Battery Energy Storage Systems Can Make Companies More Sustainable — and More Vulnerable to Hackers
The battery energy storage system (BESS) industry is one of the fastest-growing markets.
Driven by the Inflation Reduction Act (IRA), the U.S. battery sector has grown exponentially over the past 12 months, with 26.5 gigawatts (GW) of pipeline capacity (up 58% on the pre-IRA figure) and expectations of further growth throughout 2023, according to the Energy Information Administration.
The biggest catalyst behind this is an investment tax credit for stand-alone battery storage projects that gives developers greater flexibility across their portfolios, encouraging higher-installed capacities and creating a buyers’ market for investors.
On a global scale, energy storage installations are projected to peak at a cumulative 411 GW or 1,194 GWh by the end of 2030 — a 15-fold increase over 2021 — according to a recent BloombergNEF report, with America and China at the forefront.
But as the technology becomes increasingly digitized and sophisticated, so do the methods hackers employ to compromise it.
Cyber Risks and Vulnerabilities
Aon’s Cyber Security Advisory team has identified a host of operational technologies (OT) used in BESS control systems as a key vulnerability that could be exploited by cybercriminals.
Because these OT assets are now more connected than ever, asset owners are even more exposed to unknown risks and open to attacks from threat actors.
Among the main vulnerabilities are:
- Out-of-date unpatched operating systems and components
- Systems that cannot enforce strong passwords or integrate with strong password and multifactor authentication
- A lack of control or understanding of traffic to and from parts of the environment
- A lack of cybersecurity knowledge in the OT team or OT knowledge in the cybersecurity team
- A lack of segregation and control for the elements of OT
- A lack of security monitoring and vigilance in OT and appropriate services to respond
- Security tools that either don’t work at all with OT or work only in a light-touch capacity
Added to that, new forms of sophisticated malware emerged in 2022 — including Chernovite’s “Pipedream” — posing a significant threat to industrial control systems connected to the energy grid, including BESS.
Among the worst-case scenarios is a wide-area blackout of the grid, as happened in the UK in August 2019, when millions of customers were disconnected. A BESS owner, for their part, could lose a complete asset due to a malfunction induced by their battery management system (BMS), causing a fire and destruction of the cells by thermal runaway.
“In our experience, cybersecurity for OT is playing catch-up with information technology,” said Andrew Hainault, managing director, cyber security advisory, EMEA, at Aon.
“We see examples of clients that have relatively mature cybersecurity programs for IT, with corresponding control frameworks that are established and measured, yet have noticeable control gaps for OT,” he continued.
“Indeed, OT environments often fall outside the remit of IT and consequently are invisible when it comes to enterprise cyber risk management. To make matters worse, manufacturers are generally not conversant with secure development life cycles and therefore continue to deploy systems that are not properly hardened for internet-accessible environments.”
New forms of volatility and current geopolitical tensions have merely intensified the scrutiny of essential energy infrastructure. As a result, BESS asset owners and operators have had to focus on shoring up their key assets and systems.
For BESSs to ensure reliability and grid stability, they will need to be fully integrated into the electrical grid architecture, said Paul Gooch, head of cyber open market at Tokio Marine Kiln.
This requires the adoption of communications infrastructure; however, this also increases the potential surface area for cyberattacks, he said.
Aon has warned that even BESS asset owners with robust IT security measures in place may be overlooking significant vulnerabilities in their OT systems.
Operational systems often have security limitations that prevent regular updates, and the lifespan of operational equipment means that component life cycles are longer than in the IT environment.
There may also be gaps in reviewing vulnerabilities and managing controls to protect assets from digital threats, as well as in the implementation and management of effective controls. Should these gaps in OT cybersecurity be exploited by a threat actor, the consequences may far outweigh the impact of an IT systems cyberattack — resulting in severe operational, financial and physical impacts for BESS asset owners.
Among the biggest risks, said Gooch, are lithium-ion batteries — the kind most commonly used in BESS — which require careful monitoring and control of their voltage, current and temperature conditions.
If a threat actor were to interfere with this, it may cause physical damage — ranging from battery cell degradation caused by overcharging or over-discharging to a “thermal runaway” event resulting in overheating, a fire or an explosion, he warned.
“A key determination in evaluating lithium-based battery reliability is the ability of its BMS to monitor and control the operational parameters reliably and safely,” said Nathan Jones, director of cyber, infrastructure sector at Aon.
“On the other hand, current utility-scale big BESS operations are usually designed to also provide grid stability through ancillary services like frequency response, synthetic inertia and others,” Jones continued.
“To be able to do so, the BMSs are an integral part of the BESS control and monitoring system and are interconnected to the utility’s substation local and wider area networks. In some cases, they may well be also connected to the utility’s corporate network due to the need for the BESS to respond in real time to the electricity market fluctuations. This interconnection can be exploited to harm either the BESS itself or the power grid.”
In response to these threats, Aon has advised asset owners and operators to bolster their cybersecurity strategies and resilience before a major attack strikes.
That requires continual assessment and mitigation efforts, as well as making sure they have the right coverage in place to protect themselves and ensure business continuity in the event of a physical, operational or financial loss.