
How Vulnerable to Cyber Attacks are Battery Energy Storage Systems?

March 19, 2025
Networked battery systems introduce cyber and physical vulnerability, and not enough attention is paid to training, design and operation of BESS.

We know of control system cyber attacks in the electric power, water, oil and gas, building controls, and transportation sectors that have caused physical damage. Another cyber threat that could pose physical security dangers involves battery energy storage systems, which vendors, utilities and grid operators are relying on more to make electricity delivery more reliable.

Battery energy storage systems are critical for reliable grid operations where power from intermittent solar or wind loads needs to be stored when excess power is available, to be dispatched later when there is a lack of power generation. Like other cyber-physical systems, energy storage systems use instrumentation and control systems including process sensors, control systems with logic circuits, communication systems, and inverters that convert the direct current electricity stored in the batteries into alternating current electricity used by the electrical grid. Control systems coordinate the operation of the BESS, including the battery management system (BMS), energy management system (EMS), BESS plant controllers, BESS inverters, fire detection and suppression systems, and their associated subsystems.

The Electric Power Research Institute (EPRI) whitepaper “Insights from EPRI’s Battery Energy Storage Systems (BESS) Failure Incident Database: Analysis of Failure Root Cause” reported that “a significant fraction of BESS failure incidents had an unknown root cause.” When I was managing the EPRI Nuclear Instrumentation & Diagnostics Program, I tried finding actual cases dealing with specific causes, specifically loss of oil in nuclear safety-related pressure transmitters. There were no cases identified in U.S. Nuclear Regulatory Commission (NRC), Institute for Nuclear Power Operations (INPO), or other relevant databases addressing this specific issue by name.

Consequently, the more than 200 cases I identified had to be found by reading between the lines. The same happened after starting the EPRI control system cybersecurity program – none of the cases were originally identified as being cyber-related. With the appropriate understanding, I believe a large fraction of the BESS cases that were identified in the EPRI report as being from “unknown root causes” were due to control systems, and of that number, a high number would have been control system cyber-related.

“Of the incidents that were classified, there was no single cause that contributed to a majority of failures. The balance-of-system components and controls were the leading causes of failure, with the cell having a relatively small number of failures attributed to it. Control failures include those due to control-system incompatibility, incorrect installation of the control system, defects leading to errors in sensors or controls,” the EPRI report went on to state.

Control system issues not identified in the EPRI report include improper settings, lack of control-system coordination and inappropriate operation limits. The EPRI report did not directly mention any of the BESS incidents as being cyber-related.

BESS Threats

As in most industrial and manufacturing processes, temperature is an important consideration. For BESS, temperature considerations manifest themselves in thermal runaway. This phenomenon occurs when a battery becomes self-destructive due to uncontrolled thermal conditions leading to a chain reaction within a battery, causing a rapid increase in temperature and pressure. This reaction starts when the battery’s internal temperature reaches a point that causes a breakdown of the battery’s internal components. It can escalate quickly, potentially leading to a fire or explosion. To date there have been more than 60 thermal runaway fires at BESS facilities.

Thermal runaway in lithium-ion batteries can be caused by control system cyber incidents, whether malicious or unintentional, because battery monitoring systems, battery inverter systems, and fire detection and suppression systems are monitored and controlled by instrumentation and control systems that have no cybersecurity or authentication.

Cyber Threats

The possibilities of cyber threats are many. Altered control system settings can affect the timing and coordination of monitoring and safety systems. Additionally, cyber intrusions can be developed to insert settings in unused registers within the control system that could lie dormant until activated at the attacker’s discretion.

A report from Sandia National Laboratory identified issues with port cranes but did not identify the cyber issues with Chinese-made transformers that can communicate with battery systems. Because of the lack of control system cyber forensics and training, it is difficult to identify BESS control system incidents as being cyber-related or to tell whether they are malicious or benign. Process sensors measuring pressure, temperature, flow, gas detection, etc. have no cybersecurity, authentication, or cyber forensics and were not addressed in the Sandia report. BESS control systems use power conversion systems (inverters) to convert DC to AC, so issues such as Aurora need to be addressed.

In addition to BESS software, many BESS instrumentation and control systems are also either made in China or have Chinese components, which could be considered security and safety issues. As the Director of National Intelligence (DNI) National Intelligence Council wrote in its 2021 National Intelligence Estimate, “China is the world’s leading supplier of advanced grid components for ultra-high-voltage systems, such as transformers, circuit breakers, and inverters, which we assess creates cyber vulnerability risks.”

Presidential Executive Order (EO) 13920 was issued by President Trump on May 1, 2020 to address large Chinese-made power transformers because of extra electronics found in a large Chinese-made electric power transformer installed at a U.S. utility substation. A February 2024 EO was issued on hardware backdoors in Chinese port cranes because of hardware found in the cranes that should not have been there.

Accidental BESS Fires

As mentioned, there have been more than 60 BESS runaway fire events. The following is an example of an unintentional control system cyber-induced runaway fire case.

Vistra is a Texas-based electricity and power generation company. The company operates the largest battery storage facility in the U.S. at Moss Landing, California. Vistra’s senior director of community affairs said that two “overheating events” happened at the battery plant in 2021 and 2022 because the batteries got wet. A third incident happened in 2022 at the neighboring Elkhorn battery plant owned by PG&E. On Jan. 16, 2025, a large fire at the Moss Landing BESS facility burned tens of thousands of batteries and released heavy metals into the environment.

In the Sept. 4, 2021 incident, fire damaged roughly 7% of the battery modules and other systems. Smoke was detected by the Very Early Smoke Detection Apparatus (VESDA) units, which released water and stopped the flow of electrical current through the affected cores (an automated process referred to as e-stop). Due to an apparent programming error in the VESDA, these actions occurred at detected smoke levels below the specified design level at which water should have been released, triggering an e-stop.

This incident shows the difference between network security and engineering as this incident did not have to exceed any high levels or have a denial-of-service to cause a catastrophic problem. The VESDA system was reviewed to ensure it is programmed in accordance with the specifications. This raises the question about the vendor’s software validation and verification process as there have been several fires with this vendor’s battery systems.
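The kind of review described above, checking that a controller is programmed in accordance with its specification, can be automated as a baseline audit that also catches the populated "unused" registers mentioned under Cyber Threats. The following is an added example, not code from the article, Vistra or any vendor; every register address, setpoint name and value in it is constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Setpoint:
    name: str
    design_value: float
    tolerance: float  # allowed absolute deviation from the design value

# Hypothetical engineering baseline: register address -> specified setpoint.
BASELINE = {
    40001: Setpoint("smoke_alarm_level", 0.20, 0.0),
    40002: Setpoint("water_release_smoke_level", 0.50, 0.0),
    40003: Setpoint("cell_overtemp_trip_c", 60.0, 0.5),
    40004: Setpoint("estop_delay_s", 2.0, 0.0),
}
# Hypothetical address ranges documented as unused; they must read as zero.
UNUSED_RANGES = [(40100, 40109)]

def audit(snapshot):
    """Return sorted findings (address, kind, detail) for a register snapshot."""
    findings = []
    for addr, sp in BASELINE.items():
        if addr not in snapshot:
            findings.append((addr, "missing", sp.name))
        elif abs(snapshot[addr] - sp.design_value) > sp.tolerance:
            findings.append((addr, "setpoint_drift",
                             f"{sp.name}: read {snapshot[addr]}, design {sp.design_value}"))
    for addr, value in snapshot.items():
        if addr in BASELINE:
            continue
        in_unused = any(lo <= addr <= hi for lo, hi in UNUSED_RANGES)
        if in_unused and value != 0:
            # A dormant value parked in a register the design says is unused.
            findings.append((addr, "unused_register_populated", f"read {value}"))
        elif not in_unused:
            findings.append((addr, "undocumented_register", f"read {value}"))
    return sorted(findings)

# Constructed snapshot: water release is set far below its design level,
# an "unused" register holds a value, and one address is not in the design.
SNAPSHOT = {40001: 0.20, 40002: 0.05, 40003: 60.0, 40004: 2.0,
            40100: 0, 40105: 1337, 40200: 1}

if __name__ == "__main__":
    for addr, kind, detail in audit(SNAPSHOT):
        print(addr, kind, detail)
```

Note that the drifted setpoint is a perfectly valid value for the controller; only comparison against the engineering specification reveals it, which is why network monitoring alone would not flag it.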

The BESS Cyber Compromise

While some system events are not malicious, there has also been evidence of malicious compromises from a cyber-vulnerable Chinese-made BESS.

Duke Energy agreed under pressure from the U.S. Congress to decommission energy storage batteries produced by Chinese battery maker CATL installed at Marine Corps Base Camp Lejeune in North Carolina over concerns that the batteries posed a security risk. Reuters reported that Duke Energy had made plans to decommission the CATL-made batteries that had been installed less than a year before, in March 2023. However, by year’s end, Duke Energy had disconnected the battery storage project, with the utility citing concerns raised by lawmakers and experts around CATL’s close ties to the Communist Party of China (CPC).

The batteries and their inverters may have had vulnerabilities that could be used to compromise the electricity grid. According to CATL, its energy storage products sold to the U.S. contained only passive devices, which were not equipped with communication interfaces. While the Duke executives told the congressional staff they were confident in the security of the batteries, they also expressed a desire to address congressional concerns. Executives told Congress that Duke had been considering CATL batteries for about two dozen projects.

Duke Energy stated that the battery system had been designed with “security in mind,” and that the batteries “were not connected in any way to Camp Lejeune’s network or other systems.” However, according to sources speaking on background, China connected with the battery systems at Camp Lejeune, and then reconnected after the system was ostensibly disconnected by the U.S. This could be similar to the backdoors in large Chinese electric transformers or port cranes.

Lack of Relevant Standards

This incident should raise red flags, as Duke is a leader in grid cybersecurity. The demonstration of the back door into the battery system eventually led Sens. Tim Scott and Marco Rubio and members of the Senate Foreign Relations Committee to introduce the Blocking Bad Batteries Act, to prohibit the U.S. Department of State from procuring batteries produced by certain companies.

Similar issues with backdoors in Chinese-made equipment led to presidential executive orders against large Chinese-made electric transformers and Chinese-made port cranes.

The electric utility cybersecurity standards (North American Electric Utility Corporation—NERC Critical Infrastructure Protection—CIP) do not appear to apply to BESS-unique issues. The National Fire Protection Association (NFPA) standard for BESS fire protection is NFPA 855. NFPA 855 has no cybersecurity requirements.

Solving the Vulnerabilities

EPRI, in its report, and Vistra, in its response to the September 2021 fire, proposed solutions to address thermal runaway incidents. However, neither solution addressed cybersecurity. The Duke Energy case demonstrates that an appropriate control system cybersecurity training program is necessary even for an industry leader in grid cybersecurity. The NFPA standards for BESS do not include cybersecurity, and BESS, being electric distribution systems, are out of scope for NERC CIP standards.

BESS suppliers in the U.S. need to gear up to supply BESS on an acceptable schedule and cost. Utility organizations should specify that BESS need to be U.S.-based and use U.S.-designed and U.S.-built software, systems and components. Cybersecurity needs to be part of the hardware, software and personnel training. NFPA and grid regulators need to develop appropriate control system cybersecurity standards and regulations for BESS and personnel.

Battery systems are cyber-vulnerable. There have been cases where intentional and/or unintentional cyber incidents have caused or contributed to thermal runaway fires. There have been other cases where BESS have been cyber-compromised. Yet there appears to be minimal attention being paid to cybersecurity in the design, operation and training surrounding BESS. There needs to be a focus on cybersecurity standards and training for BESS cybersecurity as it is possible to exploit cybersecurity gaps in BESS used in critical systems.

Editor’s Note: This article appeared originally at Control, an Endeavor Business Media brand covering the process and automation industries. It is republished here with the permission of the author and includes relevant updates.

About the Author

Joe Weiss

Joe Weiss, P.E., CISM, is managing partner of Applied Control Solutions, LLC, in Cupertino, Calif. He has more than 40 years of experience in the field of industrial controls and automation, and more than 20 years of experience working with industrial control system cybersecurity. Weiss holds several patents, has written and presented extensively on controls technology, has testified before Congress five times, and is an International Society of Automation Fellow, an IEEE Senior Fellow, and a Ponemon Institute Fellow.
