Skip to main content

Securing the Smart Grid: Cyber challenges of connected energy assets

The old grid vs the connected grid

With the shift to renewable energy, the European energy grid has become increasingly connected. Consumers are turning prosumers and with the installation of more renewable power, the power mix has turned more renewable driven. As a result of this growth, Europe has decreased its dependency on single, high impact power generation and diversified its supply. Energy prices are changing a lot, and the electricity grid is less stable than before. The renewable electricity production often occurs at different times than the demand for power. This leads to a gap in supply and demand, which brings low electricity prices in the day-ahead market, while renewables get limited during the day and turn costly in the evening.

For the transmission service operators (TSO), this poses challenges to keep the grid balanced and have enough reserves to guarantee the uptime and frequency of the grid. The TSOs pay for flexibility services that help keep the grid balanced and keep the frequency at the right level.

Over the last few years, connectivity has made a big leap in the energy sector. Energy assets like inverters, car chargers, heat pumps, and windmills have been connected to the internet. With this increase in price volatility, paid flexibility services, and connectivity in power assets, Virtual Power Plants (VPP) are getting integrated into the energy sector.

A conceptual illustration of a Virtual Power Plant (VPP) integrating renewable energy assets such as solar panels, wind turbines, and battery storage. The image represents how these distributed resources are connected to balance fluctuating supply and demand. It highlights the role of VPPs in optimizing power production, supporting grid stability, and enabling demand-side flexibility through assets like Batteries, EV chargers and smart devices.

Fueling Virtual Power Plants

By integrating these connected assets in a Virtual Power Plant (VPP), they can be combined and used to optimize power production.

Using hardware or API connections, the VPP controls assets with fluctuating demand and supply. Combining energy assets like photovoltaics — plants with wind parks and batteries — makes the VPP more resilient against production fluctuations that come with weather changes. Adding their assets to a VPP gives renewable energy producers access to more revenue streams.

On the demand side, a VPP can use assets like car chargers and heat pumps to increase or decrease demand if the grid needs it. For example, car chargers that throttle down charging speed or delay charging provide relief on the grid. The TSO, in turn, pays for this service which is then shared with the asset owners.

Current regulations like NIS2 and NCCS primarily focus on traditional infrastructure, leaving a gap in oversight for decentralized systems like VPPs, which increasingly influence grid stability.

Integrating diverse energy assets - Challenges and risks

With the increase in connected energy assets, it is crucial to note that the more connections that need to be maintained, more data needs to be processed. 500,000 assets connected through a VPP can provide a significantly large amount of data and data-readings. These assets all have different types of connections and hardware configurations. One example is the variety of inverter brands that are active in Europe, with Chinese brands shipping the highest amount of gigawatts (GWs) of inverters to the EU.

According to data from Wood Mackenzie, the top 12 brands of PV inverter shipments between 2015 and 2023 all have more than 10GW of inverters shipped to the EU. These manufacturers control significantly more than the 5GW reserve capacity of the European grid. Additionally, they have access to the inverters, often through a cloud portal. Many stakeholders throughout the supply chain have remote access to these inverters.

Inverters connect to the internet through either a local router or cellular SIM card, transmitting operational data to the manufacturer’s cloud platform for remote monitoring and control. These devices operate in grid-following mode, requiring a stable grid signal to function. If voltage or frequency deviates from acceptable parameters, the inverter automatically shuts down, resulting in a system-wide shutdown during grid disturbances.

With aggregators and VPPs growing, these pools of energy assets are exceeding 10GW. For these organizations the cyber security risks and the impact of attacks can be critical. They should be using isolated systems with redundancies, but this is not required nor regulated. 

More connected. More risks.

With the grid getting more connected, cybersecurity risks are increasing, which is shown by the numerous examples of hacked energy assets by ethical hackers.

The Horus scenario presented by Willem Westerhof gives an overview of vulnerabilities found in a range of inverter brands. Through APIs, compromised third party access, where credentials would give access to more than 250,000 connected plants, 27 scenarios were presented where access to inverters or other connected assets could be used to bring down the grid in the Netherlands and 14 scenarios for Europe. These presented scenarios give an example of how the connected IoT assets that are currently used, form a risk for the power grid.

Besides the Horus scenario,  there are more vulnerabilities that have been found. Consider the access to the SolarMAN administrator portal and the Growatt backend, where the inverters ownership and settings could be changed.

Real-life cyberattacks

Not all vulnerabilities are found by ethical hackers. In 2015 and 2016, attacks on Ukraine’s power grid involved the use of BlackEnergy and Industroyer/CrashOverride malware. These attacks manipulated industrial control systems to cause widespread blackouts across the country. The attacks were repeated during the 2022 invasion using Industroyer2, attempting to disrupt power generation and distribution. In Germany, there have been three attacks on wind parks in 2022 and 2023 that disabled remote monitoring on various IT systems.

Some countries have already taken measures to combat these risks on a national level. In Lithuania, there is a new law in effect to limit the access from manufacturers of inverters from countries deemed as high risk. Systems that exceed 100 kW cannot be accessed remotely by the manufacturers; this includes new and old installations.

Increased dependency on cloud solutions

As cybersecurity risks escalate, the global approach to data handling has shifted especially in the energy sector, where most connected assets now rely on cloud platforms. Many of these platforms are hosted in jurisdictions outside the EU, including China and the U.S., raising serious concerns about operational integrity and energy sovereignty. Sensitive grid data, including real-time operational and customer information protected under GDPR, is increasingly exposed to remote access and control.

To safeguard national resilience, the EU should prohibit remote control of aggregated energy assets above critical thresholds by entities outside secure jurisdictions. This includes direct control via aggregators and indirect influence through firmware or software updates. Hosting operational technology (OT) systems abroad risks compromising grid stability and emergency response capabilities.

Energy providers should adopt hybrid cloud architectures, enforce strict data residency requirements, and implement secure-by-design principles aligned with standards like IEC 62443 and the NIS Directive. While current EU regulations promote risk management, they fall short of mandating secure jurisdictions. Strengthening data sovereignty ensures that physical IT infrastructure and control applications remain within the EU or trusted regions, reducing vulnerabilities in critical infrastructure.

Defending critical infrastructure: The Atos approach

Atos enables energy sector organizations to secure both local and distributed critical systems through a comprehensive suite of cybersecurity, cloud, and integration solutions. Our expertise spans hybrid cloud architectures, data center services, and end-to-end service management, designed to address the complexity of operating large, distributed, and heterogeneous environments such as Virtual Power Plants (VPPs).

We employ advanced security practices including network segmentation, zero trust, and automated updates, aligned with international standards like NIST and IEC 62443. Our consulting and assessment services help clients identify vulnerabilities, strengthen compliance, and implement robust risk management strategies.

This end-to-end collaboration with utilities, technology partners, and government agencies ensures holistic protection for critical infrastructure. After all, the future of energy and the future of our environment depend on it.

Connect with us to discover how Atos can secure your operations and support your digital transformation.

 

Hans Boksem

IoT Specialist SalesFuture Makers Research Community

View detailsof Hans Boksem >
  • Email Hans Boksem
  • Follow Hans Boksem on LinkedIn

Daan Van Mierlo

Master student digital technology of Industrial Engineering and Management at Hanze University of applied sciences

View detailsof Daan Van Mierlo >

    Categories

    Related posts

    View all blog posts

    Dive Deeper

    • Offering

    Internet of Things

    Learn more

    Share this blog article