LONGi Energy Storage BMS Earns Dual IEC 62443 Cybersecurity Certification

LONGi Energy Storage achieves dual IEC 62443-4-1 and 4-2 certification for its ESS BMS, setting a new cybersecurity benchmark for grid-connected battery storage.

LONGi Energy Storage has achieved IEC 62443-4-2 certification for the battery management system (BMS) in its utility-scale energy storage system (ESS), adding a product-level cybersecurity credential to an earlier IEC 62443-4-1 process-level certification. The milestone establishes one of the first dual-standard validations in the grid-connected storage hardware sector.

Background

IEC 62443 is the internationally recognized series of standards for cybersecurity in industrial automation and control systems (IACS), jointly developed by the International Society of Automation (ISA) and the International Electrotechnical Commission (IEC). The framework is structured in four groups, with Part 4 focused on product suppliers: IEC 62443-4-1 covers secure product development lifecycle requirements, while IEC 62443-4-2 defines technical security requirements for individual IACS components, including embedded devices, software applications, host devices, and network devices.

The standard has historically applied to industrial automation in sectors such as oil and gas and manufacturing but has gained increasing adoption across energy. The European Union's incoming Cyber Resilience Act (CRA) is expected to make IEC 62443-4-1 and 4-2 compliance effectively mandatory for any hardware or software component with a digital interface sold on the European market. The EU's NIS2 Directive already incorporates foundational aspects of the IEC 62443 framework, and industry analysts note that full vendor compliance timelines across the energy segment remain measured in years.

Battery management systems occupy a uniquely critical position in grid-connected storage assets. They govern cell-level monitoring, state-of-charge estimation, fault response, and communications with upstream energy management systems. A compromised BMS can degrade asset performance, introduce grid-stability risks, or serve as a supply-chain entry point for broader infrastructure attacks.

Details

LONGi Energy Storage's BMS has achieved IEC 62443-4-2 certification for technical security, following its earlier IEC 62443-4-1 certification for secure development lifecycle practices, validating cybersecurity capabilities at both the process level and the product level. According to the company, the dual certifications cover the full development-to-deployment arc of the product.

IEC 62443-4-2 evaluates embedded cybersecurity functions within the product itself, including identification and authentication control, access management, system integrity, and data confidentiality. The standard applies these requirements across four component types - embedded device, software application, host device, and network device - enabling asset owners and procurement teams to assess component-level security against defined security levels (SL-1 through SL-4). Each level corresponds to a distinct class of threat actor and attack sophistication.

The ISA/IEC 62443 standards set cybersecurity benchmarks in all industry sectors that use IACS, including electric power generation and distribution. According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), IACS-targeted cyberattacks increased by 100% during 2024, with SCADA system ransomware attacks costing an average of $13 million per incident.

LONGi is active across multiple storage markets. The company recently completed grid connection of a 13.75 MW/50.16 MWh BESS project in central Italy and established a service center in Madrid, positioning Europe as a key growth market where regulatory cybersecurity requirements are tightening fastest.

Part 4-2 of the IEC 62443 framework creates a procurement and certification baseline for component suppliers, aligning with system-level security needs of asset owners. Industry sources note that many asset owners already use IEC 62443 to structure OT security programs and procurement requirements. A third-party certification against 4-2 provides verifiable, auditable assurance that a BMS component meets defined security levels, reducing the due-diligence burden on utilities, independent power producers, and data-center operators procuring storage assets at scale.

Outlook

The certification arrives as EU regulators finalize the CRA's harmonized standards list. Industry observers say this process could formally designate IEC 62443-4-1 and 4-2 as the presumptive compliance pathways for grid-connected hardware components. Procurement teams at utilities and IPPs are expected to accelerate inclusion of IEC 62443-4-2 product-level certification in vendor qualification criteria, particularly for high-capacity and long-duration storage projects where cybersecurity exposure is greatest. Vendors that have not yet initiated a secure development lifecycle program under IEC 62443-4-1 face a multi-year certification runway before they can credibly compete on dual-standard grounds.