Cybersecurity within our Organization
To maintain the robustness of our cybersecurity program, we employ the following resources and practices.
Technical Expertise
Technical Director for Product Cybersecurity & CISO
Dedicated secure development lifecycle (SDL) team
Acquisition of a large team of cybersecurity experts with a proven track record
In-house “Red Team” & Vulnerability researchers
External partnership with an industry-leading Incident Response Team (IRT)
Supply Chain Controls
Vendor vetting process for hardware component suppliers (HBOM)
End-to-end software development in EU and Israel for inverters and for SolarEdge ONE Controllers
Security analysis of 3rd party code
Manufacturing site cybersecurity review process
Organizational Practices
Cyber awareness training for all new employees as part of their on-boarding program, coupled with an annual online cybersecurity training course, mandatory for all global employees
Third-party certification to the ISO 27001 Information Security Management Standard for company-wide IT infrastructure and digital assets. Our products are certified to ETSI 303-645 and the Radio Equipment Directive (RED) 2014/52/EU, and are compliant with the UK PSTI law.
Recurring penetration testing & mitigation work plan
Secure coding training
Continuous security events monitoring in our security operations center
Incident response policies and procedures
Vulnerability Disclosure Program for external researchers (Bug Bounty)
Ad-hoc updates sent to all employees on cybersecurity risks and threats
Protection of main online platforms against Denial-of-Service attacks (that prevent legitimate use of our services) and Denial-of-Wallet attacks
Information Security Due Diligence
We recently began undertaking information security assessments for new suppliers in an effort to ensure compliance with our requirements. These assessments cover several topics, including but not limited to: regulatory and standard compliance, information access protocols and controls, information protection, network security, physical protection, security controls, and event management and reporting. In cases of non-compliance, we formulate a corrective action plan with suppliers. We plan to expand this practice and include all major suppliers in the future.
SolarEdge has not experienced any material information security breaches in the past three years, and minor issues have been reported to our Audit Committee. The company has not been subject to any information security breach penalties or settlement payments in the same three-year period. SolarEdge has not experienced a third-party material security breach within the last year that impacted our business.
SolarEdge is an active participant in various technical committees devising international regulatory cyber standards. For further information see section ‘Powering the World through Positive Policy’. We design our solutions in line with such future regulations.
Cybersecurity for our Customers
SolarEdge is committed to continuous cybersecurity improvement. We actively monitor cybersecurity trends, adopt industry best practices, and collaborate with security researchers to enhance our defenses.
To safeguard system connectivity, functionality, and customer data, SolarEdge follows the Cyber Informed Engineering (CIE) principle, embedding information security mechanisms into its products from the initial design stages. We apply proactive security measures, perform continuous monitoring, and practice rapid incident response if an incident should occur.
Our Product Cybersecurity methodology is based on four pillars:
Device Security
The underlying cornerstone of cybersecurity is the product itself. To ensure device security, SolarEdge embeds features such as:
Unique device passwords per inverter
Restrictions on remote access, allowing pre-authorized users only
Detection and prevention of run-time anomalies by an embedded security agent
Built-in security features such as casual Wi-Fi scanning protections
Static code analysis procedures
3rd party penetration testing of the device
All SolarEdge inverters receive over-the-air security updates upon request, ensuring customers have secure access to signed software and firmware updates
Visibility & Control
SolarEdge’s security methodology empowers Commercial & Industrial customers’ IT and security teams to monitor their energy assets in real-time. To secure these systems:
All communications between the gateway and the SolarEdge server are encrypted and channeled through a single port (443)
Our devices contain enhanced security features, designed to block any remote action on the inverter, unless temporary access is granted by authorized personnel physically present at the device
SolarEdge devices also collect robust security logs on failed log-in attempts, system crashes and general system performance
Data analyzed at SolarEdge’s SOC (Security Operations Center) can be made available to customer IT teams
Network Security
A critical point for protection in commercial installations is the connection between the customer’s PV system and the company’s IT network. To secure this connection, SolarEdge implements several measures:
We direct the data flows of the entire PV system through a single point of entry, via the SolarEdge Local Controller, or via the SolarEdge Inverter in smaller installations
All communications passing through the gateway are inspected and analyzed, and a masking feature enhances protection by making it inaccessible, even if an intrusion attempt is made within the same LAN
Data Security
To maintain the security of our customers’ data, we ensure the following:
Connected SolarEdge inverters do not store sensitive information and can be fully wiped of all configuration data in a factory reset
System-generated data is stored on-premises at a dedicated SolarEdge-operated data center in Germany
We implement a comprehensive backup cycle to protect our customers’ data and store it with multiple redundancies
Best practice encryption and authentication are in place for a system to access the server
As solar energy emerges as a dominant source of power, installations are considered a significant part of the critical infrastructure in many countries. Grid participation, system maintenance and PV monitoring require heavy reliance on communications technology, and so protecting information integrity and reliability is of paramount importance.
With this in mind, SolarEdge launched a Cybersecurity Program aimed at safeguarding its customers and itself, and at raising cybersecurity standards for the entire PV industry.
This program combines the efforts of the Chief Information Security Officer and his team, responsible for corporate protection, with those of the Chief Data and Digital Officer who leads the Product Security roadmap. The management team provides quarterly updates to the Technology Committee and annually to the full Board regarding cybersecurity activities and other developments that impact our digital security, in keeping with our high organizational focus on this issue.
Data Privacy
At SolarEdge, we are committed to upholding the highest standards of privacy compliance in all aspects of our operations. We recognize the importance of protecting the personal data and privacy rights of our stakeholders, including employees, customers, suppliers, and investors, and we are dedicated to ensuring that our activities align with all applicable privacy laws and regulations. SolarEdge is fully compliant with the requirements of the GDPR.
Our commitment to privacy compliance encompasses the following principles:
Transparency: We are transparent about the types of personal data we collect, how we use it, and with whom we share it. We provide clear and easily accessible information about our data processing activities through our privacy policies and communications channels. For further information see our Privacy Policy.
Lawfulness, Fairness, and Purpose Limitation: We collect and process personal data in accordance with all relevant applicable laws and regulations worldwide. We ensure that personal data is obtained and used fairly, and only for specified and legitimate purposes. We do not use personal data for purposes incompatible with the initial one without obtaining appropriate consent or other legal basis.
Data Minimization and Accuracy: We collect and retain only the personal data necessary for the activities we execute on a lawful basis, and we take steps to ensure its accuracy and relevance. We regularly review and update our data collection processes to minimize the amount of personal data collected and to ensure its quality and accuracy.
Security and Confidentiality: We implement appropriate technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, or destruction. We restrict access to personal data to authorized personnel who have a legitimate need to know and who are bound by confidentiality obligations.
Data Subject Rights: We respect the rights of individuals regarding their personal data, including the rights to access, rectify, erase, restrict processing, and portability, as well as the right to object to processing. We have established procedures for responding to data subject requests and inquiries in a timely and effective manner.
Accountability and Governance: We have a designated Data Protection Officer in our organization who is responsible for overseeing our activities on personal data and ensuring compliance with all applicable privacy laws and regulations. We conduct periodic assessments and audits of our privacy practices to identify and address any compliance gaps or risks.
By adhering to these principles and implementing all the above-described practices, SolarEdge reaffirms its commitment to privacy compliance and its dedication to protecting the privacy rights of all stakeholders. We believe that integrating privacy considerations into our business frameworks strengthens our accountability, transparency, and trustworthiness as a responsible corporate actor.
Sustainability Report 2023 / Cybersecurity and Data Privacy