✅ Roughly speaking
- 🔐 JC-STAR is a Japanese labeling system that makes the cybersecurity capabilities of IoT products visible.
- ⚡ In solar power generation and battery storage, JC-STAR★1 is becoming a practical requirement for control equipment such as PCS, EMS, and BMS in connection with grid connections, long-term decarbonized power supply auctions, and subsidy applications.
- 🧾 However, JC-STAR★1 is a self-conforming declaration method, and label acquisition does not guarantee complete safety.
- 🛠️ As a renewable energy operator, it is considered necessary to check the scope and evidence of JC-STAR as soon as possible in the areas of equipment selection, EPC contracts, O&M contracts, subsidy applications, and financial institution responses.
✅ Audio summary of this post here
Introduction
This time, I will explain JC-STAR.
Many people have recently started to see the term JC-STAR in the context of solar power generation and battery storage.
As I myself follow the reform of renewable energy-related systems, I feel that JC-STAR is becoming more than just a cybersecurity jargon; it is becoming a point of contention that influences equipment selection, grid linkage, subsidies, auctions, and even contract practices in the renewable energy business.
This theme is not one where institutional change is rapid, nor is it simply a matter of saying, "If you have JC-STAR, you're safe."
Therefore, this paper will focus on the practical aspects of renewable energy companies, clarify what JC-STAR is, why it is becoming important for solar power generation and battery storage, and what companies should check.
What is JC-STAR
JC-STAR is the common name for the "Security Requirements Compliance Assessment and Labeling System."
In English, it is called the Labeling Scheme based on Japan Cyber-Security Technical Assessment Requirements.
IPA System explanation It is described as a system to visualize the security suitability of IoT products, based on the Ministry of Economy, Trade and Industry's policy for establishing the system.
IoT stands for Internet of Things, which refers to the way various devices send and receive data over a network. In the field of energy conservation, PCS for solar power generation equipment, BMS for battery storage, EMS for remotely controlling power plants and battery storage, and remote monitoring devices are areas where problems are likely to arise.
PCS stands for Power Conditioning System, and in Japanese it is called Power Conditioner. This device converts DC power from solar panels and storage batteries into AC power that can be used in power grids and demand facilities.
EMS stands for Energy Management System, and it is a system that manages and controls power generation, storage, consumption, charging and discharging to the grid, etc.
BMS stands for Battery Management System, which is responsible for monitoring, protecting, and controlling the condition of battery storage.
EPC stands for Engineering, Procurement and Construction, and refers to a contract structure that covers design, procurement and construction all at once.
O&M stands for Operation and Maintenance, which refers to the operation management and maintenance of equipment.
Traditionally, renewable energy companies have tended to focus on equipment certification, grid interconnection, land, permits, resident management, pricing, output control, and finance.
Of course, these are still important.
However, in the future, it is likely that the perspectives of "does the device communicate externally," "does the main control system device acquire JC-STAR★1," and "how to explain the cloud portion" will be less likely to be ignored in practice.
JC-STAR levels and energy efficiency are the main issues ★1
JC-STAR has levels ranging from ★1 to ★4.
IPA System explanation According to, ★1 indicates the minimum threat response common to IoT products, while ★2 and above are organized as higher-level labels based on the characteristics of each product type.
The main issue currently facing the renewable energy sector is ★1.
In materials related to grid interconnection, long-term decarbonized power supply auctions, and subsidies, the expression JC-STAR★1 can be seen for PCS, EMS, BMS, etc.
However, caution is needed here.
JC-STAR★1 and ★2 are vendor-defined self-conformity declaration methods.
IPA Regarding the limitations of conforming labels In this section, they explain that ★1 and ★2 do not require the submission of evidence to support the evaluation results when applying, and do not require the IPA to verify whether the evaluation results are correct.
The same IPA also states that just because a conformance label is given does not guarantee that complete and perfect security is in place.
This point is very important in practical terms.
In other words, JC-STAR is important as a "gateway for procurement and institutional response," but it does not alone complete the cybersecurity of power plants or entire battery storage systems.
As a power generation company, it is considered necessary to check whether or not JC-STAR is present, and then check the network configuration, access permissions, update system, vulnerability response, vendor support system, and communication system in the event of an incident.
Why cybersecurity is a problem in energy conservation businesses
Solar power generation and battery storage may have once been relatively associated with "on-site equipment."
However, current renewable energy facilities are linked to remote monitoring, remote control, output control, supply and demand adjustment markets, VPP, DR, and other related technologies. Power plants and batteries are not simply facilities that produce or store electricity, but are likely controlled by networks.
VPP stands for Virtual Power Plant, and it is a system that controls distributed power generation equipment, batteries, EVs, demand equipment, etc. together so that they function as if they were a single power plant.
DR stands for Demand Response, and it is a mechanism that helps regulate electricity supply and demand by controlling the equipment on the demander's side.
ERAB stands for Energy Resource Aggregation Business, and refers to a business that bundles energy resources from the demand side or decentralized, providing services to power transmission and distribution operators, retail electricity operators, demanders, renewable energy generators, and other businesses.
The Ministry of Economy, Trade and Industry is revising ERAB's cybersecurity guidelines, citing new use cases such as control via controllers in the cloud and direct and indirect communication without a demander gateway.
This is ERAB Cybersecurity Guidelines Ver.3.0 You can check it here.
This change is significant for energy conservation operators.
The external control of power plants and batteries means that control signals, credentials, communication paths, cloud environments, aggregator systems, and equipment manufacturers' maintenance environments are all part of the business risk.
Unintentional changes in power generation or charging/discharging timing can lead to imbalances, contract breaches, system operation problems, and revenue deterioration.
If equipment is shut down or malfunctions occur, it can affect not only information leakage but also power supply and safety.
In this sense, cybersecurity in the field of renewable energy is not just an issue for the IT sector.
Business development, procurement, legal affairs, EPC, O&M, aggregation, and finance appear to be cross-cutting themes that should be involved.
Specific cyberattack cases are fueling policy discussions
The cyber risks associated with renewable energy equipment are not limited to abstract concerns.
For example, Contek Co., Ltd. announced that following reports of a cyberattack by some media outlets on SolarView Compact, a remote monitoring device for solar power facilities, malicious hackers had identified vulnerabilities and installed backdoors that could allow unauthorized relay to some devices that were not taking recommended measures.
This is the company's Published on May 7, 2024 You can check it here.
Such cases are seen as illustrating the risks that arise when renewable energy equipment becomes "device visible from the internet."
Of course, it is not appropriate to generalize that the entire renewable energy system is dangerous based solely on specific product examples.
However, if remote monitoring and control equipment remains vulnerable and is operated, power generators themselves could unintentionally become a stepping stone to attack.
As a business operator, I believe it is important not to be overly afraid of past attack cases, but to understand "why the system has begun to require security requirements for key control devices such as PCS, EMS, and BMS."
JC-STAR★1 becomes a problem in lineage interconnections
For renewable energy operators, the most significant impact is on grid connections.
Documents from the Ministry of Economy, Trade and Industry in the power sector indicate a direction in which the use of products that have obtained JC-STAR★1 in the grid interconnection technology requirements for solar power generation and battery storage will be made mandatory.
Specifically, from April 2027 onwards ( Ministry of Economy, Trade and Industry Power SWG Materials ) For solar power generation and storage batteries that are newly connected to the grid, it is required to use a control system with communication capabilities, such as PCS, EMS, etc., that has obtained JC-STAR★1.
Low pressure less than 50kW ( Ministry of Economy, Trade and Industry Power SWG Materials ) As for October 2027 ( Ministry of Economy, Trade and Industry Power SWG Materials ) is considered to be applicable from.
This point is not merely a technical argument.
Power plant development involves complex factors such as land, systems, EPCs, equipment procurement, financing, licenses, subsidies, and PPAs.
If the selection of a PCS or EMS is later found to be non-JC-STAR compatible, issues such as re-procurement, design changes, delivery delays, increased costs, and contractual division of responsibilities may arise.
In particular, for cases where the lineage interconnection period is from April 2027 onwards, it is considered necessary to check the JC-STAR response status from an early stage.
Even low-pressure cases may be affected if new connections are made after October 2027. These periods are not far off, considering the lead times for procurement and development.
It also affects the long-term decarbonized power supply auction
JC-STAR is also influencing the long-term decarbonized power supply auction.
The Long-Term Decarbonized Power Auction is a system that provides predictability of fixed long-term revenues to encourage new investment in decarbonized power sources. OCCTO stands for Organization for Cross-regional Coordination of Transmission Operators, and in Japanese it is the organization that promotes the operation of the power industry over a wide area.
Recruitment guidelines for 2025 ( OCCTO's 2025 Recruitment Guidelines ) In principle, 20 years ( OCCTO's 2025 Recruitment Guidelines ) The payment period for the capacity securing contract amount is shown.
The application guidelines state that the registration items for solar, onshore wind, and offshore wind are limited to those that have implemented security measures related to PCS, and require a compliance label indicating that the company has obtained ★1 in the security requirements compliance assessment and labeling system, i.e., JC-STAR. This too Same recruitment guidelines You can check it here.
Additionally, for batteries, the format is shown, including the manufacturer's name, model number, and JC-STAR conformity label registration number for BMS, EMS, and PCS.
Furthermore, for all major security components of the control systems adopted by the energy storage system, submission of a conformity label indicating JC-STAR★1 certification, system configuration diagrams, etc., is required.
This too OCCTO's 2025 Recruitment Guidelines You can check it here.
The important point here is that JC-STAR is not a "future system," but is already listed in some of the system documents.
When renewable energy companies utilize long-term decarbonized power auctions, they need to check not only the performance, price, and construction time of power generation equipment and batteries, but also the security compliance of control systems as early as possible.
Even from the perspective of financial institutions and investors, I suspect that the risk of participating in the system due to non-compliance with JC-STAR may become a matter of due diligence confirmation in the future.
JC-STAR is also a confirmation item in subsidy applications
Even in the world of subsidies, JC-STAR is becoming increasingly difficult to ignore.
For example, in the SII, the public tender for the Renewable Energy Combined Battery Installation Support Project of the General Incorporated Association Environmental Co-Creation Initiative, the main components related to the security of all control systems adopted by the energy storage system to be installed, specifically BMS, PCS, EMS, etc I'm looking for a conformance label that indicates I have JC-STAR★1. This is SII's public tender for energy-efficient batteries You can check it here.
For large-scale industrial energy storage systems, there is a requirement to request JC-STAR★1 conformity labels for major component products such as BMS, PCS, and EMS. This is SII's Large-Scale Industrial Energy Storage System Public Proposal You can check it here.
Similarly, in the business industrial energy storage system implementation support project, there is a requirement to request JC-STAR★1 conformity labels for BMS, PCS, EMS, etc. This is SII's Public Proposal for Industrial Energy Storage Systems You can check it here.
Furthermore, in the DR-enabled IoT-related equipment implementation support project, IoT-related equipment such as communication equipment, sensors, and EMS to make existing resources installed on the demand side above high pressure DR-enabled are considered auxiliary equipment The equipment is required to be one that can be confirmed to have obtained JC-STAR★1 for communication with the outside world.
This is SII DR-enabled IoT-related equipment application guidelines You can check it here.
From this perspective, JC-STAR has already become a confirmation item related to adoption and application procedures, at least for some grants.
However, it's not accurate to say that the same requirements are uniformly imposed on all subsidies.
Since the equipment, documents, and required documentation vary for each grant, it is necessary to review the latest application guidelines for each case. This area is quite important in practical terms.
"Devices that do not communicate directly with the outside world" are not necessarily safe
There are some expressions that require particular attention when reading materials related to subsidies and auctions.
This statement includes equipment that may affect the entire facility through indirect communication with the outside world, even if direct communication with the outside world is not conducted.
For example, in the SII's public tender for batteries with integrated energy efficiency, not only is JC-STAR★1 required for BMS, PCS, EMS, etc., but if the package includes equipment that does not have IP communication capabilities and therefore is not eligible for JC-STAR acquisition, A conformance label is required indicating that the device has obtained JC-STAR★1 as a configuration incorporating equipment for protocol conversion with IP.
Furthermore, if the data includes equipment that is not eligible for JC-STAR acquisition because it is installed in the cloud, explanatory materials are required explaining the reasons for not being eligible for acquisition and whether equivalent security measures are in place. This is SII's public tender for energy-efficient batteries You can check it here (see page 19 here).
In other words, it's not impossible to say, "This device is not directly connected to the internet, so it's irrelevant."
We need to determine whether the entire system is affected by external communications, where the protocol conversion equipment is located, how the cloud portion is involved in control, and what the responsibility endpoints are for the EMS, PCS, and BMS.
This is a very practical point of contention for energy conservation operators.
When equipment manufacturers, EPCs, EMS vendors, aggregators, O&M operators, and cloud service providers are involved, it can be ambiguous as to who will explain which parts of the security compliance.
If the system configuration diagram and the scope of JC-STAR are not aligned during the subsidy application and auction bidding stages, it may be difficult to explain later.
How to view the JC-STAR compliant product list
The IPA publishes a list of products that have obtained the JC-STAR conformity label.
The list is updated from time to time, so the latest information is IPA compliant product list page Please check the update date listed.
On this page, you can check the registration number, label acquisition provider, product name, level, status, label acquisition date, validity period, and more.
As a renewable energy operator, it is considered necessary to confirm at least the following points:
- Not only the product name, but also the model number and version must match those used in the project.
- Can you verify the JC-STAR registration number.
- The label status is valid.
- The label must correspond to the PCS, EMS, BMS, communication equipment, protocol conversion equipment, etc., which are the issues in question.
- It is possible to explain the cloud portion and the entire system that are not subject to labeling.
- Whether the requirements for subsidies, auctions, and lineage associations are aligned with the scope of the label.
Again, simply saying "JC-STAR obtained" is not enough.
The institutional documents require alignment between the equipment to be introduced in the case and the equipment to be acquired for JC-STAR★1 and the content of the acquisition.
Therefore, it seems necessary to not only include information that the sales materials are JC-STAR compatible, but also to verify the registration number, target equipment, configuration diagram, and proof of identity.
Key points to consider in contract practice
From here on, the process will be structured in a way that also takes into account the practical experience of a lawyer.
The scene where a renewable energy company confirms JC-STAR compliance goes beyond simply checking with technical personnel. I think it might be necessary to include this in the contract and specifications as well.
First, EPC contracts and equipment sales contracts must clearly state at what point and with what materials they verify that the equipment in question has obtained JC-STAR★1 certification.
Next, we need to consider what to do if the label expires, is cancelled, or is voluntarily withdrawn after delivery.
The IPA's list of compliant products assumes status as valid as well as conditions such as deferred expiration, expiration, voluntary withdrawal, and cancellation. This is IPA compliant product list page You can check it here.
It is also important that the O&M agreement specifies the application of security updates, notification of vulnerability information, account management, remote access management, log storage, and communication structure in case of anomaly detection.
Additionally, when aggregators or EMS vendors are involved, they must organize control authority, communication paths, response in the event of a cloud failure, and division of responsibilities in the event of a cyberattack.
The difficulty here is that in renewable energy cases, there are often separate power generators, EPCs, manufacturers, O&Ms, aggregators, demanders and financial institutions.
Cybersecurity responsibilities technically span the entire system.
However, since the scope of responsibility of each party is divided under the contract, it is thought that gaps are likely to arise.
As JC-STAR requirements become more stringent, this gap may become a more clearly defined problem.
JC-STAR as seen by financial institutions and investors
Another important factor for energy conservation companies is finance.
In project finance and M&A due diligence, the main areas of confirmation have traditionally been FIT and FIP certification, grid interconnection, land title, licensing, EPC contracts, O&M contracts, power generation forecasts, insurance, and environmental and resident response.
In the future, when it comes to solar power generation and battery storage, the JC-STAR compatibility status of control equipment will also be a matter to be checked.
In particular, cases participating in long-term decarbonized power auctions, cases that require subsidies, from April 2027 onwards ( Ministry of Economy, Trade and Industry Power SWG Materials ) For cases with new system connections, the lack of JC-STAR support may affect business plans.
As a financial institution or investor, it would be desirable to at least verify the registration number, status, documentation, configuration diagram, description of non-labelable parts, and vendor maintenance procedures of the equipment in question.
Insurance coverage, contractual liability, and business interruption risks in the event of a cybersecurity incident may also be considered.
What energy conservation operators should check now
As a renewable energy provider, JC-STAR needs to be integrated into their own project management rather than simply being treated as a "manufacturer's story."
First, we need to confirm the planned timing of the system interconnection for projects that are under development or under consideration.
From April 2027 onwards ( Ministry of Economy, Trade and Industry Power SWG Materials ) Solar power generation and storage batteries with new grid connections may be affected by the JC-STAR★1 requirement.
For low pressures below 50kW, from October 2027 ( Ministry of Economy, Trade and Industry Power SWG Materials ) is shown to apply.
Next, we need to check the JC-STAR acquisition status for the PCS, EMS, BMS, remote monitoring equipment, communication equipment, and protocol conversion equipment that are planned to be adopted.
Furthermore, when using subsidies or auctions, it is necessary to check which equipment, at what point, and with what materials need to be submitted in the public offering guidelines and application guidelines.
Furthermore, it is desirable to verify that the materials submitted by EPCs and manufacturers are consistent with the registration number, target equipment, model number, version, status, validity period, and configuration diagram.
Finally, it is necessary to confirm whether the JC-STAR response is merely an obligation to make an effort under the contract.
When directly related to subsidy or auction requirements, it is important to specify the representations and warranties, delivery conditions, termination and damages, provision of alternative equipment, and update support.
JC-STAR alone is not enough
Now that we've explained the importance of JC-STAR, there's one last point I'd like to emphasize.
JC-STAR is important, but JC-STAR alone is not enough.
As the IPA itself explains, conformance labels do not guarantee complete or perfect security. Also, ★1 and ★2 are self-conformity declaration methods. This is Explanation of the limitations of IPA's conformity labels You can check it here.
Therefore, as a renewable energy operator, JC-STAR should be positioned as a "minimum verification item," and security measures that are appropriate for the actual operating environment should be implemented accordingly.
Specifically, key aspects include stopping unnecessary external publishing, changing initial passwords, enhancing authentication, managing access permissions, software updates, collecting vulnerability information, log management, limiting remote maintenance, network isolation, and establishing incident response procedures.
Furthermore, during the O&M phase after the equipment is installed, it is necessary to determine who will provide updates, who will review vulnerability information, and who will take primary action in the event of an anomaly.
Reenergy facilities are not something that can be built and then finished.
These are assets that will be managed over the long term.
Cybersecurity also needs to be managed not only during implementation but throughout the entire operational period.
summary
JC-STAR is expected to become an increasingly important system for renewable energy operators in the future.
In particular, in solar power generation and battery storage, control devices such as PCS, EMS, and BMS are linked to external communication and remote control, affecting system operation, supply and demand adjustment, subsidies, auctions, and finance.
From April 2027 onwards ( Ministry of Economy, Trade and Industry Power SWG Materials ) indicates the direction in which the use of JC-STAR★1 acquired products is required for control systems with communication functions for solar power generation and storage batteries connected to the new system.
For low pressures below 50kW, from October 2027 ( Ministry of Economy, Trade and Industry Power SWG Materials ) is shown to apply.
Furthermore, in long-term decarbonized power supply auctions and some subsidies, the JC-STAR★1 conformity label, registration number, and configuration diagram are already practical items to verify.
However, JC-STAR is not a panacea.
In particular, ★1 is a self-conformity declaration method, and label acquisition does not guarantee complete security.
As a renewable energy operator, we believe it is important to view JC-STAR not only as a "check item for system compliance" but also as a "gateway to protect our own equipment and business."
In the future, it is expected that not only the amount and price of electricity generated, but also the ability to respond to cybersecurity will become factors that will determine the reliability of the business in the renewable energy business.
comment