{"id":178206,"date":"2026-01-14T07:13:00","date_gmt":"2026-01-14T12:13:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/01\/14\/standardisation-is-making-us-bess-an-easy-target-for-cyberattacks\/"},"modified":"2026-01-14T14:25:18","modified_gmt":"2026-01-14T19:25:18","slug":"standardisation-is-making-us-bess-an-easy-target-for-cyberattacks","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/01\/14\/standardisation-is-making-us-bess-an-easy-target-for-cyberattacks\/","title":{"rendered":"Standardisation is making US BESS an easy target for cyberattacks"},"content":{"rendered":"

Standardisation is making US BESS an easy target for cyberattacks<\/a><\/p>\n

https:\/\/www.energy-storage.news\/standardisation-is-making-us-bess-an-easy-target-for-cyberattacks\/<\/a><\/p>\n

Publish Date: 2026-01-14 07:13:00<\/a><\/p>\n

Source Domain: www.energy-storage.news<\/a><\/p>\n

Author: <\/a><\/p>\n

Using an unordered list, summarize the following article with between 4 and 8 key points. <\/p>\n

This has been an ongoing concern in the industry, but Brattle and Dragos claim that the issue will continue to grow if it is not properly addressed.<\/p>\n

In March of last year, Adile Ajaja, director of operations, IT and cybersecurity at provider of fully integrated BESS and a utility subsidiary, EVLO, wrote in a guest blog for ESN, that \u201cNo utility is safe from hackers, often backed by nation-states or organised groups. It only takes one breach to unleash widespread disruption, making utilities a prime target for those looking to exploit critical infrastructure or geopolitical gains.\u201d<\/p>\n

Ajaja continued, \u201cNow, more than ever, it\u2019s crucial for utilities and their energy storage providers to actively prevent and plan against cybersecurity threats. Fortunately, there are a growing number of security options to deploy and best practices to offer guidance.\u201d<\/p>\n

Because BESS contain various technologies, often from different countries, implementing cybersecurity best practices is a global concern for the BESS industry.<\/p>\n

Katherine Hutton, product manager of cybersecurity at energy storage technology and energy software services provider Fluence, wrote:<\/p>\n

\u201cThe operational role and architecture of BESS determine how security must be managed. Cyber-capable components such as battery management systems (BMS), power conversion systems (PCS), and energy management systems (EMS) each contain software and communications pathways that require secure maintenance throughout the system\u2019s life.\u201d<\/p>\n

Hutton continued, \u201cThese elements demand greater scrutiny than passive components like battery cells or structural parts. Remote access is essential for performance optimisation and troubleshooting, but it must be governed by strict protocols to prevent misuse. Similarly, global supply chains support rapid scaling but can obscure visibility into the origins and update histories of components, making transparency critical.\u201d<\/p>\n

Dragos is a cybersecurity firm specialising in cybersecurity software designed for industrial settings, such as industrial control systems (ICS), supervisory control and data acquisition (SCADA), distributed control systems (DCS), and operational technology (OT).<\/p>\n

The Brattle Group provides consulting and expert testimony in economics, finance, and regulation for corporations, law firms, and public agencies.<\/p>\n

BESS vulnerabilities<\/p>\n

Tonkin states that the main vulnerability of BESS is their direct connectivity to the internet.<\/p>\n

He explains that the distributed nature of these sites means they often rely on commodity communication services, such as cellular or satellite, to connect, especially given their remote locations and high volume.<\/p>\n

This approach expands the attack surface because it uses uniform technology and layered networking from IT, which increases vulnerability. Managing these systems requires ongoing operational instructions and involves multiple parties, further increasing exposure.<\/p>\n

Tonkin further explains that BESS have not been specifically targeted in coordinated cyberattacks; instead, their vulnerabilities make them easier targets.<\/p>\n

He explains, \u201cThere have been a number of cases where people who operate (BESS) have been hit by commodity malware, not necessarily a targeted adversary that\u2019s gone after those assets, but somebody who\u2019s just found them to be exposed when scanning generally for vulnerabilities. So, criminal groups are getting into them, but not necessarily through a deliberate targeted attack.\u201d<\/p>\n

Tonkin says, \u201cWe identify two main types of ransomware groups. The first is organised teams that target specific victims, purchasing access and maintaining persistence to maximise their impact. These teams usually work collaboratively. The second type consists of opportunists who use scripts they\u2019ve bought or created to scan for vulnerabilities, quickly exploiting them to encrypt files and demand ransom. Generally, the latter group is more active in this space, rather than targeted attacks aimed at particular organisations.\u201d<\/p>\n

Tonkin and Fox-Brenner assert that electric grids are vulnerable to attacks from state adversaries, activist groups, and ransomware groups. They warn that as the importance of these grids for stability grows, the chances of deliberate targeting will also rise.<\/p>\n

Under the foreign entity of concern (FEOC) rules, US downstream project suppliers and upstream manufacturing facilities are ineligible for significant aid from prohibited foreign entities (PFEs) if they hope to qualify for tax credits.<\/p>\n

China is classified alongside countries such as Russia, Iran, and North Korea, which face substantial US market restrictions. Notably, China\u2019s extensive involvement across almost the entire supply chain \u2014 apart from software, which is already limited \u2014 keeps the primary concerns centered on China.<\/p>\n

The industry continues to debate whether Chinese suppliers can stay competitive, considering the higher costs for buyers and the tariffs on Chinese BESS, which hit about 55% starting January 1, 2026.<\/p>\n

When considering the vulnerability of BESS and BESS equipment based on its country of origin, Fox-Brenner says:<\/p>\n

\u201cThere have been documented cases of Chinese equipment used in BESS systems, like specifically inverters, where we have found so-called backdoors to them, or hidden communication equipment.\u201d<\/p>\n

\u201cI\u2019m not aware of similar findings for equipment originating from other countries. Now, there aren\u2019t nearly as many manufacturers and volumes coming out of other countries, because China dominates the inverter market. But China is unique in that we have found instances of communications equipment in Chinese inverters and some other solar equipment that is unique,\u201d he continues.<\/p>\n

Tonkin adds, \u201cAdding to this, the specific security and geopolitical issues involving the Chinese government raise concerns about how remote connectivity and undocumented components might lead to actions by China or hinder security efforts due to strained relations. For instance, Chinese-made components were hard to maintain during COVID because Chinese engineers couldn\u2019t access other countries to perform upkeep\u201d<\/p>\n

Further stating, \u201cIn cybersecurity, it\u2019s crucial to keep devices patched and maintained as vulnerabilities are identified. These flaws aren\u2019t usually intentional but result from code defects or new functionalities. Fixing these issues requires a continuous relationship between the asset owner and the original developer, so that when new vulnerabilities emerge, the owner can request updated firmware or software to address the problems.\u201d<\/p>\n

Implementing cybersecurity best practices<\/p>\n

The whitepaper emphasises that a proactive cybersecurity approach helps asset owners and operators reduce risks and save resources. Addressing common threats during design and construction enables companies to deploy controls more efficiently and economically.<\/p>\n

Although new threats will continue to emerge, requiring ongoing adaptation, many effective solutions are already available and can be implemented early to avoid costly retrofits later. As BESS capacity approaches levels similar to large baseload power plants, the companies assert that protecting these assets is vital not only for operators but also for national energy security.<\/p>\n

Tonkin says that Dragos often works with major utilities implementing BESS, gaining insight into their cybersecurity practices driven by regulations. Traditional investor-owned utilities prioritise control centre security, but grid-scale implementations raise concerns about layered controls.<\/p>\n

EPC contractors, often new entrants, trust suppliers and focus on low costs, risking gaps. Larger utilities tend to follow best practices, but industry-wide awareness is limited. Collaborations with OEMs like Fluence and vendors such as Tesla reveal that security design depends on trusted partners who embed controls from the start. Many smaller projects rely on system integrators to layer controls, often resulting in vulnerabilities due to lack of partnership and oversight.<\/p>\n

Dragos\u2019s field chief technology officer further states that lack of education on cybersecurity best practices is a significant barrier to implementation.<\/p>\n

\u201cI used to work for National Grid, a utility in the Northeast, and we had 600 people in our security team. That\u2019s a bigger capability than the size of some of these utilities as a whole. So if you\u2019re dealing with a local cooperative, we tend to find that the local energy co-ops might have one person that does the IT and security and the operational technology they\u2019re delivering, having to deliver a lot more broad capabilities with reduced access to specific skills,\u201d Tonkin says.<\/p>\n

He explains, \u201cAs an industry, cybersecurity must support smaller entities by providing secure products and accessible training programs. Initiatives like Dragos\u2019s Community Defence Programme, which provides software at no cost, and the OT-CERT programme, offering plans and best practices, help peers collaborate and address security challenges. This report, developed with Brattle, aims to inform and motivate action based on solid technical rationale.\u201d<\/p>\n

Another recommendation from the whitepaper to reduce cyberattacks is to mandate verified Hardware and Software Bill of Materials (HBOMs and SBOMs) for OEMs and vendors. This helps identify and evaluate whether software components originate from trustworthy sources and allows analysis of geographic, corporate source components, and related vendors.<\/p>\n

In the event that an HBOM and SBOM cannot be acquired, Tonkin says, \u201cIf you can\u2019t get it, and therefore you can\u2019t fully understand where the risks might be or what might manifest because of that\u2014it could be unknown vulnerabilities, or it could be that there\u2019s something hidden in it, or it doesn\u2019t behave the way it\u2019s supposed to\u2014you can mitigate a lot of those things through good defense in depth and controls. So, if there\u2019s a hidden back door into a device, it can\u2019t be exploited if it can\u2019t communicate out to its command and control server, or if someone can\u2019t gain access to exploit it.\u201d<\/p>\n

The Energy Storage Summit USA will be held from 24-25 March 2026, in Dallas, TX. It features keynote speeches and panel discussions on topics like FEOC challenges, power demand forecasting, and managing the BESS supply chain. For complete information, visit the\u00a0Energy Storage Summit USA website.<\/p>\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

Standardisation is making US BESS an easy target for cyberattacks https:\/\/www.energy-storage.news\/standardisation-is-making-us-bess-an-easy-target-for-cyberattacks\/ Publish Date: 2026-01-14 07:13:00…<\/p>\n","protected":false},"author":1,"featured_media":178208,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.energy-storage.news\/wp-content\/uploads\/2026\/01\/pexels-pixabay-60504.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[30,24,31,32,27],"class_list":["post-178206","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-breach","tag-cybersecurity","tag-exploit","tag-malware","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/178206"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=178206"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/178206\/revisions"}],"predecessor-version":[{"id":178209,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/178206\/revisions\/178209"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/178208"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=178206"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=178206"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=178206"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}