Cybersecurity in BESS Projects
Battery Energy Storage Systems (BESS) typically operate in conjunction with digital control solutions, so cybersecurity must be incorporated from the very first stages of project planning. Such systems are rarely completely isolated from external connections—they are connected to the power grid, integrated with facility consumption, production processes, inverters, controllers, and remote monitoring.
Remote control and data transmission help us use energy more efficiently, but they also create more connection points. Every location through which the system transmits data, receives control signals, or is accessible remotely must be assessed and protected.
Where are the greatest cyber risks for BESS systems?
Remote access accounts, the inverter control environment, the monitoring platform, the router, the firewall, maintenance logins, or software used by the supplier: each of these connections to the outside world adds another point of exposure to cyber risk.
A security gap can be quite basic: several people using the same account, passwords that haven’t been changed for a long time, or administrator rights granted to all employees without exception. If such gaps are left unaddressed, it becomes impossible to track who logged into the system and what changes were made. As long as everything runs smoothly, there are no problems, but when the system malfunctions, you have to find out who changed the settings and whether that person was even authorised to do so.
It is also worth defining suppliers' and maintenance partners' rights in advance. Even before signing a contract, it’s helpful to know whether partners will be able to connect to the system independently, or if your approval will be required each time; who will handle software updates; and whether you’ll be able to quickly restrict this access yourself if necessary.
The security of the platform and data itself is no less important. It is worth finding out whether the system is dependent on the manufacturer’s servers or can operate independently, where exactly the data is stored, and who has access to it. If third-party software, an additional controller, or an external monitoring environment is introduced into the project, a security vulnerability may arise in that component.
What kind of losses can unprotected administrative access cause a company?
The greatest risk arises when the same access point allows not only data monitoring but also control of the system itself. With such access rights, it becomes possible to alter operating modes, power limits, inverter or controller settings, and monitoring accounts.
In such a case, the storage system may begin to operate in direct opposition to the planned scenario: it may stop storing energy when electricity is cheap, fail to discharge during peak hours, and so on. For a business, this can mean a sudden spike in electricity costs, lost financial benefits, and valuable time wasted troubleshooting the issue.
The risk doubles if the BESS control equipment shares the same network as other facility systems. In such a case, a poorly secured storage system connection becomes an open gateway to the entire internal infrastructure: routers, accounting systems, video cameras, databases, or other remotely controlled devices.
BESS management software should under no circumstances be left on the company’s general network without first clearly defining user permissions. It is wisest to assign access rights based on need: some employees only need to monitor data, others may require technical maintenance functions, and full administrator access should be reserved for a very narrow circle of responsible individuals.
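An added example, not part of the original article and not Pinus LT's tooling: a small access review that checks an account inventory for the gaps described above (shared accounts, passwords left unchanged, rights beyond what the job needs, too wide an administrator circle). The inventory format, account names, and both thresholds are assumptions made for the illustration.

```python
from datetime import date

# Role tiers named in the text, ordered from least to most privileged.
ROLE_RANK = {"monitor": 0, "maintenance": 1, "admin": 2}

def review_accounts(accounts, today, max_password_age_days=180, max_admins=2):
    """Return sorted (account, finding) pairs for the access gaps described above.

    Both thresholds are assumptions for this example, not regulatory values.
    """
    findings = set()
    admins = []
    for acct in accounts:
        name = acct["name"]
        if len(acct["users"]) > 1:
            # Several people on one login: changes cannot be attributed to a person.
            findings.add((name, "shared account"))
        if (today - acct["password_changed"]).days > max_password_age_days:
            findings.add((name, "stale password"))
        if ROLE_RANK[acct["role"]] > ROLE_RANK[acct["needs"]]:
            # Granted more than the job requires, e.g. admin for a data viewer.
            findings.add((name, "excess privilege"))
        if acct["role"] == "admin":
            admins.append(name)
    if len(admins) > max_admins:
        # Full administrator access should stay with a narrow circle.
        for name in admins:
            findings.add((name, "too many administrators"))
    return sorted(findings)

# Constructed inventory of accounts on a BESS monitoring/control platform.
SAMPLE_ACCOUNTS = [
    {"name": "ops-shared", "users": ["anna", "jonas", "rita"], "role": "admin",
     "needs": "monitor", "password_changed": date(2023, 3, 1)},
    {"name": "tomas", "users": ["tomas"], "role": "maintenance",
     "needs": "maintenance", "password_changed": date(2025, 4, 10)},
    {"name": "egle", "users": ["egle"], "role": "admin",
     "needs": "admin", "password_changed": date(2025, 5, 2)},
    {"name": "vendor-svc", "users": ["supplier"], "role": "admin",
     "needs": "maintenance", "password_changed": date(2024, 1, 15)},
]

if __name__ == "__main__":
    for account, finding in review_accounts(SAMPLE_ACCOUNTS, date(2025, 6, 1)):
        print(f"{account}: {finding}")
```

Run against a real export of the platform's user list, the same checks give a starting list of accounts to split, rotate, or downgrade before the audit.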
What is important to consider before submitting a security compliance declaration?
It is best to develop a cybersecurity plan before installing the equipment. Once the project has been implemented, these issues become significantly more complex. It may turn out that partners’ access rights are undefined, that important documents are missing, that there is no clear configuration history, or that additional security measures are suddenly required. Then you have to reconfigure the system, coordinate responsibilities, and search for the missing information. And that means not only wasted time but also additional costs.
Some projects also require technical security measures. These can include firewalls, access restrictions, incident logging, update management, or continuous cyber monitoring. It is important to select all these tools on a case-by-case basis, taking into account the system, its management method, and specific requirements.
If an energy storage system with a capacity greater than 100 kW is planned, additional safety requirements apply in Lithuania. Starting May 1, 2025, a security compliance declaration is mandatory during the project implementation phase for newly installed power plants or energy storage facilities. A cybersecurity audit report must be submitted along with the declaration.
During this audit, experts evaluate more than just the equipment itself. The entire system is examined: how access is managed, how data flows, how the network is secured, which suppliers are involved in the project, and how identified vulnerabilities will be addressed. Finally, to ensure a successful project handover, an audit report, a vulnerability remediation plan, and additional documentation must be prepared and submitted to ESO.
How does Pinus LT’s expertise benefit energy storage projects?
First and foremost, we assess how much energy is planned to be stored, when it will be used, how the storage system aligns with the facility’s consumption, and the power ratings of the inverter and controllers. We also plan in advance how remote monitoring will be carried out and who will maintain the system after its launch.
When installing BESS systems, it is critically important to see the big picture—how all components will work together and who will manage the system itself. This allows us to allocate supplier responsibilities in advance and prepare for security requirements.
The Pinus LT team helps you think everything through in advance. Even before purchasing the equipment, we’ll work with you to identify the steps that require cybersecurity professionals' expertise. If you’re planning an energy storage project for your business or farm, we’ll help you design a solution that’s technically sound, easy to manage, and ready for safe use.