not quite there yet.

This is a general directive that applies to all kinds of service providers. The directive states that “energy” falls under the category of “Very Critical Sectors”. So, there should be some room to improve things.

Crucially, when EU member states implement this directive, they should make it very explicit that solar panel managers fall under its scope, as long as they have the ability to install updates or switch many panels on or off.

Additionally, there is another European law in the making, the Cyber Resilience Act (CRA). This law focuses on devices (inverters, panels), but I suspect that the accompanying central control panel, app and services will also be included (since your device won’t function without them). The CRA has strong hooks to require a high level of security.

SolarPower Europe, an interest group, has also thought about it and writes in this document: “In the context of the broad cybersecurity principles established in NIS2, requirements specific to the solar sector should be in place for its implementation. Such requirements should apply to entities that control sufficient capacities to disrupt the grid”. It also mentions that Australia and Germany already have rules, although at least Australia doesn’t enforce them. SolarPower Europe also mentions the Cyber Resilience Act in their report.

Incidentally, why are all those panels centrally connected anyway? I’d like to know what my panels are doing, but you don’t need the internet for that. My (now somewhat older) panels have never been connected to the internet. Despite this, I have beautiful graphs. This requires a different way of working, but it is technically perfectly possible to connect directly with your own installation to get graphs. It would also be a good idea for cameras, washing machines, heat pumps, cars/charging stations, and home batteries. Since the last three also have the ability to disrupt the electricity grid.

As an interim step, we might need to demand that control panels stick to providing pretty graphs, and make it impossible to remotely switch panels/loaders/batteries on or off.

Conclusion

We are sleepwalking into a terrible situation where a few parties have almost complete control over our entire energy supply, while these parties don’t fall under any energy law. We regulate them as if they were a normal website, which means we hardly regulate them at all.

We could creatively examine existing legislation to see if it offers possibilities to do something about it, but that looks to be tricky.

New laws are emerging that could help subject these parties to stricter rules. NIS2 and the Cyber Resilience Act appear suitable for this purpose. And to remove any doubt, it could be explicitly stated in the member state implementations that central management parties indeed fall under its scope, something SolarPower Europe also advocates for (article in Euractiv).

Because gigantic non-EU companies might not be impressed by individual country laws, it is essential to collaborate within the EU.