A Unified Security Baseline for Photovoltaic Inverters Integrating IEC, UL, IEEE, SunSpec and EU CRA Requirements

The increasing digitalization of photovoltaic (PV) inverters and their integration into distributed energy resource (DER) ecosystems expose these devices to a rapidly expanding cyber‑physical attack surface. Existing security requirements are fragmented across heterogeneous technical standards—including IEC 62443, IEC 62351, UL 2900‑1, UL 1741 SB, IEEE 1547, IEEE 2030.5, and SunSpec profiles—and only partially aligned with emerging regulatory obligations such as the EU Cyber Resilience Act (CRA) and NIS2 Directive. This fragmentation complicates assurance, hinders interoperability, and leaves critical security controls inconsistently implemented across vendors and deployments. This paper introduces a Unified Security Baseline (USB) that harmonizes essential technical and lifecycle security controls for PV inverters, including secure boot, firmware signing, anti‑rollback protection, strong authentication, TLS‑secured communication, SBOM governance, secure over‑the‑air updates, and coordinated vulnerability disclosure. The USB provides a device‑centric, standards‑agnostic framework designed to strengthen the security posture of inverter‑dominated DER environments while supporting regulatory compliance. By consolidating cross‑standard requirements into a coherent baseline, this work establishes a foundation for future conformity assessment, certification efforts, and secure‑by‑design engineering practices in critical IoT/OT infrastructures.
