Aon, a global professional services firm, has urged asset owners and operators in the battery energy storage system (BESS) market to enhance their cyber resilience against emerging cyber threats, identifying operational technologies used in BESS control systems as an ‘invisible’ point of vulnerability.
As the energy grid digitalises, cyber attacks are ranked as the number one threat facing businesses today and in the future, according to Aon’s 2021 Global Risk Management Survey.
Energy businesses, in particular, are facing an increasingly complex cyber risk landscape, with new forms of volatility and current geopolitical tensions driving scrutiny on the security of essential energy infrastructure, Aon said.
According to the 2H 2022 Energy Storage Market Outlook from BloombergNEF (BNEF), energy storage installations around the world are projected to reach a cumulative 411 GW – or 1,194 GWh – by the end of 2030. This growth is going hand-in-hand with the increasing digitalisation of the energy system.
However, due to the nature of this digital evolution, Operational Technologies (OT) assets are now connected more than ever, which may leave asset owners exposed to unknown risks and open to attacks from threat actors.
“In our experience, cyber security for OT is playing catch-up with information technology (IT). We see examples of clients who have relatively mature cyber security programmes for IT, with corresponding control frameworks that are established and measured, yet have noticeable control gaps for OT,” Andrew Hainault, managing director, EMEA – Security Advisory at Aon, said.
While only a handful of successful attacks on clean energy systems have been reported to date, new forms of sophisticated malware emerged in 2022 – including Chernovite’s ‘Pipedream’ – that pose a significant threat to industrial control systems connected to the energy grid, including BESS.
Aon has cautioned that even BESS asset owners with robust IT security measures in place may be overlooking significant vulnerabilities in their OT systems.
Should these gaps in cyber security for OT be exploited by a threat actor, the consequences may far outweigh the impact of a cyber attack on IT systems – leading to severe operational, financial and physical impacts for BESS asset owners, Aon said.
“Lithium-ion (Li-ion) batteries – currently the most commonly used in BESS – require careful monitoring and control of their voltage, current and temperature conditions. If a threat actor were to interfere with this monitoring and control, physical damage could occur – ranging from battery cell degradation, caused by overcharging or over-discharging, to a ‘thermal runaway’ event resulting in overheating, fire or explosion,” Paul Gooch, the lead underwriter for Aon’s Cyber Property Damage Facility, said.
To reinforce their cyber security strategies, Aon recommends that BESS asset owners take steps to continually assess, mitigate, and transfer their risks, as well as recover from operational and financial loss.
These capabilities are crucial to ensure that storage owners are better placed to access insurance cover and maintain business continuity both in preparation for and in the event of a cyber attack on their IT or OT systems, Aon noted.
