U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Cybersecurity for Smart Inverters: Guidelines for Residential and Light Commercial Solar Energy Systems

The smart inverter in a home or small business solar energy system manages the flow of of electric energy within the home and between the home and the local electric utility. A cyber compromise of the smart inverter that changes its behavior in managing electric energy flow can negatively impact the home or small business as well as the local electric grid.

Practical guidelines for home and small business owners to secure small-scale energy generation systems

The guidance was developed by examining the current smart inverter threat landscape, testing currently available smart inverter cybersecurity capabilities, and potential mitigations which system installers, homeowners, and small business owners can implement. The report also presents recommendations to smart inverter manufacturers to improve the cybersecurity capabilities in their products.
Status: Reviewing Comments

The public comment period has closed for the initial public draft of Cybersecurity for Smart Inverters: Guidelines for Residential and Light Commercial Solar Energy Systems. We are currently reviewing the comments received. Thank you to everyone who shared their feedback with us.

NIST IR 8498 Cybersecurity for Smart Inverters: Guidelines for Residential and Light Commercial Solar Energy Systems (Initial Public Draft)Web Version NIST IR 8498 Cybersecurity for Smart Inverters: Guidelines for Residential and Light Commercial Solar Energy Systems (Initial Public Draft)

Abstract 


The use of residential and light-commercial inverters connected to the distribution network and not directly owned and operated by the utility to generate electricity for homes and small businesses continues to increase. In addition to supplying power to individual homeowners and small business owners these systems can supply power to the electric grid. 

Smart inverters provide two critical functions to a small-scale solar energy system; they convert the direct current (DC) produced by solar panels to the alternating current (AC) used on the electric grid, in homes, and businesses. They also manage the flow of excess energy to the electric grid. The “smart” in smart inverter allows these devices to assist the local electric utility in addressing anomalies on the electric grid. However, properly responding to anomalies requires that the smart inverter be configured to behave in a grid-friendly, supportive manner. An improperly configured inverter can respond in inappropriate ways that exacerbate anomalies. 

While one smart inverter is unlikely to have significant impact on the grid if it is misconfigured, a large number of misconfigured smart inverters could have a negative impact on a utility’s efforts to address anomalies. If a malicious actor were able to deliberately misconfigure many smart inverters, grid stability and performance could be impacted. 

This report provides practical cybersecurity guidance for small-scale solar inverter implementations typically used in homes and small businesses. These guidelines are informed by a review of known smart inverter vulnerabilities documented in the National Vulnerability Database (NVD), a review of information about known smart inverter cyber-attacks and testing five example smart inverters. The report also provides recommendations to smart inverter manufacturers for cybersecurity capabilities needed in their products to implement the seven guidelines. These recommendations build on the Internet of Things (IoT) cybersecurity capability baselines defined in NISTIR 8259A and NISTIR 8259B by providing smart-inverter specific information for some of the baseline cybersecurity capabilities. 

If a malicious actor were able to deliberately misconfigure many smart inverters, grid stability and performance could be impacted. 

Join the Community of Interest

Employee speaking on video call with colleagues on online briefing with laptop at home

A Community of Interest (COI) is a group of professionals and advisors who share business insights, technical expertise, challenges, and perspectives to guide NCCoE projects. COIs often include experts, innovators, and everyday users of cybersecurity and privacy technologies. Share your expertise and consider becoming a member of this project's COI. 

Tell us about yourself