
The rapid digitisation of energy infrastructure represents a big challenge, Michael Hudson, cybersecurity strategy director at Sungrow North America, tells Energy-Storage.news.
Cybersecurity is becoming increasingly important for the battery energy storage system (BESS) industry.
Earlier this year, ESN Premium interviewed Phil Tonkin, field CTO at Dragos, and Dr. Peter Fox-Penner, a principal at Brattle. They stated that BESS installations are now more standardised, to lower costs and make systems simpler. As a result, cyberattacks have become easier to execute because they require less sophistication to succeed.
Since BESS incorporate various technologies from multiple countries, applying cybersecurity best practices is a universal concern across the industry.
Additionally, there has been increased political pressure surrounding perceived threats to national security via grid infiltration through BESS or other equipment connected to the electric grid.
In this interview, Hudson claims Sungrow North America has taken the approach of leading the industry in promoting cybersecurity standards; designing its own equipment so that remote control is not possible; and devoting the most staff of any company in the sector to continuous cybersecurity research and development, to meet cyber threats as they emerge.
Michael Hudson was a speaker at Energy Storage Summit USA 2026 in Dallas, Texas, last month, alongside hundreds of other industry experts.
Energy-Storage.news: How does Sungrow’s cybersecurity strategy differ across product lines—from utility-scale systems to C&I to residential installations?
Michael Hudson: I would say that, at a high level, Sungrow’s global approach essentially follows the critical infrastructure model. All our systems are aligned with the product security processes outlined in IEC 62443, a globally recognised framework for securing industrial automation and control systems.
Our development lifecycle aligns with IEC 62443-4-1, which focuses primarily on secure development processes, ensuring that everything is developed in a way that reviews any vulnerabilities before the product itself goes into a production environment. And then, for the device-level controls, we align with IEC 62443-4-2.
We also layer regional regulatory requirements on top of this. As you can imagine, many regions have different regulatory frameworks or controls they would like to see in place, but the 62443 framework is widely used across the industry because it emphasises secure development, controlled access, system integrity, and segmented architectures in devices and deployments.
For commercial and industrial systems, the architecture is similar, but the operational environment differs because these devices typically sit within customer facilities rather than directly within utility or Operational Technology (OT) networks. The design is typically focused on secure integration with those enterprise environments while maintaining the isolation of operational controls.
For residential products, that changes the risk model significantly. Those systems typically operate in consumer environments rather than critical infrastructure. For those products, we align with consumer Internet of Things (IoT) security standards—EN 303645 and EN 18031, for example. Those focus on very similar things, such as device configuration, credential management, ensuring that updates are secure, and then consumer data protection, as they don’t have typical enterprise controls, and there’s more integration with housing their data.
But the underlying principles across all the product lines are the same—secure by design. And then the standards and controls really align with the product and the scenario or environment in which it operates. We go beyond legal requirements, such as with regular testing by third parties.
How large is the cybersecurity team?
At Sungrow North America, I was hired to build out the entire programme and we will soon have a team in the double digits. So there’s a lot of growth happening here at Sungrow, with a lot of focus on cybersecurity.
At Sungrow, more than 40% of our 17,000 employees focus on R&D, and here we’ve developed a specific Cybersecurity Task Force. The growth that we’re seeing at Sungrow, and really in the industry right now, is pretty awesome and also very necessary to avoid cybersecurity breaches.
I love seeing companies focus on security and invest to make their products secure, ensuring a secure-by-design, security-first mindset and defence-in-depth are front of mind as we work with our customers, increase our deployments, and just take care of business.
What do you think are the most significant cybersecurity threats targeting BESS deployments in North America right now, or potentially targeting BESS deployments?
I don’t think there’s a single threat actor or vulnerability that poses the biggest threat. There are definitely plenty of them, but really, the biggest challenge is the rapid digitisation of energy infrastructure.
Many of these systems were siloed in the past or were less interconnected than they are today. And so we’re seeing systems connected to grid operations, monitoring platforms, EMS (energy management systems), and broader enterprise networks.
This connectivity is great. It’s modern grid flexibility, and it really expands that renewable integration that we’re seeing. Data is amazing. With the right data, we can have actionable insights. It allows us to be more resilient. However, having all this data and interconnectivity also means the systems are now part of a broader digital ecosystem.
So really, what this means is the most common risk patterns fall into three areas:
One is access governance—ensuring that vendor access and maintenance, third-party access, operational access, and all that is tightly controlled and auditable. Is the right person accessing the right system at the right time? Are they supposed to be there? Are we logging that? If something happens, do we know who touched it?
Second is the system architecture itself. Segmentation between enterprise networks and operational environments is really important. A lot of times, when we see threat actors move from an internal network to an OT network, that lateral movement is what causes breaches in those systems. Ensuring that your segmentation across these networks is applied and consistent, and that you know what’s happening in your environment, is important.
And the third thing is supply chain and firmware integrity. This is because modern energy systems rely heavily on embedded software and connections. If there is any lateral movement, ensuring that we have these defence-in-depth controls is really important. These devices have to be hardened.
If we can do that and implement these defence-in-depth controls, these segmentations, and ensure that each system is as hardened as possible, then we can reduce the scope of any potential breach.
The encouraging thing about all this is the industry—everyone I’m talking to—is recognising that cybersecurity is fundamentally part of reliability engineering. For us here at Sungrow, it’s not just about preventing those intrusions; it’s really about ensuring that, when we design our infrastructure, our systems, our devices, no single compromise can disrupt safe operations.
How concerned should the industry be as a whole about state-sponsored threats?
For us it is not important where the threats are coming from. We design our products in a way that they can be protected against anyone, whether state-sponsored or private. Because hackers don’t typically have borders, right? We have concerns—foreign, domestic, worldwide—and they don’t have a timeline. They’ll sit in an environment with a vulnerability, try and maintain access until they can laterally move. They’ll try and disguise themselves as legitimate protocols.
The lessons to be learned from all these recent threat reports and warnings of hackers targeting industry are that organisations should take them seriously and design their infrastructure assuming that capable adversaries exist—adversaries that will sit in your network, adversaries that will wait for the right time to exploit it. The strong system design and operational discipline we employ, enabled by the frameworks we have developed, are really important.
Any activity targeting critical infrastructure right now should be taken seriously. The security community has seen an uptick in security events. Even the government has said we’ve seen increases. Besides an increase in attacks, we also see an increase in protection. Energy systems really are foundational to economic stability. It’s natural that sophisticated actors, or state-sponsored threats like Volt Typhoon, would view them as strategically important.
I don’t think this means that we should panic. I don’t think that, even before these actors were out there, we should always assume that breach, which I feel is new to this industry. When we look at banking or healthcare—other highly regulated industries—we already have a wheel that’s been created, so we’re not recreating it here. It’s just kind of finally coming along.
Some of the things that that means, again, are stronger access controls, knowing what’s happening in your environment, segmented architectures, and verifying device-level integrity. Defence-in-depth, ensuring that all your devices are hardened, and then monitoring—having that visibility.
Those principles are embedded in IEC 62443, which is why many vendors, utilities, and customers are pursuing certifications to ensure their products align with them.
We see a lot of headlines, and they do raise awareness, but the real shift is to be security-first, secure-by-design, and to engineer security into our systems rather than add it later.
How do you address customer concerns about potential backdoors or embedded vulnerabilities?
I think the way that we address that, personally and at Sungrow, is transparency and standards alignment.
In general I see this as very important: Whatever is deployed in critical infrastructure, whether foreign or domestic, needs to be scrutinised. These are things that affect our country, affecting our people’s lives.
A good example is the Texas Winter Storm Uri, when there were a lot of power outages. There’s a lot of concern if something can disrupt the grid. ESS can be a backup for the energy system with its black-start function and other grid-forming features.
Whether it be Sungrow or any other organisation, what I want to know as a security professional is that all organisations are being held to standards—global standards, recognised standards, NERC CIP—these specific frameworks that say we will have secure development processes, security by design, security embedded in our products.
Compliance is a great step to security, but we have to be forward-thinking and go beyond that. How are we going to harden these devices? How are we going to ensure that, as adversaries get smarter and leverage AI, and as our technology becomes increasingly reliant on other communications or integrations, how do we defend against this? And how do we prove that we’re defending against this?
Our customers want to see that assurance. They want to see that the technology deployed in their critical infrastructure meets these globally recognised standards and practices. I want to see that too, regardless of the organisation, the country of origin, etc.
That’s why these standards exist, and they’re important and why we go beyond that at Sungrow. They provide a globally recognised framework for secure-by-design and forward-thinking mindsets, for product security controls, and for the overall end-to-end lifecycle governance of that device itself.
But equally important is that independent validation provides additional transparency for customers. What I want to see and what I’m pushing for is, yes, we are doing this as a company, but we’re also doing this with third parties to independently come and test these products and validate the products, and look at the hardware and look at the software and provide these attestations to our customers. Now you have multiple forms of validation that the product and the lifecycle are secure.
That’s what we’ve done at Sungrow, by inviting White Knight Labs in to do a teardown of our leading inverter. They found no remote controls, and not only that, they reported that you couldn’t remotely control it without completely reengineering the product.
Can it be difficult to assert the seriousness with which cybersecurity threats are being addressed within a company to the public?
Not one person, company, or organisation in this line owns the entire process of grid security, and I think that’s very important. At each check, we all have to ensure the security framework is in place and that compliance isn’t just a checkbox.
Customers are increasingly demanding greater convenience, and smarter solutions for their operations and maintenance. As the energy sector continues to digitalize, there are always hackers trying to penetrate and compromise these products, which is why it’s so important to have that defence-in-depth. And so, by adopting an assume-breach mentality, you can work on segmenting to lower the risk if a breach does occur.
It’s really important—whether it be what happened in Texas or somewhere else. I want to see the critical infrastructure industry as a whole improve overall security. The direction we’re going is just that.
Is the BESS industry taking cybersecurity seriously enough?
I can’t speak for the whole industry, but from what I see, it’s moving in the right direction. I think when sectors rapidly grow like this, security has to evolve alongside the technology.
The industry as a whole has scaled extremely quickly because it plays such an important role in the energy transition, in AI, data centres, and the need for power at this point. As those deployments grow, so does the focus on security. At Sungrow we always have this in mind when scaling up our business.
Utilities and regulators, insurers, system operators—they’re all asking questions. They all want to see increased adoption of these industry standards, supply chain practices, and secure-by-design principles. It’s a really positive trajectory. I think we’re getting there, but it’s not a one-time achievement. When you receive a certification, it’s not ‘you’re done.’ It’s an ongoing discipline.
I think that the energy sector has always prioritised reliability and safety. But cybersecurity is increasingly being treated as a core part of that operational mindset, and it needs to be. I would really like to see cybersecurity taken seriously across all parties that interact with these systems.