Mexico’s Solar Grid at Risk Due to Lack Cybersecurity Measures

Mexico’s growing number of solar panels could be at risk due to the lack of cybersecurity protections, leaving the door open to attacks from malicious actors. This security gap in Mexico's renewable energy infrastructure threatens the stability of the national grid as the adoption of distributed energy resources accelerates.

“The increasing digitalization in the energy system makes it smarter and enables consumers to better benefit from innovative energy services, but it also creates significant risks, as an increased exposure to cyberattacks and cybersecurity incidents can jeopardize the security of energy supply and the privacy of consumer data,” reads an European Union (EU) article on the topic. 

Forty five percent of solar panel systems in Mexico do not have cybersecurity defenses, exposing individual installations and the national power grid to potential attacks, reports Grupo Milenio. While distributed generation is rapidly expanding, the country lacks specific regulation pertaining to cybersecurity in energy infrastructure. This situation creates an environment where the responsibility for protection largely falls on the installer or the end user, who often does not possess the specialized expertise required to mitigate complex threats.

Researchers have demonstrated the relative ease with which it is possible to take control of these devices. According to Genbeta, an attacker with access to a significant number of inverters could not only interrupt a region's power supply but also manipulate energy flows to destabilize the grid on a large scale, cause blackouts or physically damage other components of the electrical system.

In Japan, for example, a group of cybercriminals compromised 800 remote monitoring devices from a solar energy company to steal banking data, showing that motives can be both economic and sabotage-driven.

The exposure of solar infrastructure in Mexico presents multifaceted risks. At the micro level, an attack can compromise a residential or commercial installation, resulting in economic losses or system inoperability. At the macro level, a coordinated attack against a large number of vulnerable systems could have systemic consequences for the National Electrical System, reports Grupo Milenio.

The manipulation of distributed energy generation could introduce unforeseen fluctuations. This would complicate the management of the load-generation balance and, in the worst case, lead to cascading failures.

The problem is exacerbated by deficient security practices that are common in the sector. These practices include using factory-default passwords on inverters and the lack of software and firmware updates that patch known vulnerabilities. The absence of a robust regulatory framework that mandates minimum cybersecurity standards for distributed generation equipment connecting to the grid is a determining factor.

Looking forward, the frequency and sophistication of these attacks are expected to increase. Therefore, the industry and authorities face the challenge of implementing a security-by-design approach. This involves integrating cybersecurity from the earliest stages of component development and manufacturing, not as a feature added later.