The Cybersecurity Blind Spot in a Rapidly Scaling Grid

Battery Energy Storage Systems (BESS) are no longer pilot projects or niche assets. They are becoming foundational to grid reliability across North America. In many ways, they can be considered the central nervous system of the modern grid. As renewables scale and energy demand rises — driven by electrification, industrial reshoring, and data center growth — storage is increasingly responsible for frequency regulation, peak shaving, reserve margins, and grid balancing.

As BESS becomes operationally critical, however, cybersecurity maturity is not keeping pace. The issue is not a lack of regulation. It is the growing gap between regulatory compliance and real operational visibility.

Storage is software, and software can be manipulated

Modern BESS environments are deeply digital. A battery site includes battery management systems (BMS), inverters, programmable logic controllers (PLCs), energy management systems (EMS), remote access gateways, and vendor maintenance channels. These systems communicate continuously across internal and external networks. It’s a simple truth: with batteries, you don’t just own a box of cells — you own software that charges them. And software can be manipulated.

Monitoring of industrial control environments has revealed how attackers probe operational systems. In some cases, external entities have connected to PLC web servers and attempted to switch systems into STOP mode, while others have issued specific Modbus request sequences to scan and interrogate control logic. These are not abstract IT intrusions, but rather direct interactions with operational controls.

At the same time, cyber incidents causing operational disruption in energy environments have surged. In 2024, incidents leading to disruption rose 146 percent, increasing from 412 to more than 1,000 affected sites, with many attacks impacting multiple locations. Nation-state cyberattacks with physical impact climbed to 76 in the same year, a full three times earlier levels.

These numbers reflect a clear reality: attackers are targeting operational environments, not just data.

Exploitation is accelerating

Another critical factor is speed: attackers are exploiting vulnerabilities faster than before. Analysis shows that 31 percent of known exploited vulnerabilities are weaponized within one day of disclosure, and roughly 60 percent are exploited within the first year. Meanwhile, the UK’s National Cyber Security Centre reported that just three widely used vulnerabilities were linked to 29 significant incidents in a single year, illustrating how quickly attackers concentrate on newly exposed weaknesses.

In BESS environments, where remote connectivity, vendor updates, and embedded components are common, delayed patching or incomplete asset visibility creates a narrow margin for error.

Compliance frameworks such as NERC CIP establish mandatory requirements to protect the Bulk Electric System. Penalties for non-compliance can reach up to $1 million per violation per day, on top of generation loss, risks to insurance premiums, and reputational damage. Executives must attest to adherence, and enforcement actions are publicly disclosed. While these standards are necessary, compliance often focuses on documentation, policy mapping, and periodic attestations. It does not always guarantee continuous insight into what firmware is running at a remote storage site, which ports are open, or whether an unauthorized service is communicating externally.

In practice, organizations may be compliant on paper while lacking real-time operational awareness.

Critical renewables are increasingly exposed

Historically, cybersecurity investment in the energy sector has been concentrated on large, legacy generation assets. Coal, gas, and nuclear facilities have long been treated as primary reliability anchors.

Today, that model is changing. Storage and renewables are not peripheral but are central to reliability. In some regions, BESS assets are directly influencing dispatch decisions and frequency control. At the same time, many renewable systems are built through complex global supply chains. Battery modules, control boards, communication hardware, and firmware may originate from multiple vendors across jurisdictions. Even when integration occurs domestically, embedded technology risk persists.

While this does not imply inherent compromise, it does mean that visibility into deployed components, communication patterns, and software provenance is essential. As geopolitical tensions evolve, critical infrastructure cannot afford blind spots inside distributed, software-driven assets.

The one-two punch of data centers and storage

The urgency is amplified by the growing interdependence between data centers and the grid. Data centers are rapidly expanding across North America, placing significant new load demands on transmission systems. Many are incorporating on-site generation and storage to manage resilience and cost.

When storage assets support both grid balancing and data center continuity, the stakes shift from data theft to physical and economic disruption. A compromise of operational controls could affect not just a single facility, but interconnected energy and digital ecosystems.

Digital ambition is accelerating. Cyber resilience must keep pace.

Beyond “Stop Every Attack”

Cybersecurity in operational environments is not about eliminating every threat. That’s something we simply cannot do. Cybersecurity in these environments should really focus on shifting the economics of attack. Attackers are, in many ways, business people who behave rationally and seek return on investment. When their efforts bump into defenses that increase cost, complexity, and detection likelihood, adversaries often pivot and move on, looking for an easier path.

As an operator in a BESS environment, defense means:

  • Continuous asset visibility across OT components
  • Network segmentation between IT and operational systems
  • Monitoring for anomalous control traffic and state changes
  • Independent validation of remote access pathways
  • Evidence retention that satisfies both operational and regulatory scrutiny

Alert fatigue and uncorrelated logging can obscure critical signals. Visibility must be focused and actionable.
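As an illustration of focused monitoring for anomalous control traffic, the following is an added example (not code from the author or Centrii) that parses Modbus/TCP requests and raises one alert per meaningful event: a write from a source outside an approved-master list, a register sweep, or a malformed frame. The allowlist, the sweep threshold, the alert names, and the sample frames are all assumptions constructed for the example.

```python
import struct
from collections import defaultdict

READ_FCS = {1, 2, 3, 4}     # read coils / discrete inputs / holding / input registers
WRITE_FCS = {5, 6, 15, 16}  # write single or multiple coils and registers

def parse_request(adu):
    """Parse a Modbus/TCP request (7-byte MBAP header + PDU); None if malformed."""
    if len(adu) < 8:
        return None
    _tid, proto, length, unit, fc = struct.unpack(">HHHBB", adu[:8])
    if proto != 0 or length != len(adu) - 6:  # length field counts unit id + PDU
        return None
    addr = struct.unpack(">H", adu[8:10])[0] if len(adu) >= 10 else None
    return unit, fc, addr

def frame(unit, fc, addr, value, tid=1):
    """Build a constructed 12-byte request for the sample data below."""
    return struct.pack(">HHHBBHH", tid, 0, 6, unit, fc, addr, value)

def detect(frames, approved_masters, sweep_threshold=3):
    """Return (source, alert_kind, detail) tuples; thresholds are assumptions."""
    alerts, touched, swept = [], defaultdict(set), set()
    for src, adu in frames:
        req = parse_request(adu)
        if req is None:
            alerts.append((src, "malformed_frame", len(adu)))
            continue
        unit, fc, addr = req
        if src in approved_masters:
            continue  # expected EMS polling and setpoint writes stay quiet
        if fc in WRITE_FCS:
            alerts.append((src, "unapproved_write", (unit, fc, addr)))
        elif fc in READ_FCS:
            touched[src].add((unit, addr))
            if len(touched[src]) >= sweep_threshold and src not in swept:
                swept.add(src)  # one alert per source, not one per packet
                alerts.append((src, "register_sweep", len(touched[src])))
    return alerts

# Constructed sample capture: (source IP, raw Modbus/TCP request bytes).
SAMPLE = [
    ("10.0.0.5", frame(1, 3, 100, 2)),        # approved EMS reads holding registers
    ("10.0.0.5", frame(1, 6, 200, 500)),      # approved EMS writes a setpoint
    ("203.0.113.7", frame(1, 3, 0, 1)),       # unknown source walks addresses 0..2
    ("203.0.113.7", frame(1, 3, 1, 1)),
    ("203.0.113.7", frame(1, 3, 2, 1)),
    ("203.0.113.7", frame(1, 5, 0, 0xFF00)),  # unknown source forces a coil
    ("10.0.0.9", b"\x00\x01\x00\x00"),        # truncated frame
]
```

Calling `detect(SAMPLE, approved_masters={"10.0.0.5"})` yields three alerts for seven frames, which is the point: routine polling from the approved master produces no noise.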

Compliance is the floor, not the ceiling

Regulation will continue to expand. Insurance carriers increasingly demand technical proof of cybersecurity maturity. Boards are more aware of fiduciary exposure. Public scrutiny intensifies after every major infrastructure incident. But compliance alone does not equal security.

Battery Energy Storage Systems are becoming foundational infrastructure in a decarbonizing, electrifying economy. They are software-enabled digital control environments embedded inside physical assets. Treating them as ancillary or secondary from a cybersecurity perspective is no longer viable.

As storage scales across North America, operators must ask a simple question: do we truly see what is running inside our most critical assets or are we relying on checklists and assumptions?

The answer will define resilience in the next era of grid reliability.

 

Rafael Narezzi, co-Founder and CEO of Centrii, is a business and technology leader with more than 20 years of experience. At Centrii he oversees the company's mission to create efficient, secure, and sustainable energy solutions for the renewable sector and beyond. Rafael is also the founder of South America's leading cyber security event, Cyber Security Summit, as well as a regular speaker at industry events, and published author.

Centrii | centrii.com

 

 

 


Author: Rafael Narezzi
Volume: 2026 May/June