
Securing critical infrastructure with the Endian Secure Digital Platform

Remote access for battery storage systems

Battery storage systems have a central role to play in the energy transition, and secure remote access is crucial for their stable operation. One of Europe's leading manufacturers uses the Endian Secure Digital Platform to provide secure and compliant remote access to different user groups.


Battery storage improves access to green energy: thanks to these storage systems, electricity from wind and solar power is permanently available, regardless of the time of day or weather conditions.

Moreover, energy supply for commerce, agriculture, and industry is secured by battery storage systems in regions without a stable grid connection. They also offer a significant advantage to companies with large-scale renewable energy generation systems: if the main supplier reduces or stops supplying energy due to impending grid overload, the systems can store the surplus energy and release it when needed, or use it directly themselves.

Various parties need remote access to battery storage systems for them to function smoothly: integrators need to perform software and firmware updates; customers want to be able to check their storage system's charge status at any time via an app; and the battery storage manufacturer collects data from the systems to continuously optimize its solutions.

Cybersecurity as a key factor for battery storage

NTT DATA was tasked with integrating the Endian Secure Digital Platform. Christian Koch, NTT DATA's Senior Vice President of Cybersecurity, is familiar with the special requirements of the renewable energy sector: “Battery storage systems are part of critical infrastructure and are therefore considered prime targets by cybercriminals because a successful attack could cause significant economic damage and disruption to the energy supply.”

Endian CEO Raphael Vallazza adds: “Any remote access can become a target for cybercriminals. That's why battery storage systems and their IT and OT components must be consistently protected.” 

As battery storage systems count as critical infrastructure, the storage system manufacturer placed great importance on working with a European cybersecurity provider. This was done to ensure that the solution would be subject to high European data protection and security standards, and that the data collected would remain within the EU.

Secure remote access for efficiency and control

The internationally recognised standard IEC 62443, which covers the cybersecurity of industrial plants, provides a reliable framework for implementing cybersecurity measures in battery storage systems. It defines clear guidelines for networking plants securely. Role-based access is particularly relevant here, as manufacturers, service technicians and customers all need access to the same plant for different purposes. Granular management of roles and permissions prevents unauthorised access or manipulation and ensures that everyone receives only the permissions they need.

Network segmentation — the division of a network into smaller, separate areas — is equally important. Even if a system becomes infected with malware despite all protective measures being in place, network segmentation can limit the spread of the malware to a small area.

For battery storage systems that feed energy into the public grid, the strict requirements of transmission system operators and of the relevant regulatory authorities also apply. For example, they demand end-to-end encrypted VPN remote access. Additionally, it must be possible to shut down systems in Germany remotely at any time to ensure grid stability.

Furthermore, battery storage systems are often located in regions with neither a stable power supply nor a reliable internet connection. Therefore, remote access via 5G had to be enabled for the project.

NTT DATA implements the Endian Secure Digital Platform

With these specifications in mind, the manufacturer of battery storage systems turned to NTT DATA. The consulting firm was commissioned to find a suitable solution, implement it, and, if necessary, provide ongoing operational support. Together with the manufacturer, NTT DATA defined all requirements for secure networking and secure operation and then decided to use the Endian Secure Digital Platform. “With the Endian Secure Digital Platform, we have found a solution that meets the highest security standards. At the same time, it offers maximum flexibility for different user groups and for further growth,” says Christian Koch. The platform enables the networking of IT and OT infrastructure, offers secure remote access, and supports highly granular yet extremely simple management of users, networks, and end devices.

The Endian Secure Digital Platform consists of three layers. Endian 4i security gateways secure the connection of the systems in the field. These gateways are available in different versions: as pure software solutions, as virtual versions, or as hardware. They are equipped with several finely tuned security tools, such as firewall, intrusion detection and prevention, deep packet inspection (DPI), network monitoring, and protection against zero-day threats.

As soon as remote access is requested, the gateways establish a secure VPN tunnel that ensures that communication is encrypted and cannot be read or manipulated. The Endian Switchboard management tool controls the administration of all networked devices and connections. It can be used to create individual rights for specific user groups or even for individual users. Finally, the endpoint connectivity tools enable users to connect securely to the platform. 

On-site security, flexible rights assignment in the cloud

NTT DATA implemented an Endian 4i Edge XL gateway for each battery storage system to enable networking. This robust hardware variant of the Endian 4i series was specially designed for use in industrial environments. NTT DATA installed the Switchboard, which is used to manage all gateways and access permissions, as an on-premises solution in its own data center. The networks of the battery systems were then analyzed in order to separate them from each other using appropriate firewall rules. The firewall only allows connections that have been explicitly approved in advance. Unauthorized access is prevented by default.

NTT DATA also set up remote access via the Switchboard and used it to define the rights for the different user groups. Each operator of a battery storage system received their own isolated user instance. At the same time, the manufacturer of the battery storage systems retains overall control in order to perform support or diagnostic access as needed.

Conclusion

Battery storage systems are part of critical infrastructure. Comprehensive cybersecurity is therefore essential as soon as the systems are digitally networked. The Endian Secure Digital Platform ensures seamless security—from networking and data transmission to remote access. 
