Who Controls Your Energy? On the (In)Security of Residential Battery Energy Storage Systems

Abstract

The home Battery Energy Storage System (BESS) industry is on the rise [1]. Newer models are built as Internet-connected devices that offer new service models for customers and manufacturers alike. This approach, as can be observed from emerging Internet of Things (IoT) devices in the last decade, brings new challenges and issues with it. First of all, threats to user privacy and botnet attacks come to mind. More importantly, there are now substantial advances to put flexible BESS in more critical roles in the power grid and let them provide primary balancing power in order to compensate fluctuations [2].However, while the safety properties of such systems are currently being explored by researchers [3], their security is mostly unexplored and unregulated. To explore the state of security of residential BESS, we systematically analyzed commercially available storage systems from ten different manufacturers, who have a combined market share of more than 60 percent in Germany [4]. We show that all of them have security issues and four of them contain severe security flaws. In order to exemplify the deficit in the industry to properly secure Internet connected devices, we present three attacks in detail.