The growing connectivity of power technologies has granted greater control over how distributed energy resources (DERs) interact with both the grid and energy loads behind the meter. But as these devices connect with more avenues of electrical distribution, there are rising implications for proper cybersecurity measures within them.
The solar industry is trying to establish a standard for cybersecurity in solar inverters. Inverter cybersecurity has become paramount, because as their features expand — such as remote access through web portals — so does the risk for breach.
This concern extends beyond ensuring the device itself isn’t susceptible. Guaranteeing inverters and DERs are cybersecure means ensuring every step along the supply chain is secure.
“While global sourcing in the energy sector has enabled cost-savings and technological advancements, an overreliance on foreign sources could introduce new cybersecurity risks,” wrote the Solar Energy Industries Association (SEIA) in the report “Inverter & Supply Chain Cybersecurity” published in February. In it, SEIA advocates for growing a domestic solar inverter manufacturing presence to mitigate foreign cybersecurity concerns.
SEIA also recommends several existing cybersecurity standards for DERs, including the recently published UL 2941.
In 2023, the National Renewable Energy Laboratory (now the National Laboratory of the Rockies) and UL Solutions debuted UL 2941, a cybersecurity standard for DERs and systems using inverters, such as solar projects and wind farms. Danish Saleem, senior cybersecurity engineer with the National Laboratory of the Rockies (NLR), and his team developed the concept that would become UL 2941 before engaging UL and industry members to build the standard.
“At NLR, we recognized early on that as more inverter-based resources are integrated with the grid, traditional ‘set it and forget it’ approaches to inverter security were no longer adequate for a modern grid having bidirectional communication and power flow,” he said.
The groups are trying to make UL 2941 mandatory for DERs and inverter systems. Together, they developed a certification for the standard that published in February. UL 2941 establishes methods for testing devices such as PV inverters for cybersecurity defense and recommends measures that can be implemented by manufacturers.
It uses a multi-layered approach to affirming cybersecurity, covering system details such as requiring the proper credentials to digitally access a PV inverter, using cryptography to entrench system data, detecting login attempts and abnormal monitoring incidents, verifying software updates and having measures to stop physical tampering of a device.
Saleem said cybersecurity is an active practice — one that needs involvement from system owners, utilities and aggregators.
“Several years ago, the main concern was protecting individual inverters,” he said. “But today, with increasing aggregation of distributed systems into virtual power plants and other aggregated assets, a single compromised DER can pose new and uncertain risks to grid reliability.”
UL 2941 complements other safety standards, like UL 1741, which was developed in response to grid modernization. With increasing interconnected DERs, such as EV chargers and renewable energy sources, UL 1741 was published to test inverters for proper grid functionality.
“If you think about a Venn diagram between appropriate connection to the grid and safe operation of the inverter, both are coordinated to address that,” said Ken Boyce, VP, principal engineering, industrial, at UL Solutions. “2941 is another circle in the Venn diagram that addresses connecting to the grid safely and in a cybersecure fashion.”
DERs and inverter risks
Someone with unauthorized access to solar inverters could cause grid instability and outages. This risk of impact is higher in larger-scale solar projects, but residential solar inverters are still susceptible. Separate from grid dangers, breached inverters can affect economic returns, insurance plans and an inverter brand’s reputation.
“The vulnerability with my home rooftop solar not being able to produce isn’t a threat to national security,” Boyce said. “But those inverters appear over and over again. The aggregate effect of those things can be significant, and if you’re the homeowner and you can’t get the benefits of your system, that still matters.”
While the focus of this story is on DERs and inverters, any modern device connected to the power grid, including traditional power infrastructure, is susceptible to cyberattacks.
In 2025, the country of Poland experienced an unprecedented number of cyberattacks, which led to a grid outage affecting nearly 500,000 people, as reported by the Associated Press. These cyberattacks halted operations at a combined power plant, solar projects and wind farms in the country.
The digitalization of DERs and inverter-based power plants has increased their ease of use and capabilities but also makes them at higher-risk for cyberattacks. While standards like UL 2941 are not mandatory for solar inverter deployment, their authors are imploring manufacturers and project developers to implement these safety measures.
“As we see more progress from large-scale, centralized power production facilities to more distributed energy resources now becoming increasingly more important to our energy portfolio, the risks for threats to reliable and safe power production are different. You need to be able to put them into a cybersecure infrastructure environment … Product requirements alone will not make you immune to a cybersecurity attack,” Boyce said.