The new UL certification aims to protect solar inverters from cyberattacks

In July 2024, a software update from cybersecurity company CrowdStrike crashed Microsoft Windows systems around the world, grounding commercial airlines and halting credit card processing. The U.S. Government Accountability Office said it was potentially the largest IT failure in history, affecting a wide range of critical infrastructure such as emergency services, financial institutions and communications.

The distributed energy sector is equally vulnerable to hacks and technology disruptions as more and more internet-connected inverter-based resources like solar come online. In the first quarter, renewables as a whole exceeded 30% of total U.S. electricity generation for the first time and will continue to grow.

Most distributed solar systems are supported by just a few inverter brands – according to Wood Mackenzie, in 2023, the top five residential inverter suppliers represented 96% of the market. This streamlined marketplace means that any software update bugs or hacks can impact multiple systems.

“This is a new technology phenomenon where millions of small systems are becoming a large part of the energy mix, completely decentralized, and protecting that is a different challenge,” said Uri Sadot, cybersecurity program director at SolarEdge Technologies.

Utility-scale solar projects are subject to the North American Electric Reliability Corporation’s (NERC) cybersecurity requirements to protect critical infrastructure, but smaller projects have not previously had similar standardized policies to follow.

“Imagine something similar in the solar industry, for example CrowdStrike (error). If an inverter manufacturer has inverters covering 95% of a home’s solar system… if one upgrade can go wrong, what impact will that have on the entire neighborhood, then the entire community, then the entire grid?” said Danish Saleem, an electrical engineer and senior researcher at NREL’s Center for Energy Security and Resilience.

Saleem has spent the last eight years strengthening the cybersecurity of distributed energy resources such as residential solar. He has established relationships with inverter manufacturers, utilities, aggregators, cloud service providers and other stakeholders to understand what is needed to ensure the security of individual home systems and networks.

This research has resulted in a multi-faceted approach to distributed solar cybersecurity, the centerpiece of which is a new certification issued by UL Solutions.

“NERC supports UL 2941 as a cyber certification for the industry. Most of the safety certifications – inverter safety, appliance safety, battery safety – are UL certified,” Saleem said. “Having a cybersecurity certification under the UL umbrella also makes sense.”

The UL 2941 standard focuses on cybersecurity measures that should be included in every residential inverter to prevent common internal software failures or intrusions by third parties. The standard lists 10 different domains that products must address to be considered 2941 compliant, including access control, cryptography and encryption.

“The work we did with NREL really looked at the product level, saying, ‘Let’s look at these critical attributes that can be designed into an inverter-based product to provide the foundational protection systems that will help mitigate the possibility of a cyberattack and set the stage for all other system approaches that are required throughout the life of the product to also be successfully implemented,’” said Ken Boyce, vice president of principal engineering at UL.

Integration of distributed resources with the network is the next stage of the chain susceptible to cyber attacks. Saleem, Boyce and others have worked to address this aspect in a new guide included in IEEE 1547.3, the standard for connecting distributed energy resources to the power grid. The guide provides security recommendations for DER stakeholders and explains the general cybersecurity requirements for these assets.

The non-profit standards organization SunSpec Alliance also launched a voluntary DER Cybersecurity Initiative for inverters, which complements UL 2941. However, the UL standard is expected to become an industry standard as it is implemented and adopted by various AHJs and other interested parties.

“In some cases, it may be regulated by the state public utilities commission. Utilities themselves will sometimes say, ‘In order to connect to my grid, you have to meet this set of requirements, like UL 1741 and IEEE 1547,’” Boyce said. “There are private sector considerations where it may not be a law or regulation that needs to be followed, but it becomes a specific best practice that people look for when implementing these solutions to reduce their risk.”

Photovoltaic panel manufacturers are open to a cybersecurity standard for their products, although implementing new software and obtaining products compliant with the UL 2941 standard will involve additional costs. Many inverter companies have sought to assure solar installers and consumers that their products are protected against attacks, but now they have UL to back up these claims.

“I think there are a lot of companies that have really thought about this and asked, ‘What do we do?’ And that’s the power of developing a set of requirements. Now you’ll start to have a more consistent, codified approach to how to solve these problems,” Boyce said.

The committee that developed the UL 2941 standard, made up of manufacturers, cybersecurity experts, utilities and more, decided to create two levels of compliance within the standard – a basic level that the committee believes can and should be met, and a more advanced level. The advanced level would include higher levels of encryption and multi-factor authentication for any administrative role.

“It would be a little more difficult to meet these requirements at this stage, but we hope that over time this will increase endpoint security across the industry,” SolarEdge’s Sadot said.

There is no set timeline for the implementation of UL 2941, but certification is available now to provide homeowners and installers with greater peace of mind that devices are protected. The standard is expected to be updated every few years to adapt to changing cybersecurity needs.

“We are looking forward to implementing solar energy. We just…can’t. We’re past the point where we can afford to say, ‘Let’s wait and make sure it’s perfect,’ right? We have to implement, and yet a lot of work goes into saying, ‘Let’s try to make this implementation as cyber-secure as possible,’” Boyce said.