Energy-Storage.news Premium speaks with Phil Tonkin, field chief technology officer at Dragos, and Dr. Peter Fox-Penner, a Brattle principal, on BESS cybersecurity.
In December 2025, consultancy firm The Brattle Group and cybersecurity solutions provider Dragos released the whitepaper ‘Securing Battery Energy Storage Systems from Cyberthreats: Best Practices and Trends’.
The whitepaper recommends strategies for creating secure systems, verifying supply chains, organising network architecture, and strengthening operational resilience to improve cybersecurity for battery energy storage systems (BESS).
BESS installations have become more standardised to reduce costs and simplify the system. Consequently, organising cyberattacks has become easier because less sophistication is required to be successful.
Try Premium for just $1
- Full premium access for the first month at only $1
- Converts to an annual rate after 30 days unless cancelled
- Cancel anytime during the trial period
Premium Benefits
- Expert industry analysis and interviews
- Digital access to PV Tech Power journal
- Exclusive event discounts
Or get the full Premium subscription right away
Or continue reading this article for free
This has been an ongoing concern in the industry, but Brattle and Dragos claim that the issue will continue to grow if it is not properly addressed.
In March of last year, Adile Ajaja, director of operations, IT and cybersecurity at provider of fully integrated BESS and a utility subsidiary, EVLO, wrote in a guest blog for ESN, that “No utility is safe from hackers, often backed by nation-states or organised groups. It only takes one breach to unleash widespread disruption, making utilities a prime target for those looking to exploit critical infrastructure or geopolitical gains.”
Ajaja continued, “Now, more than ever, it’s crucial for utilities and their energy storage providers to actively prevent and plan against cybersecurity threats. Fortunately, there are a growing number of security options to deploy and best practices to offer guidance.”
Because BESS contain various technologies, often from different countries, implementing cybersecurity best practices is a global concern for the BESS industry.
“The operational role and architecture of BESS determine how security must be managed. Cyber-capable components such as battery management systems (BMS), power conversion systems (PCS), and energy management systems (EMS) each contain software and communications pathways that require secure maintenance throughout the system’s life.”
Hutton continued, “These elements demand greater scrutiny than passive components like battery cells or structural parts. Remote access is essential for performance optimisation and troubleshooting, but it must be governed by strict protocols to prevent misuse. Similarly, global supply chains support rapid scaling but can obscure visibility into the origins and update histories of components, making transparency critical.”
Dragos is a cybersecurity firm specialising in cybersecurity software designed for industrial settings, such as industrial control systems (ICS), supervisory control and data acquisition (SCADA), distributed control systems (DCS), and operational technology (OT).
The Brattle Group provides consulting and expert testimony in economics, finance, and regulation for corporations, law firms, and public agencies.
BESS vulnerabilities
Tonkin states that the main vulnerability of BESS is their direct connectivity to the internet.
He explains that the distributed nature of these sites means they often rely on commodity communication services, such as cellular or satellite, to connect, especially given their remote locations and high volume.
This approach expands the attack surface because it uses uniform technology and layered networking from IT, which increases vulnerability. Managing these systems requires ongoing operational instructions and involves multiple parties, further increasing exposure.
Tonkin further explains that BESS have not been specifically targeted in coordinated cyberattacks; instead, their vulnerabilities make them easier targets.
He explains, “There have been a number of cases where people who operate (BESS) have been hit by commodity malware, not necessarily a targeted adversary that’s gone after those assets, but somebody who’s just found them to be exposed when scanning generally for vulnerabilities. So, criminal groups are getting into them, but not necessarily through a deliberate targeted attack.”
Tonkin says, “We identify two main types of ransomware groups. The first is organised teams that target specific victims, purchasing access and maintaining persistence to maximise their impact. These teams usually work collaboratively. The second type consists of opportunists who use scripts they’ve bought or created to scan for vulnerabilities, quickly exploiting them to encrypt files and demand ransom. Generally, the latter group is more active in this space, rather than targeted attacks aimed at particular organisations.”
Tonkin and Fox-Brenner assert that electric grids are vulnerable to attacks from state adversaries, activist groups, and ransomware groups. They warn that as the importance of these grids for stability grows, the chances of deliberate targeting will also rise.
Under the foreign entity of concern (FEOC) rules, US downstream project suppliers and upstream manufacturing facilities are ineligible for significant aid from prohibited foreign entities (PFEs) if they hope to qualify for tax credits.
China is classified alongside countries such as Russia, Iran, and North Korea, which face substantial US market restrictions. Notably, China’s extensive involvement across almost the entire supply chain — apart from software, which is already limited — keeps the primary concerns centered on China.
The industry continues to debate whether Chinese suppliers can stay competitive, considering the higher costs for buyers and the tariffs on Chinese BESS, which hit about 55% starting January 1, 2026.
When considering the vulnerability of BESS and BESS equipment based on its country of origin, Fox-Brenner says:
“There have been documented cases of Chinese equipment used in BESS systems, like specifically inverters, where we have found so-called backdoors to them, or hidden communication equipment.”
“I’m not aware of similar findings for equipment originating from other countries. Now, there aren’t nearly as many manufacturers and volumes coming out of other countries, because China dominates the inverter market. But China is unique in that we have found instances of communications equipment in Chinese inverters and some other solar equipment that is unique,” he continues.
Tonkin adds, “Adding to this, the specific security and geopolitical issues involving the Chinese government raise concerns about how remote connectivity and undocumented components might lead to actions by China or hinder security efforts due to strained relations. For instance, Chinese-made components were hard to maintain during COVID because Chinese engineers couldn’t access other countries to perform upkeep”
Further stating, “In cybersecurity, it’s crucial to keep devices patched and maintained as vulnerabilities are identified. These flaws aren’t usually intentional but result from code defects or new functionalities. Fixing these issues requires a continuous relationship between the asset owner and the original developer, so that when new vulnerabilities emerge, the owner can request updated firmware or software to address the problems.”
Implementing cybersecurity best practices
The whitepaper emphasises that a proactive cybersecurity approach helps asset owners and operators reduce risks and save resources. Addressing common threats during design and construction enables companies to deploy controls more efficiently and economically.
Although new threats will continue to emerge, requiring ongoing adaptation, many effective solutions are already available and can be implemented early to avoid costly retrofits later. As BESS capacity approaches levels similar to large baseload power plants, the companies assert that protecting these assets is vital not only for operators but also for national energy security.
Tonkin says that Dragos often works with major utilities implementing BESS, gaining insight into their cybersecurity practices driven by regulations. Traditional investor-owned utilities prioritise control centre security, but grid-scale implementations raise concerns about layered controls.
EPC contractors, often new entrants, trust suppliers and focus on low costs, risking gaps. Larger utilities tend to follow best practices, but industry-wide awareness is limited. Collaborations with OEMs like Fluence and vendors such as Tesla reveal that security design depends on trusted partners who embed controls from the start. Many smaller projects rely on system integrators to layer controls, often resulting in vulnerabilities due to lack of partnership and oversight.
Dragos’s field chief technology officer further states that lack of education on cybersecurity best practices is a significant barrier to implementation.
“I used to work for National Grid, a utility in the Northeast, and we had 600 people in our security team. That’s a bigger capability than the size of some of these utilities as a whole. So if you’re dealing with a local cooperative, we tend to find that the local energy co-ops might have one person that does the IT and security and the operational technology they’re delivering, having to deliver a lot more broad capabilities with reduced access to specific skills,” Tonkin says.
He explains, “As an industry, cybersecurity must support smaller entities by providing secure products and accessible training programs. Initiatives like Dragos’s Community Defence Programme, which provides software at no cost, and the OT-CERT programme, offering plans and best practices, help peers collaborate and address security challenges. This report, developed with Brattle, aims to inform and motivate action based on solid technical rationale.”
Another recommendation from the whitepaper to reduce cyberattacks is to mandate verified Hardware and Software Bill of Materials (HBOMs and SBOMs) for OEMs and vendors. This helps identify and evaluate whether software components originate from trustworthy sources and allows analysis of geographic, corporate source components, and related vendors.
In the event that an HBOM and SBOM cannot be acquired, Tonkin says, “If you can’t get it, and therefore you can’t fully understand where the risks might be or what might manifest because of that—it could be unknown vulnerabilities, or it could be that there’s something hidden in it, or it doesn’t behave the way it’s supposed to—you can mitigate a lot of those things through good defense in depth and controls. So, if there’s a hidden back door into a device, it can’t be exploited if it can’t communicate out to its command and control server, or if someone can’t gain access to exploit it.”
The Energy Storage Summit USA will be held from 24-25 March 2026, in Dallas, TX. It features keynote speeches and panel discussions on topics like FEOC challenges, power demand forecasting, and managing the BESS supply chain. For complete information, visit the Energy Storage Summit USA website.