On vendors
In this issue: cybersecurity & clean energy vendors. The first in a series of actors in the clean energy ecosystem.
Something to say? We want to hear from you. Reply to this email or contact <ffff@berkeley.edu>.
In August 2024, Dutch researchers discovered six zero-day vulnerabilities in Enphase's IQ Gateway devices, equipment installed in over 4 million solar systems across 150 countries. By chaining these vulnerabilities, an attacker could have orchestrated synchronized disruptions to multiple power grids. Such an attack could have greatly destabilized an electrical grid during peak demand periods when solar production is most relied upon.
More broadly, this case demonstrates what happens when vendors ship infrastructure with bugs in it. Per the White House’s Energy Modernization Cybersecurity Implementation Plan, the clean energy transition will require a great deal of new technology, much of it internet-connected, often produced by new market entrants, for whom cybersecurity may not come naturally, may not be a go-to-market priority, or may simply lack expertise.
This post talks about where this type of systematic risk comes from, why it’s so hard to manage, and how we might manage it anyway.
Vendor security practices
In a case like the Enphase bug, the first finger always points to the vendor’s security practices. Clean energy vendors face a classic incentive misalignment problem: while they bear the costs of implementing robust security measures, they don't directly bear the systemic risks their vulnerabilities create.
This dynamic is generally familiar in technology markets, but it takes on new urgency in critical infrastructure, where security failures can cascade beyond economic damage into physical consequences that threaten public welfare. When vulnerable devices control power generation at scale, the gap between private security costs and public risks becomes a matter of national security.
The issue runs deeper than individual vendor incentives, however. The clean energy transition shifts how we produce and distribute power: from centralized systems with relatively few points of failure to distributed networks with millions of potential vulnerabilities. This architectural transformation demands a parallel evolution in how we think about security governance. Traditional regulatory approaches, which rely heavily on compliance checklists and periodic audits, may not suffice in countering rapidly evolving threats across a vastly expanded attack surface.
My take: Industry-wide security standards need to evolve with threat landscapes. That may mean establishing robust vulnerability-sharing programs or developing financial mechanisms (like specialized insurance products) that better align vendor incentives with systemic risk management.
Governments could subsidize security research and implementation for smaller vendors—similar to how we support basic research in other domains where private incentives can’t provide sufficient profit motive to pick up the tab. This support is especially pressing in clean energy, where some of the best research (at least in the United States) is done behind the veil of security clearance, limiting participation from people without such clearance (while, somehow, managing the very real national security risks associated with the findings of this security research!).
As we can see, the devil is in the details here. A lot more research will be required to get any of these policies even remotely right.
Distributed risk
With the invocation of national security, we can move our perspective from individual vendors to the ecosystem as a whole.
One antidote to bugs in individual vendor products is heterogeneity. Having many vendors with different products on the grid leaves the overall attack surface roughly the same, but it prevents a single bad vulnerability from affecting the whole grid. (I understand there’s been work at various DoE labs on this question, but of course, I can’t see the details.)
I, and I think most Americans, need little prodding to accept that vendor diversity is a good thing—another point in favor of a competitive market. Small numbers of dominant vendors create obvious points of failure. However, excessive fragmentation can lead to security vulnerabilities as well, through implementation inconsistencies and difficulties in coordinating responses to threats. (That’s before you get into the power systems reasons why managing heterogeneity is hard).
On that point: vendors have heterogeneous approaches to device identity management. When different vendors implement different identity schemes, it becomes much harder to maintain security across the system. (Imagine trying to coordinate a response to a threat when you can't consistently identify which devices are which or definitively authenticate their communications!).
Also, with clean energy technology, the risk surface extends beyond traditional grid infrastructure. Clean energy devices increasingly connect through home networks. These networks, often secured by consumers rather than security professionals, frequently contain insecure devices. When an EV charger or heat pump shares a network with a vulnerable smart TV or poorly secured IoT device, that consumer device becomes a potential attack vector, from which an attacker can move onward into energy infrastructure and (if we’re really unlucky) into the grid system.
Further complicating matters: the ongoing convergence of information technology (IT) and operational technology (OT) systems inside utilities. Traditionally, these systems were separated by an airgap—physically isolated from each other and the internet. Today, distributed energy resources (DERs) and energy flexibility applications require these systems to communicate, forcing utilities to bridge historically siloed organizations that operate under different security regimes and priorities. Talk about heterogeneity.
My take: The sweet spot here may lie in maintaining a balance between heterogeneity and visibility—enough diversity to prevent cascade failures, but not so much that security coordination (and power distribution!) becomes impossible.
But maintaining market heterogeneity is harder than it sounds. We’ve observed various markets trend toward consolidation, and for good reason: with greater scale come greater economies of scale, which can lower costs and improve product quality. Of course, gaining these economies of scale very frequently requires offshoring production.
Which brings us to our next point.
Supply chain
When vendors are invoked, supply chain security is often the first thing domain experts will discuss. Supply chain risks can easily be overplayed here: even when U.S. vendors use Chinese components, the software that orchestrates those components (including, often, the firmware) is created in the United States or other allied countries.
Still, there are supply chain risks for vendors. Even when using vetted components from trusted suppliers, the complexity of modern supply chains creates opportunities for compromise. Hardware components may be modified in transit, firmware could be tampered with during manufacturing, and even seemingly innocuous parts like power supplies can be attack vectors. (The challenge is particularly acute for clean energy vendors who rely on specialized components with limited supplier options.)
This situation creates a tension between maintaining secure supply chains and achieving the cost efficiencies needed to drive clean energy adoption. Some vendors have responded by moving toward vertical integration or developing redundant supplier networks, but these approaches can significantly increase costs and slow time-to-market—precisely when rapid deployment of clean energy infrastructure is most needed.
My take: The solutions to these problems are likely twofold:
Developing more sophisticated supply chain verification techniques, perhaps leveraging emerging technologies like hardware security modules and provenance tracking systems.
Building more resilient domestic manufacturing capabilities for critical components.
How might industrial or trade policy shape the incentives around either of these objectives? Answering that question will require extensive research. (If you know of any, please send it our way).
Rules and regulation
The regulatory landscape for clean energy cybersecurity remains fragmented and incomplete. Frameworks often struggle to keep pace with rapidly evolving threats and technological innovation.
The challenge is crafting regulations that effectively manage risk without stifling innovation or creating excessive compliance burdens that could slow clean energy adoption. Traditional critical infrastructure regulation has focused on prescriptive requirements, such as specific technical standards, testing protocols, and certification processes. While these approaches have merit, they may prove too rigid for the dynamic clean energy landscape.
My take: “Regulatory sandboxes” that allow controlled testing of new technologies and security approaches could help strike a balance between innovation and security. Singapore's Energy Market Authority (EMA) introduced a regulatory sandbox in 2017 to promote innovation in the energy sector. The sandbox allows companies to test new products and services in a controlled environment with temporary regulatory waivers. If regulators extended these waivers to security researchers, we might stand to discover vulnerabilities before new products turned into critical infrastructure.
These regulatory sandboxes could be coupled with robust information-sharing requirements. These frameworks could help regulators and vendors collaboratively develop security standards that evolve with the threat landscape. Some bodies have experimented with outcome-based regulation, where vendors must demonstrate their ability to maintain certain security outcomes rather than follow specific procedures. For example, the U.S. Department of Defense's Cybersecurity Maturity Model Certification (CMMC) requires entities to demonstrate capabilities in identifying and intercepting per-system threats. This approach gives vendors flexibility in how they achieve security objectives while maintaining accountability for results.
But regulatory frameworks face their own coordination challenges. In the United States alone, clean energy vendors must navigate a complex web of federal, state, and local requirements. International vendors face even greater complexity. This regulatory fragmentation can create gaps in security coverage while simultaneously increasing compliance costs, particularly challenging for smaller vendors and new market entrants.
The road ahead
Managing vendor security risks in the clean energy transition requires a delicate balance. We need approaches that can simultaneously foster innovation and market entry, ensure a robust security posture, maintain grid reliability, keep costs manageable for both vendors and consumers, and enable effective coordination across this increasingly complex ecosystem.
Success will likely require new institutional arrangements that bridge traditional divisions between public and private sectors. This might include public-private partnerships for threat intelligence sharing, industry-led standards development with regulatory oversight, and new financial instruments that better align incentives across the ecosystem.
The stakes are high. As we rapidly deploy clean energy infrastructure to address climate change, we must ensure we're not inadvertently creating new vulnerabilities that could undermine energy security and the clean energy transition itself. Getting this right will require sustained attention and investment from all stakeholders – vendors, utilities, regulators, and security researchers alike.
Thanks to Max van der Horst and Peter Baard at DIVD for the truly stimulating conversation. Thanks to Phil Keys at Intertrust for notes on the landscape.
What did we miss? Let us know: <ffff@berkeley.edu>.