The Department of Energy’s (DOE) Office of Cybersecurity, Energy Security, and Emergency Response (CESER) has partnered with the Idaho National Laboratory (INL) to propose strategies aimed at mitigating risks from foreign-manufactured Battery Energy Storage Systems (BESS) and addressing vulnerabilities in the U.S. energy grid supply chain. The U.S. House of Representatives has also moved forward with the SHIELD Against CCP Act, designed to combat threats targeting U.S. critical infrastructure, particularly the electric grid and energy systems.

In this article, we will explore the vulnerabilities present in BESS sourced from Chinese manufacturers and the associated cybersecurity risks these systems pose to U.S. supply chain security and grid reliability.

Additional Reading

Is the CVE Program in Jeopardy?

New US Rule Finalizes Ban on Chinese and Russian Software in Connected Vehicles

Key Learnings from the Auto-ISAC SBOM Report

Battery Energy Storage Systems (BESS) and Their Critical Role

BESS is fundamental to maintaining the stability and reliability of modern energy grids. These systems store energy for future use, allowing utilities to balance supply and demand, integrate renewable energy sources, and improve grid resilience. However, as with any technology, the complexity and interconnectedness of BESS introduce new cybersecurity risks, particularly when critical components come from foreign sources with ties to adversarial state actors.

Dr. Emma Stewart, the Chief Power Grid Scientist at INL, highlighted during a hearing last month at the US House Select Committee that over 90% of Chinese manufacturers rely on at least one critical component made in China. This dependency raises concerns about cybersecurity risks that could undermine grid reliability and expose the U.S. supply chain to state-sponsored threats.

A diagram of a power plant AI-generated content may be incorrect.

The Chinese-Dominated Battery Market: National Security Risks

Chinese manufacturing is 60% cheaper than U.S. manufacturing for BESS and 31% cheaper for battery packs. Cost savings seem to outweigh supply chain and critical infrastructure security, where vulnerabilities can be directly attributed to battery storage systems. 

Despite the risks associated with foreign-manufactured BESS, the United States remains the largest exporter of Chinese-manufactured lithium-ion batteries, accounting for 25% of China’s $60 billion battery export market in 2023. This continued both economic and geopolitical factors complicate reliance on PRC-based suppliers.

The Biden administration’s decision to raise tariffs on Chinese lithium-ion batteries, from 7.5% to 25% by January 2026, has further complicated the market landscape. Coincidentally, President Trump’s recent decision to raise tariffs on China by an additional 10% (reaching a whopping 48.4%) will directly impact Chinese-manufactured batteries and battery energy storage systems (BESS). These tariffs, along with ongoing tensions between the U.S. and China, are reshaping the dynamics of the battery storage market, although the price advantage of Chinese manufacturing is difficult to overcome.

US House Committee Hearing: End the Typhoons. March 5, 2025

Vulnerabilities in Chinese-Manufactured BESS and Proactive Security Measures

As noted by the DOE CESER, addressing the vulnerabilities in foreign-manufactured BESS requires a proactive, multi-layered approach to ensure grid security. Key recommendations for mitigating these risks include:

  1. Comprehensive Vulnerability Analysis: Perform thorough vulnerability assessments of all components sourced for BESS, focusing on firmware integrity, software dependencies, hardware components, and communication protocols.
  2. Cyber-Informed Engineering (CIE): Ensure software is designed with security in mind, embedding robust security features during the engineering phase.
  3. Modify SLAs with Suppliers: Reevaluate and amend service-level agreements (SLAs) to prevent the handover of control of critical infrastructure to PRC-linked companies. Many Chinese BESS suppliers hold considerable procurement power, which could result in problematic clauses that compromise cybersecurity.
  4. Strategic Replacement of Components: In high-risk locations such as substations, grid control centers, and critical energy storage facilities, consider replacing vulnerable control components with those from trusted suppliers.

What other proactive security measures can you take?

  • Better SLAs and strict sourcing requirements: To reduce dependency on PRC-manufactured components, source from trusted suppliers and third parties that meet NIST and DOE CESER cybersecurity standards. Perform due diligence on all suppliers before entering any SLA or contract negotiation. 
  • Generate an SBOM: Require all suppliers, utility operators, and BESS stakeholders to provide a comprehensive Software Bill of Materials (SBOM), detailing sourcing information, component origins, version control, artifacts, metadata, and licenses. Every component must be accounted for to prevent critical vulnerabilities from entering your supply chain. 
  • Implement strict access controls and network segmentation. Access to BESS must be restricted to authorized users. Ensure that all communication between critical BESS components and external systems, especially those from foreign suppliers, is conducted over isolated, encrypted channels. This limits the risk of exfiltration or manipulation of sensitive data by foreign state actors.

Fortify Your Critical Infrastructure and Supply Chain with C2A Security

The recent initiative from the DOE CESER, INL, and the U.S. House of Representatives aims to strengthen U.S. critical infrastructure against cyberattacks from adversarial state actors. C2A Security’s EVSec platform complements these efforts, providing a comprehensive solution to cybersecurity concerns in the electric vehicle ecosystem, including BESS, grid systems, and chargers.

EVSec enhances cybersecurity in operational technology (OT) and supply chain management by providing the following key capabilities:

  • Automated Compliance and Software Vetting
    EVSec conducts thorough software vetting for battery storage systems, ensuring all software components are identified, verified, and compliant with U.S. Department of Commerce (DoC) prohibitions. It offers context-based vulnerability management, focusing on real-world threats that impact system performance, not just generic vulnerabilities.
  • Security Assessments and Testing
    Modifications are required to comply with evolving regulations, so EVSec facilitates rigorous security assessments, testing, and validation. The platform provides on-demand analytics, dashboards, and reports, enhancing decision-making and minimizing compliance delays and costs.
  • SBOM Management
    EVSec simplifies SBOM creation and management, ensuring that all software components within BESS are thoroughly documented and tracked over time. Using context-based risk analysis, it identifies vulnerabilities that affect the overall system, ensuring a targeted approach to risk mitigation. This functionality automates risk management and mitigates the impact of vulnerabilities found throughout the supply chain.
  • Audit-Ready Reporting and Monitoring
    With EVSec, users can generate audit-ready reports, track supplier compliance, and monitor adherence to security standards throughout the product lifecycle. The platform’s real-time sharing and centralized collaboration features ensure full visibility into compliance and regulatory requirements.

Schedule a demo to learn how C2A Security can help protect your power grid and supply chain from CCP-related threats.