Evaluating Cybersecurity Risks of Bulgaria’s Energy Sector: Focus on PV and HVAC-R
Round 1
Reviewer 1 Report
Comments and Suggestions for Authors
General Impression
The article addresses an important and highly relevant issue — cybersecurity in Bulgaria’s energy system, with a focus on photovoltaic (PV) installations and HVAC-R systems. It presents an extensive literature review, a detailed analysis of the national context, and attempts to propose recommendations for improving the security of these systems. The paper demonstrates the authors’ deep familiarity with the subject matter, includes many practical examples, and can potentially be a valuable contribution to interdisciplinary research at the intersection of energy systems and cybersecurity.
However, the manuscript requires substantial revision in terms of scientific rigor, logical consistency, terminological precision, alignment with European standards, and coherence between the stated objectives and the conclusions.
Strengths
- Topical relevance. The security issues of PV and HVAC-R systems in the context of growing distributed generation are well grounded.
- Practical foundation. The inclusion of real-life cases of equipment malfunctions and organizational issues adds credibility to the analysis.
Major Concerns
- Scientific accuracy and clarity of terminology
- The introduction contains vague claims not supported by evidence (e.g., lines 16–17: “The real control of those devices remains unclear”).
- Terms such as “unclear control,” “potential threats,” or “certain concerning trends” are overly broad and should be specified or substantiated.
- Structural imbalance
- Section 2 (literature review) is overly lengthy and loses focus. Subsections 2.1.1–2.1.4 are repetitive and could be significantly condensed.
- Section 3 deviates from the cybersecurity focus, placing excessive emphasis on economic and policy aspects.
- Lack of analytical generalization
- The authors describe isolated cases (e.g., inverter malfunctions), but do not attempt to classify them into a risk taxonomy or threat scenarios.
- Absence of European regulatory and technical context
- A significant shortcoming is the complete lack of reference to European cybersecurity standards relevant to the energy sector. None of the following critical documents or standards are mentioned:
- IEC 61850 — communication standard for substation automation;
- ENISA guidelines — recommendations for protecting critical infrastructure;
- NIS2 Directive (2022) — EU directive on cybersecurity for essential services, including energy;
- Cybersecurity Act (2019) — framework for EU cybersecurity certification schemes;
- SunSpec, Modbus TCP, OPC UA — widely adopted protocols in smart PV systems.
This omission critically weakens the practical validity of the proposed recommendations, especially given that Bulgaria is an EU Member State.
Issues with Conclusions
- Lack of specificity. The conclusion mentions “certain concerning security trends,” but fails to define what they are. Given the study’s objective (lines 71–72), such vagueness is problematic.
- Proposed solutions require stronger justification.
- For example, the recommendations to “disconnect inverters and BMS from the Internet” and “implement control similar to HVAC-R systems” are questionable:
- Disconnecting from the global network is impractical, as it would prevent firmware updates, diagnostics, and data collection.
- The analogy with HVAC-R control architectures lacks technical justification, given the differing requirements and operational logic.
Recommendations to the Authors
Methodological:
- Condense the literature review and focus on studies directly related to PV/HVAC-R cybersecurity in the EU context.
- Define clear threat scenarios using established classifications (e.g., MITRE ATT&CK, ENISA threat taxonomy).
Content-related:
- Include a dedicated section on the EU regulatory and technical framework, referencing NIS2, IEC 62443, IEC 61850, and related standards.
- Align proposed measures with existing initiatives in the EU, such as:
- "Smart Inverters" in Germany, Italy, and the Netherlands;
- Use of Home Energy Management Systems as a common European practice to avoid direct cloud dependency.
Conclusions:
- Structure the conclusions to address:
- A concise summary of the identified problems based on evidence.
- A set of specific recommendations directly linked to the analyzed issues and informed by EU experience.
Author Response
Response to Reviewer 1 Comments
1. Summary
Thank you very much for taking the time to review this manuscript. Please find the detailed responses below and the corrections highlighted. Thanks to your recommendations, we have made a major revision of the report, changing approximately 50% of its content. New chapters have been added regarding risk assessment and improvement measures. In our opinion, the revised version is much more balanced and focused on the topic of cybersecurity of small systems.
We have uploaded the revised material to the MDPI system, and for your convenience, we are sending you an identical copy (see attachment), in which the new text is colored in blue. The text in black has also been corrected, but mainly by reducing the volume, while the meaning remains the same.
3. Point-by-point response to Comments and Suggestions for Authors
Below are answers to all the comments after your “Major Concerns”
Comments 1: Scientific accuracy and clarity of terminology. The introduction contains vague claims not supported by evidence (e.g., lines 16–17: “The real control of those devices remains unclear”). Terms such as “unclear control,” “potential threats,” or “certain concerning trends” are overly broad and should be specified or substantiated.
Response 1: Thank you for pointing this out. We agree with the remark and have tried to fix it. The abstract has been changed. We have made an attempt to clarify our statements.
Comments 2: Structural imbalance. Section 2 (literature review) is overly lengthy and loses focus. Subsections 2.1.1–2.1.4 are repetitive and could be significantly condensed. Section 3 deviates from the cybersecurity focus, placing excessive emphasis on economic and policy aspects.
Response 2: Agree. The general literature review has been significantly shortened, but text has been added specifically concerning European cybersecurity regulations. We agree. Section 3 has been shortened. Our idea is to show the trends in the development of energy, based on which we actually make the forecast that the number of hybrid inverters will grow rapidly, increasing their share in the total generation.
Comments 3: Lack of analytical generalization. The authors describe isolated cases (e.g., inverter malfunctions), but do not attempt to classify them into a risk taxonomy or threat scenarios.
Response 3: Again, you are absolutely right. In the corrected version, a risk assessment has been made and threat scenarios have been defined.
Comments 4: Absence of European regulatory and technical context. A significant shortcoming is the complete lack of reference to European cybersecurity standards relevant to the energy sector. None of the following critical documents or standards are mentioned: IEC 61850 — communication standard for substation automation; ENISA guidelines — recommendations for protecting critical infrastructure; NIS2 Directive (2022) — EU directive on cybersecurity for essential services, including energy; Cybersecurity Act (2019) — framework for EU cybersecurity certification schemes; SunSpec, Modbus TCP, OPC UA — widely adopted protocols in smart PV systems. This omission critically weakens the practical validity of the proposed recommendations, especially given that Bulgaria is an EU Member State.
Response 4: We have fully complied with this remark and have referenced the above-mentioned documents (lines 140-195).
Comments 5: Issues with Conclusions. Lack of specificity. The conclusion mentions “certain concerning security trends,” but fails to define what they are. Given the study’s objective (lines 71–72), such vagueness is problematic. Proposed solutions require stronger justification. For example, the recommendations to “disconnect inverters and BMS from the Internet” and “implement control similar to HVAC-R systems” are questionable: Disconnecting from the global network is impractical, as it would prevent firmware updates, diagnostics, and data collection. The analogy with HVAC-R control architectures lacks technical justification, given the differing requirements and operational logic.
Response 5: Major changes have been made to address this comment. We think the new material is much more focused on the issue. Thank you for bringing this to our attention - we have never suggested disconnecting the systems from the internet - that would be extremely impractical. Our suggestion is to keep them remotely controllable, but to isolate the direct influence of the manufacturers on the operational settings, and we think we have now described it better.
Comments 6: Recommendations to the Authors. Methodological: Condense the literature review and focus on studies directly related to PV/HVAC-R cybersecurity in the EU context. Define clear threat scenarios using established classifications (e.g., MITRE ATT&CK, ENISA threat taxonomy). Content-related: Include a dedicated section on the EU regulatory and technical framework, referencing NIS2, IEC 62443, IEC 61850, and related standards. Align proposed measures with existing initiatives in the EU, such as: "Smart Inverters" in Germany, Italy, and the Netherlands; Use of Home Energy Management Systems as a common European practice to avoid direct cloud dependency.
Response 6: We think we have complied with all the recommendations listed.
Author Response File: Author Response.pdf
Reviewer 2 Report
Comments and Suggestions for Authors
The article investigates potential issues associated with Bulgaria's energy system, particularly focusing on vulnerabilities arising from software interference. It highlights that cyberattacks could disrupt the management of the energy infrastructure, emphasizing the critical need for robust cybersecurity measures. Given the increasing digitization of energy systems, this topic is undeniably pertinent.
To enhance the quality of the article, the following suggestions are proposed:
- To improve readability, the authors should explicitly delineate their specific contributions to the research.
- Introducing a list of abbreviations at the beginning of the article would aid readers in understanding the terminology used throughout the paper.
- Providing comprehensive information about the software and hardware utilized in the energy management system would offer deeper insights into the system's architecture and potential vulnerabilities.
- An in-depth analysis of possible cyber threats to the energy system, along with strategies to mitigate them, would strengthen the article's practical relevance.
- Presenting quantitative data to support the proposed solutions would enhance the credibility of the conclusions and demonstrate the effectiveness of the recommended measures.
- Enhancing the clarity and resolution of Figures 5, 10, 11, and 13 would facilitate better comprehension of the visual data presented.
Implementing these recommendations would significantly improve the article's clarity, depth, and overall impact.
Author Response
Response to Reviewer 2 Comments
1. Summary
Thank you very much for taking the time to review this manuscript. Please find the detailed responses below and the corrections highlighted. Thanks to your recommendations, we have made a major revision of the report, changing approximately 50% of its content. New chapters have been added regarding risk assessment and improvement measures. In our opinion, the revised version is much more balanced and focused on the topic of cybersecurity of small systems.
We have uploaded the revised material to the MDPI system, and for your convenience, we are sending you an identical copy, in which the new text is colored in blue (see attachment). The text in black has also been corrected, but mainly by reducing the volume, while the meaning remains the same.
2. Point-by-point response to Comments and Suggestions for Authors
Below are answers to all the comments after your suggestions but in our opinion, the new edition will change the overall view of the report and some of the proposals will fall by themselves. We assume that you will have comments again, but they will be in a different direction.
Comments 1: To improve readability, the authors should explicitly delineate their specific contributions to the research.
Response 1: The new version highlights cybersecurity issues related to the use of hybrid inverters. Threat scenarios that are not covered by current European regulations are identified.
Comments 2: Introducing a list of abbreviations at the beginning of the article would aid readers in understanding the terminology used throughout the paper.
Response 2: A list of abbreviations has been included in the new edition. According to our reading of the instructions for authors, this list should be at the end of the report, as it falls into the "back matter" category.
Comments 3: Providing comprehensive information about the software and hardware utilized in the energy management system would offer deeper insights into the system's architecture and potential vulnerabilities.
Response 3: Your comment is extremely accurate and apparently we were not able to express ourselves well in the previous edition. In many EU countries there is a power limit below which facilities are not subject to dispatch control. In Bulgaria it is 200 kW, and for example in Germany - 100 kW. There are absolutely no requirements for all installations with lower power. The facilities are installed using the manufacturer's software and firmware, for which information is extremely difficult to obtain (in fact, not possible at all). All installers in the field would very much like to have "comprehensive information", but often have to take pictures of hieroglyphs with their phone and search for a translation with Google. These are not directly cyber problems and we think that as technology matures they will be solved, but agree, the fact that we don't know anything about the systems is worrying.
Comments 4: An in-depth analysis of possible cyber threats to the energy system, along with strategies to mitigate them, would strengthen the article's practical relevance.
Response 4: The new edition identifies threat scenarios, conducts a risk assessment, and proposes means to improve security.
Comments 5: Presenting quantitative data to support the proposed solutions would enhance the credibility of the conclusions and demonstrate the effectiveness of the recommended measures.
Response 5: We completely agree, but the technology is new and sufficient statistics have not yet been accumulated. In the new edition, we have tried to be more precise and support our claims by citing results from other researchers.
Comments 6: Enhancing the clarity and resolution of Figures 5, 10, 11, and 13 would facilitate better comprehension of the visual data presented.
Response 6: The figures were redrawn using vector graphics.
Author Response File: Author Response.pdf
Reviewer 3 Report
Comments and Suggestions for Authors
- While the paper identifies various cybersecurity threats, it does not use a standardized risk assessment model (e.g., FMEA, Bow-tie analysis, or NIST Cybersecurity Framework) to quantify their likelihood and impact. Why wasn't a formal cybersecurity risk assessment methodology used to structure and validate the threat analysis?
- The study’s novelty seems to stem from anecdotal case insights rather than from a newly developed theoretical or analytical framework. What is the methodological innovation of this work? Could the approach be generalized beyond the Bulgarian context to support broader application?
- The discussion comparing HVAC-R systems and PV inverters is primarily qualitative. There is no metric-based comparison of security architecture, failure modes, or resilience. Can the authors offer a structured, indicator-based comparison of the cybersecurity architectures of HVAC-R and PV systems?
- The example of a hybrid inverter failure is compelling, but it represents a single case. No evidence is provided to suggest it is statistically representative or systemic. What percentage of installed systems experience such firmware failures? Is the described case typical or exceptional?
- The conclusion suggests adopting HVAC-style control for inverters, but it lacks details regarding implementation challenges, costs, and standards compliance. How can the proposed control model be realistically integrated within current grid operational practices or regulatory environments?
- The dominance of Chinese-manufactured inverters is acknowledged but not examined from the standpoint of supply chain risk, firmware trust, or jurisdictional control. Has the potential geopolitical and supply chain risk of foreign-manufactured energy equipment been sufficiently addressed in the security analysis?
- The issue of unsynchronized inverters leading to system collapse is mentioned, but it lacks a technical breakdown, such as protocol mismatches, sampling latency, or command conflicts. Can the authors provide a more detailed explanation of the technical root causes of the observed inverter synchronization failure?
- The suggestion to sever internet connectivity contradicts common operational needs for monitoring and firmware updates. How do the authors propose to balance cybersecurity with the requirements of remote access and cloud-based monitoring?
- The paper does not reference key EU frameworks, such as the NIS 2 Directive and the EU Cyber Resilience Act, which directly address these infrastructure concerns. How do the authors’ recommendations align with or diverge from existing EU-wide cybersecurity and critical infrastructure policies?
- Although well-referenced, the paper does not clarify which scholarly gap it fills or how it extends, contradicts, or refines prior studies. What specific research gap does this study address, and how does it advance the academic discourse on cybersecurity in distributed energy systems?
Author Response
Response to Reviewer 3 Comments
1. Summary
Thank you very much for taking the time to review this manuscript. Please find the detailed responses below and the corrections highlighted. Thanks to your recommendations, we have made a major revision of the report, changing approximately 50% of its content. New chapters have been added regarding risk assessment and improvement measures. In our opinion, the revised version is much more balanced and focused on the topic of cybersecurity of small systems.
We have uploaded the revised material to the MDPI system, and for your convenience, we are sending you an identical copy, in which the new text is colored in blue (see attachment). The text in black has also been corrected, but mainly by reducing the volume, while the meaning remains the same.
2. Point-by-point response to Comments and Suggestions for Authors
Below are answers to all the comments after your suggestions but in our opinion, the new edition will change the overall view of the report and some of the proposals will fall by themselves. We assume that you will have comments again, but they will be in a different direction.
Comments 1: While the paper identifies various cybersecurity threats, it does not use a standardized risk assessment model (e.g., FMEA, Bow-tie analysis, or NIST Cybersecurity Framework) to quantify their likelihood and impact. Why wasn't a formal cybersecurity risk assessment methodology used to structure and validate the threat analysis?
Response 1: The remark is reflected in the new edition.
Comments 2: The study’s novelty seems to stem from anecdotal case insights rather than from a newly developed theoretical or analytical framework. What is the methodological innovation of this work? Could the approach be generalized beyond the Bulgarian context to support broader application?
Response 2: In the new edition, we have tried to explain that the processes in the Bulgarian energy system are similar to the processes in other European energy systems, which we support with quotes. Analyzing the processes, we make a prediction that the number of small inverters will grow rapidly and soon they will have a significant share in the total generating capacity. Then we assess the risk of this and indicate measures for improvement. In our opinion, the new edition is much more precise and focused on the problem.
Comments 3: The discussion comparing HVAC-R systems and PV inverters is primarily qualitative. There is no metric-based comparison of security architecture, failure modes, or resilience. Can the authors offer a structured, indicator-based comparison of the cybersecurity architectures of HVAC-R and PV systems?
Response 3: We have been looking at this area for a long time. In connection with the current paper, we have compiled a survey and collected answers from HVAC companies. None of the surveyed companies has ever encountered cyber-attacks and even cyber-related technical issues. We cannot even give examples similar to those we give with inverters. After the systems come to life, they work without fail. I guess you would not dare to publish exactly such data - no engineer would believe that something works without any fail, we agree that we have a gap in this point and we need to change our approach in the future. In the report, these systems are only marginally present as an example of reliable in terms of cyber security.
Comments 4: The example of a hybrid inverter failure is compelling, but it represents a single case. No evidence is provided to suggest it is statistically representative or systemic. What percentage of installed systems experience such firmware failures? Is the described case typical or exceptional?
Response 4: The technology is new, accumulated statistics are absent. Examples are simply given to show that the problem exists, it's not a matter of paranoid assumptions. The general validity of the conclusions is supported by citations of other researchers who reach similar conclusions.
Comments 5: The conclusion suggests adopting HVAC-style control for inverters, but it lacks details regarding implementation challenges, costs, and standards compliance. How can the proposed control model be realistically integrated within current grid operational practices or regulatory environments?
Response 5: In the new edition, we propose several measures, focusing on the specific one in much more detail. We use the HVAC as an example of a system in which there is an intermediate layer in the control system - the manufacturer of the individual components does not have direct access to them. They are still controllable, but through the PLC and so each individual system has an element of uniqueness and cannot all be attacked simultaneously.
Comments 6: The dominance of Chinese-manufactured inverters is acknowledged but not examined from the standpoint of supply chain risk, firmware trust, or jurisdictional control. Has the potential geopolitical and supply chain risk of foreign-manufactured energy equipment been sufficiently addressed in the security analysis?
Response 6: The remark is reflected in the new edition.
Comments 7: The issue of unsynchronized inverters leading to system collapse is mentioned, but it lacks a technical breakdown, such as protocol mismatches, sampling latency, or command conflicts. Can the authors provide a more detailed explanation of the technical root causes of the observed inverter synchronization failure?
Response 7: You touch on a very important topic related to the stability of the energy system. The article points out real problems in this regard, which occurred this year in Macedonia and Spain. The topic is very large, it needs serious additional research, although it has been worked on since the dawn of energetics. It is directly related to cyber security - impact on the stability of the system would be the main goal of a cyber attack, but it is too large to be discussed in detail. Again - examples are given simply to show that the threats are not purely hypothetical.
Comments 8: The suggestion to sever internet connectivity contradicts common operational needs for monitoring and firmware updates. How do the authors propose to balance cybersecurity with the requirements of remote access and cloud-based monitoring?
Response 8: Thank you for bringing this to our attention - we have never suggested disconnecting the systems from the internet - that would be extremely impractical. Our suggestion is to keep them remotely controllable, but to isolate the direct influence of the manufacturers on the operational settings, and we think we have now described it better.
Comments 9: The paper does not reference key EU frameworks, such as the NIS 2 Directive and the EU Cyber Resilience Act, which directly address these infrastructure concerns. How do the authors’ recommendations align with or diverge from existing EU-wide cybersecurity and critical infrastructure policies?
Response 9: We have fully complied with this remark and have referenced the above-mentioned documents (lines 140-195).
Comments 10: Although well-referenced, the paper does not clarify which scholarly gap it fills or how it extends, contradicts, or refines prior studies. What specific research gap does this study address, and how does it advance the academic discourse on cybersecurity in distributed energy systems?
Response 10: The new edition identifies threat scenarios and provides a risk assessment. It identifies weaknesses in European cybersecurity regulations. It identifies scenarios for which adequate measures are not provided for in the CRA. Measures have been proposed to improve security.
Author Response File: Author Response.pdf
Reviewer 4 Report
Comments and Suggestions for Authors
Overall, the paper identified cybersecurity risks for electrical systems in Bulgaria’s energy sector. The topic is interesting, but the paper lacks clarity, lacks a systematic review approach, and does not clearly highlight the goal and the paper’s contributions. I do not get the novelty behind this work. I’ve listed a few more detailed comments below.
- Introduction - (1) The problem statement should be further clarified. (2) The contributions must be clearly listed. A contribution to every identified problem should be identified and listed. (3) There is a lack of clarity about the scope of the paper. Is it a technical or a survey paper?
- Literature Review - (1) CPS is only introduced here; why not introduce it in the first few paragraphs of the introduction? (2) This section needs a rework. Each sub-section should be mapped back to the problem statement. Existing literature and its limitations should be summarized.
- Sec 3 - (1) Please include an introductory paragraph to inform the reader about the sequence of details that will be provided in this section. (2) Insights from the authors must be included in this section. There seems to be a disconnect between the literature survey and this section. What problems/cyber-attacks listed in the Literature Review are possible or have impacted systems in Bulgaria?
- General - Figures must be within the allocated page layout. Image quality must be improved for readability. Please use high resolution images.
Author Response
Response to Reviewer 4 Comments
1. Summary
Thank you very much for taking the time to review this manuscript. Please find the detailed responses below and the corrections highlighted. Thanks to your recommendations, we have made a major revision of the report, changing approximately 50% of its content. New chapters have been added regarding risk assessment and improvement measures. In our opinion, the revised version is much more balanced and focused on the topic of cybersecurity of small systems.
We have uploaded the revised material to the MDPI system, and for your convenience, we are sending you an identical copy, in which the new text is colored in blue (see attachment). The text in black has also been corrected, but mainly by reducing the volume, while the meaning remains the same.
2. Point-by-point response to Comments and Suggestions for Authors
Below are answers to all the comments after your suggestions but in our opinion, the new edition will change the overall view of the report and some of the proposals will fall by themselves. We assume that you will have comments again, but they will be in a different direction.
Comments 1: Introduction - (1) The problem statement should be further clarified. (2) The contributions must be clearly listed. A contribution to every identified problem should be identified and listed. (3) There is a lack of clarity about the scope of the paper. Is it a technical or a survey paper?
Response 1: In the new edition, all these remarks have been addressed.
Comments 2: Literature Review - (1) CPS is only introduced here; why not introduce it in the first few paragraphs of the introduction? (2) This section needs a rework. Each sub-section should be mapped back to the problem statement. Existing literature and its limitations should be summarized.
Response 2: (1) - moved. (2) - redundant text removed to avoid tautology. We believe that the major changes made take into account the remark. In our opinion, the new edition is much more precise and focused on the problem.
Comments 3: Sec 3 - (1) Please include an introductory paragraph to inform the reader about the sequence of details that will be provided in this section. (2) Insights from the authors must be included in this section. There seems to be a disconnect between the literature survey and this section. What problems/cyber-attacks listed in the Literature Review are possible or have impacted systems in Bulgaria?
Response 3: In the new edition, all these remarks have been addressed.
Comments 4: General - Figures must be within the allocated page layout. Image quality must be improved for readability. Please use high resolution images.
Response 4: The figures are remade in vector graphics and within the allocated page layout. We believe that the formatting of Fig. 6 and Fig. 10 corresponds to the formatting of a double figure (Fig. 2) from the template file.
Author Response File: Author Response.pdf
Reviewer 5 Report
Comments and Suggestions for Authors
Methodology
The approach is very poorly described, actual unique own contribution and novelty is not clear. To me this paper reads more like some report, and it is not clear whether authors are reviewing other sources and synthesizing the situation in Bulgaria or did they actually apply some proprietary approaches and did the experimental measurements themselves? If yes – how, with what equipment, methods? Paper just cannot start with literature review and then move directly to descriptive overview, with some experimental measurements integrated. Please rewrite it in a more formal manner, following standard materials and methods format (data used>workflow>actual methods developed>how it was measured>etc).
Experiments
As said above, to me it's not clear what is made by the author team. In addition: Temporal ablation for dynamic style threats is required, as in what happens by ablating time-series segments regarding sensitivity to temporal shifts (for all aspects presented in the paper). Please also add bootstrapping analysis on historical electricity price data to statistically validate correlations between PV saturation and negative pricing. Was there any counterfactual reasoning done to isolate causal effects of specific vulnerabilities (likely unpatched PLCs given the context) on grid instability, moving beyond correlational studies? Please add what was done here. Please use TDA to extract persistent topological features from high-dimensional data you used. Please add more in-depth analysis on historical data (figure 9, maybe also in broader context?) to statistically confirm correlations between PV saturation and market price collapses. The period chosen also seems weird, why this one exactly?
Author Response
Response to Reviewer 5 Comments
Thank you very much for taking the time to review this manuscript. Please find the detailed responses below and the corrections highlighted. Thanks to your recommendations, we have made a major revision of the report, changing approximately 50% of its content. New chapters have been added regarding risk assessment and improvement measures. In our opinion, the revised version is much more balanced and focused on the topic of cybersecurity of small systems.
We have uploaded the revised material to the MDPI system, and for your convenience, we are sending you an identical copy, in which the new text is colored in blue (see attachment). The text in black has also been corrected, but mainly by reducing the volume, while the meaning remains the same.
2. Point-by-point response to Comments and Suggestions for Authors
Below are answers to all the comments after your suggestions, but in our opinion, the new edition will change the overall view of the report and some of the proposals will fall by themselves. We assume that you will have comments again, but they will be in a different direction.
Comments 1: Methodology
The approach is very poorly described; the actual unique own contribution and novelty is not clear. To me this paper reads more like some report, and it is not clear whether the authors are reviewing other sources and synthesizing the situation in Bulgaria or did they actually apply some proprietary approaches and do the experimental measurements themselves? If yes – how, with what equipment, methods? The paper just cannot start with a literature review and then move directly to a descriptive overview, with some experimental measurements integrated. Please rewrite it in a more formal manner, following the standard materials and methods format (data used>workflow>actual methods developed>how it was measured>etc).
Response 1: In the new edition, the contributions, problem statement, and proposed measures have been further clarified. Hybrid inverters are still an emerging technology that finds widespread use throughout residential PV systems. Our view is that after a significant revision of the paper, we have complied with the nature of your review.
Comments 2: As said above, to me it's not clear what is made by the author team. In addition: Temporal ablation for dynamic style threats is required, as in what happens by ablating time-series segments regarding sensitivity to temporal shifts (for all aspects presented in the paper). Please also add bootstrapping analysis on historical electricity price data to statistically validate correlations between PV saturation and negative pricing. Was there any counterfactual reasoning done to isolate causal effects of specific vulnerabilities (likely unpatched PLCs given the context) on grid instability, moving beyond correlational studies? Please add what was done here. Please use TDA to extract persistent topological features from the high-dimensional data you used. Please add more in-depth analysis on historical data (figure 9, maybe also in broader context?) to statistically confirm correlations between PV saturation and market price collapses. The period chosen also seems weird, why this one exactly?
Response 2: Our idea is to show the trends in the development of energy, based on which we actually make the forecast that the number of hybrid inverters will grow rapidly, increasing their share in the total generation. After that, we analyze the risks associated with hybrid inverters and the fact that they will occupy a sufficiently large share of the total generating power. In the new edition, we have taken the liberty of supporting the conclusions we reach not with additional statistical procedures, but by citing other studies that draw similar conclusions, including after statistical processing. We hope that this approach, in light of the new edition of the paper, will be acceptable to you.
Author Response File: Author Response.pdf
Round 2
Reviewer 3 Report
Comments and Suggestions for Authors
The paper is close to being publishable. The core contributions are important and timely, especially as hybrid PV penetration rises in Europe. However, to meet the journal’s standards for rigor and generalizability, I recommend a final revision that includes:
1. A brief comparison with frameworks like NIST CSF or ISO/IEC 27005, even if just to justify why the custom matrix was chosen.
2. Integrate even small-scale survey data to underpin prevalence or impact claims.
3. Better delineation of how/why the findings apply beyond Bulgaria.
4. Proofreading for grammar and flow.
If these points are addressed, the paper can be confidently recommended for acceptance.
Author Response
Thank you for your remarks. A comparison to NIST CSF and IEC 27005, and a small-scale survey, have been added.
In terms of better delineation beyond Bulgaria, a new Figure 12 from cited data has been added.
Reviewer 4 Report
Comments and Suggestions for Authors
Overall, I appreciate the authors for making several improvements to address my previous comments. However, I still feel that the paper lacks clarity and its scope is not well defined. Please take a look at some of the comments below.
- Abstract and Introduction have been improved, but there is still no clarity in the scope and contributions of this work. The introduction has to identify and list clearly what aspects of cyber-attacks are being analyzed or surveyed in this work. Please highlight and enumerate the technical/empirical contributions of this work.
- Sec 5 – The scope of this section should be described by including details on how this section is useful for readers.
- Sec 5 – Why is a real dataset or simulation not used for risk assessment in Section 5? Is the intention to lay out a risk assessment methodology that can be used by the readers for their assessment?
- Sec 5 – I am not sure how an objective assessment with random risk calculation is going to help the evaluation. Why is a systematic risk assessment approach not used for this evaluation/assessment?
- Sec 6 – On what basis are the recommendations for enhancing the cybersecurity of hybrid inverters made? Are these derived from a literature survey or empirical analysis?
- Paper Formatting – Please allow space between the table and text. E.g., Tables 2, 3, and 4 on page 14.
- Figures need to be improved for readability. E.g., the quality of Figures 5, 10, etc. must be improved.
- Check for grammatical and spelling errors. E.g., deactivsted on page 13.
There are language checks required in some parts of the paper. Spell check is also required.
Author Response
Thank you for your remarks.
In terms of Section 5, a description on details has been added. As this is still an emerging, but rapidly growing, technology, there is a lack of statistical data and many of the conclusions drawn in the literature, as in our case, are prognoses. As such, a systematic approach is not applicable.
Regarding Section 6, with a bit of tautology, recommendations are given by prognosis conclusions.
Space has been added after tables.
Grammatical and spelling mistakes have been corrected.
Reviewer 5 Report
Comments and Suggestions for Authors
Dear authors, thank you for the revised version, however it is still not clear to me what is the proprietary contribution here or maybe the paper is steered more towards a literature review and situation in Bulgarian adoption of hybrid inverters, as well as related issues? In that case the full review protocol is needed and the style feels off as well. If the offering is on risk assessment then additional details are needed on why it would be considered reliable, as referring to other sources might not necessarily correlate well with the Bulgarian market, no? Also how were the risks calculated, to what methodology?
Author Response
Thank you for your remarks.
Hybrid inverters are still an emerging, but rapidly growing technology. There is a lack of statistical data to make any empirical or systematic assessments. As such it is our belief that attention to issues and potential solutions based on prognosis. As of this moment the parallels between the Bulgarian market and the EU market are drawn from recent literature, correspondence with local installers and PV owners, and the following of the inverters' market to the best of our knowledge.