Professional services firm, Aon, says that asset owners and operators in the burgeoning battery energy storage system (BESS) market must bolster their cyber resilience as they face emerging cyberthreats.

As the energy grid digitalises, Aon’s Cyber Security Advisory team has identified operational technologies used in BESS control systems as an “invisible” point of vulnerability that could be exposed by increasingly sophisticated threat actors.

Aon’s 2021 Global Risk Management Survey reported that cyberattacks are ranked as the number one threat facing businesses today and in the future. Energy businesses, in particular, are facing an increasingly complex cyber risk landscape, with new forms of volatility and current geopolitical tensions driving scrutiny on the security of essential energy infrastructure.

Energy storage installations around the world are projected to reach a cumulative 411 GW – or 1,194 GWh – by the end of 2030, according to the 2H 2022 Energy Storage Market Outlook from BloombergNEF (BNEF). This growth is going hand-in-hand with the increasing digitalisation of the energy system.

Due to the nature of this digital evolution, however, OT assets are now connected more than ever – which may leave asset owners exposed to unknown risks and open to attacks from threat actors.

“In our experience, cybersecurity for OT is playing catch-up with information technology (IT),” says Andrew Hainault, MD EMEA – security advisor at Aon. “We see examples of clients who have relatively mature cybersecurity programmes for IT, with corresponding control frameworks that are established and measured, yet have noticeable control gaps for OT.

“Indeed, OT environments often fall outside the remit of IT and consequently are invisible when it comes to enterprise cyber risk management. To make matters worse, manufacturers are generally not conversant with secure development lifecycles and therefore continue to deploy systems that are not properly hardened for Internet-accessible environments.”

Paul Gooch, head of Cyber Open Market at Tokio Marine Kiln, the lead underwriter for Aon’s Cyber Property Damage (CYPD) Facility, adds: “For BESS to be effective in ensuring reliability and grid stability, they will need to be fully-integrated into the electrical grid architecture. Such integration necessitates the adoption of a communication infrastructure, which will increase the potential surface area for cyberattacks.”

While only a handful of successful attacks on clean energy systems have been reported to date, new forms of sophisticated malware emerged in 2022 – including Chernovite’s “Pipedream” – that pose a significant threat to industrial control systems connected to the energy grid, including BESS.

In this context, Aon cautions that even BESS asset owners with robust IT security measures in place may be overlooking significant vulnerabilities in their OT systems.

Operational systems often have security limitations that prevent regular updates and the lifespan of operational equipment means that component lifecycles are longer than in the IT world. Furthermore, there may be gaps in reviewing vulnerabilities and managing controls to protect assets from digital threats, as well as the implementation and management of effective controls.

Should these gaps in cybersecurity for OT be exploited by a threat actor, the consequences may far outweigh the impact of a cyberattack on IT systems, leading to severe operational, financial, and physical impacts for BESS asset owners.

“Lithium-ion (Li-ion) batteries – currently the most commonly used in BESS – require careful monitoring and control of their voltage, current, and temperature conditions,” says Gooch. “If a threat actor were to interfere with this monitoring and control, physical damage could occur – ranging from battery cell degradation caused by overcharging or over-discharging, to a ‘thermal runaway’ event resulting in overheating, fire, or explosion.”