New Cybersecurity Threats to Renewable Energy Generation

New cybersecurity threats in the renewable energy landscape

Around the world, renewable energy is on the rise as a result of rising electricity demand, decarbonization targets and industry innovation

This acceleration of renewable energy and the move toward a more distributed grid model with connected assets, software and new stakeholders introduce additional cybersecurity risks. All stakeholders must proactively address these risks.

Cyberthreats: Emerging challenges

Utilities already experience regular attacks as bad actors scour for vulnerabilities across all connected devices and systems under utility management. Sometimes they succeed. In 2023, the World Economic Forum estimated that more than 60% of energy companies experienced a significant cyber incident over the previous year.

Historically, utilities and energy companies have focused more on customer data concerns and physical attacks on infrastructure. For instance, Iberdrola, an international integrated energy company based in Spain, suffered a cyberattack in early 2024 that compromised the data of 1.3 million customers. Still, until recently, cybersecurity was less of an immediate concern for the traditional grid due to the isolated nature of legacy systems, which featured limited connectivity to the internet and significantly less automation.

However, looking to 2025 and beyond, the energy industry is entering uncharted cyber territory.

Intensifying cyber risks: Why now?

Cybersecurity risks — both domestic and foreign — are escalating for several reasons.

First, the surface area has expanded as more renewables and distributed energy generation assets are added to grids. For example, photovoltaic (PV) inverters, also known as solar inverters, are components that convert the direct current produced by solar panels into alternating current for the grid. Increasingly, manufacturers are making “smarter” inverters that connect and communicate with the utility and can be controlled dynamically. This automation presents new risks, and researchers have already uncovered cybersecurity vulnerabilities in these types of systems. In a worst-case scenario, malicious hackers could cause widespread blackouts if they seize control of many PV inverters.

Second, as more renewables projects and battery energy storage systems are rolled out, there’s a heightened need for software to actively manage these assets. Integrating renewable energy into the power grid requires all of these components and technologies to interact and interoperate, which introduces cybersecurity risk across the system. If cyber criminals gain control of an asset management software program, the power grid system-level risk increases. For instance, as more electric vehicles (EVs) come online, the software and internet-connected charging infrastructure required to support them also create new threat vectors to exploit.

Third, as renewables scale, there are more stakeholders involved in power production and management. Gone are the days when utility companies controlled most of the power production in a specific geography. According to the U.S. Department of Energy, utility-scale projects are more thoroughly scrutinized:

“… smaller PV systems and other [distributed energy resources] currently do not have any cybersecurity standards to follow, and they are usually connected by their owners to the internet for monitoring and control purposes. This can create vulnerabilities in the grid that hackers can exploit …”

For this reason, UL Solutions and the National Renewable Energy Laboratory collaborated to develop UL 2941 which addresses DER cybersecurity.

Mitigating cyber risks

There’s no room for complacency when it comes to cybersecurity risks to the energy value chain; these new threats demand a proactive approach. Industry leaders across the renewable energy ecosystem must make definitive moves to advance their cyber preparedness and get ahead of emerging security risks. Industry leaders can take steps to fortify security with essential leading practices:

• Risk assessments – Regular risk assessments can identify vulnerabilities, whether specific to hardware, software or conducted at the project or system level. UL Solutions has deep cybersecurity gap assessment and preventative advisory expertise to help organizations better identify and mitigate risk.
• New security protocols and technical capacity – Implementing or updating security protocols, from encryption and multi-factor authentication to security patches, can help stakeholders stay ahead of cybersecurity threats. Using a digital twin can help address cybersecurity risks through real-time monitoring, attack simulation, predictive analytics and enhanced situational awareness. Further, the ability to “island” or isolate compromised devices is an example of the type of technical capacity stakeholders can consider developing protocols for should breaches occur.
• Standards and certifications – Engaging in the certification process to support compliance with industry security standards can help organizations develop robust, up-to-date processes and systems to enhance cybersecurity. Certification to UL 2900, the Series of Standards for Software Cybersecurity for Network-Connectable Products, helps establish cybersecurity due diligence and demonstrates that a product or system aligns with relevant requirements.
• Ongoing education – The prioritization of training and education across the organization can help companies mitigate risks as they emerge, whether within a specific area of the organization or at the system level. UL Solutions offers training, workshops and other educational opportunities to support companies as they navigate the vast landscape of cybersecurity best practices and standards, assess cybersecurity objectives and processes, qualify risk, and expand their internal knowledge base to address cybersecurity in product development.

As cyber risks evolve, so do new guidelines, tools and technologies that can help organizations respond to and stay ahead of threats. Safety and certification initiatives designed to analyze and address cybersecurity concerns for new energy systems and evaluate include:

• IEEE 1547.3:2022: Guide for Cybersecurity of Distributed Energy Resources Interconnected with Electric Power Systems.
• The United States Department of Energy’s (DOE’s) “Cybersecurity Baselines for Electric Distribution Utilities and DER.”
• UL 2941, the Outline of Investigation for Cybersecurity of Distributed Energy and Inverter-Based Resources, developed specifically to address cybersecurity risks for renewable energy technologies.

New risks, whether focused on cybersecurity or other factors, add complexity to renewable energy manufacturing, deployment and grid maintenance. For many stakeholders, added complexity can be difficult to manage. Industry professionals can work with UL Solutions to assess cybersecurity risks and stay up to date on new standard development.