Cybersecurity as a powerful tool to enable resilient energy storage projects

As the energy storage industry evolves, robust cybersecurity safeguards are more crucial than ever to bolster the resilience of grid infrastructure.
The increasing digitalization of grid operations has expanded the cyber attack surface, creating new vulnerabilities that must be addressed through cybersecurity measures. As an example of this increasing risk, the North American Electric Reliability Corporation noted in 2024 that, for US power grids, “the number of susceptible points in electrical networks [is increasing] by about 60 per day.”
As energy storage investors navigate the complexities of the quickly evolving cybersecurity risk and regulatory landscape, Fluence sees cybersecurity as an opportunity to drive customer value by helping to derisk projects against revenue loss and unavailability due to cyber non-compliance and cyber-derived incidents.
According to a 2025 report by Trustwave SpiderLabs, the average cost of a data breach in the energy sector is $5.29 million, with potential consequences that extend far beyond financial losses to include operational disruption, physical damage, and reputational harm. With a 146% increase in 2025 in operational technology sites suffering physical impairment of operations due to cyberattacks, it is not surprising that a report released by DNV in early 2025 found that two out of three energy professionals (65%) reported that their executives considered cyber risk to be the greatest threat they faced.
As a result of continuously escalating cybersecurity threats, governments around the world are increasingly seeing regulation as an important tool for improving baseline cybersecurity across industries. Europe, for example, is experiencing sweeping changes. These changes include:
A requirement for member states to transpose the Network and Information Security (NIS) 2 directive into national law;
The Cybersecurity Resilience Act mandating secure development requirements for manufacturers of products with digital components;
The Radio Equipment Directive, regulating radio and telecommunications equipment;
The Network Code on Cybersecurity, governing cybersecurity requirements for cross-border electricity flows; and
Evolving changes to the EU Cybersecurity Act and the EU Regulation on Critical Entities Resilience.
Revenue loss and penalties
The cost of one week of downtime for a 100 MW battery storage system, due to a cyberattack, can easily reach $300,000 in lost revenue.
On the compliance side, a one-month project delay due to non-compliance can result in revenue losses of around $1.2 million for a 100 MW energy storage project. Many investors are waking up to increased penalties, which, under the European NIS 2 Directive, can reach up to €10 million ($11 million) or 2% of global revenue, on top of reputational damage.
Today, it is not uncommon for energy storage developers to attempt to transfer cybersecurity compliance responsibility to system providers. While energy storage system suppliers play a critical role in cybersecurity, many compliance requirements cannot be fully transferred from the storage owner or operator.
The World Economic Forum found that 60% of respondents it questioned viewed regulation as too complex or too numerous and reported difficulty verifying whether third-party suppliers were compliant. Clear alignment in the procurement phase, regarding what asset owners are accountable for and what specific requirements asset owners have for suppliers, is of paramount importance for achieving a cyber-secure, cyber-compliant system.
Looking at the developing cybersecurity framework in Europe, the upcoming review of the European Energy Security Framework will likely provide another spotlight on cybersecurity in the energy sector.
New legislative proposals provide some guidance on what might be to come. For renewable energy auctions, the European Commission is already establishing pre-qualification requirements for cybersecurity, addressing supply chain risks from countries of concern. Such rules will likely spill into the energy storage sector next. Individual countries like Lithuania are already a step ahead, having enacted a law that bans operational control from countries that are considered threats to national sovereignty.
Regulators will likely take a closer look at supply chain risks and the country of origin of digital products, especially critical IT hardware and software components, and the ability of entities outside of the European Union to control assets in Europe’s critical energy infrastructure.
Such a review is already underway for the solar supply chain at the EU level. The ban of 5G equipment from selected Chinese suppliers in several European countries and the retroactive replacement of already-deployed 5G equipment in Germany and the United Kingdom might not be replicated in exactly the same way in the European energy infrastructure, but it is certainly a scenario that project developers and investors should consider. The decommissioning of a battery energy storage system from a Chinese supplier on US military bases, due to national security concerns, has already taken place.
Defense-in-depth
De-risking customer projects through robust cybersecurity safeguards is foundational. Defense-in-depth strategies that balance layers of controls to prevent, detect, respond to, and recover from cyberattacks are key to supporting operational resilience.
Energy storage suppliers must provide systems that enable asset-owner compliance with the NIS 2 Directive and other global regulations, to reduce non-compliance risks and project delays.
Fluence’s approach is built on trust and transparency. We recognize that companies around the world are wading through regulatory pluralism with multiple, diverse regulatory frameworks coexisting and no single global cybersecurity regulatory body. Our approach is to harmonize these requirements using globally recognized industry standards that cover the breadth and depth of requirements across these regulations. By aligning with standards such as NIST Cybersecurity Framework, ISO 27001, and IEC 62443, we support the foundation of regulatory requirements and scale beyond compliance to address risks specific to battery energy storage systems.
For buyers, insurers, and financiers of battery energy storage assets, it is essential to understand the importance of cybersecurity. The landscape is changing, and proactive steps to derisk exposure are more important than ever. By prioritizing cybersecurity, we can protect our energy infrastructure and pave the way for a sustainable and secure future.
About the authors:
Katherine Hutton is global product manager for cybersecurity at Fluence.
Lars Stephan is director of marketing, policy, and public affairs in the Europe, Middle East, and Africa region.
