Cybersecurity: Building Robust IT Infrastructure for PV Systems

Industry News – October 30, 2025

The growing digitalization of the energy industry presents major opportunities – but also new risks. Photovoltaic installations and storage systems are now considered critical infrastructure, and to supply electricity reliably they must be protected against cyberattacks. The webinar Cybersecurity: Building Robust IT Infrastructure for PV Systems (Cyber Security – IT-sicherer Betrieb von PV-Anlagen), organized by Intersolar Europe in collaboration with the German Solar Association (BSW-Solar), featured four expert presentations from the areas of law, awareness, technology and standardization. Together, they showed how PV system operators and manufacturers can future-proof their IT security.

Legal framework: KRITIS, NIS2 and operator responsibilities

Karla Klasen, lawyer and Senior Associate at the commercial law firm Osborne Clarke, outlined the key legal guidelines for operators of critical energy infrastructure. Under the KRITIS Regulation, power plants with a net nominal power of 104 megawatts or more are classified as “critical infrastructure.” Operators of such infrastructure are legally required to implement measures to safeguard functional capability and protect against system failures or attacks. This means establishing an Information Security Management System (ISMS) in accordance with ISO 27001, implementing attack detection systems and reporting security incidents to the German Federal Office for Information Security (BSI).

The level of obligation will expand significantly with the implementation of the European NIS2 Directive (Cybersecurity Strengthening Act 2.0). In the future, small operators, direct marketers, plant managers and manufacturers of control and communication systems will also be required to meet binding security standards. Compliance will be regularly monitored, with violations leading to fines of up to ten million euros or up to two percent of the company’s global annual turnover from the previous financial year. Klasen went on to explain that managing directors and board members can also be held liable, meaning they must be able to actively demonstrate that they have implemented, monitored and documented safety precautions.

Threat landscape: AI, social engineering and supply chain risks

In the second presentation, Charline Kappes, Program Manager Public at software developer SoSafe, illustrated the dynamic evolution of cyber attack methods. Cybercriminals are increasingly using artificial intelligence (AI) to create highly convincing phishing emails, manipulated voices (“voice cloning”) and deepfake videos. These AI-driven attacks are becoming nearly indistinguishable from legitimate communications and are increasingly targeting energy producers. In addition to traditional attacks via email, perpetrators are now often turning to messaging services, collaboration tools and social media platforms. Supply chain attacks, in which vulnerabilities of service providers or software suppliers are exploited to gain access to interconnected PV or storage systems, are particularly dangerous. Kappes emphasized the importance of a strong security culture, stating that employees are a company’s “human firewall.” Regular training, clear reporting channels and awareness programs could play a decisive role in detecting attacks early on. Private environments – such as remote access points or cloud services – must also be more thoroughly integrated into a company’s security strategies.

Technical implementation and practical examples

In the third presentation, Peter Sode, Head of Data Management and Security at project developer juwi Group, explained how IT security precautions can be put into practice in power generation. He showed how operators can protect their systems from attacks with multi-layered security architectures, network segmentation, secure remote maintenance solutions and continuous monitoring. Sode placed particular emphasis on integrating security-by-design strategies into the planning of new PV systems. This includes regular software and firmware updates, clearly defined interfaces between system control technology, inverters and operations management software, as well as the use of certified components that comply with BSI and ISO standards. According to Sode, security is not a one-time project but an ongoing process – one that can only work with close collaboration between manufacturers, operators and grid operators.

Certification, standards and organizational culture

Finally, Marc Ratfeld, Senior ISMS Consultant at systems provider Pure ISM, spoke about the role of certifications and organizational security structures in the energy sector. He emphasized that establishing a resilient information security management system (ISMS) is about more than just earning a formal certification. It must be lived as an integral part of company culture. Ratfeld presented proven assessment and audit methodologies that help operators identify security gaps early on. Regularly reviewing communication channels, access rights and maintenance processes is especially crucial in complex, decentralized plant structures. He also pointed out that IT security is becoming an increasingly important factor in insurability, financing and tenders – providing a clear economic incentive for operators to invest in robust security measures.

Conclusion

The webinar made it clear that cybersecurity is fundamental for the secure and cost-effective operation of photovoltaic and storage systems. As the importance of decentralized power generation continues to grow, so do the requirements for IT security, transparency and prevention. Only by combining legal, organizational, technical and human measures can the solar industry safeguard its key role in a secure, digital energy future in the long term.

Missed a presentation? No problem!

You were unable to attend the event or missed a session? No problem! Most of the presentations are available for you on The smarter E Digital.
