Under Attack: Storage must address cybersecurity risk

• ‍Energy supply disruption could be increasingly common in global conflicts
• Lithium-ion battery storage cyberattacks could lead to life-threatening fires‍
• Energy professionals believe major cyberattack ‘probable’ in next two years
• Energy companies biggest victims of cyberattacks in North America

‍
How vulnerable are renewable energy projects to cyberattack? While this may be difficult to measure with a high degree of accuracy, recent reports suggest that disputes involving energy supplies will be a prominent feature in international geopolitics in the coming years.

Only last month, a joint investigation conducted by broadcasters in Denmark, Norway, Sweden and Finland led to allegations that Russia has a programme to sabotage wind farms in the North Sea. A series of reports broadcast in the Scandinavian countries said that Russia has a fleet of vessels – disguised as fishing trawlers and research vessels – that carry underwater surveillance equipment for the purpose of mapping key sites for possible sabotage. It has led to speculation that disrupting nations’ energy supplies could be a tactic increasingly deployed in conflicts around the world.

Major cyberattack is ‘probable’

Research suggests that concerns about disruptions to energy supplies caused by malevolent forces are justified. And cyberattacks could be the weapon of choice. A survey of almost 1,000 energy professionals conducted last year by DNV showed that the vast majority (85 per cent) believe that a major cyberattack incident is “probable” at some scale within the next two years. Of those that feel a major cyberattack is imminent, a total of 85 per cent think it will result in disrupted operations, 74 per cent believe it will cause harm to the environment, while 57 per cent say it will lead to loss of life.

The findings are alarming. Especially when you consider that the same survey indicated that the renewables industry is woefully underprepared for cyberattacks. The DNV research showed that only one in five (20 per cent) of professionals in the renewables industry “assert confidently that they would know exactly what to do if concerned about a potential cyberattack”. 

Storage needs range of cybersecurity strategies

The evidence suggests most energy professionals currently have no intention of taking steps to protect their organisations against cyberattacks. While the DNV survey showed that six out of ten energy sector ‘C-suite’ respondents acknowledged that their organisation is “more vulnerable to attack than ever before”, far fewer (44 per cent) expect to make “urgent improvements in the next few years to prevent an attack”.

But this risk needs to be acted upon by all segments of the renewables industry, including energy storage businesses. The Environmental Protection Agency has stressed that storage technologies need cybersecurity strategies to prevent, identify, detect, respond to, and recover from cyberattacks.

Just last week, global professional services firm Aon - which has placed insurance for over 2.8 GW of battery energy storage systems (BESS) and handled more than $100 million of battery storage claims - said that storage asset owners and operators must “bolster their cyber resilience as they face emerging cyber threats”. Specifically, Aon has identified operational technologies used in BESS control systems as an “invisible point of vulnerability that could be exposed by increasingly sophisticated threat actors”.

Storage sector has cybersecurity ‘gaps’

The energy storage industry’s digitalisation was speeded up by the global pandemic, but this has meant that, as the sector has become increasingly digitalised, so has its vulnerability to cyberattack. If we take the US as an example, the Atlantic Council think tank has highlighted that, despite the fact that energy storage relies “intrinsically on digitization and network connectivity”, the US is “unprepared” to secure the energy transition.

Due to the nature of the digital evolution, Aon has said, critical operational technologies (OT) in the energy storage sector are now connected “more than ever”, which could leave asset owners exposed to unknown risks. Andrew Hainault, managing director, EMEA – security advisory at Aon, has highlighted how OT is playing catch-up with information technology (IT). “We see examples of clients who have relatively mature cyber security programmes for IT, with corresponding control frameworks that are established and measured, yet have noticeable control gaps for OT,” he said.

Potential for storage cyberattacks increasing

Meanwhile, Paul Gooch, head of cyber open market at underwriter Tokio Marine Kiln, said that, while battery energy storage will have to be fully integrated into the electrical grid architecture to effectively ensure reliability and grid stability, such integration “necessitates the adoption of a communication infrastructure, which will increase the potential surface area for cyberattacks”.

This should be a serious concern given that data has shown energy companies are more at risk of cyberattack than any other business in North America. IBM’s X-Force Threat Intelligence Index 2023 revealed that energy firms were North America’s most commonly attacked organisations, constituting 20 per cent of all cases. This was higher than the manufacturing and retail-wholesale sectors, which tied for second place with 14% of cases each.

The IBM study also showed that extortion is the most common objective of cyberattacks, accounting for 21 per cent of the total, more than data theft, which accounted for 19 per cent. A total of 13 per cent of all extortion-related cyberattacks target the energy industry.

Attack on lithium-ion battery storage could cause fire

It’s not hard to see why the majority of energy storage professionals fear that a major cyberattack is imminent that could lead to loss of life. As Gooch highlighted, lithium-ion batteries – the technology most commonly used in battery energy storage systems – require careful monitoring and control of their voltage, current and temperature conditions. “If a threat actor were to interfere with this monitoring and control, physical damage could occur – ranging from battery cell degradation, caused by overcharging or over-discharging, to a ‘thermal runaway’ event resulting in overheating, fire or explosion,” he added.

What should energy storage companies be doing to protect against cyberattacks? Firstly, with the industry upping its investment in digitalisation, they need to ensure that, where possible, investment in cybersecurity keeps pace. Secondly, it’s prudent to assess exactly where projects are vulnerable to cyberattack – while your organisation may be confident that its OT is adequately protected, can the same be said for your suppliers? Finally, make sure cybersecurity training is also prioritised – the DNV study indicated that while some organisations are taking steps to upgrade core IT system security, less attention is being paid to training programmes.

It's clear that cybersecurity must be taken seriously in the energy storage sector. If it isn’t, our data, our environment, and even people’s lives could be put in danger. The worry is that the renewable energy sector is woefully unprepared.

‍