Securing BESS in a Digital Age
When battery storage systems fail, it won’t just be a hardware issue. Increasingly, it will be a software breach.
Cybersecurity has become one of the most urgent and complex challenges in the battery energy storage system (BESS) industry. As BESS are deployed at scale to support renewables, provide backup power, and balance the grid, they are also becoming targets. And not just any targets — critical infrastructure targets.
At EticaAG, we believe physical safety and digital security are inseparable. That’s why we’ve taken a layered, standards-driven approach to cybersecurity. But before we get into our seven-layer architecture, let’s examine the broader threats the industry faces.
Why Cybersecurity in BESS Matters
Battery energy storage systems used to be relatively isolated. Now they’re networked, software-controlled, and cloud-connected. That connectivity introduces massive value and massive risks.
A modern BESS isn’t just a container of batteries. It includes:
- Battery management systems (BMS)
- Energy management systems (EMS)
- Power conversion systems (PCS)
- Remote monitoring tools
- Network switches, routers, and firewalls
Each of these components can become an entry point for a cyberattack. If compromised, a hacker could disable protections, falsify battery readings, or manipulate grid functions.
Even a small breach can create serious consequences:
- Damaged equipment due to unmanaged charging or thermal runaway
- Unplanned outages at critical sites like hospitals or data centers
- Violated safety thresholds that risk public health
- Loss of trust from utilities, regulators, and communities
This isn’t hypothetical. Government agencies like FERC and DOE have issued warnings. Private utilities are asking for cybersecurity guarantees during procurement. And regulators are beginning to treat cybersecurity as a prerequisite for approval.
Common Threats Facing Energy Storage Systems
To protect BESS effectively, we first have to understand the ways they can be compromised.
Some of the most common cyber-physical threat vectors include:
- Remote Access Exploits: Many systems use remote diagnostics and control. Weak credentials or open ports make easy entry points.
- Man-in-the-Middle Attacks: Intercepting traffic between system components to inject malicious commands or read sensitive data.
- False Data Injection: Sending spoofed readings to the BMS to disable safety logic or trigger degradation.
- Denial of Service (DoS): Overwhelming the network to interrupt EMS coordination or device communication.
- Insider Threats: Misused credentials, forgotten backdoors, or untrained operators creating risk from within.
These attacks don’t require advanced nation-state actors. Many can be executed with basic tools, especially when the system has not been properly segmented, encrypted, or monitored.
The Compliance Gap: Standards Struggle to Keep Up
Cybersecurity regulations for energy storage are evolving, but they’re still playing catch-up. Most of today’s standards were designed for traditional generation or general industrial control systems (ICS).
Some of the key standards in use include:
- IEC 62443: Widely accepted framework for securing industrial automation and control systems. Relevant to BESS but not specific.
- NERC CIP: Applies to bulk electric systems. BESS may fall under its scope when integrated with transmission infrastructure.
- UL 2900: Focused on software cybersecurity, but rarely mandated.
Because of this regulatory gap, many deployments are rushed to market with minimal cyber hardening. That’s risky.
At EticaAG, we treat cybersecurity not as a checkbox but as a design pillar. We’ve modeled our systems around IEC 62443-4-1 and 4-2, integrating protection from the physical layer to the cloud API.
EticaAG’s Security by Design Approach
When we say “secure by design,” we mean it.
Security is embedded in our firmware, hardware, and communication protocols. Our engineering and software teams build around principles like zero trust, least privilege, and defense-in-depth.
And we don’t rely on a single line of defense. We use a seven-layer architecture, mapped to the OSI model, to ensure that even if one control is bypassed, multiple others still stand between the attacker and system compromise.
Let’s walk through those layers.
EticaAG’s Seven Layers of Cybersecurity Protection
Layer 1: Physical Isolation and Intrusion Detection
We start with the basics. Communication between the BMS and the Battery Control Unit (BCU) runs over a closed-loop CAN bus, which has no external interface. This makes external data injection virtually impossible.
We also install door detection sensors that alert the system if a cabinet or enclosure is opened without authorization. These sensors are tied to both local alarms and the EMS.
Layer 2: Secure Switching and Hardware Encryption
Our MOXA EDS switches are industrial-grade, IEC 62443-compliant, and packed with features like:
- Broadcast storm protection
- MAC sticky filters
- Port locking and VLAN segmentation
- RADIUS and SSH authentication
In addition, we embed encryption chips directly on our BCU boards. These chips support elliptic curve cryptography, secure key storage, and true random number generation certified under NIST SP 800-90.
This ensures that even if a device is physically removed, the data and access keys remain protected.
Layer 3: Firewall and Network Segmentation
Each BESS unit is protected by a MOXA EDR firewall capable of deep packet inspection, NAT filtering, and stateful inspection.
We implement:
- Static IP addressing to eliminate DHCP spoofing
- IP whitelisting so only known systems can initiate contact
- Subnet isolation to prevent lateral movement between devices
These measures limit the blast radius of any compromise.
Layer 4: Encrypted Communications and Connection Monitoring
All communication between our EMS and other system components is encrypted with SSL/TLS. This prevents packet sniffing, tampering, or session hijacking.
We also transmit heartbeat packets at fixed intervals to confirm that devices are online and uncompromised. Any disruption automatically triggers a response in the EMS.
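An added example, not EticaAG code, of how an EMS-side monitor can check that heartbeats are both on time and genuine. The packet format, per-device HMAC keys, device names, 5-second interval and three-miss limit are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

INTERVAL_S = 5.0    # assumed heartbeat period
MISSED_LIMIT = 3    # assumed: alarm after three missed intervals
TAG_LEN = 32        # HMAC-SHA256 output size


def make_heartbeat(key: bytes, device_id: str, seq: int) -> bytes:
    """Device side. Assumed format: id | 8-byte counter, then the MAC."""
    body = device_id.encode() + b"|" + struct.pack(">Q", seq)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class HeartbeatMonitor:
    """EMS side: authenticate heartbeats and track which devices are silent."""

    def __init__(self, keys: dict):
        self.keys = keys                          # per-device shared keys
        self.last_seq = {d: -1 for d in keys}     # highest counter accepted
        self.last_seen = {d: None for d in keys}  # time of last valid packet

    def receive(self, packet: bytes, now: float) -> str:
        if len(packet) < TAG_LEN + 10:            # 1-byte id + "|" + counter
            return "malformed"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        device_id = body[:-9].decode(errors="replace")
        key = self.keys.get(device_id)
        if key is None:
            return "unknown-device"
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "bad-mac"                      # forged or corrupted
        seq = struct.unpack(">Q", body[-8:])[0]
        if seq <= self.last_seq[device_id]:
            return "replay"                       # old packet re-sent
        self.last_seq[device_id] = seq
        self.last_seen[device_id] = now
        return "ok"

    def overdue(self, now: float) -> list:
        """Devices with no valid heartbeat inside the allowed window."""
        limit = INTERVAL_S * MISSED_LIMIT
        return sorted(d for d, t in self.last_seen.items()
                      if t is None or now - t > limit)
```

Only packets that pass the MAC and counter checks refresh `last_seen`, so replayed or forged heartbeats cannot hide a device that has gone silent.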
Layer 5: Session Control and Timeout Handling
The EticaAG EMS uses JWT-based session tokens to authenticate users without storing credentials in plain text or transmitting them repeatedly.
Session timeouts are enforced automatically. If an operator walks away or disconnects, the session closes.
This eliminates one of the most common access control vulnerabilities: persistent admin sessions.
Layer 6: TLS Payload Encryption
We go beyond just wrapping communication in SSL. The data payloads themselves are TLS-encrypted to preserve confidentiality and ensure data integrity.
If data is tampered with or altered during transmission, it is automatically rejected.
Layer 7: Secure Interfaces and Logging
Finally, the application layer.
Our web-based EMS interface is only accessible over HTTPS, and all user accounts are controlled by role-based access control. That means a technician doesn’t have the same privileges as an integrator or administrator.
All API endpoints are RESTful and require token-based authentication.
Every API call, configuration change, and login attempt is logged. These logs can be exported for forensic analysis, audit, or compliance checks.
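An added example, not EticaAG code, tying together the Layer 5 session tokens and the Layer 7 role checks and logging: an HS256 JWT is verified, its expiry enforces the session timeout, the role gates the action, and every decision is logged. The signing key, 15-minute lifetime, permission map and action names are assumptions; only the three role names come from the text above.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key"   # placeholder signing key
SESSION_TTL_S = 900                # assumed 15-minute session lifetime
ROLE_PERMS = {                     # assumed permission map
    "technician": {"read_status"},
    "integrator": {"read_status", "write_config"},
    "administrator": {"read_status", "write_config", "manage_users"},
}
AUDIT_LOG = []                     # stand-in for an append-only log sink

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(signing_input: str) -> str:
    return _b64(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())

def issue_token(user: str, role: str, now: int) -> str:
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": user, "role": role,
                            "exp": now + SESSION_TTL_S}).encode())
    return f"{head}.{body}.{_sign(head + '.' + body)}"

def authorize(token: str, action: str, now: int) -> bool:
    """Check signature, expiry and role; log every decision."""
    user, result = "?", "malformed"
    try:
        head, body, sig = token.split(".")
        # The algorithm is fixed server-side; the header's "alg" is never trusted.
        if not hmac.compare_digest(sig.encode(), _sign(f"{head}.{body}").encode()):
            result = "bad-signature"
        else:
            pad = "=" * (-len(body) % 4)
            claims = json.loads(base64.urlsafe_b64decode(body + pad))
            user = claims["sub"]
            if now >= claims["exp"]:
                result = "expired"
            elif action not in ROLE_PERMS.get(claims["role"], set()):
                result = "forbidden"
            else:
                result = "ok"
    except (ValueError, KeyError, TypeError, AttributeError):
        pass
    AUDIT_LOG.append({"t": now, "user": user, "action": action, "result": result})
    return result == "ok"
```

Claims are read only after the signature verifies, so an unsigned or altered token never puts an attacker-chosen user name into the audit log.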
Why This Matters for Project Stakeholders
Cybersecurity isn’t just a concern for utilities anymore. Developers, EPCs, and end users are all feeling the pressure.
- Developers need to assure financiers and permitting authorities that their BESS won’t introduce grid vulnerabilities.
- EPCs need systems that are plug-and-play secure so they don’t have to retrofit solutions post-installation.
- Facility operators need to know their energy resilience solution won’t become a cybersecurity liability.
A breach or a weak link doesn’t just impact uptime. It impacts credibility.
Physical Safety Isn’t Enough Anymore
At EticaAG, we’re known for our non-flammable, immersion-cooled battery systems. But fire risk isn’t the only risk.
The next generation of threats won’t come with smoke. They’ll come through exposed ports, spoofed credentials, and unsecured APIs.
We’re ready for that future. Our seven-layer cybersecurity stack was designed to meet it head-on.
If you’re building for resilience, don’t stop at batteries that won’t burn. Choose systems that won’t break digitally either.
Let’s secure the future of energy — both physically and digitally.


