Prosumers
In previous posts, we've examined how the clean energy transition is reshaping our electrical grid. Today, we’ll focus on a unique element of the clean energy landscape: prosumers.
What are prosumers?
Prosumers are entities that both produce and consume energy. Your neighbor with solar panels on their roof who sells excess electricity back to the grid? A prosumer. The office building with its own battery storage system that charges during off-peak hours and discharges during peak demand? Also a prosumer.
This dual role—consuming from the grid when needed and contributing energy back when possible—marks a shift in how our energy system operates. For most of electrical history, generation happened at centralized plants and flowed one way to passive consumers. Now, energy flows have become bidirectional, and the lines between producer and consumer have blurred.
The rise of the prosumer
This shift didn't happen overnight. Early adopters of rooftop solar were pioneers, often motivated more by environmental values than economics. But several forces have accelerated the prosumer revolution:
Plummeting costs: Solar panel prices have fallen over 90% in the last decade, while battery storage costs continue to decline.
Policy incentives: Net metering policies, tax credits, and renewable portfolio standards have created favorable economics for small-scale generation.
Climate awareness: Increasingly visible climate impacts have motivated homeowners and businesses to take energy production into their own hands.
Resilience concerns: Many consumers want backup power they can control after experiencing grid failures from extreme weather events.
Today, prosumers come in many forms:
Residential prosumers: Homeowners with rooftop solar, home batteries, and increasingly, electric vehicles that can provide vehicle-to-grid services.
Commercial prosumers: Businesses with on-site generation, sophisticated energy management systems, and demand response capabilities.
Community prosumers: Neighborhood microgrids, community solar projects, and other collective energy assets.
Some statistics illustrate the scale of this shift: In California alone, over 2 million homes and businesses now have rooftop solar. Behind-the-meter battery storage installations are growing at double-digit rates annually in many markets.
The cybersecurity blind spot
Despite their growing importance to grid stability, prosumers represent a significant cybersecurity blind spot. Here’s why.
First, most residential and small commercial prosumers have no cybersecurity expertise. The typical solar panel owner focuses on energy savings and environmental benefits, not on whether their inverter firmware is up to date or their smart meter uses encrypted communications.
Second, installation companies typically set up the systems, connect them to the internet for monitoring, and then leave customers with minimal guidance about security. They emphasize functionality, not security.
Meanwhile, the systems themselves are increasingly sophisticated. Modern solar installations include:
Inverters that convert DC power from panels to AC power for the grid
Battery management systems (BMS) that decide when to store or discharge energy
Energy management software that optimizes system operation
Communication modules that send performance data to monitoring platforms
Grid integration components that respond to utility signals
Each of these elements represents a potential entry point for attackers:
Researchers have identified 46 vulnerabilities in solar inverters from major manufacturers, including Sungrow, Growatt, and SMA. Insecure APIs and weak authentication mechanisms allow attackers to hijack devices and alter energy output or steal sensitive data. (Per a very recent (March 27) SUN:DOWN research report, "control over 4.5GW would be required to bring the frequency down to 49Hz" in the European grid, meaning attackers would need to control less than 2% of all inverters.)
BMS interfaces, such as maintenance ports and SCADA/DCS connections, are susceptible to exploitation. Attackers can manipulate system parameters, inject malicious commands, or disable protections, leading to operational disruptions or unsafe conditions.
Vulnerabilities in energy management software may allow unauthorized access to control systems or disrupt operations. (See: critical vulns in ABB Cylon Aspect).
As for communication modules, cloud-based monitoring platforms often lack adequate security measures. Weak authentication and poor network segmentation could allow attackers to bypass protections and manipulate system functions remotely.
Grid integration components are exposed to risks from lateral movement within process networks. Attackers that breach SCADA or DCS systems can use grid integration components as pivot points for further attacks, potentially destabilizing power grids.
And, unlike utilities or large energy producers, prosumers rarely have the resources or know-how to secure these systems properly.
Complexity at the grid’s edge
The real cybersecurity challenge of prosumers lies in the complexity they add to the grid.
For decades, utilities have managed the delicate balance between energy supply and demand. This balance must be maintained in real-time—too much or too little power can destabilize the grid, leading to brownouts or blackouts.
Prosumers complicate this balancing act considerably. Consider:
Unpredictable generation: A passing cloud can cause thousands of solar panels to decrease output simultaneously.
Bidirectional energy flows: Distribution networks designed for one-way power flow must now handle electricity travelling in both directions.
Real-time market participation: Prosumers may respond to price signals, all attempting to sell energy when prices are high and buy when prices are low.
Utilities and grid operators are deploying increasingly sophisticated systems to monitor and control this complexity. These systems rely on continuous data exchange with edge devices installed at prosumer locations. Of course, these systems may introduce vulnerabilities of their own.
Two-way dependence
And here is where cybersecurity concerns become acute: The grid is developing a two-way relationship between its own stability and the stability of the internet. Outages on the grid impact the internet’s reliability, and the reliability of internet-dependent services in turn impacts the stability of the grid.
Several aspects of prosumer systems present particular concerns around this point:
Smart inverters: Modern inverters don't just convert DC to AC—they also communicate with the grid, adjusting their output in response to grid conditions. Many use standard protocols like IEEE 2030.5 or SunSpec Modbus, which have documented vulnerabilities. A compromised inverter could feed harmful harmonics into the grid or disconnect during critical periods.
Home energy management systems: These systems often run on commodity hardware and operating systems, with all their associated vulnerabilities. Many connect to cloud services over the public internet, creating potential entry points for attackers.
Third-party monitoring platforms: Most residential solar systems send performance data to monitoring platforms operated by installers or equipment manufacturers. These platforms may have varying security practices, and data breaches could reveal patterns that make physical attacks easier to time.
Update mechanisms: How do prosumer devices receive security updates? The answer varies widely. Some require manual updates by technicians, others update automatically over the internet. Both approaches have security implications.
Mobile apps: Many prosumers monitor and control their systems through smartphone apps, adding another potential attack vector.
The security of these systems matters not just to the individual prosumer but potentially to the entire grid. Unlike most cybersecurity domains, where the primary concern is data confidentiality, here the physical impacts of a breach could be severe.
Stakes and Impacts
What could go wrong? Several scenarios merit consideration:
Cascading failures: If attackers could simultaneously shut down or manipulate many prosumer systems in a single area, they could potentially destabilize the local grid. During periods of peak demand, this could trigger broader outages.
Energy market manipulation: When prosumer systems buy or sell energy, attackers could influence energy prices, creating artificial scarcity or surplus.
Privacy violations: The energy consumption patterns of a household reveal a surprising amount about the occupants' daily lives. When does the household wake up? When are they home? Do they have an electric vehicle? Energy data is personal data.
Infrastructure damage: In worst-case scenarios, coordinated attacks on prosumer equipment could damage grid infrastructure by causing voltage or frequency fluctuations outside safe operating parameters.
These risks aren't merely theoretical. Researchers have already demonstrated attacks on solar inverters, smart meters, and home energy management systems in controlled environments.
Intervention points
We have multiple options for addressing these vulnerabilities.
Technical solutions must start with secure-by-design equipment incorporating hardware security modules and encrypted communications. We should implement isolated operational networks that remain separated from the public internet to prevent remote attacks. Anomaly detection systems can be deployed to identify unusual behavior across prosumer devices, providing early warning of potential compromise. Secure update mechanisms that cryptographically verify the authenticity of firmware would prevent malicious code from being installed during routine maintenance.
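The fleet-level anomaly detection mentioned above, and the cascading-failure scenario from the previous section, can be made concrete with a small detector that an aggregator or utility could run over inverter telemetry. This is an added example, not code from the post or from any monitoring product; it assumes each inverter reports once a minute with fields t (seconds), site, feeder and kw, and the telemetry below is constructed. The point is to separate a passing cloud (gradual, partial dip across a feeder) from a coordinated shutdown (many sites dropping to zero in the same minute).

```python
from collections import defaultdict


def drop_events(samples, drop_ratio=0.9):
    """Yield (feeder, site, t) wherever a site's AC output fell by at least
    drop_ratio between two consecutive reports (e.g. 4.9 kW -> 0.0 kW)."""
    by_site = defaultdict(list)
    for s in samples:
        by_site[(s["feeder"], s["site"])].append((s["t"], s["kw"]))
    for (feeder, site), series in by_site.items():
        series.sort()
        for (t0, p0), (t1, p1) in zip(series, series[1:]):
            if p0 > 0 and p1 <= p0 * (1 - drop_ratio):
                yield feeder, site, t1


def detect_coordinated_drop(samples, window_s=60, drop_ratio=0.9,
                            min_sites=5, min_share=0.5):
    """Alert when at least min_sites AND min_share of a feeder's reporting
    sites drop out inside the same window. A cloud transit lowers output
    gradually and partially, so it does not produce 90% single-step drops;
    a simultaneous fleet-wide fall to zero is what a coordinated shutdown
    (or a bad firmware push) looks like at the grid's edge."""
    sites_per_feeder = defaultdict(set)
    for s in samples:
        sites_per_feeder[s["feeder"]].add(s["site"])
    buckets = defaultdict(set)
    for feeder, site, t in drop_events(samples, drop_ratio):
        buckets[(feeder, t // window_s)].add(site)
    alerts = []
    for (feeder, b), sites in sorted(buckets.items()):
        total = len(sites_per_feeder[feeder])
        if len(sites) >= min_sites and len(sites) / total >= min_share:
            alerts.append({"feeder": feeder, "t": b * window_s,
                           "sites": len(sites), "of": total})
    return alerts


# Constructed telemetry for one feeder: eight 5 kW sites, one report per minute.
CLOUD_CURVE = [5.0, 4.2, 3.1, 2.5, 3.3, 4.8]     # gradual partial dip, recovers
SHUTDOWN_CURVE = [5.0, 5.1, 4.9, 0.0, 0.0, 0.0]  # every site to zero at t=180


def build_feed(curve, n_sites=8, feeder="F1"):
    return [{"t": 60 * i, "site": f"S{n}", "feeder": feeder, "kw": kw}
            for n in range(n_sites) for i, kw in enumerate(curve)]


if __name__ == "__main__":
    print("cloud:", detect_coordinated_drop(build_feed(CLOUD_CURVE)))        # []
    print("shutdown:", detect_coordinated_drop(build_feed(SHUTDOWN_CURVE)))  # one alert at t=180
```

The min_sites floor keeps a single site going offline for maintenance from raising an alert; tune window_s and min_share to the feeder's reporting cadence and size.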
Policy approaches should establish minimum security standards for all grid-connected devices to create a baseline of protection. Security certification requirements could be tied to equipment eligible for tax incentives, using financial leverage to improve security posture. Clear liability frameworks must be developed to establish responsibility when security breaches affect the grid. Privacy protections for energy consumption data are essential, as this information can reveal intimate details of daily life.
Market solutions could include cybersecurity services bundled with solar and battery installations, making security a standard feature rather than an optional add-on. Insurance products covering cyber risks for prosumers would help distribute the financial impact of breaches while creating incentives for better security. Industry-wide security best practices for installers would raise the bar for the entire ecosystem. Shared security monitoring across prosumer aggregators would leverage economies of scale in threat detection.
Educational initiatives must provide clear security guidance for prosumers in non-technical language they can understand and act upon. Training programs for installation technicians should focus on security alongside traditional electrical and mechanical skills. Information sharing between utilities, vendors, and security researchers would accelerate identifying and remedying new threats.
None of these interventions alone will solve the problem. A layered approach is necessary, recognizing that prosumers are rarely security experts.
More research needed
As a researcher, I have an incentive-caused bias to believe research problems always require—you guessed it—more research to solve.
Well, I think several knowledge gaps require targeted investigation before we can implement effective solutions at scale. Here’s what I think they are.
Standards development research
Developing minimum security standards requires evidence about what works. Research should focus on:
Identifying the minimum viable security requirements that balance protection with cost and complexity
Testing how different certification frameworks affect manufacturer compliance and innovation
Evaluating whether standards should vary by device class, capacity, or grid impact potential
Determining how standards can remain adaptable as technologies evolve
We need field studies, not just lab simulations, to understand how these systems behave in real-world conditions with actual prosumers.
Threat modelling at scale
I’ve done research on threat modelling before, particularly on its limitations. One limitation that’s salient here is that threat modelling approaches typically examine individual devices or small systems in isolation. But we need to understand…
…how many compromised prosumer nodes would create meaningful grid instability in different regions
…which attack patterns could exploit the unique characteristics of distributed energy resources
…how cascading effects might propagate through both the electric grid and connected information networks
…whether certain geographic or network topologies create particular vulnerabilities
Bringing these pieces together will require cross-disciplinary work combining power engineering, network theory, and cybersecurity expertise.
Human factors research
The prosumer revolution puts critical infrastructure in the hands of non-experts. Research should investigate…
…how prosumers interact with their energy systems in practice
…which security behaviors we can reasonably expect from typical system owners
…what communication approaches most effectively convey security information to non-technical users
…how installer training affects the security posture of deployed systems
The most sophisticated security measures are useless if they're disabled or misconfigured by confused users!
Economic incentive alignment
Perhaps most crucially, we need research on aligning economic incentives with security outcomes.
How might insurance markets price prosumer cybersecurity risk?
Do security improvements generate a measurable return on investment for prosumers?
Which policy mechanisms most cost-effectively drive security improvements?
How do we effectively distribute security costs across the value chain (manufacturers, installers, prosumers, utilities)?
Without aligned incentives, even the best technical solutions will face adoption barriers.
The path forward
The prosumer revolution represents a fundamental shift in our energy landscape—and the risks it bears. The distributed nature of these systems creates both vulnerabilities and resilience. While a single point of failure can no longer take down the entire grid, thousands of insecure edge points create new attack surfaces.
Progress will require collaboration across traditional boundaries—between utilities and security researchers, policymakers and technologists, manufacturers and end users. The technical challenges are substantial, but the coordination challenges may prove even more difficult.
Clearly, we cannot afford to treat security as an afterthought in the prosumer ecosystem. The stakes—grid stability, energy markets, and critical infrastructure—are too high. By addressing these research gaps now, we can build a clean energy future that's both sustainable and secure.
After all, a transition to renewable energy that creates new vulnerabilities would be a Pyrrhic victory at best. The true challenge is building clean, resilient, and secure energy systems for the decades ahead.
Feedback?
This post represents our current understanding of the prosumer security landscape, but we know there's much more to learn. Are you working on prosumer security issues? Do you see risks or opportunities we've missed? Please contact Nick Merrill (ffff@berkeley.edu) or leave a comment below.
This work emerged in collaboration with researchers at the Center for Long-Term Cybersecurity at UC Berkeley and the Institute for Security in Technology. Support for this work comes from Open Philanthropy.