The Overlooked Risk on the Rooftop

Cyber Risks of Photovoltaic Systems Under Review by NTC

Photovoltaics (PV) have become a cornerstone of Switzerland’s energy transition. Today, solar power already covers over 10% of national electricity demand. In 2024 alone, more than 56,000 new systems were installed, with a peak capacity of 1.8 GW—significantly more than the Gösgen nuclear power plant (1 GW).

[Figure: Newly installed capacity per year. Sources (in German): BFE, Swissolar, KKG]

Yet as solar expands, so do the risks. While traditional power plants are highly secured and operated by specialists, the thousands upon thousands of PV systems in Switzerland are essentially small power plants. Often run by non-specialists, such as private homeowners, these systems are continuously connected to the internet and the manufacturer’s cloud. This creates new dependencies and a broad attack surface for cyber threats.

A single hacked system is manageable. The real danger arises when thousands—or even tens of thousands—of interconnected systems are compromised and disconnected from the grid simultaneously. If that much capacity suddenly drops, other plants can barely compensate. The result could be a cascading effect, with grid instability up to a nationwide blackout. Experts call this phenomenon MADIoT: Manipulation of Demand via IoT Devices.

That is why the National Test Institute for Cybersecurity NTC is currently conducting in-depth vulnerability analyses of inverters and energy management systems, which are key components of PV systems. The goal is to identify risks early on, highlight dependencies, and raise awareness of systemic threats. The findings will be published in a summary report with recommendations for action.

The Risks of Switzerland’s Energy Transition Are Most Visible in Three Areas:

    • Design-Related Vulnerabilities
      International studies have revealed serious security flaws in leading manufacturers’ products. Of particular concern is remote access via cloud platforms: while useful for maintenance, it also creates an attack vector for manipulating—or even shutting down—entire fleets of systems at once.
    • Concentration Risk
      The Swiss market is heavily dependent on just a few, mostly non-European manufacturers. This concentration increases vulnerability: if one vendor fails due to technical problems or geopolitical tensions, tens of thousands of systems could be affected at the same time. Foreign authorities, such as Germany’s BSI, have already warned of these geopolitical risks (e.g., in the article by Deutschlandfunk dated January 18, 2025).
    • Threat to Grid Stability  
      A coordinated cyberattack targeting many systems—known as a MADIoT attack—could deliberately destabilize the grid and, in the worst case, trigger a large-scale blackout.

    Known Vulnerabilities and the Geopolitical Dimension

    The risk is real. International reports document issues such as hardcoded passwords, insecure interfaces, and weak encryption. At the same time, market analysis for Switzerland shows an extreme concentration on a handful of non-European manufacturers. This creates not only technical but also geopolitically motivated threat scenarios.

    An incident like the blackout in Spain and Portugal on April 28, 2025—driven largely by the unexpected behavior of numerous (PV) plants—could also be artificially induced in Switzerland through a targeted cyberattack against a single manufacturer’s fleet of systems.

    Security Gap: Who Takes Responsibility?

    Currently, there are few to no incentives to secure this decentralized PV infrastructure.

      • System operators rarely invest in cybersecurity. If their system is hacked, they simply continue to draw electricity from the grid; in the short term, this appears cheaper than investing preventively in protective measures.
      • Grid operators are responsible for overall stability and recognize the risks but lack authority to impose security requirements on small private systems. The binding ICT minimum standard only applies above 100 MW. Most PV systems in Switzerland have a capacity of under 50 kW, making them roughly 2,000 times smaller.

        Because neither system owners nor grid operators see themselves as responsible for conducting systematic vulnerability analyses, a dangerous security vacuum remains, with potential consequences for the entire electricity supply.

      The Role of NTC: Independent Testing Through Collaboration

      Independent vulnerability testing of PV inverters is hardly feasible for individual stakeholders. High costs, a difficult procurement process, complex testing setups, and significant safety risks when working with live components make such analyses difficult.

      The National Test Institute for Cybersecurity NTC has the infrastructure, expertise, and resources to perform these tests systematically and safely. To broaden coverage, NTC works in collaboration with partner organizations that provide test devices and share costs. This joint approach spreads the effort and risks, and enables comprehensive analyses.

      The urgency is clear: today’s PV investments will form the backbone of Switzerland’s power grid for decades to come. That makes it essential to act proactively during this critical expansion phase.

      Conclusion and Outlook

      Photovoltaics are indispensable to the energy transition—but their safe integration into the grid is a prerequisite for reliable supply. With its independent testing, NTC helps identify risks early and propose solutions. Policymakers, businesses, and society gain a solid foundation for securing Switzerland's future electricity supply.