Risk managers in the growing battery energy storage system market must bolster their cyber resilience as they face emerging cyber threats

What happened?

As the energy grid digitalises, Aon’s Cyber Security Advisory team has identified operational technologies used in BESS control systems as an ‘invisible’ point of vulnerability that could be exposed by increasingly sophisticated threat actors.

cyber attack (4)

Aon’s 2021 Global Risk Management Survey reported that cyber attacks are ranked as the number one threat facing businesses today and in the future.

Energy businesses, in particular, are facing an increasingly complex cyber risk landscape, with new forms of volatility and current geopolitical tensions driving scrutiny on the security of essential energy infrastructure.

Energy storage installations around the world are projected to reach a cumulative 411 GW - or 1,194 GWh - by the end of 2030, according to the 2H 2022 Energy Storage Market Outlook from BloombergNEF (BNEF).

This growth is going hand-in-hand with the increasing digitalisation of the energy system.

What does it mean for risk managers?

Due to the nature of this digital evolution, OT assets are now connected more than ever, which may leave firms exposed to unknown risks and open to attacks from threat actors.

Andrew Hainault, managing director, EMEA – Security Advisory at Aon, said: “In our experience, cyber security for OT is playing catch-up with information technology (IT).

We see examples of clients who have relatively mature cyber security programmes for IT, with corresponding control frameworks that are established and measured, yet have noticeable control gaps for OT.

”“In our experience, cyber security for OT is playing catch-up with information technology (IT).”

“Indeed, OT environments often fall outside the remit of IT and consequently are invisible when it comes to enterprise cyber risk management. To make matters worse, manufacturers are generally not conversant with secure development lifecycles and therefore continue to deploy systems that are not properly hardened for internet-accessible environments.”

Paul Gooch, head of Cyber Open Market at Tokio Marine Kiln, the lead underwriter for Aon’s Cyber Property Damage (CYPD) Facility, said: “For BESS to be effective in ensuring reliability and grid stability, they will need to be fully integrated into the electrical grid architecture. Such integration necessitates the adoption of a communication infrastructure, which will increase the potential surface area for cyber attacks.”

While only a handful of successful attacks on clean energy systems have been reported to date, new forms of sophisticated malware emerged in 2022 – including Chernovite’s ‘Pipedream’ – that pose a significant threat to industrial control systems connected to the energy grid, including BESS.

In this context, Aon has cautioned that even BESS asset owners with robust IT security measures in place may be overlooking significant vulnerabilities in their OT systems.

”OT environments often fall outside the remit of IT and consequently are invisible when it comes to enterprise cyber risk management ”

Operational systems often have security limitations that prevent regular updates, and the lifespan of operational equipment means that component lifecycles are longer than in the IT world.

Furthermore, there may be gaps in reviewing vulnerabilities and managing controls to protect assets from digital threats, as well as the implementation and management of effective controls.

Should these gaps in cyber security for OT be exploited by a threat actor, the consequences may far outweigh the impact of a cyber attack on IT systems – leading to severe operational, financial and physical impacts for BESS organisations.

Paul Gooch said: “Lithium-ion (Li-ion) batteries – currently the most commonly used in BESS – require careful monitoring and control of their voltage, current and temperature conditions.

“If a threat actor were to interfere with this monitoring and control, physical damage could occur – ranging from battery cell degradation, caused by overcharging or over-discharging, to a ‘thermal runaway’ event resulting in overheating, fire or explosion.”

”Sustained cyber resilience is contingent on the ability of businesses to continually assess, mitigate, and transfer their risks”

What should risk managers do next?

Faced with this potential exposure, Aon advocates that risk managers in the sector take steps to reinforce their cyber security strategies now, before a major cyber attack.

Sustained cyber resilience is contingent on the ability of businesses to continually assess, mitigate, and transfer their risks, as well recover from operational and financial loss.

These capabilities are crucial to ensure that storage owners are better placed to access insurance cover and maintain business continuity both in preparation for and in the event of a cyber attack on their IT or OT systems.