Evaluating Cybersecurity Risks of Bulgaria’s Energy Sector: Focus on PV and HVAC-R

Response to Reviewer 1 Comments

1. Summary

Thank you very much for taking the time to review this manuscript. Please find the detailed responses below and the corrections highlighted.

Thanks to your recommendations, we have made a major revision of the report, changing approximately 50% of its content. New chapters have been added regarding risk assessment and improvement measures. In our opinion, the revised version is much more balanced and focused on the topic of cybersecurity of small systems.

We have uploaded the revised material to the MDPI system, and for your convenience, we are sending you an identical copy  (see attachment), in which the new text is colored in blue. The text in black has also been corrected, but mainly by reducing the volume, while the meaning remains the same.

3. Point-by-point response to Comments and Suggestions for Authors

Below are answers to all the comments after your “Major Concerns”

Comments 1: Scientific accuracy and clarity of terminology

The introduction contains vague claims not supported by evidence (e.g., lines 16–17: “The real control of those devices remains unclear”).

Terms such as “unclear control,” “potential threats,” or “certain concerning trends” are overly broad and should be specified or substantiated.

Response 1: Thank you for pointing this out. We agree with the remark and have tried to fix it. The abstract has been changed. We have made an attempt to clarify our statements.

Comments 2: Structural imbalance

Section 2 (literature review) is overly lengthy and loses focus. Subsections 2.1.1–2.1.4 are repetitive and could be significantly condensed.

Section 3 deviates from the cybersecurity focus, placing excessive emphasis on economic and policy aspects.

Response 2: Agree. The general literature review has been significantly shortened, but text has been added specifically concerning European cybersecurity regulations.

We agree. Section 3 has been shortened. Our idea is to show the trends in the development of energy, based on which we actually make the forecast that the number of hybrid inverters will grow and rapidly, increasing their share in the total generation.

Comments 3: Lack of analytical generalization

The authors describe isolated cases (e.g., inverter malfunctions), but do not attempt to classify them into a risk taxonomy or threat scenarios.

Response 3: Again, you are absolutely right. In the corrected version, a risk assessment has been made and threat scenarios have been defined.

Comments 4: Absence of European regulatory and technical context

A significant shortcoming is the complete lack of reference to European cybersecurity standards relevant to the energy sector. None of the following critical documents or standards are mentioned:

IEC 61850 — communication standard for substation automation;

ENISA guidelines — recommendations for protecting critical infrastructure;

NIS2 Directive (2022) — EU directive on cybersecurity for essential services, including energy;

Cybersecurity Act (2019) — framework for EU cybersecurity certification schemes;

SunSpec, Modbus TCP, OPC UA — widely adopted protocols in smart PV systems.

This omission critically weakens the practical validity of the proposed recommendations, especially given that Bulgaria is an EU Member State.

Response 4: We have fully complied with this remark and have referenced the above-mentioned documents (lines 140-195)

Comments 5: Issues with Conclusions

Lack of specificity. The conclusion mentions “certain concerning security trends,” but fails to define what they are. Given the study’s objective (lines 71–72), such vagueness is problematic.

Proposed solutions require stronger justification.

For example, the recommendations to “disconnect inverters and BMS from the Internet” and “implement control similar to HVAC-R systems” are questionable:

Disconnecting from the global network is impractical, as it would prevent firmware updates, diagnostics, and data collection.

The analogy with HVAC-R control architectures lacks technical justification, given the differing requirements and operational logic.

Response 5: Major changes have been made to address this comment. We think the new material is much more focused on the issue.

Thank you for bringing this to our attention - we have never suggested disconnecting the systems from the internet - that would be extremely impractical. Our suggestion is to keep them remotely controllable, but to isolate the direct influence of the manufacturers on the operational settings, and we think we have now described it better.

Comments 6: Recommendations to the Authors

Methodological:

Condense the literature review and focus on studies directly related to PV/HVAC-R cybersecurity in the EU context.

Define clear threat scenarios using established classifications (e.g., MITRE ATT&CK, ENISA threat taxonomy).

Content-related:

Include a dedicated section on the EU regulatory and technical framework, referencing NIS2, IEC 62443, IEC 61850, and related standards.

Align proposed measures with existing initiatives in the EU, such as:

"Smart Inverters" in Germany, Italy, and the Netherlands;

Use of Home Energy Management Systems as a common European practice to avoid direct cloud dependency.

Response 6: We think we have complied with all the recommendations listed.

Response to Reviewer 2 Comments

1. Summary

Thank you very much for taking the time to review this manuscript. Please find the detailed responses below and the corrections highlighted.

Thanks to your recommendations, we have made a major revision of the report, changing approximately 50% of its content. New chapters have been added regarding risk assessment and improvement measures. In our opinion, the revised version is much more balanced and focused on the topic of cybersecurity of small systems.

We have uploaded the revised material to the MDPI system, and for your convenience, we are sending you an identical copy, in which the new text is colored in blue (see attachment). The text in black has also been corrected, but mainly by reducing the volume, while the meaning remains the same.

2. Point-by-point response to Comments and Suggestions for Authors

Below are answers to all the comments after your suggestions but in our opinion, the new edition will change the overall view of the report and some of the proposals will fall by themselves. We assume that you will have comments again, but they will be in a different direction.

Comments 1: To improve readability, the authors should explicitly delineate their specific contributions to the research.

Response 1: The new version highlights cybersecurity issues related to the use of hybrid inverters. Threat scenarios that are not covered by current European regulations are identified.

Comments 2: Introducing a list of abbreviations at the beginning of the article would aid readers in understanding the terminology used throughout the paper.

Response 2: A list of abbreviations has been included in the new edition. According to our reading of the instructions for authors, this list should be at the end of the report, as it falls into the "back matter" category.

Comments 3: Providing comprehensive information about the software and hardware utilized in the energy management system would offer deeper insights into the system's architecture and potential vulnerabilities.

Response 3: Your comment is extremely accurate and apparently we were not able to express ourselves well in the previous edition.

In many EU countries there is a power limit below which facilities are not subject to dispatch control. In Bulgaria it is 200 kW, and for example in Germany - 100 kW. There are absolutely no requirements for all installations with lower power. The facilities are installed using the manufacturer's software and firmware, for which information is extremely difficult to obtain (in fact, not possible at all). All installers in the field would very much like to have "comprehensive information", but often have to take pictures of hieroglyphs with their phone and search for a translation with Google. These are not directly cyber problems and we think that as technology matures they will be solved, but agree, the fact that we don't know anything about the systems is worrying.

Comments 4: An in-depth analysis of possible cyber threats to the energy system, along with strategies to mitigate them, would strengthen the article's practical relevance.

Response 4: The new edition identifies threat scenarios, conducts a risk assessment, and proposes means to improve security.

Comments 5: Presenting quantitative data to support the proposed solutions would enhance the credibility of the conclusions and demonstrate the effectiveness of the recommended measures.

Response 5: We completely agree, but the technology is new and sufficient statistics have not yet been accumulated. In the new edition, we have tried to be more precise and support our claims by citing results from other researchers.

Comments 6: Enhancing the clarity and resolution of Figures 5, 10, 11, and 13 would facilitate better comprehension of the visual data presented.

Response 6: The figures were redrawn using vector graphics.

Response to Reviewer 3 Comments

1. Summary

Thank you very much for taking the time to review this manuscript. Please find the detailed responses below and the corrections highlighted.

Thanks to your recommendations, we have made a major revision of the report, changing approximately 50% of its content. New chapters have been added regarding risk assessment and improvement measures. In our opinion, the revised version is much more balanced and focused on the topic of cybersecurity of small systems.

We have uploaded the revised material to the MDPI system, and for your convenience, we are sending you an identical copy, in which the new text is colored in blue (see attachment). The text in black has also been corrected, but mainly by reducing the volume, while the meaning remains the same.

2. Point-by-point response to Comments and Suggestions for Authors

Below are answers to all the comments after your suggestions but in our opinion, the new edition will change the overall view of the report and some of the proposals will fall by themselves. We assume that you will have comments again, but they will be in a different direction.

Comments 1: While the paper identifies various cybersecurity threats, it does not use a standardized risk assessment model (e.g., FMEA, Bow-tie analysis, or NIST Cybersecurity Framework) to quantify their likelihood and impact. Why wasn't a formal cybersecurity risk assessment methodology used to structure and validate the threat analysis?.

Response 1: The remark is reflected in the new edition.

Comments 2: The study’s novelty seems to stem from anecdotal case insights rather than from a newly developed theoretical or analytical framework. What is the methodological innovation of this work? Could the approach be generalized beyond the Bulgarian context to support broader application?

Response 2: In the new edition, we have tried to explain that the processes in the Bulgarian energy system are similar to the processes in other European energy systems, which we support with quotes.

Analyzing the processes, we make a prediction that the number of small inverters will grow rapidly and soon they will have a significant share in the total generating capacity. Then we assess the risk of this and indicate measures for improvement.

In our opinion, the new edition is much more precise and focused on the problem.

Comments 3: The discussion comparing HVAC-R systems and PV inverters is primarily qualitative. There is no metric-based comparison of security architecture, failure modes, or resilience. Can the authors offer a structured, indicator-based comparison of the cybersecurity architectures of HVAC-R and PV systems?

Response 3: We have been looking at this area for a long time. In connection with the current paper, we have compiled a survey and collected answers from HVAC companies. None of the surveyed companies has ever encountered cyber-attacks and even cyber related technical issues. We cannot even give examples similar to those we give with inverters. After the systems come to life, they work without fail. I guess you would not dare to publish exactly such data - no engineer would believe that something works without any fail, we agree that we have a gap in this point and we need to change our approach in the future.

In the report, these systems are only marginally present as an example of reliable in terms of cyber security.

Comments 4: The example of a hybrid inverter failure is compelling, but it represents a single case. No evidence is provided to suggest it is statistically representative or systemic. What percentage of installed systems experience such firmware failures? Is the described case typical or exceptional?

Response 4: The technology is new, accumulated statistics are absent. Examples are simply given to show that the problem exists, it's not a matter of paranoid assumptions.

The general validity of the conclusions is supported by citations of other researchers who reach similar conclusions.

Comments 5: The conclusion suggests adopting HVAC-style control for inverters, but it lacks details regarding implementation challenges, costs, and standards compliance. How can the proposed control model be realistically integrated within current grid operational practices or regulatory environments?

Response 5: In the new edition, we propose several measures, focusing on the specific one in much more detail. We use the HVAC as an example of a system in which there is an intermediate layer in the control system - the manufacturer of the individual components does not have direct access to them. They are still controllable, but through the PLC and so each individual system has an element of uniqueness and cannot all be attacked simultaneously.

Comments 6: The dominance of Chinese-manufactured inverters is acknowledged but not examined from the standpoint of supply chain risk, firmware trust, or jurisdictional control. Has the potential geopolitical and supply chain risk of foreign-manufactured energy equipment been sufficiently addressed in the security analysis?

Response 6: The remark is reflected in the new edition.

Comments 7: The issue of unsynchronized inverters leading to system collapse is mentioned, but it lacks a technical breakdown, such as protocol mismatches, sampling latency, or command conflicts. Can the authors provide a more detailed explanation of the technical root causes of the observed inverter synchronization failure?

Response 7: You touch on a very important topic related to the stability of the energy system. The article points out real problems in this regard, which occurred this year in Macedonia and Spain. The topic is very large, it needs serious additional research, although it has been worked on since the dawn of energetics. It is directly related to cyber security - impact on the stability of the system would be the main goal of a cyber attack, but it is too large to be discussed in detail. Again - examples are given simply to show that the threats are not purely hypothetical.

Comments 8: The suggestion to sever internet connectivity contradicts common operational needs for monitoring and firmware updates. How do the authors propose to balance cybersecurity with the requirements of remote access and cloud-based monitoring?

Response 8: Thank you for bringing this to our attention - we have never suggested disconnecting the systems from the internet - that would be extremely impractical. Our suggestion is to keep them remotely controllable, but to isolate the direct influence of the manufacturers on the operational settings, and we think we have now described it better.

Comments 9: The paper does not reference key EU frameworks, such as the NIS 2 Directive and the EU Cyber Resilience Act, which directly address these infrastructure concerns. How do the authors’ recommendations align with or diverge from existing EU-wide cybersecurity and critical infrastructure policies?

Response 9: We have fully complied with this remark and have referenced the above-mentioned documents (lines 140-195)

Comments 10: Although well-referenced, the paper does not clarify which scholarly gap it fills or how it extends, contradicts, or refines prior studies. What specific research gap does this study address, and how does it advance the academic discourse on cybersecurity in distributed energy systems?

Response 10: The new edition identifies threat scenarios and provides a risk assessment. It identifies weaknesses in European cybersecurity regulations. It identifies scenarios for which adequate measures are not provided for in the CRA. Measures have been proposed to improve security.

Response to Reviewer 4 Comments

1. Summary

Thank you very much for taking the time to review this manuscript. Please find the detailed responses below and the corrections highlighted.

Thanks to your recommendations, we have made a major revision of the report, changing approximately 50% of its content. New chapters have been added regarding risk assessment and improvement measures. In our opinion, the revised version is much more balanced and focused on the topic of cybersecurity of small systems.

We have uploaded the revised material to the MDPI system, and for your convenience, we are sending you an identical copy, in which the new text is colored in blue (see attachment). The text in black has also been corrected, but mainly by reducing the volume, while the meaning remains the same.

2. Point-by-point response to Comments and Suggestions for Authors

Below are answers to all the comments after your suggestions but in our opinion, the new edition will change the overall view of the report and some of the proposals will fall by themselves. We assume that you will have comments again, but they will be in a different direction.

Comments 1: Introduction - (1) The problem statement should be further clarified. (2) The contributions must be clearly listed. A contribution to every identified problem should be identified and listed. (3) There is a lack of clarity about the scope of the paper. Is it a technical or a survey paper?.

Response 1: In the new edition, all these remarks have been addressed.

Comments 2: Literature Review - (1) CPS is only introduced here; why not introduce it in the first few paragraphs of the introduction? (2) This section needs a rework. Each sub-section should be mapped back to the problem statement. Existing literature and its limitations should be summarized. 

Response 2:

(1) - moved.

(2) - redundant text removed to avoid tautology.

We believe that the major changes made take into account the remark.

In our opinion, the new edition is much more precise and focused on the problem.

Comments 3: Sec 3 - (1) Please include an introductory paragraph to inform the reader about the sequence of details that will be provided in this section. (2) Insights from the authors must be included in this section. There seems to be a disconnect between the literature survey and this section. What problems/cyber-attacks listed in the Literature Review are possible or have impacted systems in Bulgaria?

Response 3: In the new edition, all these remarks have been addressed.

Comments 4: General - Figures must be within the allocated page layout. Image quality must be improved for readability. Please use high resolution images.

Response 4: The figures are remade in vector graphics and within the allocated page layout.

We believe that the formatting of Fig. 6 and Fig. 10 corresponds to the formatting of a double figure (Fig. 2) from the template file.

Response to Reviewer 5 Comments

Thank you very much for taking the time to review this manuscript. Please find the detailed responses below and the corrections highlighted.

Thanks to your recommendations, we have made a major revision of the report, changing approximately 50% of its content. New chapters have been added regarding risk assessment and improvement measures. In our opinion, the revised version is much more balanced and focused on the topic of cybersecurity of small systems.

We have uploaded the revised material to the MDPI system, and for your convenience, we are sending you an identical copy, in which the new text is colored in blue (see attachment). The text in black has also been corrected, but mainly by reducing the volume, while the meaning remains the same.

2. Point-by-point response to Comments and Suggestions for Authors

Below are answers to all the comments after your suggestions but in our opinion, the new edition will change the overall view of the report and some of the proposals will fall by themselves. We assume that you will have comments again, but they will be in a different direction.

Comments 1: Methodology

The approach is very poorly described, actual unique own contribution and novelty is not clear. To me this paper reads more like some report, and is not clear whether authors are reviewing other sources and synthesizing the situation in Bulgaria or did they actually applied some proprietary approaches and did the experimental measurements themselves? If yes – how, with what equipment, methods? Paper just cannot start with literature review and then move directly to descriptive overview, with some experimental measurements integrated. Please rewrite it in more formal manner, following standard materials and methods format (data used>workflow>actual methods developed>how it was measured>etc).

Response 1: In the new edition, the contributions, problem statement, proposed measures have been further clarified.

Hybrid inverters are still an emerging technology that finds widespread throughout residential PV systems. Our view is that after a significant revision of the paper, we have complied with the nature of your review.

Comments 2: As said above, to me its not clear what is made by the author team. In addition: Temporal ablation for dynamic style threats is required, as in what happens by ablating time-series segments regarding sensitivity to temporal shifts (for all aspects presented in the paper). Please also add bootstrapping analysis on historical electricity price data to statistically validate correlations between PV saturation and negative pricing. Was there any counterfactual reasoning done to isolate causal effects of specific vulnerabilities (likely unpatched PLCs given the context) on grid instability, moving beyond correlational studies? Please add what was done here. Please use TDA to extract persistent topological features from high-dimensional data you used. Please add more indepth analysis on historical data (figure 9, maybe also in broader context?) to statistically confirm correlations between PV saturation and market price collapses. The period chosen also seem weird, why this one exactly?

Response 2:

Our idea is to show the trends in the development of energy, based on which we actually make the forecast that the number of hybrid inverters will grow and rapidly, increasing their share in the total generation. After that, we analyze the risks associated with hybrid inverters and the fact that they will occupy a sufficiently large share of the total generating power.

In the new edition, we have taken the liberty of supporting the conclusions we reach not with additional statistical procedures, but by citing other studies that draw similar conclusions, including after statistical processing. We hope that this approach, in light of the new edition of the paper, will be acceptable to you.