Op-ed: NERC compliance is critical to national energy security

The cybersecurity risks our nation’s energy infrastructure is facing are not hypothetical — they are increasingly visible and growing steadily.

Recently, Solar Power World’s Managing Editor Billy Ludt highlighted this growing concern in his article on solar inverter advancements and the urgent need for stronger cybersecurity protocols. As he outlined, distributed energy resources (DERs) are becoming more interconnected with both the grid and behind-the-meter loads, expanding attack surfaces and raising the stakes for proper security controls.

Inverters do represent a critical entry point. If compromised, they can disrupt operations, destabilize local grids and even trigger outages. The risks scale with size; what might begin as a localized issue could quickly escalate in larger utility-scale power plants.

Inverters are understandably a point of concern. But when looking at cybersecurity from a wider lens, there are even more critical and crippling challenges to consider.

The bigger picture: national infrastructure at risk

The real issue? Nothing less than the security of our entire nation’s energy infrastructure.

As reported by CNN and other mainstream media outlets, Iran-linked cyberattacks this month successfully targeted U.S. oil, gas and water systems. Make no mistake: these state-sponsored hacks demonstrated how serious and sophisticated these threats have become.

Unlike traditional cyberattacks that exploit software vulnerabilities, these incidents went through programmable logic controllers (PLCs) that were reachable directly from the internet. PLCs are the backbone of industrial operations, enabling communication and control across critical systems. When compromised, the consequences extend beyond data breaches: they can directly change physical operations. The state-sponsored actors did not break the PLCs; they used them exactly as designed, reaching exposed controllers and operating them. That distinction matters. It means the attackers did not need advanced zero-day exploits; they simply took advantage of poor network architecture and insufficient safeguards.

Basic cybersecurity hygiene, meaning network segmentation, restricted access and properly configured firewalls, would significantly reduce this risk. A PLC that can only be reached from an engineering network behind a default-deny firewall is not an internet-facing PLC. Yet these brush-and-floss basics are applied inconsistently, especially across our nation's power infrastructure.
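To make the hygiene point concrete, here is an added example (written for this page, not code from the op-ed or from Radian Generation) that audits a perimeter firewall policy for exactly the exposure described above: industrial protocol ports on a PLC subnet reachable from outside the approved engineering networks. The rules, addresses and "vendor-remote" rule name are constructed for illustration; the port numbers are the well-known TCP ports for Modbus/TCP, DNP3, EtherNet/IP and Siemens S7. The weak policy is shown beside the hardened one, and the audit also confirms that the hardened policy still lets the engineering workstations and jump host do their job, which is the check that usually gets skipped.

```python
"""Audit a first-match firewall policy for PLC protocol ports exposed to the internet."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Well-known TCP ports used by common industrial control protocols.
OT_PORTS = {
    102: "Siemens S7 (ISO-TSAP)",
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP (CIP)",
}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # destination TCP port; None means any port


def first_match(rules, src_ip, dst_ip, port):
    """Return the first rule matching the flow, or None (implicit default deny)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and (r.dport is None or r.dport == port)):
            return r
    return None


def is_allowed(rules, src_ip, dst_ip, port):
    r = first_match(rules, src_ip, dst_ip, port)
    return r is not None and r.action == "allow"


def audit_plc_exposure(rules, plc_ip, outside_ip):
    """Map each OT port that an outside host can reach on the PLC to its protocol name."""
    return {p: name for p, name in OT_PORTS.items()
            if is_allowed(rules, outside_ip, plc_ip, p)}


# Constructed addressing (hypothetical, not from any real site):
#   PLC subnet 10.30.1.0/24, engineering workstations 10.20.0.0/24,
#   jump host 10.20.5.7, and 198.51.100.10 standing in for an internet host.
PLC = "10.30.1.10"
OUTSIDE = "198.51.100.10"
ENGINEER = "10.20.0.15"
JUMP = "10.20.5.7"

# Weak policy: a broad "vendor needs remote access" rule placed before the deny.
WEAK_POLICY = [
    Rule("vendor-remote", "allow", "0.0.0.0/0", "10.30.1.0/24", None),
    Rule("default-deny", "deny", "0.0.0.0/0", "0.0.0.0/0", None),
]

# Hardened policy: only named engineering sources, only the ports they need.
HARDENED_POLICY = [
    Rule("eng-to-plc-modbus", "allow", "10.20.0.0/24", "10.30.1.0/24", 502),
    Rule("eng-to-plc-s7", "allow", "10.20.0.0/24", "10.30.1.0/24", 102),
    Rule("jump-to-plc-dnp3", "allow", "10.20.5.7/32", "10.30.1.0/24", 20000),
    Rule("default-deny", "deny", "0.0.0.0/0", "0.0.0.0/0", None),
]


def report(policy_name, rules):
    exposed = audit_plc_exposure(rules, PLC, OUTSIDE)
    print(f"{policy_name}: {len(exposed)} OT port(s) reachable from {OUTSIDE}")
    for port, proto in sorted(exposed.items()):
        hit = first_match(rules, OUTSIDE, PLC, port)
        print(f"  {port:>5} {proto:<24} via rule '{hit.name}'")
    return exposed


if __name__ == "__main__":
    report("weak", WEAK_POLICY)
    report("hardened", HARDENED_POLICY)
    print("engineer can reach Modbus:", is_allowed(HARDENED_POLICY, ENGINEER, PLC, 502))
    print("jump host can reach DNP3:", is_allowed(HARDENED_POLICY, JUMP, PLC, 20000))
```

The evaluation is first-match with an implicit deny, which is how most perimeter firewalls behave; the weak policy is dangerous not because it lacks a deny rule but because the permissive rule sits above it. Run the same probe from the real edge after any rule change, since a policy file and the live ruleset drift apart.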

Let’s remember that this is not a distant or theoretical threat. What was once considered a low-probability, high-impact scenario is now an active risk environment. Clearly, the grid is one of the most attractive targets to disrupt economic stability and public safety.

Gaps in current industry practices

What then are we, as an industry, doing to develop sensible cybersecurity protections? Many standards are developed within the clean energy sector, but they prioritize broad applicability over strict enforcement. Requirements may call for firewalls or password protection, but they rarely mandate stronger controls like multi-factor authentication, continuous monitoring or rigorous access management.

Additionally, remote vendor access is expanding. Shared service providers support multiple sites, increasing the potential for widespread impact from a single breach. AI-enabled impersonation campaigns are making social engineering attacks more convincing and more dangerous.

The result is a clear shift from isolated incidents to potentially catastrophic power infrastructure shutdowns.

Regulatory shift: NERC steps in

Clearly, the risk landscape is becoming more complex. This underscores the need for major regulatory change, and one such change is rapidly approaching, thanks to the North American Electric Reliability Corporation (NERC).

NERC has lowered its registration threshold substantially. Its new reliability standards significantly expand oversight of inverter-based resources, shifting from voluntary to mandatory requirements, with financial penalties for non-compliance. This is a notable shift from the previous 75-MW threshold, and it brings a large segment of the industry into a stricter compliance framework.

Beginning May 15, owners and operators of wind, solar, storage and/or hybrid facilities generating 20 MW or above, connected at 60 kV or higher, will be subject to these requirements. These mid-sized power plants are now squarely in scope for NERC compliance. Independent power producers (IPPs) must register with NERC and comply with applicable rules — even if their sites were previously too small to be considered.

And IPPs take note: there is no grace period, and penalties for noncompliance can reach $1.5 million per day.

Why expanded NERC oversight matters

Why is NERC expanding oversight to these assets? Because the change is both necessary and overdue. It acknowledges the growing importance of distributed sources and the risks associated with them.

Keep in mind, these power plants are not fringe contributors. They are essential to powering communities, hospitals, and critical services. Yet many still lack foundational cybersecurity protections.

And, too often, compliance becomes a “check-the-box” exercise rather than a commitment to true operational security. Documentation may be complete, but systems remain vulnerable. NERC requirements also reinforce that cybersecurity is not optional. It is a fundamental component of grid reliability.

A needed mindset shift: cybersecurity as core operations

Developers and IPPs need to treat cybersecurity as a core operational priority, not just a regulatory obligation. Every interconnected asset has the potential to impact others. A vulnerability at one power plant does not stay isolated. It can ripple outward, affecting neighboring systems, local communities and broader grid stability. This is a community of many, with an urgent, shared responsibility of one.

This is why NERC compliance should be viewed as more than a performative exercise. It is a foundational practice for responsible grid participation. All IPPs — no matter their portfolio size — are responsible for ensuring that each asset contributes to overall system reliability rather than introducing avoidable risk. Strong cybersecurity practices support not only immediate operational security, but also long-term asset performance and the credibility of the renewables industry.

This means going beyond minimum requirements and implementing robust access controls, continuously monitoring systems, regularly testing defenses and ensuring that cybersecurity practices evolve alongside emerging threats.

The path forward

The industry is at an inflection point. Mid-sized assets, once considered far less important, are now recognized as essential generators that power our nation’s communities and businesses. That means they are equally attractive targets for hackers and attackers. Meeting NERC Category 2 requirements is a critical milestone, and part of our central ethos as “good grid citizens.”

The path forward is clear: embrace the new NERC Category 2 requirements; look at compliance protocols as a shared responsibility; strengthen cybersecurity practices across all assets; and recognize that protecting our energy infrastructure is not just about compliance — it is about resilience, reliability and national security.

The grid depends on it, and so does our nation.


Kellie Macpherson is executive VP of compliance and risk management at Radian Generation. With more than 25 years of industry experience, she is a recognized leader in renewable energy regulation, cybersecurity and grid reliability. In her current role, Macpherson oversees NERC compliance and managed security services, ensuring clean energy developers, owners, and operators meet regulatory obligations.
