
Minimising risk without missing opportunity

Written by Michiel Wiggers | Aug 14, 2025 7:00:00 AM

Energy management systems are essential to the energy transition, but they also raise important questions. How safe are these systems? What about cybersecurity? And what happens when things go wrong beyond your control, like network outages or cloud disruptions? With smart software, clear safety measures and robust cybersecurity, you can minimise the risks without missing out on valuable opportunities.

 

A battery does nothing on its own


Let’s first clear up a common misconception: a battery, on its own, doesn’t do much. It’s simply a vessel for storing energy. Without a control layer, nothing actually happens. That control comes from the energy management system (EMS), intelligent software that decides how and when a battery should charge or discharge. Besides this crucial energy management system, there’s also the battery management system (BMS), which is supplied by the battery manufacturer. Its role is to ensure the battery operates safely, for example by preventing overheating. However, the BMS does not control energy flows. That responsibility lies entirely with the EMS and the inverters. As cyber threats and digital crime intensify, this responsibility is becoming more crucial than ever.

 

“Cyberattacks on the energy sector have more than doubled since 2020, according to data from Dragos and EnergiCERT.”

 

Security risks: layered defence is essential


To protect data and systems against security threats, a multi-layered defence strategy is essential. At iwell, we’ve implemented the following measures:

  • Restricted and controlled access: Only a small group of employees can access the EMS via a secure VPN connection. This is protected by two-factor authentication and limited to strictly controlled devices.
  • Network segmentation: Our energy management system operates on an independent network, fully separated from the end user’s infrastructure. This means a cyberattack elsewhere doesn’t compromise our systems.
  • Regular penetration testing: External cybersecurity experts regularly carry out specific penetration tests to identify and resolve vulnerabilities. These learnings are applied to further enhance our safety protocols.
  • Security training for employees: It’s true, people often remain the weakest link in cybersecurity. That’s why our teams receive regular training to recognise phishing, malware and other digital threats.
  • Secure updates: Occasionally, the BMS requires a software update to improve battery performance. These updates happen under strict supervision. The supplier is granted temporary access, but only with our explicit approval. 

 

“According to the KnowBe4 report, 34% of cyberattacks targeting the energy sector occurred via phishing. Security training should be prioritized.”


But what if something does go wrong?


Despite strong security protocols, you can never eliminate the risk of an incident entirely. That’s why a solid incident response plan (IRP) is essential. At the heart of a good IRP is problem analysis and resolution. Immediately launch a thorough root cause analysis to identify what went wrong. Take swift action to resolve the issue and prevent recurrence. Transparency and timely communication are equally important. If an incident affects users of a battery system, inform them as quickly, clearly and completely as possible. Guide them throughout the process, so they always know what’s going on and what to expect.

Not all disruptions are security-related, though. Sometimes the issue is technical: for example, a network problem with a cloud provider that temporarily makes an EMS-battery system unreachable remotely. However, when you operate on a separated infrastructure (as described above), the battery system will still function locally. A robust backup strategy is hugely important as well. This guarantees that configuration and usage data are always securely stored across separate cloud environments, enabling quick system recovery and minimal data loss.

Risk management instead of risk aversion


Discussions around the safety of battery systems often focus on risk. But avoiding every potential threat also means missing out on valuable opportunities. Instead, iwell believes in proactive risk management by taking specific steps to manage and mitigate risks effectively. We retain full control over our own energy management system, we minimise cyber threats through strict security measures and we make sure our systems continue operating, even in the face of disruptions. Batteries are only one part of the puzzle. Real control lies in the software and infrastructure surrounding them. And that control, we firmly hold.