Interview with Peter Baard of Alliander on cybersecurity in the storage sector
Energy Storage NL is holding an interview series with its participants. The month of April is dedicated to "cyber security month," a campaign series to draw more attention to cyber security in the storage sector. This time we speak to Peter Baard, Epic Owner at Alliander. In this interview, Peter talks about the importance of cyber security within the storage sector, vulnerabilities and measures to consider, and offers advice on how organizations can start securing their energy storage systems.
Can you briefly explain your role and work at Alliander, Energy ISAC and DIVD?
I have been working within the energy sector for twenty years, fourteen of which at Gasunie and six years at NV Rendo, a smaller grid operator. I joined Alliander in August last year. Over the years I have been in various sector security groups and gained experience with digitalization and security issues within the energy sector. At Alliander I am involved in digitalization within the gas sector as epic owner, and as security ambassador energy chains I have a lot of focus on resilience. Through my broad network in the sector and my knowledge of chain processes, I work on improving cyber security within the changing energy system. I also chair the Energy ISAC, an alliance of grid operators and energy suppliers focused on sharing threat intelligence and improving joint cyber resilience. At DIVD, a collective of ethical hackers and security researchers, I focus on security research focused on the energy sector. My motivation is to minimize cyber threats and ensure a resilient energy system. It is becoming increasingly complex, digital and vulnerable, and the impact of failures or attacks can be enormous.
What motivated you to specialize in cybersecurity within the energy sector?
My focus is on the energy system as a whole, with the market forces of supply and demand, and thereby energy storage, playing an increasingly crucial role. The energy transition is increasing dependence on renewable, more decentralized energy sources such as solar and wind. Because these sources are not constantly available, the need for storage solutions is growing. As a result, the digital components within the energy system are also increasing, creating new cyber risks. My specific focus is on the risks created by the decentralization of the energy system and the potential for large-scale disruption through a multitude of smaller, digital energy components such as inverters, charging stations and storage. Where previously we had a few major players guarding the balance of the grid, we now see a fragmented landscape with many smaller devices and systems. This digitization and decentralization create new vulnerabilities that are not yet always well covered by regulations and security measures. My goal is to identify these risks and develop solutions to make the energy system as a whole more resilient.
How important is interagency cooperation in improving cyber resilience in the energy system?
Collaboration is critical to strengthen cyber resilience in the energy system. Cyber threats are complex, evolve rapidly and impact multiple parties simultaneously. In addition to formal collaborative structures such as ISACs and regulators, informal collaboration between technical experts across organizational boundaries is also necessary. Grid operators and energy suppliers must not only share information about threats, but also jointly develop strategies to prevent and mitigate attacks. Unfortunately, cooperation does not always come naturally. Corporate interests and image issues come into play, making some parties reluctant to share information. Still, it is essential that companies, governments and security groups work together to better protect the industry. Cyber threats do not stop at a company's borders; a weak link can impact the entire chain. That is why I advocate a culture of openness and shared responsibility within the industry that includes the smaller and less security-aware organizations.
What do you think are the biggest cyber threats to energy storage and battery systems?
One of the biggest threats is ransomware and other financially motivated cyberattacks. Cybercriminals can hold storage systems hostage and force companies to pay ransoms to get their systems operational again. There is also the risk of manipulation of energy storage systems to cause market disruptions. For example, consider a scenario in which an attacker manipulates battery systems so that they inject or consume energy at undesirable times, increasing energy prices or making the grid unstable. Coordinated attacks by state actors also pose a serious threat. They can compromise systems for geopolitical or strategic reasons. Furthermore, dependence on digital infrastructure is a vulnerability in itself. Many "smart" energy system components, such as battery storage systems, are entirely dependent on cloud platforms. If these fail due to an attack or failure, the batteries can no longer be intelligently controlled, with dire consequences.
To what extent are smart battery storage systems vulnerable to cyber attacks?
Smart battery storage systems are quite vulnerable to cyberattacks, mainly because they rely heavily on external digital control and connectivity. Many systems operate through cloud solutions and can be managed remotely, making them attractive to hackers. Another problem is that installation practices often leave much to be desired. Many systems come standard with weak passwords and no two-factor authentication, making them easy to compromise. In addition, many energy management systems are linked to these batteries, so an attack on an energy management system can indirectly affect battery storage as well.
What is the current status of cyber resilience of the energy system?
The cyber resilience of the energy system is currently inadequate. Organizations within the energy sector score below average on basicsecurity.com, even worse than municipalities. This applies to overall digital resilience but also to the security of e-mail and websites connected to the Internet. For example, many organizations do not have a security.txt file on their websites, which is a simple text file you put on your Web server that contains contact information for automated security notifications, allowing researchers and ethical hackers to quickly and efficiently report vulnerabilities. The lack of this means that security problems often go undetected until it's too late.
In addition, industry websites are sometimes inadequately protected against attacks such as defacement, where people with bad intentions take over a website and use it for propaganda or disinformation, which can lead to image damage. Basic measures are also frequently lacking to prevent phishing, which is one of the main ways cybercriminals penetrate internal networks.
A simple first step would be for companies to test their digital security through platforms such as internet.co.uk or basicsecurity.co.uk and actively work toward a "green" score. This can be done by making agreements with their hosting providers for better security and by implementing basic measures. Especially with an upcoming NATO summit, it is crucial that companies not only have their internal cybersecurity in order, but also project that they are digitally resilient, because an incident can cause not only technical damage, but also reputational damage and possible political consequences.
What measures should companies take to better protect their battery and energy storage systems from cyber attacks?
Companies must ensure stronger authentication, such as two-factor authentication and secure password management. In addition, storage systems should continue to function fundamentally without the Internet so that they are not completely dependent on external connectivity. Having periodic pen tests and security audits performed is essential to discover and address vulnerabilities in a timely manner. An important aspect here is security by design, where security is a core part of the design and development of systems.
In addition, encryption plays a crucial role in protecting data and communications between systems. Encryption helps ensure data integrity and prevents malicious parties from intercepting or manipulating the content of communications. However, encryption alone is not sufficient if keys are poorly managed. Therefore, it is necessary to implement proper key management policies and ensure that encryption keys are not easily accessible to attackers.
In addition to technical measures, awareness is an important aspect. Both developers and end users must be trained in cybersecurity principles so that they are aware of the risks and their role in securing systems. Through a combination of strong authentication, encryption, security audits and awareness, companies can significantly improve the cyber resilience of their battery and energy storage systems.
What role do laws and regulations play in protecting energy storage systems from cyber attacks?
Current legislation provides insufficient protection. The upcoming CRA legislation and the NIS 2 directive being translated into Dutch law bring improvements, but many critical devices are outside the regulations. Installers also play an important role: if devices are installed poorly, they remain vulnerable. One of the biggest challenges is the lack of awareness, especially among new market players and installers. There is also a shortage of cybersecurity experts, which makes it difficult to deploy sufficient expertise. Cybersecurity is still too often seen as a cost rather than a necessity, and the fragmented landscape of vendors makes it difficult to implement uniform security measures.
How will cyber threats and technologies evolve, and how can companies and governments better work together to improve cybersecurity in energy storage?
The complexity of cyber threats will continue to increase over the next five to 10 years. Cyber attacks are becoming more sophisticated and more often automated using AI, allowing vulnerabilities to be exploited more quickly. The growing digitization of the energy system increases reliance on digital processes, thereby increasing risks. At the same time, decentralized storage systems with local intelligence will play a greater role, creating new challenges.
To deal with these threats, so-called zero-trust architectures will increasingly be used to restrict unauthorized access. In addition, AI-driven threat detection will help identify and mitigate attacks faster. Stricter regulations and minimum security requirements are necessary to ensure digital resilience for new and existing digital components of the power system.
Effective cooperation between companies and governments is crucial here. Faster information exchange through ISACs and informal networks can help improve responses to threats. In addition, common standards and minimum requirements for cybersecurity should be established so that energy storage companies can adhere to clear guidelines. Stricter oversight of installations and implementation of secure systems is essential to structurally improve cybersecurity.
What is your advice to companies just starting to secure their energy storage systems?
My advice is to start with the basic measures, such as setting strong passwords, using two-factor authentication, software update discipline and segmenting networks to limit damage in the event of an attack. In addition, have an independent security audit performed to identify vulnerabilities and focus on the most critical risks. It is important to seek collaboration with others in the industry and participate in initiatives such as ISACs. Finally, it is essential to view security not as a one-time investment, but as an ongoing process that includes regular updates, training and improvements. By working proactively and collaboratively on cybersecurity, we can better protect the energy system from ever-growing threats.
On Wednesday, April 16, Energy Storage NL together with Holland Solar, Techniek Nederland, Nedzero, Energie Nederland and Topsector Energie will organize the network meeting Cybersecurity in the renewable energy sector at host company DENS in Helmond. Sign up for this event via our website.