The Battery on Your Grid Is a Computer. Are You Treating It Like One? 

Battery energy storage has gone from a niche grid asset to a strategic one. Utilities are leaning on these systems to firm up renewables, defer transmission upgrades, and meet the load growth coming from data centers. Forecasts now put BESS deployment growth at 20 to 45 percent over the next five years. The problem is that the security maturity of these assets has not kept pace with the speed of deployment, and the recent string of incidents and disclosures should make every utility executive pause before signing the next procurement order. 

This is not a future risk. It is a present one, and the news cycle of the past two years has made that uncomfortable to ignore. 

The Incidents That Should Be on Every Executive Briefing 

In late 2023, Duke Energy disconnected CATL battery units from a microgrid at Camp Lejeune Marine Corps Base after lawmakers raised concerns about the supplier.  

By February 2024, Duke had committed to decommissioning that system entirely and announced it would phase CATL out of its civilian projects by 2027. CATL maintains its products contain only passive components and cannot communicate with the grid, but the political and security calculus shifted regardless.  

When a utility considered a leader in grid cybersecurity decides the reputational and operational risk is not worth it, that signal travels. 

Then came the inverter findings.  

Throughout 2025, U.S. energy officials reported discovering undocumented communication components inside some Chinese-made solar inverters and batteries.  

Think of it like buying a thermostat for your office and finding a second cellular radio inside that nobody told you about, possibly calling your biggest competitor.   

In early 2026, the Department of Energy shared an assessment of roughly 30 inverters that national laboratories had examined. While the DOE did not find definitive evidence of intentionally malicious wireless functions, two cases showed communications that did not match vendor documentation. Undocumented capabilities in equipment that sits between your battery cells and the grid are the kind of finding that keeps CISOs up at night. 

Layered on top of that is the threat actor picture. CISA, the NSA, and the FBI have publicly warned about Volt Typhoon, the Chinese state-linked actor that has been pre-positioning inside U.S. critical infrastructure networks, including in the energy sector, with the apparent goal of preserving disruption options for a future crisis. They are not alone. 

Industry threat intelligence consistently identifies more than a dozen distinct groups with the intent or capability to target the electric grid. The 2015 Ukraine grid attack remains the textbook case for how nation-state actors translate network access into physical disruption, and BESS expands the attack surface considerably. 

The financial math is sobering on its own. Industry analysts estimate that a single 100 megawatt BESS outage could result in roughly 1.2 million dollars in lost monthly revenue. A larger event affecting 100,000 customers and 3,000 megawatt hours could approach 39 million dollars in economic impact for a single day. That is before you account for safety, regulatory exposure, or the cost of lost public trust.

Why BESS Is Uniquely Hard to Secure 

A modern battery storage facility is not really a battery. It is a distributed computing environment with batteries attached. You have battery management systems, energy management systems, power conversion systems, inverters, SCADA links, cloud telemetry, and vendor remote access channels. Each one is a potential entry point. If a hacker compromises the right component, they can disable safety protections, falsify state-of-charge readings, manipulate grid frequency response, or, in the worst case, push a system toward thermal runaway. 

A useful analogy is to think of a BESS as an apartment building rather than a single home. You secure the front door, sure, but you also have to think about the service entrance, the rooftop access, the maintenance contractors who come and go, the network closet in the basement, and the cellular antenna on the roof that the elevator company installed and never told the building manager about. Every one of those is a potential way in, and every tenant on every floor is affected if just one of them gets compromised. 

Three Structural Problems Make This Harder Than Traditional Grid Cyber Work

The first is regulatory scope. NERC CIP does reach battery storage, but only when that storage is part of the Bulk Electric System. A BESS that interconnects at transmission voltage and meets the registration thresholds gets pulled in as a generation resource, and the owner inherits the same CIP obligations as any other BES asset. The catch is that a large and fast-growing share of storage never connects at that level. Distribution-connected and behind-the-meter BESS sit below the BES line, and for those assets, CIP has not historically applied. Even the current effort to close part of this gap leaves it open. FERC Order 901 and NERC’s inverter-based resource registration initiative are bringing previously unregistered resources, BESS included, under mandatory standards by 2026, but that work explicitly stops at the edge of the local distribution system. So whether anyone is required to harden a given battery still comes down to where it connects, and plenty of it connects exactly where the rules run thin. NFPA 855, the fire protection standard these facilities actually do have to meet, contains zero cybersecurity requirements. IEC 62443 is the closest functional fit, but it is a framework, not a mandate. The result is that many BESS deployments reach commercial operation with minimal cyber hardening, because, depending on how they interconnect, nothing forces the issue. 

The second is supply chain opacity. Even when a utility specifies a North American or allied supplier, the firmware, controllers, and communication modules underneath that brand label often trace back to a small number of foreign manufacturers. Without a verified software bill of materials, you do not actually know what is inside your asset. 


The third is the remote access design. Most BESS facilities are managed through cloud control systems, often by the vendor. That is efficient for operations and brutal for security. Every persistent vendor connection is a trust relationship that a determined attacker will eventually probe. 

What Protection Actually Looks Like 

Securing a BESS fleet is not about buying a single product or running a single audit. It is about building visibility, segmentation, and verification into the asset lifecycle from procurement onward. 

Visibility comes first. You cannot defend what you cannot see, and most utilities have limited insight into what their BESS controllers, inverters, and battery management systems are actually doing on the network. Continuous OT monitoring that understands BESS-specific protocols and behaviors gives you the ability to detect anomalies, unauthorized communications to unexpected destinations, firmware changes, and lateral movement from a compromised vendor connection. If an inverter starts beaconing to an IP address it has never talked to before, you want to know in minutes, not weeks. 

Segmentation is the engineering answer. The BESS control network should be isolated from corporate IT, from other OT zones, and from the public internet by design. Vendor remote access should be brokered through monitored jump hosts with session recording, not direct VPN tunnels into the control environment. The Purdue model exists for a reason, and it applies here. 
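
To make the visibility and segmentation points concrete, here is a minimal detection sketch, added as an illustration and not taken from any vendor product. It learns which destinations each BESS asset normally talks to, then flags first-seen destinations and inbound sessions that skip the jump host. The addressing plan, flow records, and function names are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed addressing plan (assumptions for this sketch).
BESS_ZONE = ipaddress.ip_network("10.50.0.0/24")   # BESS control network
INTERNAL = ipaddress.ip_network("10.0.0.0/8")      # all utility-owned space
JUMP_HOST = ipaddress.ip_address("10.60.0.10")     # brokered vendor access

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port).
BASELINE_FLOWS = [
    (1000, "10.50.0.21", "10.50.0.5", 502),   # inverter -> EMS, Modbus/TCP
    (1010, "10.50.0.22", "10.50.0.5", 502),   # BMS -> EMS
    (1020, "10.50.0.5", "10.60.0.20", 443),   # EMS -> historian in DMZ
]
LIVE_FLOWS = [
    (2000, "10.50.0.21", "10.50.0.5", 502),      # matches baseline
    (2005, "10.50.0.21", "203.0.113.77", 443),   # inverter -> never-seen external host
    (2010, "10.50.0.21", "203.0.113.77", 443),   # repeat beacon, alerted once
    (2020, "10.60.0.10", "10.50.0.22", 22),      # vendor session via jump host
    (2030, "10.70.0.14", "10.50.0.22", 22),      # direct tunnel past the jump host
    (2040, "10.50.0.22", "10.50.0.21", 502),     # new peer inside the zone
]

def build_baseline(flows):
    """Record every (dst, port) each BESS asset used during a trusted learning window."""
    seen = defaultdict(set)
    for _, src, dst, port in flows:
        if ipaddress.ip_address(src) in BESS_ZONE:
            seen[src].add((dst, port))
    return seen

def detect(flows, baseline):
    """Return (ts, src, dst, port, reason) for flows that break baseline or zone rules."""
    alerts, already = [], set()
    for ts, src, dst, port in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in BESS_ZONE:
            if (dst, port) in baseline.get(src, set()):
                continue
            reason = "new-internal-destination" if d in INTERNAL else "new-external-destination"
        elif d in BESS_ZONE and s != JUMP_HOST:
            reason = "inbound-bypasses-jump-host"
        else:
            continue
        if (src, dst, port) not in already:      # one alert per distinct conversation
            already.add((src, dst, port))
            alerts.append((ts, src, dst, port, reason))
    return alerts

if __name__ == "__main__":
    for alert in detect(LIVE_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(alert)
```

The baseline is only as trustworthy as the window it was learned in, so it should be built from a period you have reason to believe was clean and reviewed whenever firmware or vendor endpoints change.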

Verification is where penetration testing and security assessments earn their place. A targeted assessment of a BESS deployment should examine firmware integrity on controllers, the security of vendor cloud channels, the configuration of inverters and battery management systems, the resilience of safety interlocks against control system manipulation, and the realistic exploitability of the entry points an attacker would actually use. This is not a checkbox compliance exercise. It is the closest thing you can get to knowing how your asset will behave under pressure without actually being attacked. 

For executives weighing where to invest, the practical sequence is straightforward. Start with an assessment of your current BESS estate to understand the real risk picture. Use that to drive monitoring deployment so you have ongoing visibility instead of a point-in-time snapshot. Use architecture or engineering knowledge to properly segment your networks and limit third-party access. Then bake those lessons into procurement, contracts, and SLAs so the next system you buy does not recreate the same problems.

The Window To Act Is Now 

The combination of rapid BESS growth, documented supply chain concerns, and active nation-state interest in U.S. grid infrastructure creates a situation where waiting is the worst available option. The utilities that move now to assess, monitor, and harden their battery storage assets will be the ones that avoid becoming the case study everyone else learns from. 

If you operate or are planning a BESS deployment, the right next conversation is not whether to take cybersecurity seriously. It is whether your current visibility and assurance are good enough to defend an asset that adversaries are already studying. We help utilities answer that question through targeted BESS-focused penetration testing and assessments, and through continuous monitoring solutions built for the reality of how these systems actually operate. If that is a conversation worth having, we are ready when you are.

Read more about how Insane Cyber helped secure a critical battery infrastructure. Download our recent white paper today.
