Without rigorous vetting and consistent cybersecurity standards across all suppliers, even a single weak link can compromise an entire solar farm’s operations.
Legacy systems and outdated protocols often complicate matters. Some vendors no longer provide patches or regular updates, while others have archaic processes that create friction in maintaining secure configurations. Given that operational downtime to patch critical systems can be both time-consuming and expensive, many providers delay or forgo crucial updates. This oversight only emboldens cyber threat actors, who keep a keen eye out for known vulnerabilities in connected technologies across supply chains.
The makeup of Australia’s PV systems
Today’s PV infrastructure is far more than arrays of panels. Many of these systems incorporate inverters, battery storage technologies, monitoring portals, and communications networks that link field devices to operational hubs. Layered on top is the integration with smart grids, where data analytics, real-time decision-making, and predictive maintenance come together for improved efficiency.
Energy sector networks typically combine traditional IT systems with industrial control systems (ICS). ICS are specialised systems that run critical processes controlling energy generation, distribution, and monitoring. In the PV industry, these might look like SCADA (Supervisory Control and Data Acquisition) systems monitoring solar panel output and controlling inverters, or proprietary software regulating power flows and grid connection.
Historically, ICS environments were designed primarily for reliability and continuity. Security features were often secondary, added only as systems were brought online and connected to corporate IT networks or the internet at large. Over time, ICS and IT networks have become increasingly integrated, creating a larger attack surface for cyber criminals to exploit.
The risks at hand
Many ICS platforms were never intended to be internet-facing. Vendors have gradually abandoned older models, leaving operators without security patches or manufacturer support. Even where updates do exist, rolling them out can disrupt service continuity. Large-scale solar farms must ensure every site and device remains properly secured – no small feat when dozens or even hundreds of inverters are spread across vast distances.
Meanwhile, modern cyber adversaries have grown adept at evasion. Rather than relying on flashy malware or brute-force hacks, attackers often prefer ‘living off the land’ – using legitimate network tools and administrative privileges to hide in plain sight. This stealthy approach means an attacker can spend months, even years, inside a network before detection, undermining energy production or harvesting valuable operational data.
Lessons from overseas
Recent attacks on energy assets globally offer sobering insights for Australia’s PV community. In the northeastern United States, ransomware actors in 2021 infiltrated a major pipeline operator’s IT systems using stolen credentials. Because the pipeline’s ICS network lacked segmenting security measures, operators had no choice but to shut down energy flows and spend millions in ransom and remediation costs. The disruption led to fuel shortages and broader economic ripples.
Similarly, in Ukraine in 2022 cyber attackers took control of integrated industrial control systems, then wiped connected IT systems in a coordinated campaign that disrupted electricity distribution. The strategic use of legitimate system tools, a hallmark of living off the land, made the intrusion especially difficult to stop. As the PV sector grows in Australia, it must heed these international wake-up calls, as adopting a ‘we’re too small or insignificant’ mindset can be a costly gamble.
Strengthening our defences
To combat these evolving threats, Australia’s solar industry must focus on collective defence, not isolated silos. One critical measure is the sharing of Cyber Threat Intelligence (CTI). Initiatives such as the Critical Infrastructure – Information Sharing and Analysis Center (CI-ISAC) provide a secure forum to exchange timely threat data, best practices, and real-world incident insights. By coordinating defences, the entire sector stands a better chance of detecting and repelling attacks before they spread.
Meaningful security improvements go beyond intelligence sharing. Stakeholders should demand robust cybersecurity commitments from manufacturers and service providers, including routine penetration testing, patch management, and transparent reporting on security vulnerabilities.
Operators must maintain clear boundaries between IT and ICS networks, minimising the impact if an adversary breaches one environment. Dry run incident response drills can help solar operators refine processes for containment, recovery, and communication. As past incidents show, time is of the essence when shutting down or restoring critical operations.
Finally, relying solely on compliance or fear of fines is insufficient. Regulators and industry bodies can reward operators who adopt advanced cybersecurity frameworks, embed secure design principles from the outset, and consistently invest in personnel training.
None of these solutions is quick or cheap. However, the cost of inaction dwarfs these investments, with the industry facing crippling operational losses, reputational damage, and potential risk to national energy stability.
The bottom line is the PV sector sits firmly in the crosshairs of increasingly capable cyber adversaries. By forging a unified front focused on transparent intelligence sharing, strong supply chain governance, and modernised ICS protections, solar operators can harness the sun’s power without inviting digital storm clouds.
Image: CI-ISAC
Author: David Sandell, co-founder and CEO of CI-ISAC, a not-for-profit organisation providing cyber threat intelligence sharing services to members across Australia’s 11 critical infrastructure sectors, government and suppliers. It provides a cyber ‘neighbourhood watch’ that allows the energy and renewables industry and other sectors to share relevant information on cyber threats, while also benefiting from insights gained from across other critical infrastructure sectors.
The views and opinions expressed in this article are the author’s own, and do not necessarily reflect those held by pv magazine.
This content is protected by copyright and may not be reused. If you want to cooperate with us and would like to reuse some of our content, please contact: editors@pv-magazine.com.
By submitting this form you agree to pv magazine using your data for the purposes of publishing your comment.
Your personal data will only be disclosed or otherwise transmitted to third parties for the purposes of spam filtering or if this is necessary for technical maintenance of the website. Any other transfer to third parties will not take place unless this is justified on the basis of applicable data protection regulations or if pv magazine is legally obliged to do so.
You may revoke this consent at any time with effect for the future, in which case your personal data will be deleted immediately. Otherwise, your data will be deleted if pv magazine has processed your request or the purpose of data storage is fulfilled.
Further information on data privacy can be found in our Data Protection Policy.