• The FBI issued a recent warning about the potential for cyberattacks on the renewable energy sector.
• The government law enforcement agency indicated that private ownership of renewable power systems is expanding rapidly in the U.S. due to government incentives like the Inflation Reduction Act.
• Infrastructure has become a more frequent target for cybercriminals, and new alternatives to the grid can lack traditional utility protocols and regulations.

As renewable energy generation expands across the U.S., the federal government is becoming more concerned about vulnerabilities in new systems being a target for cyberattacks. 

The FBI recently warned the private sector and individual owners of renewable power of the potential for hacks, saying that reductions in the cost of implementing energy infrastructure and increased clean energy incentives will not only attract investors but also the attention of cybercriminals.

Government incentives, including the Inflation Reduction Act, have encouraged individuals and private ownership groups to invest in clean energy systems. Renewable energy sources, including both wind and solar, generated about 21% of all U.S. electricity consumption in 2023, according to the U.S. Energy Information Administration.

The FBI did not issue the warning in response to a particular cyberattack, but it did note that as far back as 2019, a private operator of renewable energy systems "lost visibility" into approximately 500 megawatts of wind and solar sites across California, Utah, and Wyoming.

The FBI also said that while hacks against residential solar power have been "rare historically," microgrids — which local communities operate independent of a traditional utility — could also be vulnerable to attack. The EIA estimates that 73.62 billion kilowatts of electricity generation in 2023 came from small solar systems (mostly rooftop) where the power is consumed locally. By comparison, in 2023, about 4,178 billion kilowatthours of electricity were generated at utility-scale electricity generation facilities in the United States.

The pace of renewable energy growth is expected to pick up, with the FBI citing examples near the federal government, including the Metropolitan Washington Council of Governments' goal to install 250,000 solar rooftops by 2030, as well as Virginia's aim of 5,500 megawatts of wind and solar energy by 2030, and completely carbon-free energy sources for the state's electricity by 2050. The agency noted that federal agencies, such as the Department of Defense, which is the largest consumer of energy in the U.S. government, rely on local electric grids.

The renewable energy industry's rapid expansion in the U.S. in some cases is occurring without traditional utility protocols and regulations.

"It's on the edge of the grid," said Jim Hempstead, Moody's Ratings managing director. "It's not a utility company that usually owns, operates, generates and builds these things. It is usually a non-regulated utility, and so they're not regulated by the state utility commission the way (traditional) utility is. And, we know that regulation is a big benefit from a credit perspective because it provides that level of oversight." 

Solar Energy Industries Association, the major trade group for solar power in the U.S., said it has been focused on cybersecurity efforts in recent years, including a 2021 virtual summit it co-hosted with the Department of Energy Solar Energy Technologies Office to advise solar companies on best practices. In March 2023, SEIA hired Bheshaj Krishnappa, who previously worked as an information risk consultant for Freddie Mac, Constellation Energy and Reliability First Corporation, as director of cybersecurity policy and reliability.

Moody's noted in its 2023 Global Cyber Security Report that only eight percent of the infrastructure industry's budgets on average were allocated towards cybersecurity. The firm had warned of electrical grid modernization cyber risks starting in 2019, especially as electric, gas, and water utility companies increasingly use connected capabilities that allow for remote access and cloud computing.

The boom in renewable energy has also led manufacturers of products and services to ramp up their offerings.

"The entire industry is trying to rapidly go after potential funding sources that will help them bring their goods and or services to market quickly," said EY Americas Cybersecurity Leader Jim Guinn, II. "The unfortunate part of that is oftentimes product manufacturers in their exuberance to get something to market quickly don't always test for vulnerabilities in the most effective way – meaning software development, lifecycle testing, code scanning, vulnerability or penetration testing, embedded system testing – because those are additive costs." 

The FBI notice pointed to the risk in the solar power operational technology software and hardware, with hackers able to gain control over solar panels through equipment called an inverter, which converts direct current (DC) energy into alternating current (AC) electricity that can be consumed. Inverters connected to the internet, in particular, could be controlled by hackers to reduce output or overheat home energy systems.

The FBI encouraged companies to routinely monitor their networks for suspicious activity and to report any nefarious activity and unexpected site visits to law enforcement.

GE Vernova, a major developer of renewable energy products and services, declined to comment. Other major players in the U.S. utilities and renewable energy sector, including Next Era Energy, Constellation, Enphase Energy, First Solar and Sunrun, did not respond to requests for comment.

China has heavily subsidized its clean energy industry and many equipment manufacturers are based there — or technology sourced from other nations passes through China for final assembly — which could give a foreign nation access to U.S. power grids because of the widespread use of these components.

The FBI warning comes at a time when global rivals such as China, Russia and Iran have targeted critical U.S. infrastructure in cyberattacks, from local water systems to key U.S. ports, and research conducted in labs shows that hackers can physically damage or destroy infrastructure through software.

"Because you're that connected, it's a big attack surface for hackers to get you relative to some traditional forms of energy generation, which also can be disrupted but maybe don't have as much of the connection," Hempstead said.

Traditional power sources that have been in place for years have protocols that have been tested and are under other strict security regulations, Guinn said. However, renewables can't be assigned the same level of resiliency because they are newer technologies with less testing history.

"The time that it takes to do those sorts of testing versus the time that is necessary to get something into prototype and into the market, they're at polar opposites of one another," he said. "That's where the complication comes."

The average American who is using renewable energy at home is still more likely to be disrupted by an adverse weather event than a cyberattack, Guinn added, making the independent power source a wise decision. But as climate change increases unpredictable weather, it could provide a perfect storm for cybercriminals to take advantage of attacking and disrupting a large area during a vulnerable time.

"The more interconnected systems become and the tenure, age and the rapid adoption of them without adequate testing, we should have pause for concern that that can lead to other problems from various threat actor groups or various nation-state affiliates that might want to do us harm," Guinn said.