
Securing Solar: Why the Next Great Infrastructure Risk Is Distributed

The fight for global power is increasingly playing out across the world’s networks, data centers, and energy grids. Critical infrastructure, including electrical grids and power plants, has become both the prize and the proving ground in this new era of strategic competition, with civilians caught in the crossfire. This looming problem at the intersection of energy policy, cybersecurity, and national security demands immediate attention from policymakers.

In May 2025, security experts reported finding rogue communication devices in solar power inverters and batteries installed throughout the United States. Those undocumented devices, such as cellular radios, reportedly allowed systems to bypass firewalls and permit unauthorized remote access to solar equipment powering American homes and small businesses. This backdoor access could be used to remotely cut power across the country, destabilize or damage power grids, and even trigger widespread blackouts.

If foreign adversaries or cyber criminals exploited vulnerabilities like these, the impact could be severe. These rogue communication devices affect the same category of distributed energy and industrial microgrids that adversaries are already probing to test resilience and sow instability. As security researchers have warned, this convergence of geopolitics, climate technology, and digital dependence has created an expanding, yet insufficiently defended, attack surface. Russia’s repeated strikes on Ukraine’s energy grid are clear acts of cyberwarfare, but the same tools and vulnerabilities are being exploited by criminal and proxy actors worldwide, erasing clear boundaries between state and non-state operations.

The U.S. Solar Industry and Small Scale Solar

Without measures to build resilience, the U.S. solar industry’s growth will also exacerbate its vulnerabilities. According to the U.S. Energy Information Administration (EIA), solar energy will contribute more than other forms of energy to increased electricity generation in 2025 and 2026. Small-scale solar installations — residential and commercial systems producing less than one megawatt — are growing at the fastest rate. Falling prices, higher efficiency, and ease of installation have fueled widespread adoption.

Solar technology can be deployed at every scale, making it an attractive option for households, businesses, and utilities to achieve energy independence. Today, alongside solar, there are over 23 gigawatts of battery energy storage capacity installed on the U.S. electric grid, as well as inverters (the digital control systems that regulate solar output) and other components in homes and businesses across the United States for backup generation.

Security Threats and Vulnerabilities in Solar Energy Systems

Solar technology poses several unique security threats because of the importance of electric power and the interconnected nature of the electric grid. Direct threats include:

Solar technology faces two categories of risk: insecure software and vulnerable hardware. Many remote management tools still lack basic protections, such as password complexity and multi-factor authentication. A 2025 study identified nearly 35,000 exposed solar devices from 42 vendors worldwide, while a follow-up analysis found 93 vulnerabilities across 17 manufacturers — one-third critical enough to allow attackers full system control.

Hardware supply chains compound the problem. Roughly 70 percent of solar and battery components—including inverters and sensors—are manufactured in China, and 90 percent of global solar products include at least one critical Chinese-made element. Without independent security testing, the risk of embedded backdoors or manipulated firmware grows as these systems spread across U.S. grids.

These vulnerabilities have already been exploited. A 2019 distributed denial of service attack disrupted 500 megawatts of renewable energy assets across three states in the United States. In 2024, a vulnerability in solar power monitoring software allowed unauthorized actors to access solar power generation facilities, which they used to expand a botnet to steal money from bank accounts. That same year, a Chinese manufacturer remotely disabled inverters, bricking devices nationwide. And in 2025, investigators discovered the rogue communications equipment embedded in imported solar components in the United States. Each event underscores the same reality: distributed power introduces distributed security risks.

States Must Step In Where Federal Policy Stops

The United States still regulates the grid as if energy flows only one way — from centralized power plants to consumers. While a bill was introduced in 2025 to prohibit the Department of Homeland Security from purchasing batteries from countries deemed foreign adversaries, it has not been passed and will not address the full scope of the problem. Federal oversight remains focused on bulk power reliability, leaving distribution-connected assets such as inverters and remote monitoring systems largely ungoverned. These distributed energy resources (DER) now form the soft underbelly of U.S. critical infrastructure.

Responsibility for securing them falls to the states. The federal government has already pushed states to assume greater responsibility for emergency preparedness and cybersecurity, and states have shown leadership in data privacy, AI governance, and cybersecurity. Yet small-scale solar remains largely unregulated.

Large solar farms fall under the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards. Small systems do not. A handful of state laws, like California’s Security of Connected Devices Act, require “reasonable” security features, but they stop short of mandating the safeguards needed to secure remote management software. Broader privacy laws, like those in California, Massachusetts, and New York, protect consumer data, not grid integrity.

The result is a dangerous regulatory blind spot: utilities secure the bulk grid, but no one secures the millions of internet-connected solar devices now feeding into it. Until that changes, the United States’ clean energy transition will remain both a technological triumph and a national security risk.

Recommendations: A Realistic Path to Solar Resilience

The United States lacks a coherent strategy to secure distributed energy resources. States and utilities must move on what is feasible now, while building the foundation for longer-term reform.

Short-Term: Tie Security to Incentives

The fastest wins come from linking renewable energy incentives — rebates, grants, and tax credits — to compliance with existing cybersecurity standards, such as the NARUC Cybersecurity Baselines, NIST IR 8498, and IEEE 1547.3. States can also update grid interconnection rules to require secure defaults like strong passwords, encryption, and multi-factor authentication. These efforts should be paired with cybersecurity education for solar manufacturers and installers, most of whom are not security experts and may not fully appreciate the security risks posed by DER. These steps use existing authorities and funding and can be implemented within months, not years.

Medium-Term: Build Preparedness and Transparency

Next, states should integrate distributed energy attacks into emergency preparedness exercises and require supply-chain transparency from DER manufacturers and installers. Knowing the origin of hardware and firmware components allows states to identify high-risk suppliers and reward trusted manufacturing. These measures can be adopted within two to three years and align security with economic development — an easier political sell than new mandates.

Long-Term: Legislate for a Secure Grid

Over time, states should consider laws and regulations modeled on NERC-CIP standards but tailored for distributed energy resources. States should establish DER cybersecurity task forces to begin working on legislative solutions. Those task forces should also evaluate creating vetted vendor registries, ensuring that only secure-by-design components connect to the grid, with shared registries across states to scale efficiency and strengthen national defense. These steps require coordination and funding, but they would deliver durable protections and set the baseline for a resilient energy future.

What’s Most Realistic?

In the near term, incentivized compliance offers the highest return on effort. Medium-term priorities should focus on institutional readiness and supply-chain visibility. Long-term legislative reform is essential but slower. Taken together, these actions can transform distributed energy from a security liability into a resilient pillar of national power, but only if states act before adversaries.
