It’s that time of year again—October is here, and that means it’s Cybersecurity Awareness Month!
October was declared Cybersecurity Awareness Month by the President of the United States and Congress in 2004. It is a month for public and private sectors to work together to raise awareness of cyber threats on a local, national, and global scale.
At Powin, cybersecurity is of critical importance all year long, not just in October. Battery Energy Storage Systems (BESS) play an essential role in the modern, low-carbon energy grid, and if compromised, malicious entities could disrupt the grid resulting in grid instability, blackouts, or damage to physical infrastructure. These threats and their potential consequences to society make robust cybersecurity essential.
Working to minimize cybersecurity and financial risks for our customers and their data is our top priority. While far from a complete list, here are some of the innovative internal methods we employ to keep our systems safe from cyberattacks.
Inspect: Testing the Best to Prepare for the Worst
We conduct thorough gap and vulnerability analyses to identify potential weaknesses in our IT/OT systems and ensure they are addressed before they can become threats. Regular third-party audits provide an external perspective, keeping us accountable and ensuring our defenses are tailored to counter emergent threats.
Our approach includes software threat modeling using the STRIDE framework. We conduct real-world simulations preparing us for attacks and critical infrastructure failure to ensure our remediations are swift and painless. Ongoing penetration testing performed by certified cybersecurity experts posing as cyber criminals, actively find vulnerabilities to exercise our defense strategies and detect vulnerabilities. We continually push the limits of our defenses to ensure they can withstand attacks.
Protect: Resilient Defense for a Reliable Grid
To combat these threats, we employ a multi-layered approach to protecting system security from cyberattacks. It all begins with our fundamentally sound building blocks:
Proprietary Firmware, Battery Management System (BMS), and Energy Management System (EMS). Each of these systems is developed and tested by Powin’s U.S.-based engineering team, isolated from any third-party involvement. The control starts and stops with Powin.
Our proprietary, patented firmware, BMS, and EMS controls comply with robust localized cybersecurity standards and regulations, promoting data privacy and system integrity.
Redundant, Independent System Operation. If network connectivity is lost, each Powin BESS enclosure is designed to operate independent of the larger system: This helps guarantee safe, uninterrupted operation while isolated and avoid costly downtime.
The Purdue Model for Industrial Control Systems (ICS). This industry-standard model, developed by the Purdue Laboratory for Applied Industrial Control (PLAIC) of Purdue University, provides conceptual framework for hierarchy of system components. We employ this approach to micro-segmentation which defines and separates ICS architecture into two zones, IT and OT, then further separates OT into six zones. This micro-segmentation between layers creates “air gaps” and is one of many ways we embody zero-trust architecture in our IT/OT systems.
BESS Control Security. Powin StackOS Gatekeeper screens and blocks unauthorized commands far before they reach critical components, ensuring BESS systems are exclusively in customer control. Each instance of Gatekeeper is custom-tailored to customers’ security needs to ensure the system is always operated safely, securely, and predictably. Designed for flexibility, the system integrates seamlessly with customer IT and OT infrastructures.
Secure Controls. All control signals are protected through robust encryption whether they’re in transit or at rest. All control systems employ no-trust fundamentals, leveraging multi-factor authentication and application-specific user roles preventing unauthorized access.
Customer Data and Data Security. Protecting our customers’ personal and operational information is controlled at organizational and individual levels. Organizationally, we operate in concert with industry-standard regulations such as NERC-CIP, AESCSF, and NIS2.
Each individual at Powin approaches data security with a layered approach including strong access controls, encrypted endpoints, mobile device security, ongoing employee training, and randomized phishing tests.
Physical Security Integration. To help prevent sabotage or unauthorized control by bad actors, our energy storage systems include 24/7 monitoring and access logging, multi-tiered system access controls, and tamper-proof enclosures.
Detect: Identifying Threats in Real-time
Cyber criminals never sleep and neither do we. Powin employs 24/7 real-time threat detection to identify and neutralize vulnerabilities. We utilize advanced event logging for proactive and reactive threat mitigation, capturing detailed data on system operations and user interactions.
Our systems also employ automated alerting and response to handle compromised or offline systems, ensuring seamless failover and recovery. In the event of a system failure or cyber threat, automated alerts trigger immediate responses to restore functionality and minimize downtime.
Powin also performs routine automated codebase vulnerability scanning and correction to protect against emergent malware and exploits. These scans ensure that any vulnerabilities in the code are promptly identified and addressed, helping to safeguard our systems from both known and unknown cyber threats.
Respond: Prepared for the Unexpected
Our cloud services are engineered for resiliency, rapid recovery, ensuring our control center’s remote monitoring and control systems are restored quickly in the event of an incident affecting cloud infrastructure.
Additionally, localized, intelligent controls enable safe, secure, independent system operation if it becomes isolated from the larger Powin system. Our real-time incident response protocols, supported by continuous monitoring by dedicated teams and incident management tools, enable us to swiftly identify, contain, and eliminate threats.
Reflect and Perfect: The Journey is the Destination
Our commitment doesn’t stop at testing and evaluation. We are dedicated to constant self-reflection and improvement, regularly refining our security practices, adopting new tools and standards, and evolving our approach to align with emerging threats and regulations.
Cybersecurity All Year Long. Not Just October.
As innovative as our protections against cyberattacks may be, we know that individuals and groups with malicious intent are equally creative.
The information above is only a sampling of the methods and technologies used to combat cyber criminals internally at Powin. There’s more to our Enterprise Cybersecurity Program than can be covered in one article. Check back later this month for a follow-up post that delves into some of the many external cybersecurity methods we employ, including regulatory compliance, assessment, and best practice frameworks.
In the meantime, we encourage you to be vigilant in all matters cybersecurity, personal and professional.
- Dean Beckley, Chief Information Security Officer at Powin
- Eric Stone, Senior Product Manager at Powin
For the latest updates and news please visit our website or connect with us on LinkedIn.
