Energy storage technologies must have the best protections available from hacking threats, writes Adile Ajaja, director of operations, IT and cybersecurity at EVLO.
Cybersecurity threats are now among the most pressing challenges facing the energy sector. In the past year alone, cyberattacks on US utilities surged by 70%, affecting a broad spectrum of providers from small municipal co-ops to large investor-owned power companies.
Enjoy 12 months of exclusive analysis
- Regular insight and analysis of the industry’s biggest developments
- In-depth interviews with the industry’s leading figures
- Annual digital subscription to the PV Tech Power journal
- Discounts on Solar Media’s portfolio of events, in-person and virtual
Or continue reading this article for free
Electric utilities are perceived by hackers as particularly vulnerable, with the number of susceptible grid network access points growing by 60 per day and continued reliance on ageing grid infrastructure in the US, averaging 40 years old.
No utility is safe from hackers, often backed by nation-states or organised groups. It only takes one breach to unleash widespread disruption, making utilities a prime target for those looking to exploit critical infrastructure or geopolitical gains.
Now, more than ever, it’s crucial for utilities and their energy storage providers to actively prevent and plan against cybersecurity threats. Fortunately, there are a growing number of security options to deploy and best practices to offer guidance.
As Director of Operations, IT and Cybersecurity at EVLO, a provider of fully integrated battery energy storage solutions (BESS) and a utility subsidiary, I lead a team of experts working at the forefront of cybersecurity.
Our core focus is on safeguarding utility and independent power producer (IPP) customers from cyber threats that could compromise their BESS, which are recognised as critical by the North American Electric Reliability Corporation (NERC), and therefore attractive targets for attackers aiming to destabilise the grid through utility operations.
The threats are diverse and sophisticated. They include and are not limited to:
- Ransomware attacks, where operators become locked out of the BESS assets, or sensitive operational data is held for ransom.
- Operational disruptions, including spoofing, command injections, and distributed denial of service (DDoS).
- Remote access risks through cloud-based entry points.
Codes, regulations and standards
Safeguarding North America’s power grid against these risks are the mandatory NERC Critical Infrastructure Protection (NERC-CIP) standards, which require for BESS to implement robust security management controls, regular system monitoring, and incident response protocols to prevent unauthorised access and ensure continuous system reliability.
For added protection, NERC compliance can be layered with other optional, yet thorough standards providing guidance for establishing, implementing, maintaining, and continually improving an information security management system (ISMS), such as NIST, ISO 27001, SOC 2 or CIS Controls. Integrating multiple certifications, governances, and standards ensures comprehensive security for BESS deployments.
In fact, utilities and independent power producers should look for a BESS controlled by an energy management system (EMS), such as EVLO’s proprietary EVLOGIX, that comes NERC-CIP ready with high-grade encryption and authentication mechanisms to ensure robust cybersecurity. EVLOGIX also offers secure code management, which includes Static Testing (SAST), Software Bill of Materials (SBOM) management, and vulnerability scanning.
Above and beyond merely complying with required regulations and standards, EVLO has a security-first mindset. This approach is rooted in the extensive cybersecurity expertise of its parent company, Hydro-Québec, a utility that has spent decades securing critical infrastructure and ensuring grid reliability.
Together, they have developed several best practices, including a strict supplier code of conduct to prevent behavioral cybersecurity incidents.
Being born out of a utility lays the foundation for EVLO’s commitment to exceeding expectations in cybersecurity, with an overarching philosophy based on three core principles: broad prevention, rapid detection, and lossless remediation.
BESS best practices
To begin, it is important to note that BESS suppliers must carefully review the origin of components, engaging only reputable suppliers who conduct thorough testing and analysis of their materials. Sky-high standards for supply procurement have never been more important, especially in today’s tense geopolitical climate.
Establishing contracts only with trusted and verified suppliers protects the quality of the BESS itself and prevents bad actors and cybersecurity risks on the supply chain side.
To protect the BESS ahead of its deployment, rigorous testing should always be conducted. Furthermore, every software update, patch, and configuration change should undergo thorough additional testing in controlled environments to preemptively identify vulnerabilities.
For example, EVLO conducts extensive real-world testing at its live 25kV test line facility, simulating real-world cyber threats to proactively test the system’s defences. Regular penetration tests (pen tests) and vulnerability scans identify any potential security gaps in the battery systems’ electronic components and refine protective controls.
Following testing and installation, the BESS’ energy management system must include remote connectivity and real-time system monitoring to prevent threats and unauthorised access onsite.
While the goal is always to prevent threats in the first place, if one does emerge, operators must be well-prepared and able to count on the rapid response of an expert team to ensure real-time support and effective response to any cybersecurity threats.
Disaster recovery plans are essential for helping BESS assets recover quickly and reliably in the event of server loss or communication failures. The concept of cyber resilience has also gained traction; this implies, for example, that data backup and recovery solutions restore critical functions if infrastructure is compromised, ensuring continuity even in worst-case scenarios.
A proactive, multi-layered approach to BESS cybersecurity is a top value add for utilities, and developers are encouraged to explore new solutions to reinforce their system’s cyber defence.
Recently, EVLO collaborated with one of the largest utilities in the mid-Atlantic on a highly secure new BESS solution, integrating advanced security protocols tailored to the utility’s requirements. The solution developed is one of the most cybersecure BESS deployments in the entire industry and sets a new benchmark for safety in energy storage.
A cybersecure future
In the future, BESS operators will need to move beyond reactive security measures to embrace predictive, adaptive, and AI-driven cybersecurity solutions to combat increasingly sophisticated threats. AI and machine learning continuously provide enhanced automated risk detection and response capabilities.
EVLO is exploring how machine learning algorithms can enhance real-time anomaly detection in EVLOGIX, ensuring proactive risk mitigation. Zero-trust architecture will continue to strengthen cybersecurity with more stringent access to critical BESS assets. EVLO has long had zero-trust principles embedded into its secure remote access framework, ensuring that even authorised users operate on a ‘least privilege’ basis.
Finally, the industry should follow and support government and regulators’ action as they continuously work to protect BESS through increasingly stringent safety mandates and standards.
For instance, last year NERC expanded its compliance scope for Generator Operators of Inverter-Based Resources (GO-IBRs) to include standalone BESS. Starting May of 2025, any utility-scale BESS with 20 MVA or more, will have to register for NERC compliance.
This will push for stronger access controls and identity management, enhanced monitoring and threat detection, and supply chain security requirements.
Measures like these enhance the security and reliability of the entire grid. Meanwhile, the executive branch remains focused on cybersecurity research; in October 2024, the DOE announced nearly US$23 million in funding for eight projects focused on developing tools and technologies to improve cybersecurity in clean energy infrastructure.
While EVLO has celebrated incredible achievements in cybersecurity, we are always striving for continuous improvement. As cyber threats evolve, the measures to prevent and respond to them must also advance. Now and for the decades to come, BESS assets will play an increasingly critical role in maintaining reliable power and a secure grid. Future-proofing energy storage assets will take experimentation, collaboration, and a holistic approach that stresses safety throughout the product lifecycle.
For more information on BESS cybersecurity and EVLO’s offerings, visit evloenergy.com
About the Author
Adile Ajaja is Director of Operations, IT and Cybersecurity at EVLO, a fully integrated battery energy storage systems and solutions provider. Adile leads a team of experts focused on safeguarding utility and independent power producer customers from cyber threats that could compromise their energy storage systems.
