New decentralised power supply systems based on renewable energy and energy storage are under potential threat from cyberterrorists. Tage Erikson investigates the risks and measures to create a resilient environment for the electricity supply chain.

In the 2018 novel The President is Missing, the authors – former US President Bill Clinton and James Pattersson – describe a planned attack by domestic and foreign terrorists against power and water supplies in Los Angeles and other major cities. The details of the fictive cyberattack give insight into the risks of an open IT system that provides access to the control systems of national utilities.

According to the report The State of Industrial Cybersecurity by internet security firm Kaspersky in 2024, 95% of energy companies had experienced a cybersecurity incident within the previous year. It stated: “The prevalence of remote energy and oil and gas facilities may also be vulnerable to a similar threat.

“With more industries adopting digital connected systems, the likelihood of large-scale cyberattacks with severe consequences is only expected to rise. Despite significant investments in technology and infrastructure, 74% of the respondents in the energy sector feel their supply chains are susceptible to cyberattacks.”

Understanding cybersecurity

When asked about the barriers to achieving a comprehensive understanding of cybersecurity at management level, 25% of respondents identified several key challenges: Jargon and confusing technical terms, difficulty quantifying risk and balancing compliance with operational objectives.

Mike Judd, President and CEO of US energy storage company Stryten Energy told BEST that as power demands continue to rise, energy resilience is crucial. “We must anticipate demand as much as possible, adapt to changing conditions and quickly respond to and recover from disruptions. Renewable sources paired with battery energy storage systems (BESS) deliver that resiliency.

“Currently, when there is a spike in demand, a peak demand power plant, or a peaker plant, will come online. As we move away from carbon-based power sources, solar/wind farms with BESS will replace these plants. These renewable systems are more agile, able to bring power online quickly and then go back offline. In comparison, peaker plants will stay online for a contracted period, which may be longer than necessary to meet the demand.”

In Sweden the rapid change of the energy supply system is obvious. Anna Jäderström, unit manager, Balance Market, at national Swedish grid operator Svenska Kraftnät, said Sweden has more BESS than the other Nordic countries, contributing to the market resilience. “Through our daily auctions of frequency and effect balance services, we can secure the supply of power to all consumers. Battery energy storage and other forms of energy storage increase the robustness of the system as cyberattacks will not affect the total grid.”

The Swedish grid balance system is based on three levels, the national grid operating the high voltage network, around 20 certified balance service suppliers and a large number of contracted battery storage owners, either single or aggregated BESS units.

Jäderström points out this system offers redundancy in the grid. “The basic level suppliers undergo technical tests and after approval the balance services will work autonomously upon command from Svenska Kraftnät. In the future there will be a new role for BESS operators over 500MW capacity. They should be ready for operation in less than a second and be able to supply balance services for at least 15–20 minutes with full power.”

Battery storage a risk?

The Energy Institute, a UK membership organisation for people working in energy, said in a report from October 2024 that the predicted 15-fold growth of global BESS installations from 27GW/56GWh to 411GW/1,194GWh in 2030 makes them a significant target for cybercriminals, since the systems are integrated into broader energy management systems.

The attacks on BESS include both operational technologies and informational technologies, which has been seen in cyberattacks on wind farms in Germany and a ransomware attack against a Luxembourg energy supplier in 2022.

The Institute said the attack in Germany “was probably initiated” by Russian hackers. It disrupted the remote control system for thousands of wind turbines. The Luxembourg cyberattack was also caused by ransomware that infiltrated the systems of electricity operator Envonos, it said.

Regarding the scope of risks, Stryten’s Judd continued: “The downside of renewables with BESS is they have a finite amount of power. A network of microgrids would mitigate this risk by pulling from various connections to produce enough power. But this network also needs to be sufficiently distributed. You do not want any one solar or wind farm attached to one system to become too large.

“As the renewable sources scale up, the power they generate should be dispersed across two or three systems. Like a computer with a dual processor, part of the renewables’ system could be offline, while the other is discharging or both could be running simultaneously. But any one part could be shut down independently of the other. This allocation protects the grid from a single point of failure should one large solar or wind farm be compromised.”

Decentralised structure

The decentralised structure of the new energy grids should reduce risks of external attacks, but Auke Huistra, service area director for Industrial & OT Cyber Security at cybersecurity services provider DNV Cyber, says many problems with cybersecurity of energy storage systems are related to internal and non-intentional reasons.

He said: “Suppliers and operators can cause local failures, while cyberattackers probably will target distribution system operators to achieve most impact. Regional grids including energy storage can still supply energy locally if the national grid fails to kick in. For example, in the Netherlands a really high percentage is not dependent on BESS. In the northern provinces, where more non-reliable renewable energy sources are available, a higher degree of resilience is built in, a trend visible in more and more countries.

“We need to make sure certain aspects of the BESS stay with an operator, rather than as a function of software. Hard-wired batteries are inherently safe, but not practical in these applications. Simply connecting and disconnecting the BESS from the internet is also not a viable safety protocol. A virus introduced into the code would infect the system the instant the BESS goes back online.”

He said the systems need to be properly configured so that critical data, such as minimum discharge voltage, maximum voltage, charge rate and state of charge/capacity, cannot be altered. The only signal permitted should be a message to charge or discharge the battery. The operator sending that signal will want additional context – what is the current state of charge, how long the system should discharge, etc.

Those details come from a reporting software module that would not have any control over the BESS hardware. This model corresponds to Svenska Kraftnät’s system, according to Jäderström. “There is also a risk with communication,” she said. “There is no activation signal from the central grid operator after the auction offer has been approved – when the frequency exceeds the upper or lower limits the system will be activated autonomously.”

Who should drive BESS security?

For Judd it is obvious the battery industry should be the driving force in establishing policies and standards for the energy storage systems they create. “Right now, the focus is on building systems as big as they can as fast as they can without considering the impact they could have on overall grid resiliency or that these systems should not be treated like traditional carbon-based power plants that generate consistent power.

“Policies regarding power distribution are just one example of standards that should be implemented as more renewables with BESS are incorporated into the power mix. The question is who will set them. If the industry does not work to institute safety standards, regulatory agencies will step in and dictate those guardrails. That scenario will likely be caused by some high-impact event, such as a widespread blackout resulting from either human error or software issues.”

BESS standards

Some standards mentioned to be applied for BESS and cybersecurity are IEC 62351, IEC 62443, for radio communication new RED cyber requirements from 08.2025 (EN 303 645, EN 18031 and directives like EU CRA and the NIS 2 Directive (EU 2022/2555)).

Heistra said a lot is happening already and the industry is not starting from scratch. “Cybersecurity systems should be implemented all over the supply chain,” he said. “Today some companies do not even connect their energy backup to the grid. If the central grid was hit by a blackout the consequences would be enormous.

“Think about Rotterdam port with all deliveries of goods to and from Europe, all cranes, the trading and logistics control systems, road signals, financial transactions… Battery backup or diesel generators can last for only a certain while – hospitals and other essential functions must go first, but the rest of the society would end up in a big chaos.”

He said the Dutch fiction movie Blackout by the NPO broadcaster describes what could happen in a developed country after a power failure caused by a cyberattack or by an internal breakdown of the system.

Geopolitical structure

Other experts see a problem in the geopolitical structure of the battery market. Vadym Utkin, energy storage lead at DTEK Group, an energy holding company investing in Ukrainian energy solutions, said in a comment on LinkedIn he is worried about the potential risk that comes from the fact that many BESS manufacturers are located in China or controlled by Chinese groups.

He said robust protocols are needed to control the constant exchange of technical data between the ESS and integrators to maintain warranties and operational limits, typically managed by the battery management system (BMS) and energy management system (EMS). Judd said the industry should drive governments and authorities to issue cybersecurity standards for decentralised energy systems together with suppliers of BMS and EMS protocols.

Utkin added that in Lithuania, companies from China and other countries that “pose a threat to national security” should not have access to solar or wind farms with power of more than 100kW and BMSs, nor should they be able to control them remotely.

Inducing system instability

Aon, the global risk management group, publishes reports on cyberthreats. Adam Piper, executive director, global renewables, said: “Utility-scale BESS are more and more often designed to provide grid stability in particular nodes of the power networks, generally by means of applications such as frequency response or synthetic inertia.

“In these systems, the BMSs are integrated with the BESS control and monitoring, as well as with electricity markets’ real-time data and the utility’s corporate network. This interconnection between data domains and the BESS intrinsic physical capabilities can be exploited to cause harm by inducing system instability and potentially wide area blackouts.”

A threat actor who compromises a BMS could violate operational constraints, making changes to the battery’s charge, temperature, degradation or operation, according to Aon. They could also disable protection mechanisms, cause damage or malfunction, induce power grid instability or modify readings to impair monitoring accuracy. Stored energy has inherent safety risks (gassing, fire, toxic chemicals) and therefore the risk of causing considerable physical damage becomes very real, it said.

Piper also refers to the SCOR Stationary Battery Energy Storage Systems Handbook from 2022. It describes in detail a key vulnerability: “Due to their higher specific energy density and a greater sensitivity to electrical and environmental abuse, lithium-ion batteries need to be effectively managed with a BMS.

“When improperly managed, a lithium-ion battery will easily reach a thermal runaway state because it has a low cell resistance and high energy storage capacity. This need for a continuous active control is a major weakness if the BMS can be interfered with externally. Aon has developed the so-called Cyber Loop, a circular and iterative cyber security strategy that builds long-term resilience.”

The right architecture

Heistra said the most important thing is to establish the right architecture and after that to test it and test it again to reduce entry points of cyberattacks. “Cybersecurity should be fully embedded in everything the company does, from the first design of a new BESS project to the final connection to the grid. Companies buy fancy stuff for their systems but forget the basics – you need people who understand the operating model and who can follow up. It is vital to have made a correct description of the connection between the different levels, but also the interaction between operators.

“And the training should include incident planning, establishing chains of responsibility and 24/7 monitoring. Cybersecurity is a part of the business in our world today – you cannot simply leave it to the IT department!” he said.