Polish grid attack reveals cyber-insurance gap for battery storage
A cybersecurity incident affecting approximately 30 wind and solar sites across Poland on Dec. 29, 2025, gave underwriters a real-world example of an attack pathway against distributed renewable assets, one they can assess rather than model.
The cybersecurity incident involved malicious activity affecting communications infrastructure and control systems at distributed energy sites, reducing or disrupting visibility between generation assets and distribution system operators. Generation was not directly manipulated. At a wind or solar site, that distinction has operational significance. For battery storage, it matters less – because the control layer exposed to an attacker is also the layer governing cell safety.
“The attack pathway demonstrated in Poland – compromise of internet-facing edge devices, absent multi-factor authentication, and reused credentials, therefore leading to access to remote terminal units, protection relays and operator interfaces – was already understood to be feasible,” said Tom Dryden, partner and head of cyber Europe at McGill and Partners. “What that example provided was confirmation that a capable actor will pursue that pathway against distributed assets and will do so with destructive, rather than just financial, intent.”
The affected Polish facilities continued to generate throughout the incident. Battery energy storage systems do not offer the same margin.
Control layer
“The control layer an attacker would access – the battery and energy management system – is also the layer that governs charge rate, state of charge and cell temperature,” Dryden told pv magazine. “Compromise or manipulation of that layer is not just a supervisory inconvenience but a direct means of forcing a cell beyond its safe operating threshold, with thermal runaway as the foreseeable consequence.”
For underwriting purposes, Dryden said, that moves the cyber-physical thermal-runaway scenario “from a modeled tail risk to a demonstrated exposure” – not because physical damage occurred in Poland, but because the incident confirmed that capable actors are actively pursuing the distributed edge of the power system.
The insurance market’s response to that exposure is complicated by a structural feature of how energy assets are covered. Conventional property and energy policies typically exclude malicious cyber triggers, subject to wording and market variations. Dedicated cyber-insurance policies are designed to respond to malicious acts – but do not automatically cover physical damage. A BESS operator whose battery management system is compromised and whose asset subsequently ignites may, depending on wording and endorsements, find the loss sitting at the seam between two markets.
“A scenario like a malicious-cause thermal-runaway loss can fall between the two, unless carrying a properly designed cyber-insurance policy,” Dryden said. He added that the solution McGill and Partners has developed uses “an affirmative cyber wording addressing both the cyber physical exposure, and intangible exposures from a malicious ransomware or DDoS attack” – though the structure and limits of that wording are not publicly disclosed and, as with any manuscripted market solution, apply within current market constraints.
Charalambos Konstantinou, associate professor and principal investigator of the SENTRY Lab at King Abdullah University of Science and Technology (KAUST), describes the attack surface as layered: communications and RTU access enables disruption and disconnection; control-parameter manipulation enables generation interference; firmware compromise – the deepest layer – persists across reboots.
Konstantinou said the communications protocol mandated under IEEE 1547 lacks native authentication and integrity features, framing this as a structural observation about protocol design, grounded in prior published research, rather than a comment on the Poland incident specifically.
“Actuaries can’t price what they can’t see,” Konstantinou said, adding that his group’s firmware-integrity work is aimed at reducing that uncertainty. He and colleagues published a framework in IEEE Transactions on Power Systems in 2026 designing premiums and coverage for the operational-cost risk of attack-driven load variation in renewable-rich grids, using value-at-risk and tail-value-at-risk metrics. Konstantinou said the work indicates that large load variations can materially increase a grid’s daily operational cost – the kind of tail exposure an insurer needs to capture to price the risk accurately. The paper’s specific findings have not been independently verified by pv magazine prior to publication.
The gap between what an underwriter needs and what is currently visible is not structural.
“The detection science exists,” Konstantinou said. “Our work shows firmware-level integrity verification is viable on inverter platforms.” The obstacle is integration: device integrity today is self-protective – secure boot and signed firmware, implemented differently on each vendor’s silicon – so a device verifies itself but emits no common signal a third party can read across a fleet. “The DER communication standards were never built to carry one,” he said.
Regulatory limits
NIS2 does not close the visibility gap. The directive imposes risk management and incident reporting obligations on energy sector operators but does not explicitly mandate a firmware-integrity signal. The Cyber Resilience Act reaches device manufacturers with requirements to protect programs and configuration against unauthorized modification – but as Konstantinou frames it, “an SBOM tells you what’s in the firmware, not what’s actually executing at runtime. So the integrity attestation an underwriter would need is still neither mandated nor exposed to operators in a standardized way.” Whether that integrity must be exposed as a standardized, externally verifiable attestation is left to harmonized standards still under development, with compliance timelines extending into the later part of the decade, including widely cited 2027 implementation milestones.
Transposition delays have compounded the regulatory picture. Many member states remained in transitional phases into 2026, more than a year after the October 2024 deadline. Dryden’s advice is not to treat the delay as permission to defer action.
“We wouldn’t advise operators to defer action on improving cyber resiliency, pending either national transposition or the maturation of the cyber-insurance market,” he said. “The measures that establish regulatory compliance and the measures that establish insurability are substantially the same, and they warrant implementation now, irrespective of the date on which a given member state completes transposition.”
The current insurance market is, unusually, favorable to buyers.
“The cyber-insurance market, including the more nuanced cyber-physical damage market, is currently highly competitive despite a volatile threat environment, driven mainly by oversupply of insurance capacity vs demand,” Dryden said, adding that the market was likely to stabilize on pricing over the next 12 months, with potential hardening beyond that if claims continue to rise.
For BESS operators, Dryden recommends two steps: assess and quantify cyber-physical exposure against the actual replacement cost of the principal asset rather than a nominal limit; then close the property-cyber gap through affirmative cyber cover designed specifically for the energy sector.
The real obstacle to closing the observability gap, Konstantinou said, is incentives: the manufacturer pays to expose the firmware-integrity signal, while the operator and insurer receive the benefit. That misalignment is why the gap persists despite the technical solution existing. But he sees the insurance market itself as a potential forcing function. “If underwriters discount fleets that can attest their firmware state, that pull could outrun the regulation,” he said.
The Poland incident has not moved insurance pricing. What it has done is shift the cyber-physical risk conversation, in Dryden’s words, “over from a conceptual concern into an evidenced operational threat.” The gap in coverage – and in the observability that would allow that coverage to be accurately priced – remains open.