Keeping the smart grid cyber secure


Grids are becoming smart in every part of the world, although some countries invest more than others in modernizing their electricity networks. According to online data portal Statista, cumulative investment in power grids is forecast to increase in all regions between 2024 and 2050, with the largest amount coming from the Asia-Pacific region. But as this happens, cyber attacks on the grid are also on the increase. A report by Tech Monitor indicates that the average number of weekly cyber attacks against utilities measured in 2024 had quadrupled since 2020. Most of them do not provoke widespread damage and grid shutdowns. Nevertheless, awareness must remain high and measures must be put in place to thwart them.

What is a smart grid?

Smart grids can be described as digitally enhanced electricity grids. Legacy grids need to be modernized and, instead of rebuilding networks from scratch, injecting new digital tech in the existing systems is the most affordable way to prepare for new demands, such as the integration of renewable energies. More complex – and sometimes long-winded – definitions of the smart grid abound: according to the IEC Electropedia, for instance, smart grids utilize information exchange and control technologies, distributed computing and associated sensors to integrate the behaviour and actions of the network users and other stakeholders, and to efficiently deliver sustainable, economic and secure electricity supplies.

Several terms are frequently used in smart grid parlance, including automated substations, digital interfaces, networked sensors, intelligent electronic devices (IEDs), advanced two-way communications and distributed energy resources (DER). One of the most obscure is SCADA, which stands for supervisory control and data acquisition. All of these terms are defined in the IEC Electropedia, but what needs to be understood before the jargon is that, as grids add digital communications and interconnection where there were previously none, they are becoming easier for cyber criminals to attack. According to Forbes, in an article looking at the situation in the United States, “most of the US energy grid critical infrastructure components operate in a digital environment that is internet accessible. The trends of integration of hardware and software combined with growing networked sensors are redefining the surface attack opportunities for hackers.” The same trends can be witnessed around the rest of the world as we move more and more into the all-electric and digital age.

Cyber attacks are evolving

EE Power, a digital publication for power and energy engineers, lists different ways cyber criminals can impact the grid, which include denial of service (DoS) attacks, malware or time synchronization attacks, to name but a few. DoS attacks, for instance, involve flooding networks with a large number of spurious requests, which hinders the handling of legitimate ones. In time synchronization attacks, real-time data can be manipulated, leading to false information being circulated – for instance, about the current energy levels in the grid. Malware can be used to infect computers and ask for ransoms, for example. The variety of ways cyber criminals can do damage is mind-boggling and continuously evolving.

The pros and cons of AI

Artificial intelligence (AI) is becoming a useful tool in the fight against cybercrime, as it increasingly affects power systems. It can most notably help detect attacks and inform users about their nature. According to this article, researchers in the US state of New Mexico have developed AI algorithms which use code to monitor for cyber attack abnormalities at device, system and utility level. AI is also increasingly used as a result of the automation of the grid, enabling electricity load forecasting and the detection of any fault, not only those resulting from cybercrime, and can help the grid to “self-heal”.

But the downside is that it can also be used as a tool to help hack various systems. According to the Federation of the European Electricity Industry, Eurelectric, “Cyber criminals are leveraging AI to automate attacks, bypass security measures and create highly convincing phishing scams.”

The joint committee between ISO and the IEC prepares standards for AI that address some of these issues. ISO/IEC TS 8200, for example, specifically deals with the controllability of automated AI systems.

Tools and solutions

Most countries around the world have opted for legislation to avert cyber attacks. In the European Union, for example, the NIS 2 Directive was adopted by member states in 2024. It expands the scope of cybersecurity requirements to electricity, oil and gas networks. The EU also recently published the Cyber Resilience Act (CRA) to enhance security in the digital infrastructure.

Alongside regulations, IEC International Standards are key tools to ensure a cyber-secure grid. As IEC cyber security and grid expert Frances Cleveland explains, “There are ongoing efforts inside my working group, responsible for developing the IEC 62351 cyber security standards for the grid, which I call the ‘How to do it’ standards. The IEC has also developed the IEC 62443 Standards that tell you ‘What you need to do’. These standards are being extended to include horizontal cybersecurity requirements, meaning that different areas like the energy sector are modifying the base IEC 62443 Standards to reflect their more specific needs. We are working on the cybersecurity requirements for substations right now and will be addressing distributed energy-specific requirements. IEC 62443-4-2 can also be used for testing the cybersecurity of devices, such as EVs, photovoltaic panels and other distributed energy resources.”

The IEC 62351 series provides cybersecurity requirements as well as guidance on designing security into systems and operations before building them, rather than applying security measures after the systems have been implemented. Some of the different security objectives of these cybersecurity requirements include authentication of data transfer through digital signatures, ensuring only authenticated access, the prevention of eavesdropping, the prevention of playback and spoofing, and intrusion detection. The IEC 62443 series specifically addresses the industrial automation and control systems (IACS) used in critical infrastructure.

However, the time required to develop standards is a constraint and makes it difficult to keep up with the latest cybersecurity threats that are evolving very fast. As IEC TC 57 expert Dustin Tessier explains, “standards lag in addressing complex protections and cybersecurity applications, notably for single points of failure in centralized platforms.”

The ISO/IEC 27000 series is generally understood to address information security management and certification in IT-specific environments – not OT-based critical infrastructure like electricity grids. But as these get smarter, the line between IT and OT is blurring. (For more on this blurring line, read Keeping the world's critical infrastructure cyber secure | IEC e-tech)

The convergence between IT and OT explains why ISO/IEC JTC 1/SC 27 recently released ISO/IEC 27019, which provides information security controls for the energy utility industry, and covers a very wide range of smart grid-related technologies, including central and distributed process control, monitoring and automation technology sensors and actuators and DER integration, to name just a few.

The case of nuclear energy

Nuclear energy is seen by many countries as a way of reducing carbon emissions and it is also useful to balance the grid as it integrates more intermittent renewables. But nuclear power plants are also becoming more vulnerable to cyber threats as they become increasingly digitized.

These threats ramp up the risks to yet another level. In a worst-case scenario, hackers could take control of operations and not only wreak havoc on the grid but also induce a nuclear reactor meltdown, leading to widespread radioactive contamination.

The IEC takes these threats very seriously and cooperates with the International Atomic Energy Agency (IAEA), a UN agency that works to promote the safe, secure and peaceful use of nuclear technologies and which sets global safety standards for nuclear energy. Experts from IEC Technical Committee 45 take part in the technical working group on nuclear power plant instrumentation and control (TWG-NPPIC), which was founded by the IAEA in 1971 to give advice on and promote research into nuclear plant technology, notably human system interfaces.

A specific cybersecurity standard, IEC 62645, was developed “to prevent and/or minimize the impact of attacks against information and computer programmable digital systems on nuclear safety and plant performance”.

The standard proposes a table of high-level correspondence with the horizontal IEC 62443 series, listing dozens of subclauses related to the context of the organization, lifecycle implementation for programmable digital system security and security controls. (Read more about these standards in this interview with the Chair of IEC TC 45.)

Keeping up with cyber criminals is an ongoing battle – and one which requires the joint efforts of regulators and technical experts. For the time being, the energy sector has the right tools to do so, but the toolkit needs to be constantly updated as attacks get more sophisticated.

Author: Catherine Bischofberger

The International Electrotechnical Commission (IEC) is a global, not-for-profit membership organization that brings together 174 countries and coordinates the work of 30.000 experts globally. IEC International Standards and conformity assessment underpin international trade in electrical and electronic goods. They facilitate electricity access and verify the safety, performance and interoperability of electric and electronic devices and systems, including for example, consumer devices such as mobile phones or refrigerators, office and medical equipment, information technology, electricity generation, and much more.

The views and opinions expressed in this article are the author’s own, and do not necessarily reflect those held by pv magazine.
