Securing the future of energy storage: Navigating the cybersecurity landscape – EnergyShiftDaily
Securing the future of energy storage: Navigating the cybersecurity landscape

Today’s grid infrastructure is increasingly digital, interconnected, and remotely controlled – a shift that brings significant efficiency and flexibility but also demands a strong, proactive approach to cybersecurity.

The global shift in policy and standards

Governments and industry bodies are moving to establish consistent security expectations for critical infrastructure. In a landmark move, Australia has adopted the ISA/IEC 62443 series as national standards for protecting operational technology.

Developed by the International Society of Automation (ISA) and International Electrotechnical Commission (IEC), this framework outlines how security should be integrated into industrial automation and control systems throughout their lifecycle.

Its modular, role-based approach allows asset owners, service providers, and equipment suppliers to apply the sections relevant to their responsibilities, ensuring alignment without prescribing a one-size-fits-all checklist.

Internationally, other governments are moving in a similar direction to define cybersecurity requirements for critical infrastructure and a broader scope of industries. In the European Union, the NIS2 Directive extends security requirements to a wider range of energy assets, including smaller-scale energy storage, while the Cyber Resilience Act will, from December 2027, require that all products with digital elements meet lifecycle security obligations.

In the United States, both federal and state measures are increasing scrutiny of supply chain integrity, remote access security, and vendor accountability. These policies vary in detail but converge on the same principle: cybersecurity must be part of the design and procurement process, not an afterthought.

Understanding the risk environment

The operational role and architecture of battery energy storage systems (BESS) determine how security must be managed. Cyber-capable components such as battery management systems (BMS), power conversion systems (PCS), and energy management systems (EMS) each contain software and communications pathways that require secure maintenance throughout the system’s life.

These elements demand greater scrutiny than passive components like battery cells or structural parts. Remote access is essential for performance optimisation and troubleshooting, but it must be governed by strict protocols to prevent misuse.

Similarly, global supply chains support rapid scaling but can obscure visibility into the origins and update histories of components, making transparency critical.

Recent investigations have uncovered troubling cases of undocumented communication features in power electronics, illustrating how supply chain opacity can conceal security vulnerabilities.

In response, several countries have moved to restrict or remove certain manufacturers’ equipment from critical infrastructure, underscoring that supply chain risks are not hypothetical but active concerns.

This does not mean storage systems are inherently unsafe. In fact, BESS offers a unique opportunity for resilience. Unlike legacy grid infrastructure, which can be difficult and costly to secure after deployment, battery storage can be designed with cybersecurity built in from the outset.

When properly protected, BESS can strengthen overall grid resilience by providing reliable backup power and stabilisation during disruptions affecting other grid assets. Well-secured energy storage, therefore, is not merely a risk to manage but a critical part of the cybersecurity solution.

Best practices to reduce cyber risk

While each BESS project is unique, certain foundational measures can greatly reduce exposure to cyber threats. Drawing on lessons from across the industry, these practices address common vulnerabilities and can help enable secure and resilient systems over decades of operation.

  • Maintain detailed hardware and software bills of materials (HBOMs and SBOMs). These inventories identify every component and its source, enabling vulnerability tracking, verification of trusted suppliers, and faster response to and mitigation of supply chain incidents.
  • Design with defensible architecture and segmentation. Avoid ‘flat’ networks that allow unrestricted communication between devices. Segmentation limits the potential impact of any compromise and ensures systems can default to a safe state if needed.
  • Implement secure remote access. Use role-based permissions, multi-factor authentication, and activity logging. Avoid shared accounts and default credentials, and review access permissions regularly.
  • Enable continuous network visibility and monitoring. Monitor both internal device-to-device communications and external connections to detect anomalies early and respond quickly.
  • Secure long-term software support and vulnerability management. Ensure contracts clearly define responsibilities for ongoing security updates, critical patching, and disclosure of vulnerabilities over the full life of the asset.
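The segmentation and monitoring practices above can be checked together by comparing observed network flows against the conduits a site has declared between its zones. The following is an added example, not code from the author or from Fluence; the zone subnets, allowed conduits, ports and flow records are all constructed assumptions.

```python
import ipaddress

# Constructed zone map (assumption): one subnet per BESS function.
ZONES = {
    "BMS": ipaddress.ip_network("10.10.1.0/24"),
    "PCS": ipaddress.ip_network("10.10.2.0/24"),
    "EMS": ipaddress.ip_network("10.10.3.0/24"),
    "REMOTE_ACCESS": ipaddress.ip_network("10.10.9.0/28"),
}

# Declared conduits (assumption): (source zone, destination zone, destination port).
CONDUITS = {
    ("EMS", "BMS", 502),            # EMS polls BMS over Modbus/TCP
    ("EMS", "PCS", 502),            # EMS polls PCS over Modbus/TCP
    ("REMOTE_ACCESS", "EMS", 443),  # remote sessions terminate at the EMS only
}

def zone_of(addr):
    """Return the zone name for an address, or EXTERNAL if it is off-site."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "EXTERNAL"

def audit_flows(flows):
    """Flag cross-zone flows that match no declared conduit."""
    findings = []
    for src, dst, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone or (src_zone, dst_zone, port) in CONDUITS:
            continue  # intra-zone traffic and declared conduits are not flagged here
        reason = ("external connection" if "EXTERNAL" in (src_zone, dst_zone)
                  else "undeclared conduit")
        findings.append((src, dst, port, f"{src_zone}->{dst_zone}", reason))
    return findings

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.10.3.5", "10.10.1.20", 502),      # EMS -> BMS, declared
    ("10.10.9.2", "10.10.3.5", 443),       # remote access -> EMS, declared
    ("10.10.9.2", "10.10.2.11", 22),       # remote access straight to a PCS
    ("10.10.2.11", "203.0.113.40", 8883),  # PCS reaching an off-site address
    ("10.10.1.20", "10.10.1.21", 502),     # BMS -> BMS, same zone
]

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
```

Each finding is a flow to investigate: either the conduit list is incomplete, or a device is communicating in a way the design did not document.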

Integrating security from day one

Securing BESS is most effective when it is built in from the outset and sustained throughout the system’s life. By embedding strong protections early, operators can safeguard performance, avoid costly retrofits, and keep assets resilient as threats evolve. 

When security is built into every stage of development and operations, storage can operate as a trusted pillar of modern grids, supporting reliability, protecting investments, and enabling the energy transition to advance with confidence.


About the Author

Katherine Hutton is the product manager for cybersecurity at Fluence, where she develops solutions to strengthen cybersecurity capabilities across the company’s operational technology and digital products.

She stays at the forefront of evolving threats and global regulatory requirements affecting critical infrastructure asset owners, operators, and vendors in the renewable energy sector.