How to make inverter password secure

The digitalization of the energy transition with intelligent networking through digital technology is in full swing. Secure passwords for data communication are essential. With our new password guideline you protect your solar plant against unauthorized access.

In the context of the digitalization of the energy system transformation, the linking of the various energy sectors is becoming more and more important. The monitoring and control of PV systems as well as intelligent networking within the Smart Grid is only possible with digital technology and data communication. The required level of cybersecurity can be ensured only through the joint efforts of product manufacturers, installers and PV system operators. Secure passwords are an essential building block for this.

Assigning secure passwords for operators and installers to ensure secure data communication

To enhance the security of our devices and thus the entire PV system and to protect them against unauthorized access, new password rules will apply to SMA string inverters from August 2019. For new devices and for devices that get an update, the passwords for the “User” and “Installer” user groups must comply with the new password rules. Find here what you have to consider when commissioning a new system, expanding an existing system or replacing a device.

Password rules

  • 8 to 12 characters
  • At least 1 lower- and 1 upper-case letter
  • At least 1 number /li>
  • At least one of four special characters: ?_!-

Note: Passwords that have already been assigned in a device will remain valid even after a firmware update.
The new password rules require user action only if a user logs in to the user interface and the user and/or installer password has not yet been assigned.

Important: When choosing a secure password, avoid using names or designations from dictionaries, data related to you or your company and number/letter combinations that are located side by side on the keyboard. Above all, never use the same password for different systems. This prevents multiple applications/systems from being put at risk of unauthorized access if one of your passwords is stolen. If you use many different passwords for different purposes or use certain passwords only rarely, you are advised to use a password manager (also known as “Password Safe”) so that you have to remember only one password, namely that of the password manager itself.

 

For the following devices, updates with the new password rules are already available or will be provided in the near future. For other inverters, the functions will be made available at a later date.

From firmware 2.00.XX:
SUNNY TRIPOWER 60 (STP 60-10)
SUNNY TRIPOWER 60 Japan (STP 60-JP-10)
SUNNY HIGHPOWER PEAK 1 (SHP 75-10)
SUNNY HIGHPOWER PEAK 3 (SHP 100-20, SHP 150-20)
SUNNY HIGHPOWER PEAK3 (SHP 125-US-20)
SUNNY HIGHPOWER PEAK3 (SHP 150-US-20)
SUNNY TRIPOWER STORAGE 60 (STPS 60-10)

From firmware 3.00.XX:
SUNNY BOY 1.5 / 2.0 / 2.5 (SB 1.5-2.5-1VL-40)
SUNNY BOY 3.0 / 3.6 / 4.0 / 5.0 / 6.0 (SB 3.0-6.0-1AV-41)
SUNNY BOY 3.0-US / 3.8-US / 5.0-US / 6.0-US / 7.0-US / 7.7-US (SB 3.0-7.7-1SP-US-41)
SUNNY TRIPOWER 3.0 / 4.0 / 5.0 / 6.0 / 8.0 / 10.0 (STP 3.0-10.0-3AV-40)
SUNNY TRIPOWER 15000TL / 20000TL / 25000TL (STP 15-25TL-30)
SUNNY TRIPOWER CORE1 (STP 50-40)
SUNNY TRIPOWER CORE1 (STP 33-US-41)
SUNNY TRIPOWER CORE1 (STP 50-US-41)
SUNNY TRIPOWER CORE1 (STP-US-41)
SUNNY ISLAND 4.4M / 6.0H / 8.0H (SI 4.4M-12 / SI 6.0H-12 / SI 8.0H-12)

Note: When commissioning a new system using an SMA data logger (e.g., Sunny Home Manager), you should still assign the passwords in accordance with the new password rules. The data logger does not currently check compliance with these new rules, but this will save you additional work later on – and also increases the security of your system right now.

A new inverter can be commissioned using an SMA data logger (e.g., SMA Data Manager). SMA recommends commissioning the inverter via the data logger. If the system does not contain an SMA data logger, you can assign the passwords via the user interface on the inverter in accordance with these new rules.

Example for a Sunny Boy:

  1. Set up a connection with the device.
  2. When you open the inverter user interface, you are prompted to enter the password for the user group “User.”
  3. Select the language and enter the password for the user group “User” twice. Compliance with the new password rules is checked (five green check marks).
  4. Press Save.
  5. You are then prompted to enter the password for the user group “Installer.”
  6. Select the language and enter the password for the user group “Installer” (i.e., system password) twice. Compliance with the new password rules is checked (five green check marks). Make sure that the password you assign is not the same as the user password.
  7. Save your entries and log in.
  8. The user interface for the remaining inverter commissioning steps then opens.

To commission a new device based on the updated password rules in an existing system, you first have to change the system password in the devices already integrated in the system to a new password that complies with the new rules. Of course, you have to do this only if the current system password does not already comply with the rules. Only then can the inverter be commissioned.

The passwords for the user group “Installer” on the devices are used for system communication between data loggers and inverters and for Webconnect communication. This is why the password for the user group “Installer” is called a system password. Proper system communication is possible only if all the system inverters have been assigned the same system password.

Assigning a new system password in accordance with the new password rules:

  1. Systems with Webconnect, Sunny Home Manager, SMA Cluster Controller or SMA Data Manager:
    1. For systems with Webconnect or Sunny Home Manager, you can quickly assign the new system password in one step for all devices in the system via Sunny Portal.
    2. For systems with SMA Cluster Controller or SMA Data Manager, you can quickly assign the new system password in one step for all devices in the system in the data logger.The new system password is automatically adopted as the password of the user group “Installer” for the inverters. This new password must therefore be used for establishing a direct connection to the inverter.
  2. If no SMA data logger has been installed in the system or no Webconnect data communication with Sunny Portal is used, the system password must be assigned either with the Sunny Explorer software or via the inverter user interface.

Note: zFor information on assigning new system passwords and commissioning inverters you´ll also find in the user manual of the aforementioned product if necessary.
You can complete commissioning via an SMA Data Manager or on the inverter user interface.

If you have forgotten the password for the inverter, you can unlock the inverter with a personal unlocking key (PUK). For each inverter, one PUK is available for each user group (user and installer). You can request the PUK at our SMA Service Line. With the PUK you can unlock the inverter via Sunny Explorer and then assign a new password.

 

2/5 - (1 vote)
2 Comments
  1. Clay Stafford
    Clay Stafford says:

    We are trying to register an older inverter on Sunny Portal but the installer password for the inverter does not include a special character and the registering procedure at Sunny Portal will not accept a password without a special character. What is the way around this? Going back to the site and changing the installer password is not an option because of the distance involved.

    Reply
    • Christiane Keim
      Christiane Keim says:

      Hello Clay,

      Sorry for the delayed response.
      Please contact the SMA Service for further assistance on this topic.
      In order to support you the best possible, please deliver further plant details.

      Thanks & best regards
      Christiane

      Reply
Leave a Reply
Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published.*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>