Battery security in the age of accelerated electrification (BatSec Series 6/6)
[ Missed the previous posts? Read part 1, part 2, part 3, part 4, and part 5. ]
Electrification is transforming numerous industries and is pivotal in shaping our energy landscape. But current battery technology has various limitations, which prevent us from reaching the tipping point in the clean energy transition.
Software-defined batteries (SDBs) address these challenges and limitations. However, the same capabilities also introduce new concerns.
For SDB systems to communicate with centralized control, transmit data for analytics and real-time optimization, and receive commands to change behaviors on the fly — they must be connected to a network (e.g., the internet.)
But any time you plug something into a network, it becomes hackable and the owners become extortable. Now you may wonder, we’ve lived in a connected world long enough — why hasn’t this been a concern?
While many expensive physical assets already have some form of digital control and supervision (e.g., SCADA), few are connected to the internet because of severe security risks. Techniques like air-gapping (i.e., not connecting an asset to the internet) increase the physical effort required to breach a system, which has often been enough to deter attacks at scale.
But as we have learned from the Stuxnet computer worm, if the target is high-value enough, hackers can find ways to breach the air gaps. Today, we’re seeing a fast-growing number of air-gap-crossing attacks, and we can no longer rely on air gaps to provide sufficient security.
Meanwhile, the numerous digital and connected devices are generally of low value. So even though the security of most IoT devices is virtually non-existent (hackers can get into your home network through the thermostat or use your smart lightbulb to power their botnets), we aren’t seeing widespread, devastating impacts — yet.
But things are about to change as AI enters the game, making it much faster and easier for criminals to go after the long tail of hackable devices. The business case/ROI of hacking will change, and things that aren’t considered security risks today will soon become liabilities.
To understand the impact of digital attacks on expensive physical assets like connected battery systems, think back to the earlier days of cybersecurity. The threat landscape was the wild west, and the lack of awareness made many organizations easy targets.
Now, the only difference is that criminals have already developed advanced techniques to infiltrate software systems. They don’t need to figure them out from square one. Battery solutions running on software without iron-clad security measures are simply sitting ducks.
Electrification of critical infrastructure
In March 2023, the White House published an updated National Cybersecurity Strategy. Pillar one concerns the defense of critical infrastructure. The incapacitation or destruction of these physical or virtual assets, systems, and networks would have a debilitating effect on security, the national economy, and/or public health and safety.
The 16 critical infrastructure sectors covered by the mandate are chemical, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergence services, energy, financial services, food and agriculture, government facilities, healthcare and public health, information technology, nuclear reactors and waste, transportation systems, and water and wastewater systems.
Many of these sectors are also entering the electrification revolution. Advances in battery technology, such as SDB, will enable the transition to clean energy at unprecedented speed and scale. But the connectivity will also leave many critical systems open to exploitation if proper security measures are lacking.
Without an airtight battery security protocol, electrification of these critical infrastructure sectors at scale won’t be feasible.
A security-first mindset for the future of electrification
SDBs will drive the future of electrification. But airtight battery security is the prerequisite: (1) To enable a multi-disciplinary team to participate and collaborate safely through sandboxing and access control; (2) To prevent bad actors from breaching these systems, including critical infrastructure, for criminal activities.
Now you may wonder, what could go wrong? Since battery systems are expensive physical assets connected to digital networks, attacks could take many shapes and forms. For example, threat actors can launch ransomware, DDoS, or supply chain attacks — like the Colonial Pipeline incident but on a much larger scale.
Criminals can also venture into a new realm — they may steal power, over-stress batteries, “tune/overclock” batteries, reprogram serial numbers to make stolen packs appear legitimate (like a digital VIN swap,) break geofencing locks, make cells look like they have fewer cycles (like odometer rollback,) or cause other types of financial harm.
Additionally, lithium-ion battery packs contain vast amounts of energy. Criminals could program them to short out and cause a fire unless a ransom is paid. We aren’t just talking about the high cost of data breaches (which can also happen) but a public safety risk.
Tanktwo battery security stays ahead of the game
Battery security isn’t an afterthought in the Tanktwo Battery Operating System (TBOS). We developed our technology from the ground up with the battery security process (BSP) as an integral part of the software architecture.
But we stay ahead of the game not by claiming that we’ll make software without vulnerabilities. Despite the most rigorous development and testing process, we know our software has (yet to be discovered) bugs and problems — like any application on the planet. We also don’t believe in the fallacy of security through obscurity.
We stay ahead by adhering to the latest and strictest software design, data management, and security best practices. We review and re-review our code and invite experts to inspect our security-critical documentation. We’re planning a bounty program to reward white hat hackers who can break our code and show us our vulnerabilities.
Most importantly, we keep a close eye on all types of vulnerability disclosures across multiple industries because of the breadth and depth of our system.
We built TBOS by combining various tried-and-true technologies, which have been proven for the past 10, 20, or 30 years. We leverage best-in-class technologies as much as possible without reinventing the wheel — which means we have security experts globally to watch for vulnerabilities and devise solutions.
For example, we monitor the Common Vulnerabilities and Exposures (CVE) database lists. If any technology we use has a suspected vulnerability, we’ll immediately analyze its relevance and address the issue.
We can’t afford not to transition to clean energy, and SDB will unlock electrification at scale. Like we won’t stop using the internet because of cyber threats, we shouldn’t stop the progress of electrification because of security concerns. By combining best practices from multiple industries to create the safest and most cost-efficient power system, TBOS offers the solution to drive the future of electrification.