Cyber-vulnerable battery systems are catching fire and communicate directly with China
Control system cyber incidents that caused significant physical effects have been publicly identified in the power, water, pipelines, oil and gas, building controls, rail and maritime transportation sectors. Another family of significant control system cyber incident cases that has also caused significant physical impacts has recently emerged – battery energy storage systems, known in the industry as “BESS.”
Background
BESS systems are critical for reliable grid operations: power from intermittent solar or wind sources needs to be stored when excess power is available so that it can be dispatched later when generation falls short. Like other cyber-physical systems, BESS systems utilize instrumentation and control systems including process sensors, control systems with logic circuits, communication systems, and inverters that convert the direct current electricity stored in the batteries into the alternating current electricity used by the electrical grid. Control systems coordinate the operation of the BESS, including the battery management system (BMS), energy management system (EMS), BESS plant controllers, BESS inverters, fire detection and suppression systems, and their associated subsystems.
The publicly available Electric Power Research Institute (EPRI) whitepaper “Insights from EPRI’s Battery Energy Storage Systems (BESS) Failure Incident Database: Analysis of Failure Root Cause” reported that “a significant fraction of BESS failure incidents had an unknown root cause.” When I was managing the EPRI Nuclear Instrumentation & Diagnostics Program, I tried finding actual cases dealing with specific causes, specifically loss of oil in nuclear safety-related pressure transmitters. There were no cases identified in U.S. Nuclear Regulatory Commission (NRC), Institute for Nuclear Power Operations (INPO), or other relevant databases addressing this specific issue by name.
Consequently, the more than 200 cases I identified had to be found by “reading between the lines.” The same happened after starting the EPRI control system cybersecurity program – none of the cases were originally identified as being cyber-related. With the appropriate understanding, I believe a significant fraction of the BESS cases that the EPRI report attributed to “unknown root causes” were due to control systems, and of that number, a significant number would have been control system cyber-related. The EPRI report went on to state:
“Of the incidents that were classified, there was no single cause that contributed to a majority of failures. The balance-of-system components and controls were the leading causes of failure, with the cell having a relatively small number of failures attributed to it. Control failures include those due to control-system incompatibility, incorrect installation of the control system, defects leading to errors in sensors or controls.”
Control system issues not identified in the EPRI report include improper settings, lack of control-system coordination and inappropriate operation limits. The EPRI report did not directly mention any of the BESS incidents as being cyber-related.
BESS threats
As in most industrial and manufacturing processes, temperature is a very important consideration. For BESS, temperature considerations manifest themselves in thermal runaway. This phenomenon occurs when a battery becomes self-destructive due to uncontrolled thermal conditions leading to a chain reaction within a battery, causing a rapid increase in temperature and pressure. This reaction starts when the battery’s internal temperature reaches a point that causes a breakdown of the battery’s internal components. It can escalate quickly, potentially leading to a fire or explosion. To date there have been more than 60 thermal runaway fires at BESS facilities.
Cyber threats
Thermal runaway in lithium-ion batteries can be caused by control system cyber incidents (whether malicious or unintentional) because battery monitoring systems, as well as fire detection and suppression systems, are monitored and controlled by instrumentation and control systems that have no cybersecurity or authentication. Additionally, a significant amount of BESS software is made in China, and the Chinese government is a notorious cyber threat actor.
The possibilities for cyber threats are many. Altered control system settings can affect the timing and coordination of monitoring and safety systems. Additionally, cyber intrusions can be developed to insert settings in unused registers within the control system that lie dormant until activated at the attacker’s discretion.
In addition to BESS software, many BESS instrumentation and control systems are also either made in China or have Chinese components. These are security and safety issues. As the Director of National Intelligence (DNI) National Intelligence Council wrote in its 2021 National Intelligence Estimate,
“China is the world’s leading supplier of advanced grid components for ultra-high-voltage systems, such as transformers, circuit breakers, and inverters, which we assess creates cyber vulnerability risks.”
Moreover, counterfeit process sensors made in China have been found in North America. Presidential Executive Order (EO) 13920 was issued to address large Chinese-made power transformers after extra electronics were found in a large Chinese-made electric power transformer installed at a U.S. utility substation, and a February 2024 EO was issued on hardware backdoors in Chinese port cranes after hardware was found in the cranes that should not have been there.
BESS fires from unintentional incidents
As mentioned, there have been more than 60 BESS thermal runaway fire events. The following is an example of an unintentional control system cyber-induced runaway fire.
Vistra is a Fortune 500 integrated retail electricity and power generation company based in Irving, Texas. The company is the largest competitive power generator in the U.S. with a diverse portfolio, including natural gas, nuclear, solar and battery energy storage facilities. Vistra operates the largest battery storage facility in the U.S. at Moss Landing, California. Vistra’s senior director of community affairs said that two “overheating events” happened at the battery plant in 2021 and 2022 because the batteries got wet. A third incident happened in 2022 at the neighboring Elkhorn battery plant owned by PG&E. On Jan. 16, 2025, a large fire at the Moss Landing BESS facility burned tens of thousands of batteries and released heavy metals into the environment.
I will focus on the Sept. 4, 2021, incident. Fire damaged roughly 7% of the facility’s battery modules and other facility systems. Smoke was detected by the Very Early Smoke Detection Apparatus (VESDA) units, which caused water to be released and stopped the flow of electrical current through the affected cores (an automated process referred to as e-stop). Due to an apparent programming error in the VESDA, these actions occurred at detected smoke levels BELOW the specified design level at which water was intended to be released and e-stop was intended to be initiated.
This incident demonstrates the difference between network security and engineering: no threshold had to be exceeded and no denial of service was needed to cause a catastrophic problem. As a result, the VESDA system was reviewed to ensure it is programmed in accordance with the specifications. (This raises a question about the vendor’s software verification and validation process, as there have been several fires involving this vendor’s battery systems.)
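The two control-system failure modes the article describes, a safety setpoint programmed below its design value (the VESDA case above) and a dormant setting parked in an unused register (the cyber threats section earlier), are both caught by the same defensive check: periodically reading the controller's live configuration and diffing it against the approved design baseline. The following audit routine is an added example, not code from the article, from Vistra, or from any VESDA vendor. The register numbers, names, threshold units and snapshots are all constructed and hypothetical; a real deployment would read the live values over the controller's own protocol and keep the baseline under change control.

```python
"""Configuration audit for a BESS smoke-detection / e-stop controller.

Added example, not from the original article.  Compares a live register
snapshot against the approved design baseline and reports:
  1. action setpoints that deviate from design (e.g. programmed BELOW the
     level at which water release / e-stop was intended to occur);
  2. thresholds that are no longer ordered alert < action < fire;
  3. nonzero values in registers the design marks as unused, where a
     dormant, later-activated setting would sit.
All register numbers, names and values are constructed and hypothetical.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Setpoint:
    name: str            # human-readable tag (hypothetical)
    register: int        # holding register that carries the value (hypothetical)
    design_value: float  # value from the approved design specification
    tolerance: float     # allowed absolute deviation from design_value


# Constructed design baseline.  Units (% obscuration per metre, seconds) are
# illustrative only and are not a real VESDA configuration.
DESIGN_SETPOINTS = [
    Setpoint("smoke_alert_pct_per_m",  100, 0.05, 0.0),
    Setpoint("smoke_action_pct_per_m", 101, 0.20, 0.0),  # water release / e-stop
    Setpoint("smoke_fire_pct_per_m",   102, 0.50, 0.0),
    Setpoint("estop_delay_s",          110, 5.0,  0.5),
]
# Registers the design documents as in use (setpoints plus two status words).
USED_REGISTERS = {sp.register for sp in DESIGN_SETPOINTS} | {120, 121}
# Every other register in this range is expected to read zero.
AUDIT_RANGE = range(100, 140)

ALERT_REG, ACTION_REG, FIRE_REG = 100, 101, 102


def audit(live: dict[int, float]) -> list[str]:
    """Return a list of human-readable findings; an empty list means the live
    configuration matches the design baseline."""
    findings: list[str] = []

    # 1. Each design setpoint must be present and within tolerance.
    for sp in DESIGN_SETPOINTS:
        if sp.register not in live:
            findings.append(f"MISSING {sp.name} (reg {sp.register})")
            continue
        value = live[sp.register]
        if abs(value - sp.design_value) > sp.tolerance:
            direction = "below" if value < sp.design_value else "above"
            findings.append(
                f"SETPOINT {sp.name} reg {sp.register}: {value} is {direction} "
                f"design {sp.design_value}"
            )

    # 2. Escalation thresholds must still be monotonically increasing, so a
    #    mis-programmed action level cannot fire before the alert level.
    alert, action, fire = (live.get(r) for r in (ALERT_REG, ACTION_REG, FIRE_REG))
    if None not in (alert, action, fire) and not (alert < action < fire):
        findings.append("ORDER smoke thresholds are not alert < action < fire")

    # 3. Registers the design leaves unused must read zero.
    for reg in AUDIT_RANGE:
        if reg not in USED_REGISTERS and live.get(reg, 0) != 0:
            findings.append(f"UNUSED reg {reg} holds {live[reg]} (expected 0)")

    return findings


# Constructed snapshots.  Registers not listed are taken to read zero.
GOOD_SNAPSHOT = {100: 0.05, 101: 0.20, 102: 0.50, 110: 5.0, 120: 1, 121: 0}
# Action level programmed far below design (and below the alert level), plus a
# stray nonzero value in an unused register.
BAD_SNAPSHOT = {100: 0.05, 101: 0.02, 102: 0.50, 110: 5.2, 120: 1, 131: 7}


if __name__ == "__main__":
    for label, snap in (("good", GOOD_SNAPSHOT), ("bad", BAD_SNAPSHOT)):
        print(f"{label}: {audit(snap) or ['OK']}")
```

Run against the constructed bad snapshot, the audit reports the action setpoint being below design, the broken alert/action/fire ordering, and the unexpected value in register 131; the good snapshot produces no findings. The point is that the check is a diff against the engineering specification, not a network control: a configuration that is syntactically valid and arrives over an authenticated channel can still be wrong relative to the design, which is exactly the gap the Moss Landing review closed after the fact.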
BESS cyber compromise
The following is an example of a malicious compromise of a cyber-vulnerable Chinese-made BESS system.
Duke Energy agreed under pressure from the U.S. Congress to decommission energy storage batteries produced by Chinese battery giant CATL installed at Marine Corps Base Camp Lejeune in North Carolina over concerns that the batteries posed a security risk. Reuters reported that Duke Energy had made plans to decommission the CATL-made batteries that had been installed less than a year before, in March 2023. However, by year’s end, Duke Energy had disconnected the battery storage project, citing concerns raised by lawmakers and experts around CATL’s close ties to China’s ruling Communist Party.
The batteries and their inverters may have had cyber vulnerabilities that could be used to compromise the electricity grid. According to CATL, its energy storage products sold to the U.S. contained only "passive" devices, which were not equipped with communication interfaces. While the Duke Energy executives told the congressional staff that they were confident in the security of the batteries, they also expressed a desire to address congressional concerns. Those executives disclosed in the December 2023 meeting with Congressional staff that Duke Energy had been considering CATL batteries for about two dozen other projects.
Duke Energy stated that the battery system had been designed with “security in mind,” and that the batteries “were not connected in any way to Camp Lejeune’s network or other systems.” However, according to sources speaking on background, China connected with the battery systems at Camp Lejeune, and then reconnected after the system was ostensibly disconnected by the U.S. (This could be similar to the backdoors in large Chinese electric transformers or Chinese port cranes. Both the Chinese transformer vendor and port crane vendor also stated there were no backdoors in their products despite “extra hardware” having been found in each.)
This incident should raise “red flags,” as Duke is a leader in grid cybersecurity. The demonstration of the backdoor into the battery system eventually led Senators Tim Scott and Marco Rubio and members of the Senate Foreign Relations Committee to introduce the Blocking Bad Batteries Act, which would prohibit the State Department from procuring batteries produced by certain PRC-linked companies. As Senator Ted Cruz stated:
“The significant known cyber risks to Battery Energy Storage System (BESS) systems more broadly, such as security limitations that prevent regular updates and gaps in reviewing vulnerabilities, raise several concerns that a malicious actor, or government, could seek to exploit.”
Similar issues with backdoors in Chinese-made equipment led to presidential executive orders against large Chinese-made electric transformers and Chinese-made port cranes.
Lack of relevant cybersecurity standards
The electric utility cybersecurity standards (North American Electric Reliability Corporation – NERC Critical Infrastructure Protection – CIP) do not apply to BESS systems because BESS systems are considered distribution, not transmission. The National Fire Protection Association (NFPA) standard for BESS fire protection is NFPA 855. NFPA 855 has no cybersecurity requirements.
Cybersecurity gaps in proposed solutions
EPRI in its report and Vistra in its response to the September 2021 fire both proposed solutions to address thermal runaway incidents. However, neither addressed cybersecurity. The Duke Energy case demonstrates that an appropriate control system cybersecurity training program is necessary even for an industry leader in grid cybersecurity. The NFPA standards for BESS systems do not include cybersecurity, and BESS systems, being electric distribution systems, are out of scope for the NERC CIP standards.
What needs to be done
U.S. BESS suppliers need to “gear up” to supply BESS systems on an acceptable schedule and at an acceptable cost. Utility organizations should specify that BESS systems must be U.S.-based. U.S. BESS system suppliers should not include software, systems or components from China (or other adversarial countries). Cybersecurity needs to be part of the hardware, the software and personnel training. NFPA and grid regulators need to develop appropriate control system cybersecurity standards and regulations for BESS systems and personnel.
Summary
BESS systems are cyber-vulnerable. There have been cases where intentional and/or unintentional cyber incidents have caused or contributed to thermal runaway fires. There have been other cases where BESS systems have been cyber-compromised. Yet there appears to be minimal attention paid to cybersecurity in the design, operation and training surrounding BESS systems. There needs to be a focus on cybersecurity standards and training for BESS systems, as China has demonstrated it is exploiting cybersecurity gaps in BESS systems in addition to other critical systems such as large electric transformers, inverters and port cranes.