SolarPower Europe Statement
In anticipation of the increasing digitalisation of the energy sector, SolarPower Europe have published a new position paper on cybersecurity (here).
Alongside the position paper, SolarPower Europe has issued an accompanying statement.
Dries Acke, Deputy CEO of SolarPower Europe (he/him):
"The digitalisation of the energy sector is a no-brainer. It increases power plant efficiency and allows for better managing of distributed energy to match demand and grid capacity. A digital, electrified, energy system will cost Europeans 160 billion less by 2040.
However, like technological revolutions before, it also comes with new challenges, like cybersecurity. We didn't need anti-virus protection for a typewriter - but we do need it for our laptops.
Today, the risk of an impactful cyberattack on Europe's grid via solar plants is limited.
Project developers and manufacturers already implement cybersecurity measures in their interest.
And new world-leading EU cybersecurity legislation like the updated Network and Information Security Directive and the Cyber Resilience Act come with new mandate requirements.
However, we're a future-looking sector, on our way to providing the majority of Europe's electricity. We take that responsibility seriously.
There are clear steps to be taken on the lower voltage levels, including improving cyber risk assessments, setting a new EU standard for product security for distributed energy resources, and empowering consumers to manage their device security.
Any centrally co-ordinated or managed devices (for example, aggregated rooftop solar installations) should have an EU or nationally authorised layer of monitoring."
Notes:
- SolarPower Europe's recent modelling suggests digital flexibility solutions would lower energy system costs by 32bn EUR by 2030 and 160bn EUR by 2040. Savings are compared to a scenario with little digitalised flexibility and electrification.
- The point of reference for SolarPower Europe's position remains the published document. For ease, the overview of policy recommendations is shared below, but should be considered in the context of the wider paper.
- Enhance governance requirements in NIS2 implementation and increase risk visibility on low-voltage grids in EU and national framework.
2. Reinforce cybersecurity at the product level, via Cyber Resilience Act (CRA) compliance requirements and a dedicated standard for distributed energy resources.
3. Strengthening cybersecurity for power plant operation
Like personal data handling under GDPR, operational PV power plant data should remain in the EU, or in jurisdictions that can ensure similar security levels.
A list of secure operation best practices for large power plants should be mandatory and standardisation bodies should implement a cybersecurity baseline for the operation of small, IT-connected, remote-controlled distributed energy resources
The EU or national governments should introduce a security layer which monitors relevant commands where aggregators and manufacturers centrally coordinate distributed energy resource devices like inverters.
4. Users and installers of small-scale PV installations must manage the cybersecurity of their devices by setting strong passwords and installing security updates.
Contact
Bethany Meban
Head of Press and Policy Communications
b.meban@solarpowereurope.org