New research from consultancy firm The Brattle Group and cybersecurity solutions provider Dragos claims that a single 100MW/400MWh BESS outage could result in US$1.2 million in monthly losses.
The pair’s new whitepaper, ‘Securing Battery Energy Storage Systems from Cyberthreats: Best Practices and Trends’, outlines recommended strategies for designing secure systems, verifying the supply chain, structuring network architecture and enhancing operational resilience to ensure cybersecurity for BESS.
The report highlights that a proactive cybersecurity strategy helps asset owners and operators lower risks and save time and money. By tackling well-known threats during design and construction, companies can apply effective controls more efficiently and cost-effectively.
While new threats will keep arising, demanding continuous flexibility and adaptation, many effective solutions already exist and can be implemented early to prevent costly retrofits in the future. As BESS capacity nears levels comparable to large baseload power plants, the companies argue that safeguarding these assets is crucial not only for operators but also for national energy security.
Try Premium for just $1
- Full premium access for the first month at only $1
- Converts to an annual rate after 30 days unless cancelled
- Cancel anytime during the trial period
Premium Benefits
- Expert industry analysis and interviews
- Digital access to PV Tech Power journal
- Exclusive event discounts
Or get the full Premium subscription right away
Or continue reading this article for free
Over the next five years, BESS deployment is projected to increase annually by 30% in the US, 45% in the EU and between 20% and 25% in Japan, South Korea, Southeast Asia and India.
BESS installations have become more standardised to lower costs and complexity. As a result, organising cyberattacks has become easier due to reduced sophistication needs.
This risk is amplified by the emergence of industrial control system (ICS)-specific malware capable of targeting various industrial technologies.
Dragos claims it has noted numerous foreign threat groups targeting electric sector entities, including VOLTZITE, also known as Volt Typhoon. The US Cybersecurity and Infrastructure Security Administration (CISA) has also identified these groups as attempting to disrupt critical infrastructure through cyber attacks.
Dragos further claims that VOLTZITE’s connection to the People’s Republic of China (PRC) highlights the risks associated with supply chains that include foreign-controlled components and software. Often, asset owners or operators cannot inspect or oversee these elements because of restrictions in contractual agreements, which compromises the security of their systems.
At the asset level, the report contends that revenue losses from a successful cyberattack causing forced outages in the US may be as high as US$1.2 million for a 100MW/400MWh system. Similar losses could occur in other markets, such as Germany or the UK.
If the asset suffers permanent damage, the capital losses could be more than ten times higher. “The losses to the regional economy, community, and possible national defence could be larger still.”
Based on conversations with industry experts and former federal officials, Brattle and Dragos say that security concerns will likely lead to more stringent security measures towards foreign entities of concern (FEOC) in the US.
According to FEOC rules, US downstream projects and upstream manufacturing facilities cannot receive significant aid from prohibited foreign entities (PFEs) to qualify for tax credits.
China is grouped with countries which are already largely restricted from the US market, like Russia, Iran, and North Korea. More significantly, China’s deep participation across nearly every part of the supply chain—except software, which is already limited—means that ongoing concerns are primarily focused on China.
Although experts disagreed on the effectiveness of current federal policies to reduce BESS risks, they agreed that Congress and the executive branch are likely to enhance policies involving FEOC.
These initiatives will expand on bills already introduced in Congress and executive orders from the Trump and Biden administrations, which focus on safeguarding critical infrastructure, reviewing supply chains, and decreasing reliance on FEOC.
Brattle and Drago further explained that states might also take on a bigger role, as seen in California (Cal-CSIC), Texas (Lone Star Infrastructure Protection Act), Arizona (HB2736), and Georgia (SB46). Additionally, experts believe that industry-prescriptive standards could help improve supply chain security and component verification, although they are not meant to replace federal policies.
Cal-CSIC aims to reduce cyber threats. AZ HB2736 establishes a seven-year pilot program for data encryption and cybersecurity to safeguard information technology data. Georgia’s SB46 enhances state government service delivery. The Lone Star Infrastructure Protection Act limits contracts with FEOC-designated countries.
The industry has been debating whether Chinese suppliers can remain competitive, given the higher costs for buyers and the tariffs on Chinese BESS, which are expected to reach about 55% starting 1 January 2026.
South Korean manufacturers such as LG Energy Solution and SK On are upgrading some of their EV battery factories in the US to produce ESS cells. This gives them a substantial advantage in a market that is increasingly emphasising domestic supply chains.
Recently, an anonymous consultant told Energy-Storage.new Premium that South Korean manufacturers’ announcements might be sufficient to satisfy domestic BESS demand.
Dr. Peter Fox-Penner, a Brattle Principal and coauthor of the paper, stated, “BESS are becoming central to grid operations, but their increasing deployment makes it essential that cybersecurity is embedded from the start. The electricity industry and policymakers need clear, actionable guidance to ensure these assets strengthen reliability rather than introduce new points of failure.”
The Energy Storage Summit USA will be held from 24-25 March 2026, in Dallas, TX. It features keynote speeches and panel discussions on topics like FEOC challenges, power demand forecasting, and managing the BESS supply chain. For complete information, visit the Energy Storage Summit USA website.
