Cyber Risks of Photovoltaic Systems Under Review by NTC
Photovoltaics (PV) have become a cornerstone of Switzerland’s energy transition. Today, solar power already covers over 10% of national electricity demand. In 2024 alone, more than 56,000 new systems were installed, with a peak capacity of 1.8 GW—significantly more than the Gösgen nuclear power plant (1 GW).
[Figure: Newly installed capacity per year]
Yet as solar expands, so do the risks. While traditional power plants are highly secured and operated by specialists, the thousands upon thousands of PV systems in Switzerland are essentially small power plants. Often run by non-specialists, such as private homeowners, these systems are continuously connected to the internet and the manufacturer’s cloud. This creates new dependencies and a broad attack surface for cyber threats.
A single hacked system is manageable. The real danger arises when thousands—or even tens of thousands—of interconnected systems are compromised and disconnected from the grid simultaneously. If that much capacity suddenly drops, other plants can barely compensate. The result could be a cascading effect, ranging from grid instability to a nationwide blackout. Experts call this phenomenon MADIoT: Manipulation of Demand via IoT Devices.
That is why the National Test Institute for Cybersecurity NTC is currently conducting in-depth vulnerability analyses of inverters and energy management systems, which are key components of PV systems. The goal is to identify risks early on, highlight dependencies, and raise awareness of systemic threats. The findings will be published in a summary report with recommendations for action.
The Risks of Switzerland’s Energy Transition Are Most Visible in Three Areas:
Known Vulnerabilities and the Geopolitical Dimension
The risk is real. International reports document issues such as hardcoded passwords, insecure interfaces, and weak encryption. At the same time, market analysis for Switzerland shows an extreme concentration on a handful of non-European manufacturers. This creates not only technical but also geopolitically motivated threat scenarios.
An incident like the blackout in Spain and Portugal on April 28, 2025—driven largely by the unexpected behavior of numerous PV plants—could also be artificially induced in Switzerland through a targeted cyberattack against a single manufacturer’s fleet of systems.
Security Gap: Who Takes Responsibility?
Currently, there are few to no incentives to secure this decentralized PV infrastructure.
Because neither system owners nor grid operators see themselves as responsible for conducting systematic vulnerability analyses, a dangerous security vacuum remains—with potential consequences for the entire electricity supply.
The Role of NTC: Independent Testing Through Collaboration
Independent vulnerability testing of PV inverters is hardly feasible for individual stakeholders. High costs, a difficult procurement process, complex testing setups, and significant safety risks when working with live components make such analyses difficult.
The National Test Institute for Cybersecurity NTC has the infrastructure, expertise, and resources to perform these tests systematically and safely. To broaden coverage, NTC works in collaboration with partner organizations that provide test devices and share costs. This joint approach spreads the effort and risks, and enables comprehensive analyses.
The urgency is clear: today’s PV investments will form the backbone of Switzerland’s power grid for decades to come. That makes it essential to act proactively during this critical expansion phase.
Conclusion and Outlook
Photovoltaics are indispensable to the energy transition—but their safe integration into the grid is a prerequisite for reliable supply. With its independent testing, NTC helps identify risks early and propose solutions. Policymakers, businesses, and society gain a solid foundation for securing Switzerland's future electricity supply.