Updated December 8, 2025
Cybersecurity issues in the energy sector aren’t hard to uncover. A few years ago, Colonial Pipeline, a major provider of gasoline and jet fuel that originates in Houston, was hacked by an eastern European group calling itself Darkside. When hearing about companies getting hacked, we usually think about things like the loss of personal information and credit card numbers. While that’s bad enough, in the case of Colonial Pipeline it meant they couldn’t transport up to three million gallons of fuel per day through their dual 5,500 mile-long pipeline network. They later paid a $4.4M ransom to restore services.
The energy sector is particularly vulnerable to cyber attacks. This article will look at the reasons why, and how both standard security practices and increased awareness can help protect against state-sponsored and rogue groups to improve energy sector cybersecurity.
Energy sector cybersecurity vulnerabilities
Unlike banks or large corporations, which tend to have more centralized control over their assets, energy companies have a much more difficult time hardening their infrastructure. This is mainly due to a mix of geographic locations producing energy. It’s also due to complex relationships with multiple third party providers. Security experts often refer to this as a larger “attack surface” – meaning there are more ways in for hackers to cause disruptions.
While disruptions in other industries can be localized, the energy sector is also particularly vulnerable to attacks because of its close dependencies with other providers. A single attack that causes an outage in one geographic region can, for example, cause a ripple effect as the grid attempts to provide power to other regions. A serious event such as the Colonial Pipeline attack can cause not only a shortage of fuel, but a nationwide spike in prices.¹
Digital vs. physical assets
Unlike other industries, energy company vulnerabilities extend to both digital and physical infrastructure. This means that proper security needs to encompass not only traditional IT infrastructure, but also “operational technology” (OT) infrastructure that can directly impact the delivery of energy to potentially millions of customers. The popularity of “Internet of Things” (IoT) devices is driven in part by the desire to harvest and harness the data generated by OT infrastructure, which creates a larger attack surface.
As an example, battery integrators, OEMs and operators typically manage a myriad of IoT edge devices. Here, IoT devices include OT systems such as battery management systems, string, block and site controllers, inverters, PLCs, data aggregators, SCADA and other BESS equipment. Given the very distributed remote environments they are deployed in, this type of equipment lacks the comprehensive protection offered by a corporate firewall.
The Modbus and SNMP protocols are often used to monitor BESS installations, and both can introduce security vulnerabilities. Modbus supports TLS encryption over TCP/IP, but not authentication. A device using SNMP can broadcast its brand name, model and location, potentially allowing a hacker to gain access to reset the device, create account credentials, or lock other users out in a ransomware scenario.
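Because plain Modbus/TCP carries no notion of who is allowed to write, the practical defence is to watch the wire: parse each request's MBAP header and function code and alert when a state-changing request (a coil or register write, or a diagnostics command) arrives from any host other than the known SCADA master. The following detector is an added example written for this article, not Peaxy's code; the allowlisted address 10.0.5.10, the unit ids and the captured frames are all constructed for the demonstration.

```python
"""Passive detector for unauthenticated Modbus/TCP write traffic (constructed example).

Parses the MBAP header and function code of captured Modbus/TCP requests and
alerts on control-changing function codes sent by any host that is not on the
site's allowlist of SCADA masters. Malformed frames are reported as well.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Function codes that change device state (writes and diagnostics/restart).
STATE_CHANGING_FUNCTIONS = {
    5: "write single coil",
    6: "write single register",
    8: "diagnostics",
    15: "write multiple coils",
    16: "write multiple registers",
}

# Hypothetical allowlist: only the site SCADA master may issue writes.
AUTHORIZED_WRITERS = {"10.0.5.10"}


@dataclass
class ModbusRequest:
    src_ip: str
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: int


def parse_modbus_tcp(src_ip: str, payload: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header plus the function code and start address.

    Raises ValueError on frames that do not match Modbus/TCP framing, which a
    monitor should also treat as suspicious rather than silently ignore.
    """
    if len(payload) < 10:
        raise ValueError("frame too short for MBAP header plus minimal PDU")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    # The MBAP length field counts the unit id byte plus the PDU that follows.
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame size")
    function_code = payload[7]
    (start_address,) = struct.unpack(">H", payload[8:10])
    return ModbusRequest(src_ip, tid, unit, function_code, start_address)


def check_request(req: ModbusRequest, authorized=AUTHORIZED_WRITERS) -> Optional[str]:
    """Return an alert for a state-changing request from an unauthorized host, else None."""
    name = STATE_CHANGING_FUNCTIONS.get(req.function_code)
    if name is None or req.src_ip in authorized:
        return None
    return (f"ALERT: {name} (FC {req.function_code}) to unit {req.unit_id} "
            f"addr {req.start_address} from unauthorized host {req.src_ip}")


def scan_capture(frames: List[Tuple[str, bytes]], authorized=AUTHORIZED_WRITERS) -> List[str]:
    """Run every (source IP, TCP payload) pair through the parser and the policy check."""
    alerts = []
    for src_ip, payload in frames:
        try:
            req = parse_modbus_tcp(src_ip, payload)
        except ValueError as exc:
            alerts.append(f"ALERT: malformed Modbus/TCP frame from {src_ip}: {exc}")
            continue
        alert = check_request(req, authorized)
        if alert:
            alerts.append(alert)
    return alerts


def build_frame(tid: int, unit: int, fc: int, addr: int, value: int) -> bytes:
    """Build a minimal Modbus/TCP request frame (used here only to construct sample traffic)."""
    pdu = struct.pack(">BHH", fc, addr, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample capture: (source IP, raw TCP payload).
SAMPLE_CAPTURE = [
    ("10.0.5.10", build_frame(1, 1, 3, 0, 10)),      # SCADA master reads 10 holding registers
    ("10.0.5.10", build_frame(2, 1, 6, 16, 1)),      # SCADA master writes a setpoint: authorized
    ("192.168.77.4", build_frame(3, 1, 6, 16, 0)),   # unknown host writes the same setpoint
    ("192.168.77.4", build_frame(4, 1, 8, 1, 0)),    # unknown host sends diagnostics sub-function 1
    ("192.168.77.4", b"\x00\x05\x00\x00\x00\x09\x01\x06\x00\x10"),  # length field disagrees with frame size
]

if __name__ == "__main__":
    for line in scan_capture(SAMPLE_CAPTURE):
        print(line)
```

Run stand-alone, the script prints three alerts: the two state-changing requests from 192.168.77.4 and the malformed frame. The allowlist is deliberately a source-address check only; on a flat OT network that is a detection aid, not an authentication mechanism, which is exactly why the article recommends segmentation and hardened edge devices around it.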
How cybersecurity in the energy sector can improve
In another cyberattack on the energy sector, bad actors targeted Ukraine’s power grid in 2015, following Russia’s annexation of Crimea². The Ukrainians learned from this event, and in subsequent years put in place robust systems built to withstand such assaults. Few successful cyber attacks on Ukrainian infrastructure have been reported since Russia’s invasion began. One reported outage impacted tens of thousands of satellite internet and communication subscribers.³ Overall, however, Ukrainian infrastructure has proven resilient to further attack.
What lessons can we learn from the Ukrainians? What best practices can we put in place to harden our own energy grid components? There are three attack vectors worth highlighting:
Inside jobs
In the 2015 Ukraine case, individuals with intimate knowledge of those systems led the attack. Back doors, default passwords, and obsolete user accounts that system administrators fail to terminate are used by former colleagues, contractors, and consultants to attack the systems of their former partners.
A battery farm operator may have a deep understanding of the grid and power demands. They may also have substantial expertise in chemistry, meteorology, and physics, but not necessarily the same competencies in data access and security. This becomes an issue with ad hoc applications built in-house that lack basic security features. While they may seem to be the most expedient business solution at the time, particularly in the early stages of a company, these in-house applications become a major source of risk months or even years later.
How to select and vet third parties
Implementing full end-to-end production solutions often requires the assistance of technology partners. It’s important for every company, but especially those involved in providing critical infrastructure, to know how third parties and supply chain partners treat access credentials and data security. When hiring consultants, how rigorous is the screening process? Are they evaluated only on their technical ability, or are their data management workflows also verified? Ask the consulting company for their NIST System Security Plan (SSP)⁵. If they don’t have one, or if they tell you it’ll take a month to deliver it, then you know you’re not dealing with a company whose security policies have been audited recently.
The lack of a rigorous off-boarding procedure for personnel is another common “red flag” issue for battery integrators, OEMs and operators. System administrators need to be extremely vigilant in their security routines. It pays to perform external security audits, up to and including network penetration attempts (pen tests) by “white hat” hackers who will find the weaknesses before attackers do.
Social engineering
Malware that destroyed files and erased hard drives on workstations and servers affected Ukraine’s systems. Social engineering is the typical route for inserting such malware on a network. Emails that appear innocuous, or seem to come from trusted sources, may contain links where users are tricked into revealing their username or password, or other sensitive information. Emails may also contain attachments that look like standard Word documents or Excel spreadsheets but are actually viruses that can infect the computer system. Networks are contaminated when infected laptops connect, or when infected USB sticks are inserted into company systems.
Combating such phishing attempts is among the toughest challenges in increasing cyberattack resilience. It only takes one weak link – one distracted or gullible employee among thousands – for attackers to establish a digital beachhead inside the organization.
Three remedies that build resilience against social-engineered attacks are as follows:
Enforce “multi-factor authentication” on all company user accounts.
Even if people reuse or share passwords, or have them guessed, the attacker still faces a much higher hurdle, since a validated mobile device or authenticator app is required to complete a login. For battery operators, give special consideration to code repositories (GitHub) and to the interfaces used to directly access block controllers, inverters, and at-site data aggregators. Applications and laptops used by field service teams should require two-factor authentication (2FA), as should shop floor applications that access shop floor, formation testing and data aggregation devices.
Employ the “principle of least privilege.”
Users only get the access privileges needed to complete their task. That means challenging your IT and software teams about Role-Based Access Controls (RBAC)⁶, a common software feature used to enforce the principle of least privilege.
Education and training on security protocols are most important.
Not only should security protocols be in place, but people should receive regular training to follow them. For battery integrators, OEMs and operators, third party sub-suppliers and field service providers that enjoy certain privileges on your systems present a particular education challenge.
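The first two remedies combine naturally in code: a deny-by-default RBAC check gives each role only the permissions its job needs, and any action that changes plant state or access rights is additionally refused unless the session completed a multi-factor login. The policy below is an added example for this article, not Peaxy's or any vendor's code; the role names, permission tuples and sample sessions are hypothetical.

```python
"""Deny-by-default RBAC with an MFA gate for a battery site control stack (constructed example).

Roles map to the minimum set of (action, resource_type) permissions they need.
Anything not explicitly granted is refused, and state-changing actions are
refused unless the session has a completed multi-factor login.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Permission = Tuple[str, str]  # (action, resource_type)

# Hypothetical role definitions: each role gets only what its job requires.
ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "field_service": {
        ("read", "telemetry"),
        ("acknowledge", "alarm"),
    },
    "site_operator": {
        ("read", "telemetry"),
        ("acknowledge", "alarm"),
        ("write", "inverter_setpoint"),
        ("write", "controller_schedule"),
    },
    "security_admin": {
        ("read", "telemetry"),
        ("manage", "user_account"),
    },
}

# Actions that alter plant behaviour or access rights are always MFA-gated.
MFA_REQUIRED_ACTIONS = {"write", "manage"}


@dataclass
class Session:
    username: str
    roles: Set[str]
    mfa_verified: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class AuditLog:
    """Every decision, allowed or not, is recorded for later review."""
    entries: List[str] = field(default_factory=list)


def effective_permissions(session: Session) -> Set[Permission]:
    """Union of the permissions of the session's roles; unknown roles grant nothing."""
    granted: Set[Permission] = set()
    for role in session.roles:
        granted |= ROLE_PERMISSIONS.get(role, set())
    return granted


def authorize(session: Session, action: str, resource_type: str, audit: AuditLog = None) -> Decision:
    """Decide whether the session may perform action on resource_type, deny by default."""
    if (action, resource_type) not in effective_permissions(session):
        decision = Decision(False, f"no role of {session.username} grants {action} on {resource_type}")
    elif action in MFA_REQUIRED_ACTIONS and not session.mfa_verified:
        decision = Decision(False, f"{action} on {resource_type} requires a completed MFA login")
    else:
        decision = Decision(True, f"{action} on {resource_type} granted via roles {sorted(session.roles)}")
    if audit is not None:
        verdict = "ALLOW" if decision.allowed else "DENY"
        audit.entries.append(f"{verdict} user={session.username} action={action} "
                             f"resource={resource_type} mfa={session.mfa_verified}: {decision.reason}")
    return decision


if __name__ == "__main__":
    # Constructed sessions: a field technician with MFA, an operator without it.
    log = AuditLog()
    tech = Session("tech1", {"field_service"}, mfa_verified=True)
    operator = Session("op1", {"site_operator"}, mfa_verified=False)
    authorize(tech, "read", "telemetry", log)               # allowed
    authorize(tech, "write", "inverter_setpoint", log)      # denied: not in role
    authorize(operator, "write", "inverter_setpoint", log)  # denied: MFA not completed
    operator.mfa_verified = True
    authorize(operator, "write", "inverter_setpoint", log)  # allowed
    for entry in log.entries:
        print(entry)
```

Two design points worth noting: permissions are keyed on (action, resource type) rather than on free-form strings, so a reviewer can see at a glance that a field technician has no path to a setpoint write at all, and the MFA requirement is enforced at the authorization step rather than only at login, so a session that was established with a password alone cannot later escalate into a control action.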
Denial of service attacks
Ukraine’s systems were also made unavailable through denial-of-service (DoS) attacks. While such attacks are impossible to prevent, redundant systems should be put into place and tested periodically. This will help ensure services don’t completely stop when primary systems are under attack.
Battery integrators, OEMs and operators are particularly vulnerable if they do not manage these edge/IoT devices properly and with rigor. Edge devices typically contain a credential that allows them to authenticate over the Internet with cloud systems. Having a compromised edge device means potentially compromising that communication channel. Hardening the operating system and using technologies such as secure boot and on-disk encryption are vital steps to ensure the safety and integrity of these devices.
Energy sector cyberattacks increased from 101 in July 2019 to 874 in July 2020⁷.
Our journey with cybersecurity in the energy sector
To support data analytics for energy storage, at Peaxy we collect telemetry data from energy storage systems around the world. Over time, we developed expertise in deploying IoT edge devices that are robust and secure, including SOC 2 Type II certification. Our customers in the Department of Defense and Department of Energy have extremely demanding cybersecurity requirements. Our engineering team receives dedicated training to ensure their development environment and process are secure. We work on secure machines configured for maximum protection. All data is kept on FIPS 140-2 certified self-encrypting drives.
Securing the infrastructure that keeps the energy sector moving is more important than ever. While companies that handle our power and water needs have been subject to hacking for decades, energy storage companies are relatively new to the scene and their systems may not be battle-hardened. OEMs and operators need to take steps to make their facilities and systems more resilient. This is especially true given the lessons learned from previous attacks. Battery integrators should also consider the very real prospect of stepped-up cyberattacks on our energy infrastructure. There’s never been a better time to partner with a security-focused company like Peaxy to give you the confidence and peace of mind that your systems are safe.
Frequently Asked Questions (FAQ)
1. Why is cybersecurity in the energy sector becoming more critical?
As the grid becomes more digitized and distributed, utilities and operators depend on interconnected systems—SCADA platforms, DER controls, IoT devices, and digital twins. This expanding attack surface increases the risk of cyber-physical disruptions, making robust cybersecurity essential for reliability and compliance.
2. What unique challenges does the energy sector face compared to IT-only environments?
Energy systems combine operational technology (OT) with legacy equipment, vendor-specific protocols, and real-time control requirements. Unlike traditional IT, downtime in OT environments can have immediate safety, financial, or grid-stability consequences.
3. How can operators strengthen cybersecurity without slowing down operations?
Adopting versioned data models, asset-level monitoring, and automated anomaly detection allows security teams to identify risks without interfering with normal dispatch and control workflows. Digital twins can further simulate system behavior before deploying updates or patches.
4. Why is visibility into OT and field assets so important?
Many cyber incidents begin in overlooked or poorly instrumented edge devices. Improved telemetry, standardized data collection, and unified monitoring make it possible to detect unusual behavior early—before an attacker can move laterally or disrupt critical functions.
5. How can energy organizations reduce the risk of supplier or vendor-related cyber breaches?
Introducing vendor security attestation, reviewing firmware provenance, and using sandbox environments for testing updates help prevent compromised components from entering production systems. Coordinated security frameworks also ensure alignment between operators, integrators, and OEMs.
1 https://cybersecurityguide.
2 https://en.wikipedia.org/wiki/
3 https://www.cnn.com/2022/03/
5 https://nvlpubs.nist.gov/
6 https://en.wikipedia.org/wiki/
7 https://www.bitlyft.com/