PLC Security Flashpoint: Lithuania Pulls Plug on Insecure Solar Assets

PLC Security Flashpoint: Lithuania Pulls Plug on Insecure Solar Assets

Why It Matters Now

Europe's accelerating green energy transition is connecting tens of thousands of programmable logic controllers (PLCs) and industrial control systems to national power grids — and with them, an expanding attack surface that most operators have not adequately secured. Lithuania has just become the first EU member state to draw a hard line: grid operators can now disconnect solar plants over 100kW that fail cybersecurity compliance checks. The decision marks a pivotal moment for PLC security, elevating it from an operational concern to a matter of national energy sovereignty.

The legislation, effective for new projects since May 1, 2025, targets the remote-access capabilities embedded in modern inverters — devices that sit at the intersection of power electronics and networked industrial control. With 79 MPs voting in favour of the amendment to Lithuania's Law on Electricity, the message is unambiguous: the era of connecting critical energy assets to the grid without verified cybersecurity controls is over.

The Inverter Is a PLC — And That's the Problem

For much of the industrial automation community, the term “PLC” conjures images of ruggedized controllers on factory floors. But in renewable energy deployments, the inverter functions as a de facto PLC — executing real-time control logic, communicating over industrial protocols, and increasingly, maintaining persistent cloud connections to vendor servers located in jurisdictions beyond European regulatory reach.

These devices manage grid synchronization, power quality, and fault response. If compromised, an attacker could theoretically command thousands of distributed assets simultaneously — a scenario that moves well beyond data theft into the realm of physical infrastructure sabotage. The 2024 Deye inverter incident, where units across North America were remotely disabled via firmware-level lockout commands, demonstrated that this is not hypothetical.

Analyst Insight: The Converged Threat Landscape

The convergence of IT, OT, and IoT in renewable energy has created a threat landscape where a vulnerability in a cloud-connected inverter is indistinguishable from a vulnerability in a grid substation PLC. According to Forescout's 2025 OT/ICS vulnerability report, the ICS cybersecurity risk level hit a record high — 508 advisories covering 2,155 vulnerabilities. Energy infrastructure, once air-gapped by design, now presents one of the fastest-growing attack surfaces globally. The Energy & Utilities sector is experiencing 25% year-over-year IoT expansion, outpacing most other critical infrastructure verticals.

Lithuania's Legislative Framework: What It Mandates

Lithuania's amendment to the Law on Electricity requires operators of power plants exceeding 100kW to implement “additional safeguards” for information management systems and connected inverters. Crucially, the legislation designates “hostile countries” — as defined by the country's National Security Strategy — and imposes restrictions on remote access originating from equipment manufactured in those jurisdictions.

The European Solar Manufacturing Council (ESMC) has publicly endorsed the Lithuanian approach, calling for wider EU adoption of similar policies. This signals a broader regulatory trajectory: cybersecurity compliance is shifting from voluntary best practice to statutory requirement — with teeth.

Key Provisions of Lithuania's Electricity Law Amendment
  • Applicability threshold: All power plants and devices with capacity exceeding 100 kW.
  • Effective date for new projects: May 1, 2025.
  • Enforcement mechanism: Grid operators granted authority to disconnect non-compliant assets.
  • Geopolitical dimension: Restrictions on remote access capabilities originating from “hostile country” manufacturers.
  • Scope: Covers information management systems, inverters, and associated communication infrastructure.

PLC-Level Security: From Afterthought to Design Imperative

For decades, industrial PLCs were designed with an implicit assumption: they would operate inside physically secured, air-gapped environments. Security features — when they existed — were bolted on through network segmentation, firewalls, and intrusion detection systems layered above the controller layer. The renewable energy rollout shatters this model.

Solar farms and wind installations are geographically distributed, often unmanned, and connected via cellular or satellite links. Each networked PLC — or inverter functioning as one — becomes a potential ingress point into the wider grid. The IEC 62443 standard, which defines security requirements for Industrial Automation and Control Systems (IACS), provides a framework for addressing this at the architecture level, but adoption across the renewable energy supply chain remains inconsistent.

Market Trend: Security-by-Design Becomes a Competitive Differentiator

PLC manufacturers and inverter OEMs that embed IEC 62443-compliant security — including secure boot, firmware signing, and hardware-rooted device identity — are positioned to capture market share as regulations tighten. The days of treating cybersecurity as a post-deployment configuration exercise are numbered. Procurement specifications across European utilities are already being rewritten to mandate pre-certified security assurance at the component level. For the industrial automation supply chain, Lithuania's move is a preview of requirements that will soon span the continent.

Supply Chain Sovereignty and the China Question

Lithuania's legislation does not name specific manufacturers, but its reference to “hostile countries” — combined with the National Security Strategy's designation criteria — places Chinese inverter and component suppliers squarely in scope. This follows a pattern: U.S. energy officials have separately investigated unexplained communication equipment discovered inside Chinese-manufactured solar inverters, including cellular radios not listed in product documentation.

The industrial automation sector faces a structural dilemma. Chinese manufacturers now command significant market share in solar inverters, PLC-adjacent components, and grid interface equipment. Supply chain diversification is slow, and alternative suppliers in Europe and North America operate at lower scale and higher cost. The regulatory pressure, however, is only moving in one direction.

FAQ: What This Means for Industrial Automation Professionals

Q: Does Lithuania's law apply to existing installations?
The disconnect authority applies broadly, but the May 2025 compliance deadline specifically targets new projects. Retrofitting requirements for legacy assets are expected to follow as regulatory frameworks mature.

Q: How does this affect PLC procurement for renewable energy projects?
Project developers must now verify the cybersecurity posture of every networked controller — including inverters functioning as PLCs — against IEC 62443 or equivalent frameworks. Vendor remote-access policies must be documented and contractually governed.

Q: Will other EU countries follow Lithuania's lead?
The ESMC has explicitly called for wider adoption. Combined with the EU's NIS2 Directive and Cyber Resilience Act, the regulatory environment is converging toward mandatory OT/ICS security across energy infrastructure. Lithuania has simply moved faster than Brussels.

Q: What are the immediate steps for asset operators?
Conduct a complete OT asset inventory, map all remote-access vectors, audit vendor connectivity, and implement network segmentation that isolates inverter/PLC traffic from broader grid control systems.

The Wider Implication: Green Transition Cannot Outrun Security

Europe's energy transition targets are among the most ambitious in the world. But the velocity of renewable deployment has consistently outpaced the cybersecurity governance needed to protect it. Lithuania's intervention — controversial as it may be for asset owners facing sudden compliance pressure — addresses an uncomfortable truth: every connected inverter, every networked PLC, every cloud-managed solar array adds a node to an attack surface that adversaries are actively mapping.

The question is no longer whether OT/ICS security matters to the green transition. It is whether the industrial automation industry can embed it fast enough to keep pace with both the threat and the regulator. For PLC manufacturers, system integrators, and energy asset operators, Lithuania's hard line is not an outlier — it is a signal of what is coming.

Related Articles

Powrót do blogu