New Energy World magazine logo
ISSN 2753-7757 (Online)

Cybersecurity and BESS – battery energy storage systems

2/10/2024


Feature

Given their critical role, battery energy storage systems (BESS) are significant targets for cybercriminals

Photo: (AI generated) Adobe Stock/Ева Поликарпова

Battery energy storage systems (BESS) are becoming indispensable in modern power grids. These systems integrate renewable energy sources, maintain grid stability and provide backup power during emergencies. However, increasing digitalisation of energy systems and the inherent vulnerabilities of BESS to cyber threats pose significant risks to the stability of power grids and the safety of physical assets. Sara Siddeeq reports.

BESS manage the variability of renewable energy sources like wind and solar by storing excess energy when production exceeds demand and releasing it during peak periods. This helps stabilise the grid and improve energy efficiency. The projected growth of BESS installations is substantial, with a 15-fold increase expected by 2030, from 27 GW/56 GWh in 2021 to 411 GW/1,194 GWh. While this expansion highlights the strategic importance of BESS in future energy systems, it also increases their exposure to cyber threats.

 

Given their critical role, BESS are significant targets for cybercriminals. These systems are integrated with broader energy management systems, making them susceptible to cyber intrusions. The attack surface of BESS includes both operational technologies (OT), which control physical processes, and information technologies (IT), which manage data and communication. This convergence creates complex vulnerabilities that can be exploited by malicious actors.

 

The cybersecurity landscape 
The energy sector faces an increasingly complex cyber risk landscape, with cybersecurity threats rising in frequency and sophistication. Recent incidents, such as cyberattacks on wind-energy companies in Germany and a data breach at India’s main power company Tata Power, illustrate the growing risks. These attacks range from ransomware and data theft to disruptions of critical control systems, driven by motives like financial gain, political agendas and sabotage.

 

For BESS, the risks are particularly acute. As part of critical national infrastructure (CNI), a successful cyberattack on a BESS could lead to catastrophic outcomes, including data breaches, operational disruptions and physical damage. A significant concern is the compromise of battery management systems (BMS), which are crucial for maintaining the safety and performance of battery cells. A compromised BMS can disrupt operations or cause physical damage, such as initiating a thermal runaway in lithium-ion batteries, resulting in fires or explosions.

 

OT vulnerabilities also play a significant role in the cybersecurity landscape for BESS. The integration of OT with IT systems in BESS creates numerous entry points for potential cyberattacks. According to Andrew Hainault, Managing Director at Aon, cybersecurity for OT is ‘playing catch-up’ with IT. Many OT systems were not designed with cybersecurity in mind and lack even basic protections. This is particularly concerning as BESS must integrate with broader electrical grid architectures, which necessitates the adoption of communication infrastructure and increases the potential surface area for cyberattacks.

 

Invisible cyber risks are another major concern. Aon’s 2021 Global Risk Management Survey reported that cyberattacks are ranked as the number one threat facing businesses today. In the energy sector, the digitalisation of the grid has introduced new forms of volatility and complexity to the cyber risk landscape. The OT assets used in BESS control systems represent an ‘invisible’ point of vulnerability, often overlooked in enterprise cyber risk management. These systems often have security limitations that prevent regular updates, and the lifespan of operational equipment means that component life cycles are longer than in the IT environment. Such gaps in cybersecurity can be exploited by sophisticated threat actors, leading to severe operational, financial and physical impacts.

 


 

Mitigating cybersecurity risks
To address these risks, BESS developers and asset owners must implement robust cybersecurity measures. A ‘defence-in-depth’ approach, which involves layering multiple security measures, is effective for protecting BESS from various types of attacks. This includes physical security measures, network security protocols, application-level controls and device-specific protections.

 

Adopting a zero-trust security model, where no system or device is assumed to be secure, is another critical strategy. Every user and device must be authenticated, authorised and continuously validated to ensure that they have the right to access specific resources. This approach helps prevent unauthorised access and minimises the risk of insider threats.

 

Conducting regular vulnerability assessments and software updates is also crucial. It is important to perform regular assessments to identify and mitigate vulnerabilities in both hardware and software components of BESS. Keeping systems up to date with the latest security patches is essential to protect against newly discovered threats.

 

Limiting access and connectivity enhances cybersecurity further. Access to BESS should be restricted to trained and vetted personnel only. Connections between BESS and external systems should be minimised to reduce the potential attack surface, and strong access controls and network segmentation should be implemented to prevent unauthorised access.

 

Advanced cybersecurity measures, such as encryption, multi-factor authentication and continuous monitoring of network activity, are also vital. These measures ensure the integrity and confidentiality of data and maintain operational stability.

 

Regulatory standards and frameworks
Given the critical nature of BESS in modern power systems, adopting standardised cybersecurity frameworks and practices is imperative. The National Institute of Standards and Technology (NIST) provides comprehensive guidelines for securing industrial control systems, including those used in BESS. The NIST Cybersecurity Framework 2.0, alongside NIST Special Publication 800-82 (Guide to Operational Technology Security), offers a robust foundation for developing cybersecurity policies and practices tailored to BESS.

 

Additionally, the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards provide guidelines for configuration change management, vulnerability assessments and information protection in energy systems. While these standards are primarily focused on bulk electric systems, their principles can be adapted to BESS to enhance their cybersecurity posture.

 

The defence-in-depth approach aligns with these frameworks by advocating for multiple layers of security controls to protect BESS from various threats. This approach is particularly effective in mitigating risks associated with complex, interconnected systems like BESS, where a single point of failure could have catastrophic consequences.

 

Advanced detection and mitigation techniques
To enhance the cybersecurity of BESS further, advanced detection and mitigation techniques are necessary. False data injection attacks (FDIAs) are a significant threat to BESS, as they target sensors and manipulate data used for system operations. Detecting and mitigating FDIAs is vital to maintaining the safe and reliable operation of BESS.

 

Sandia National Laboratories has proposed a method for detecting FDIAs in BESS, combining battery modelling, state estimation and statistics-based detection mechanisms. This approach uses battery models to represent system dynamics and an extended Kalman filter (EKF) to estimate system states and measurements. Deviations indicative of an FDIA are identified using the cumulative sum (CUSUM) algorithm, a statistical error detection method.

 

This approach has demonstrated high accuracy in detecting FDIAs, with a detection rate of 99.90% and a false positive rate of 0%. Incorporating advanced detection techniques like the CUSUM algorithm allows BESS operators to proactively identify and respond to potential cyberattacks before they cause significant damage.
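
A simplified illustration of the estimator-plus-CUSUM idea described above, added here as an example and not Sandia's code or battery model: a scalar EKF tracks state of charge against a constructed voltage curve, and a two-sided CUSUM on the normalised innovation raises the alarm. The cell parameters, noise levels, injected 50 mV bias and the thresholds `k` and `h` are all assumptions chosen for the demonstration.

```python
import math
import random

DT, CAP_AS, R_INT = 1.0, 36000.0, 0.05   # step (s), capacity (A*s), series resistance (ohm)
SIGMA_V, Q_PROC = 0.005, 1e-10           # voltage sensor noise (V), SoC process noise variance

def ocv(soc):
    """Constructed open-circuit-voltage curve (V), nonlinear in SoC."""
    return 3.0 + 1.2 * soc - 0.2 * soc * soc

def d_ocv(soc):
    """Measurement Jacobian dV/dSoC used by the EKF."""
    return 1.2 - 0.4 * soc

def run(attack_start=None, bias=0.05, steps=600, k=1.0, h=10.0, seed=7):
    """Simulate a discharging cell, track it with a scalar EKF and run a
    two-sided CUSUM on the normalised innovation. Returns the first alarm
    step, or None if the statistic never crosses h."""
    rng = random.Random(seed)
    current = 2.0                         # constant discharge current (A)
    soc_true = soc_est = 0.9
    p = 1e-4                              # initial estimate variance
    g_pos = g_neg = 0.0
    for step in range(steps):
        # Plant and sensor: coulomb counting plus a noisy terminal voltage.
        soc_true -= current * DT / CAP_AS
        v_meas = ocv(soc_true) - R_INT * current + rng.gauss(0.0, SIGMA_V)
        if attack_start is not None and step >= attack_start:
            v_meas += bias                # false data injected into the voltage reading
        # EKF predict step.
        soc_est -= current * DT / CAP_AS
        p += Q_PROC
        # Innovation (measured minus predicted voltage) and its variance.
        hk = d_ocv(soc_est)
        resid = v_meas - (ocv(soc_est) - R_INT * current)
        s = hk * p * hk + SIGMA_V ** 2
        z = resid / math.sqrt(s)
        # Two-sided CUSUM: accumulate drift beyond the slack k, alarm above h.
        g_pos = max(0.0, g_pos + z - k)
        g_neg = max(0.0, g_neg - z - k)
        if g_pos > h or g_neg > h:
            return step
        # EKF update step.
        gain = p * hk / s
        soc_est += gain * resid
        p *= 1.0 - gain * hk
    return None
```

Because the filter trusts the coulomb-counting model far more than any single voltage sample, a persistent sensor bias shows up as a sustained innovation rather than being absorbed into the state estimate, which is what the CUSUM accumulates.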

 

The role of national security
As BESS become more integral to national energy infrastructure, government oversight is critical to ensuring their security. In the UK, the National Cyber Security Centre (NCSC) provides guidance and support to organisations in the energy sector, helping them enhance their cybersecurity measures and protect against potential threats.

 

While BESS may not currently be classified as critical national infrastructure, there is growing recognition of their importance in maintaining energy security. As the energy landscape evolves, the classification of critical infrastructure is likely to expand to include more assets like BESS, ensuring they receive the highest levels of protection.

 

Government initiatives play a vital role in supporting training and capacity-building efforts to enhance the skills of those working in critical sectors. By providing tailored training programmes that cover a range of expertise levels, the government helps ensure that the workforce managing BESS is well-prepared to counteract potential cyber threats.

 

Insurance and risk mitigation
Given the potential physical damage and financial losses resulting from cyberattacks, asset owners must also consider their insurance coverage. Many operational property damage insurance policies exclude losses resulting from cyber incidents, leaving a significant gap in protection. It is important for asset owners to review their policy wording and explore additional coverage options to mitigate this risk.

 

The insurance market is responding with new products designed to cover cyber-related property damage. A new cyber property damage insurance solution has been launched to protect against malicious cyber acts, providing coverage for property damage and business interruption losses up to $50mn.

 

Building a resilient future
Securing BESS from cyber threats requires a holistic approach that integrates the technical aspects of energy storage with robust cybersecurity measures. Skilled personnel who are competent in both domains are key to this strategy.

 

BESS providers must emphasise hiring and training staff who can manage complex energy storage systems while also understanding cybersecurity nuances. Operators need to recognise signs of a cyber intrusion, understand response protocols and know when to escalate issues to specialised cybersecurity teams.

 

Cybersecurity experts in the energy sector emphasise the importance of continuous education and skills development. The threat landscape is constantly evolving, with new vulnerabilities and attack vectors emerging regularly. Ongoing training is vital for ensuring that staff remain up to date with the latest cybersecurity trends and techniques.

 

From a government perspective, there is a need for policies that encourage and even mandate this kind of training. Given the strategic importance of BESS in the modern energy grid, ensuring that operators and managers are adequately trained in cybersecurity should be a national priority. By investing in comprehensive training programmes and fostering a culture of cybersecurity awareness, the BESS industry can better safeguard these vital assets, ensuring a stable and reliable energy future.

 
