Is your storage system prepared for attack?

• Concern that storage industry is ill-prepared for cyberattacks
• Some utilities still 'not up-to-speed' on cybersecurity
• Cybersecurity standards planned, but will they arrive soon enough?

When groups of energy storage professionals have got together in recent months, it hasn’t been long before the conversation has turned to the issue of cybersecurity.

It’s a topic that’s keeping many in the industry awake at night.

And recent geopolitical events prove that interference with nations’ energy supplies should be a growing concern.

Storage ill-prepared for cyberattacks

And the alarming truth is that energy storage systems are as vulnerable as any power system to cyberattacks.

Perhaps even more alarming is a feeling within the industry that it is ill-prepared for such threats. Only two weeks ago, the CEO of UK-headquartered standalone battery owner and operator Eelpower, Mark Simon, said that, not only was cybersecurity a “real risk” in the energy storage industry, but that, in his view, “no one has a complete and coherent plan for it yet”.

It's a chilling thought. 

The five functions of cybersecurity

So what should the industry be doing to counteract the threat? Experts in the sector are pointing to the “five functions” of the US National Institute of Standards and Technology cybersecurity framework as a starting point. These five functions are: Identify, Protect, Detect, Respond and Recover.

What does this mean in practice? Parminder Sahi, head of cloud and operations at energy storage company STEM has described it thus: “First we identify what we’re trying to protect; then we protect it with tools such as firewalls, network security, and physical security; then we detect and respond to any intrusions; and finally, we repeat the process.”

The good news: robust systems can be built

Even if you are taking the aforementioned steps, you can’t afford complacency. It’s a simple fact that all risks cannot be eliminated. However, energy storage security experts, including Sahi, are confident that systems can be built that will stop intruders taking control of “critical information and infrastructure”.

However, Sahi has also warned that some companies and electric utilities have still not fully implemented up-to-date cybersecurity practices.

The stark truth is that cybercriminals are becoming more adept than ever at compromising cybersecurity systems. Added to this, the fact energy storage is a distributed energy resource (DER) is both its strength and its weakness. Yes, a DER offers considerable flexibility, but it is also much more vulnerable to cyberattack than traditional energy resources.

Industry must act now

Despite this gloomy prognosis, there are signs that the industry is beginning to take steps to tackle the issue.

A recent report by the National Renewable Energy Laboratory (NREL) – in partnership with global safety science company UL – highlighted that NREL and the US government’s Solar Energy Technologies Office are currently working on an “outline of investigation” for DER cybersecurity testing protocols with a view to developing it into an industry standard in collaboration with other standards development organisations.

The intentions are undoubtedly honourable, but there will be those in the industry that will fear that the fruit of such labours will not be seen fast enough.

Now is the time for the energy storage industry to wise-up to the cybersecurity threat.

Failure to do so could result in crippling security breaches that could damage the storage industry’s reputation at a time when it is starting to be taken much more seriously as a force for good in the world.

Additional research by Robert Malthouse