Re: Lack of competence
Well, installers install. It really isn't a credible expectation that they should become ITSec configuration experts, and for smaller installations you can't expect that one should be brought along as another expensive body visiting the site.
As it happens, the grid can manage reasonably well (sailing close to the wind, I assure you) with the intermittency of renewables, so some artificial intermittency of hacked inverters on these devices would not actually do too much. There's plenty of systems in place for bringing in thermal plant to back up loss of renewables (remember that on solar you have this on a daily basis even before weather fluctuations). As for "flooding the grid with power", there's already some local saturation problems (eg SW England on a sunny weekend), but the grid operators have "constraint" systems to cut off excess supply. So all in all a bit of a nothing problem, for now.
However, in the longer term, with much higher levels of battery storage and electric vehicles, hacked control systems could become a problem. Due to network and generation constraints, these future loads will have to be centrally managed. And that means there is the potential to maliciously connect additional demand load to the network, far beyond the capabilities of generation - hack the central despatch system for a modest EV fleet of 200,000 cars (less than 1% of the total UK car fleet), even on 13 amp slow charging, and that would throw an instantaneous spike of 600 MW at the grid. Coping with that without notice at a bad time would be a real problem, but if the cars were on fast chargers, or the fleet bigger, then the problem becomes much, much worse. Bear in mind that the real threat here is not so much the casual cyber-vandal, or even ransomware scum, but well resourced nation-state grade actors, able to bide their time, build specific tools, use hoarded zero day flaws, test all of the "old tech" of phishing, SQL injection, bribery and coercion, attacks via trusted party systems etc. These people would choose their timing carefully.
In the UK context, for those who trust government, recent consultations on the future energy system and electric vehicles have had specific mention of the issue of IT security. But having been part of those consultations, I'm pretty sure that no proper ITSec expertise has been brought to bear. The emerging demand aggregation systems that are the focus of this threat are either from large "can't happen hear, we know best" energy industry dinosaurs, or from cash strapped, private equity funded startups where everything is about getting basic functionality out of the door ASAP, and immediate cash takes precedence over everything else.