Last week, the European Commission moved to restrict EU funding for battery storage projects using power conversion technology sourced from China, Russia, Iran and North Korea[1]. The decision, based on classified intelligence and publicly available evidence, was described as a response to “serious” cybersecurity threats. It was not widely reported, but the implication was unmistakable: Europe’s energy security establishment has concluded that the supply chain for grid-scale battery systems is a national security question, not merely a procurement one.
The United Kingdom might be outside the EU, but it is definitely not immune to the threat.
Digital attacks, physical consequences
Electricity grids are cyber-physical systems, a category that demands particular attention because digital attacks can produce direct, real-world physical consequences. Unlike conventional IT breaches, attacks on grid infrastructure can cut power, physically damage equipment, and cascade into failures across every piece of critical infrastructure that relies on electricity.
Three structural trends are driving the threat upward. First, the digitalisation of grid infrastructure: Smart grid technology and the proliferation of IoT devices have dramatically expanded the attack surface, multiplying the entry points available to adversaries. Second, the growing sophistication of those adversaries: State-backed groups and organised cybercriminals now possess advanced, purpose-built capabilities that were, a decade ago, the exclusive territory of the most well-resourced intelligence agencies. Third, the deep interdependence of electricity systems with other critical services, such as transport, healthcare, water treatment and financial systems, amplifies the impact of any attack. Furthermore, these attacks can be conducted entirely remotely, which dramatically lowers the barrier to entry.
Attackers exploit both IT and operational technology (OT) systems through phishing and credential theft, industrial malware, denial-of-service attacks on control networks, supply chain compromise via vendors and software updates, and false data injection that misleads operators into incorrect decisions. Defence is difficult even for well-resourced operators. Legacy infrastructure was not designed with cybersecurity in mind, and specialised OT security expertise is scarce. Advanced persistent threats can remain hidden inside networks for months before they are detected.
Not a hypothetical: Real-world examples of attacks on power grids
In December 2015, hackers infiltrated three Ukrainian electricity distribution companies using spear-phishing emails, deployed BlackEnergy malware to control SCADA systems, and remotely shut down substations – leaving 225,000 people without power for up to six hours[2]. It was the first demonstrated cyberattack to directly cut electricity supply at scale. The following year, attackers returned with Industroyer (CrashOverride), a new strain of malware built specifically for power infrastructure and sufficiently automated to operate without real-time human guidance. It caused a blackout affecting a significant portion of Kyiv. The evolution between 2015 and 2016 was the point: Each attack is also a test run.
The UK has also been hit. In May 2020, Elexon, the company at the heart of the UK’s electricity balancing and settlement system, was hit by a ransomware attack. Elexon confirmed the attack was confined to internal IT systems and laptops and that electricity supply was not affected[3]. The IT/OT boundary held that time, but that boundary is thinning as grid infrastructure becomes more digitally integrated. Grid-scale battery systems sit precisely at that boundary: They are simultaneously financial assets managed through software, and physical devices capable of shifting megawatts in seconds.
The battery isn’t the risk – It’s the supply chain
In May 2025, US security researchers discovered undocumented communication modules and hidden radios embedded in Chinese-manufactured solar inverters and battery systems[4]. These components were not listed in any product documentation. They created hardware backdoors capable of circumventing utility firewalls and enabling remote access to the devices, access that could, in principle, be used to switch off inverters or destabilise grid-tied renewable installations at will. The backdoors were absent from the product documentation and were designed to be dormant until activated.
Supply chain compromise – attacking infrastructure indirectly through a vendor rather than directly through a network – is among the most difficult attack vectors to detect and defend against. When the vendor is also the manufacturer of embedded hardware, and when that manufacturer operates under a legal jurisdiction that may require cooperation with state intelligence services, the risk profile changes qualitatively. This is not conjecture; it is the operational logic that led Lithuania to pass legislation effectively restricting remote control of energy installations by unfriendly foreign states, and that led the U.S. Congress to compel the decommissioning of CATL batteries at a Marine Corps installation[5].
Meeting cybersecurity standards costs more upfront and makes compliant vendors’ equipment more expensive. That differential is not profit margin – it is the cost of the security engineering, the auditable software stack, and the legal accountability that comes with operating under a European or equivalent jurisdiction. Vendors who do not meet these standards are not cheaper because they are more efficient. They are cheaper because they have externalised the risk onto the operator, and ultimately onto the public.
The transition away from fossil fuels requires investment in battery storage – it does not require accepting unsecured battery storage. These are not the same thing, and conflating them, whether by opponents of the transition or by procurement teams under cost pressure, serves neither energy security goals nor the public interest.
Procurement must keep pace with regulation
The UK is deploying grid-scale battery storage at pace, as it should. Battery storage is essential to managing a grid with high proportions of intermittent renewable generation, but urgency in procurement is also a risk multiplier. When decisions are made quickly or under cost pressure, questions about software provenance, remote access rights, and the long-term security posture of a vendor are the ones most likely to go unasked.
The scale of the threat makes complacency dangerous. The UK’s National Cyber Security Centre recorded 204 nationally significant cyber incidents in the year to September 2025 – more than double the previous year[6]. Formal incident reporting likely understates the true picture, as existing notification policies lag behind the evolving threat landscape.
The EU has responded with a layered regulatory framework. The Network and Information System (NIS) Directive (2016) established the first mandatory cybersecurity obligations for essential service operators including electricity, while NIS2 (2023) expanded scope and introduced supply chain security requirements. The EU Cybersecurity Act (2019) established product certification schemes, and the May 2026 funding restrictions on high-risk inverters and BESS components demonstrate the practical application of that framework.
The UK’s Cyber Security and Resilience Bill, currently in committee, follows the same logic, notably introducing powers to designate “critical suppliers” in the supply chains of essential service operators and bringing them under direct regulatory oversight. Procurement decisions made today will be subject to that scrutiny tomorrow. The window to get this right at the design stage is narrowing.
Five questions every procurer should be asking
Responsible procurement of grid-scale BESS should require clear answers to five questions before a contract is signed:
- Where is the hardware designed and manufactured, and under whose legal jurisdiction?
- Where does the software originate, and who controls its update pathway?
- Who retains remote access rights, and what are the contractual and technical limits?
- Where does system-generated data flow, and where does it ultimately reside?
- What happens to vendor access if the relationship ends or geopolitical conditions change?
We’ve got to get this right, or we’ll be rebuilding later
The UK’s energy transition and its energy security are not competing objectives. We can decarbonise the grid and secure it, but we must be deliberate about our component choices. Procurement frameworks must treat cyber provenance as a primary criterion alongside price and performance. We made this mistake once with the 5G rollout, resulting in cumulative costs of about £2bn and a delay of 2-3 years[7]. The grid is more complex and more consequential, and we cannot afford a similar misstep in the energy system, one that in all probability would be even more expensive. The EU has acted. The U.S. has acted. The UK’s own legislation signals that regulation is coming. The question is whether procurement policy can move fast enough to meet it.
[1] Rayner, T. (2026) EU funding ban on high-risk inverters, including Chinese suppliers, extends to BESS PCS. https://www.ess-news.com/2026/05/04/eu-funding-ban-on-high-risk-inverters-including-chinese-suppliers-extends-to-bess-pcs/ [Accessed 15 May 2026].
[2] Whitehead, D. E., Owens, K., Gammel, D. and Smith, J. (2017) Ukraine cyber-induced power outage: Analysis and practical mitigation strategies. In: 2017 70th Annual Conference for Protective Relay Engineers (CPRE), 3–6 April 2017, College Station, Texas, USA. IEEE. DOI: 10.1109/CPRE.2017.8090056
[3] Elexon. (2020) BSC Bulletin 335 – Elexon’s internal IT systems have been impacted by a cyber attack. https://www.elexonportal.co.uk/news/view/27108?cachebust=ebf1vtjsp0 [Accessed 15 May 2026].
[4] Mcfarlane, S. (2025) Rogue communication devices found in Chinese solar power inverters. https://www.reuters.com/sustainability/climate-energy/ghost-machine-rogue-communication-devices-found-chinese-inverters-2025-05-14/ [Accessed 15 May 2026].
[5] Martina, M. (2024) Exclusive: Duke Energy to remove Chinese battery giant CATL from Marine Corps Base. https://www.reuters.com/business/energy/duke-energy-remove-chinese-battery-giant-catl-marine-corps-base-2024-02-09/ [Accessed 15 May 2026].
[6] National Cyber Security Centre. (2025) UK experiencing four ‘nationally significant’ cyber attacks every week. https://www.ncsc.gov.uk/news/uk-experiencing-four-nationally-significant-cyber-attacks-weekly [Accessed 15 May 2026].
[7] HM Government. (2020) Oral statement to Parliament: Digital, Culture, Media and Sport Secretary’s statement on telecoms. https://www.gov.uk/government/speeches/digital-culture-media-and-sport-secretarys-statement-on-telecoms [Accessed 15 May 2026].