Systematic Review

Cybersecurity and Resilience of Smart Grids: A Review of Threat Landscape, Incidents, and Emerging Solutions

by Bo Nørregaard Jørgensen * and Zheng Grace Ma
SDU Center for Energy Informatics, Maersk Mc-Kinney Moller Institute, The Faculty of Engineering, University of Southern Denmark, 5230 Odense, Denmark
* Author to whom correspondence should be addressed.
Appl. Sci. 2026, 16(2), 981; https://doi.org/10.3390/app16020981
Submission received: 29 December 2025 / Revised: 14 January 2026 / Accepted: 15 January 2026 / Published: 18 January 2026
(This article belongs to the Section Energy Science and Technology)

Abstract

The digital transformation of electric power systems into smart grids has significantly expanded the cybersecurity risk landscape of the energy sector. While advanced sensing, communication, automation, and data-driven control improve efficiency, flexibility, and renewable energy integration, they also introduce complex cyber–physical interdependencies and new vulnerabilities across interconnected technical and organisational domains. This study adopts a scoping review methodology in accordance with PRISMA-ScR to systematically analyse smart grid cybersecurity from an architecture-aware and resilience-oriented perspective. Peer-reviewed scientific literature and authoritative institutional sources are synthesised to examine modern smart grid architectures, key security challenges, major cyberthreats, and documented real-world cyber incidents affecting energy infrastructure up to 2025. The review systematically links architectural characteristics such as field devices, communication networks, software platforms, data pipelines, and externally operated services to specific threat mechanisms and observed attack patterns, illustrating how cyber risk propagates across interconnected grid components. The findings show that cybersecurity challenges in smart grids arise not only from technical vulnerabilities but also from architectural dependencies, software supply chains, operational constraints, and cross-sector coupling. Based on the analysis of historical incidents and emerging research, the study identifies key defensive strategies, including zero-trust architectures, advanced monitoring and anomaly detection, secure software lifecycle management, digital twins for cyber–physical testing, and cyber-resilient grid design. The review concludes that cybersecurity in smart grids should be treated as a systemic and persistent condition, requiring resilience-oriented approaches that prioritise detection, containment, recovery, and safe operation under adverse conditions.

1. Introduction

The smart grid has emerged as one of the most critical cyberphysical infrastructures of the modern age, integrating advanced information and communication technologies, data-driven services, and distributed control platforms with traditional power systems to enable two-way flows of electricity and information [1]. This digital transformation brings numerous benefits, including improved efficiency, enhanced reliability, better integration of renewable energy sources, and increased consumer empowerment, but it also introduces significant cybersecurity challenges [2]. Indeed, the smart grid is often described as the most critical Internet-of-Things-based cyberphysical application, given its central role in national infrastructure and the extensive connectivity it entails [3]. Over the past decade, power grids have become “smarter” through the widespread deployment of sensors, smart meters, automated control systems, networked devices, and data-driven management platforms [1]. At the same time, the attack surface of the grid has expanded dramatically due to the spread of IoT devices, digital communication links, software platforms, and external service dependencies, exposing power systems to a range of cyberthreats that were never envisaged in the era of analogue grids [4]. These threats are not hypothetical: cyber campaigns targeting energy infrastructure have grown in frequency, persistence, and potential impact, underscoring an urgent need for robust security and resilience measures [5,6]. While a growing body of survey and review literature has examined smart grid cybersecurity from perspectives such as network protection, protocol vulnerabilities, and intrusion detection, many existing works focus on isolated components or specific attack classes rather than analysing cybersecurity as an emergent property of complex, multi-layered smart grid architectures [7,8,9].
Early on, power utilities often assumed their control networks were isolated and therefore immune to cyberattacks [4]. That assumption is no longer tenable. Modern smart grids rely on complex integration between information technology and operational technology [7]. Utility enterprise networks, control centres, substations, smart devices, and even consumer home area networks are interconnected in some fashion [3]. Consequently, cyber intrusions can propagate in unexpected ways across what were once segregated systems. Attackers ranging from hobbyist hackers to organised cybercriminals and nation-state actors have demonstrated the ability to infiltrate power system environments, including enterprise networks, control systems, and externally connected platforms; maintain long-term access; disrupt operations; and in some cases cause physical damage [2]. For example, malware infections and network intrusions have resulted in grid equipment mis-operation and blackouts, while more recent incidents increasingly demonstrate long-term access persistence, ransomware-driven organisational disruption, and defensive detection rather than large-scale, publicly observable outages [10]. The increasing convergence of information technology and operational technology in the energy domain, combined with the integration of cloud-based services and data-driven control, has made energy infrastructure a high-value target and a focal point for cyber warfare and criminal extortion alike [2,7].
In this context, ensuring the cybersecurity and resilience of smart grids has become a top priority. Governments and industry stakeholders recognise that successful cyberattacks on electric power systems can have severe consequences, including prolonged power outages, equipment damage, and risks to public safety [11]. In parallel, the transformation of power systems into smart grids has altered not only the scale but also the nature of cybersecurity risk. Modern grid operation increasingly depends on layered architectures comprising field devices, communication networks, software platforms, data pipelines, algorithmic decision-making components, and externally operated services. As a result, cybersecurity challenges extend beyond the protection of individual devices or protocols to encompass trust relationships, lifecycle dependencies, organisational interfaces, and the ability of the system to detect, withstand, and recover from adverse events [7]. Recent studies increasingly recognise that cybersecurity risks in smart grids arise from architectural dependencies between field devices, communication networks, software platforms, and organisational interfaces, rather than from isolated technical weaknesses alone [9,12].
Recent years have seen a surge of research efforts, industry standards, and policy initiatives aimed at strengthening grid cyber defences [13]. Alongside preventative security measures, there is increasing emphasis on cyber resilience, understood as the ability of power systems to anticipate, withstand, recover from, and adapt to adverse cyber events without catastrophic service disruption [11,14,15]. Numerous studies have examined intrusion detection in smart grid networks, secure communication protocols for industrial control systems, vulnerability analyses of smart meters and substations, and the application of advanced techniques such as artificial intelligence and blockchain [7]. These works highlight challenges related to legacy system integration, real-time operational constraints, inadequate security mechanisms in older protocols, human factors, and the growing complexity introduced by platform-based operation and external dependencies. Nevertheless, significant gaps remain. The evolving threat landscape, characterised by adaptive adversaries and increasing reliance on IoT, cloud services, and data-driven automation, means that cybersecurity for smart grids remains a moving target.
This review paper provides a comprehensive overview of smart grid cybersecurity from a multidimensional and architecture-aware perspective. While several recent review studies have provided valuable insights by surveying attack vectors, defensive mechanisms, and emerging technologies such as artificial intelligence and blockchain [7,9,16], much of the existing literature remains fragmented, often focusing on specific subsystems, communication protocols, or detection techniques in isolation. As modern power systems increasingly rely on layered digital platforms, external service providers, and algorithmic control components, cybersecurity risks arise not only from technical vulnerabilities but also from architectural dependencies and organisational couplings across the system lifecycle [12,16]. In response to this gap, the present review explicitly links smart grid architectural characteristics, security challenges, cyberthreats, and documented real-world incidents in order to support a resilience-oriented understanding of cyber risk propagation across interconnected energy system components.
To operationalise this architecture-aware and resilience-oriented perspective, the remainder of the paper is structured to progress systematically from methodological foundations, through architectural and threat analyses, to empirical incident evidence and forward-looking defensive strategies. Section 2 presents the review methodology, outlining the scoping review approach adopted in accordance with PRISMA-ScR and describing the objectives, research questions, search strategy, and synthesis process. Section 3 introduces the architecture of modern smart grids and their key components, highlighting how digitalisation, platform-based operation, and increased connectivity distinguish contemporary power systems from traditional grids while simultaneously expanding the cyber-attack surface. Section 4 examines the fundamental cybersecurity challenges in smart grids, explaining why these systems are particularly difficult to secure due to their distributed and heterogeneous nature, real-time operational constraints, long asset lifecycles, and the requirement to maintain continuous power delivery even under adverse conditions. Section 5 categorises the major cyberthreats and attack vectors relevant to smart grids, linking them to underlying architectural and operational vulnerabilities and organising them according to their impact on confidentiality, integrity, and availability, as well as commonly observed attack techniques and threat mechanisms. To ground the analysis in practice, Section 6 reviews notable cyber incidents that have affected energy infrastructures over the past decades, ranging from early malware infections in industrial environments to more recent targeted attacks on power grids, platform dependencies, and ransomware incidents affecting critical energy services. Building on the insights derived from these incidents, Section 7 synthesises defensive strategies and emerging solutions aimed at enhancing smart grid cybersecurity and resilience, including advanced monitoring and anomaly detection, secure software and update mechanisms, architectural security principles, and digital-twin-based cyber-physical testing approaches. Finally, Section 8 concludes with a discussion on pathways toward a more cyber-resilient smart grid, emphasising the need for resilience-oriented design, cross-sector coordination, regulatory alignment, and proactive security by design as the electricity system continues to evolve. Throughout the paper, recent scientific literature and industry reports are synthesised to inform both researchers and practitioners about the current state of smart grid cybersecurity and future research directions.

2. Methodology

This study follows a scoping review methodology reported in accordance with the Preferred Reporting Items for Systematic Reviews and Meta-Analyses extension for Scoping Reviews (PRISMA-ScR). A scoping review approach was selected because cybersecurity in smart grids represents a heterogeneous and interdisciplinary research domain spanning power systems engineering, operational technology, information and communication technologies, cyberphysical security, and organisational resilience. The objective of the review is to map existing concepts, evidence types, threat categories, documented cyber incidents, architectural vulnerabilities, and mitigation approaches, rather than to assess intervention effectiveness or conduct quantitative synthesis.
The review was guided by the following objectives:
  • Identify and classify cybersecurity threats and attack vectors relevant to smart grids across architectural layers, components, and interfaces.
  • Map documented cyber incidents affecting energy infrastructures to threat categories and impacted smart grid functions.
  • Synthesise technical and organisational approaches proposed to improve prevention, detection, response, and recovery in smart grid environments.
  • Identify research gaps and future directions for improving cybersecurity and resilience in smart grids.
Based on these objectives, the review addresses the following questions:
  • Which threat categories and attack vectors are reported in relation to smart grids and closely related electricity system infrastructures?
  • Which architectural components and communication interfaces are most frequently targeted or exposed?
  • Which real-world cyber incidents have affected energy infrastructures relevant to smart grids, and how do these incidents map to threat categories and impacted components?
  • Which approaches are proposed in the literature to enhance cybersecurity and resilience, and where do gaps remain?
No formal review protocol was registered or published prior to conducting the review. Nevertheless, the objectives, eligibility criteria, search strategy, and data charting approach were defined a priori and applied consistently throughout the review process, and the reporting follows the PRISMA-ScR checklist to ensure transparency and reproducibility.
Sources of evidence were selected using predefined eligibility criteria. Included sources comprise peer-reviewed journal articles and conference papers addressing cybersecurity and resilience in smart grids or closely related electricity system infrastructures; studies proposing threat models, taxonomies, architectural analyses, or approaches for detection, mitigation, response, or recovery applicable to smart grid contexts; and publications reporting or analysing real-world cyber incidents affecting electricity generation, transmission, distribution, substations, control centres, market operations, or grid-supporting information infrastructures where transferable insights for smart grids are provided. Only English-language publications were considered. Sources focusing exclusively on smart homes, smart cities, or generic information technology systems without explicit relevance to smart grid architectures or operational constraints were excluded, as were studies addressing only physical security without a cyber or cyberphysical dimension and commentaries lacking analytical or technical content. No restriction on publication year was applied in order to capture both foundational contributions and recent developments.
The literature search was conducted using major scientific databases relevant to power systems and cybersecurity, including IEEE Xplore, Scopus, and Web of Science. The search strategy was designed to reflect the architecture-aware and resilience-oriented scope of the review by enforcing the co-occurrence of electricity-system-related concepts and cybersecurity-related concepts. Rather than relying on a single keyword formulation, complementary search strings were constructed to capture relevant literature across different smart grid architectural layers, including grid-wide concepts, industrial control and substation systems, advanced metering infrastructure, distributed energy resources, digital platforms, and resilience-oriented security approaches. Sources focusing primarily on smart homes or smart cities were excluded from the search scope in order to maintain a clear focus on grid-scale architectures, operational technologies, and cybersecurity challenges directly relevant to electricity system operation and resilience.
Across all databases, search strings combined grid-related terms such as smart grid, power grid, electric grid, and power system with cybersecurity-related terms including cybersecurity, cyber security, cyberattack, industrial control system, SCADA, operational technology, intrusion detection, anomaly detection, and resilience. Boolean logic and grouping were explicitly applied to ensure that retrieved records addressed both an electricity system context and a cybersecurity or resilience dimension. Database-specific syntax and field restrictions were used where appropriate, and equivalent conceptual combinations were applied consistently across databases. As an illustrative example, in IEEE Xplore, the search strategy combined grid-related and security-related terms using the following structure: (“smart grid” OR “power grid” OR “electric grid”) AND (cybersecurity) AND (cyberattack OR cyberthreat OR resilience). Searches were limited to English-language publications and were not restricted by publication year in order to capture both foundational work and recent developments.
In addition to peer-reviewed literature, authoritative institutional and organisational sources were included to capture policy documents, technical guidelines, threat landscape reports, and well-documented cyber incident analyses that are not consistently reported in academic venues. These sources were identified through targeted searches of recognised governmental agencies, international standardisation bodies, and sector-specific organisations in the energy and cybersecurity domains, including energy regulators, cybersecurity agencies, and electricity sector information-sharing organisations. Institutional reports were included only when they provided verifiable, incident-specific, or technically substantive information directly relevant to smart grid cybersecurity and resilience, and they were used primarily to complement and contextualise the peer-reviewed literature rather than to replace it. In line with the scoping review methodology, no formal critical appraisal of institutional or organisational sources was conducted; however, inclusion was restricted to well-documented, authoritative publications that provided technically substantive and verifiable insights relevant to smart grid cybersecurity and resilience.
The selection of sources of evidence followed a two-stage process. First, titles and abstracts were screened against the eligibility criteria to exclude clearly irrelevant sources. Second, full texts of the remaining records were assessed for eligibility. Duplicate records were removed prior to screening, and reasons for exclusion at the full-text stage were documented. The identification, screening, eligibility, and inclusion process is reported using a PRISMA-ScR flow diagram, shown in Figure 1.
Data charting was performed using a structured extraction form aligned with the review objectives and research questions. The charting process focused on capturing conceptual, architectural, and incident-related information rather than quantitative outcomes. For each included source, the following data items were extracted: publication year and type; smart grid domain and architectural scope; threat category and attack vector, including targeted components and interfaces; impacted security objectives, including confidentiality, integrity, and availability where applicable; proposed prevention, detection, mitigation, response, or recovery approaches; evaluation context, including simulation, testbed, field deployment, or case analysis where reported; and, for incident-focused sources, the affected assets, attack characteristics, and reported consequences where available.
In accordance with PRISMA-ScR guidance, no formal critical appraisal of individual sources was conducted, as the purpose of the review is to map the scope, characteristics, and distribution of existing evidence rather than to assess the quality or effectiveness of specific interventions. Priority was nevertheless given to peer-reviewed publications and well-documented incidents to support the reliability of the synthesis.
The extracted data were synthesised using a narrative and mapping-based approach. Structured tables and mappings were developed to relate cybersecurity challenges and threats to smart grid architectural components and interfaces and to link documented incidents with threat categories and defensive measures. This synthesis supports the identification of recurrent vulnerabilities, underexplored interfaces, and gaps between reported threats and existing mitigation strategies, thereby informing future research directions.

3. Smart Grid Architecture and Key Components

A smart grid can be defined as an electricity network that uses digital technology to monitor and manage the transport of electricity from all generation sources in order to meet the varying electricity demands of end users [1]. It is often described as the combination of the traditional power grid, consisting of physical infrastructure for generation, transmission, and distribution, with a layer of modern information and communication technologies that enables automated two-way communication and control [1]. The United States National Institute of Standards and Technology has conceptualised the smart grid as comprising seven domains, namely bulk generation, transmission, distribution, customers, service providers, operations, and markets [17]. The first three domains correspond to the physical power delivery infrastructure: bulk generation includes large power plants and also distributed energy resources (DERs) such as solar farms and wind turbines; transmission refers to the high-voltage network that transports power over long distances; and distribution is the lower-voltage network that delivers electricity to end users. The remaining domains capture the informational and transactional aspects: the operations domain includes control centres and systems that manage grid reliability; the market domain represents energy markets and trading mechanisms; service providers encompass the utility companies and third-party vendors offering energy services; and the customer domain covers the end users (residential, commercial, industrial consumers, many of whom can now also produce energy). Figure 2 conceptually illustrates these domains and their interactions. In essence, the smart grid overlays a rich information network onto the physical grid, enabling real-time bidirectional flows of both electricity and data, such as price signals, control commands, and sensor measurements. This creates an interactive and intelligent energy system that can self-balance, respond to faults, integrate renewable energy and storage technologies, and empower consumers to actively participate in energy management. From a cybersecurity perspective, this architectural decomposition is essential because it provides the structural basis for analysing how vulnerabilities, threats, and failures emerge and propagate across interconnected components, platforms, and organisational boundaries in modern smart grids.
Along with this conceptual architecture, it is important to identify the key technological components that make a grid smart. A non-exhaustive list of major components includes advanced sensors and intelligent electronic devices deployed throughout the grid for monitoring equipment health, voltages, and currents; high-speed communication networks linking devices and control centres; supervisory control and data acquisition systems and other industrial control systems for remote monitoring and control; phasor measurement units providing synchronised high-resolution grid measurements; remote terminal units interfacing with sensors and actuators in substations; and the advanced metering infrastructure on the customer side, which includes smart meters and meter data management systems [18]. Two key components in the smart grid are Supervisory Control and Data Acquisition (SCADA) systems and the Advanced Metering Infrastructure (AMI) [19]. SCADA systems serve as the brains of grid operations. They collect data from remote sites and allow operators or automated controllers to open and close breakers, adjust transformers, and start or stop generators. Originally, SCADA networks were isolated and relied on proprietary protocols, and cybersecurity was therefore not a design focus. Today’s SCADA has evolved into more open and networked architectures, often operating over TCP/IP networks and sometimes leveraging cloud connectivity, which makes these systems susceptible to a variety of cyberthreats [20]. Modern SCADA software and hardware come with expanded functionality and remote access capabilities, but these conveniences can introduce weaknesses. For instance, legacy SCADA protocols like Modbus and DNP3 often lack encryption or authentication, meaning that if an attacker can gain network access, they might issue fake control commands or eavesdrop on sensor data [20]. Compromising a SCADA system can potentially give an attacker direct control of field equipment, which represents an extremely dangerous scenario that could lead to widespread outages or equipment damage [7]. While SCADA systems remain a central element of grid operation and an important reference point for cybersecurity analysis, they represent only one component within a broader and increasingly platform-based smart grid architecture.
AMI is the network of smart meters installed on customer premises, the communication links, whether wireless or wired, that connect meters to the utility, and the systems that collect and process meter data [21]. Smart meters enable automated and real-time measurement of electricity consumption, time-of-use pricing, remote connection and disconnection, and additional services. They function as IoT devices distributed across potentially millions of homes and businesses. The rollout of smart meters has significantly improved operational efficiency and enabled innovative programmes such as demand response, but it has also broadened the threat surface of the grid [22]. Each meter is a networked device that could be hacked or manipulated if not properly secured [23]. Moreover, the data collected in the form of detailed energy usage profiles can be sensitive from a privacy perspective, since analysis of high-resolution usage data can reveal personal activities, appliance usage patterns, and occupancy behaviour [24]. Compromising smart meters or the advanced metering infrastructure network could allow attackers to steal data, thereby violating privacy, commit fraud such as falsifying meter readings to reduce bills or enable energy theft, or even disrupt grid operations [25]. For instance, coordinated switching off of many smart meters could destabilise the grid [26]. Recognising these risks, modern advanced metering infrastructure systems employ stronger security measures than early generation meters, including encryption of communications and device authentication [27]. Nonetheless, challenges remain. Smart meters often have constrained computing resources, which makes it difficult to implement heavyweight security algorithms [28]. Many meters are installed in physically insecure and publicly accessible locations, which increases the risk of tampering [29]. In addition, the wireless mesh networks used by some advanced metering infrastructure deployments can be susceptible to jamming [30] or spoofing attacks [31]. SCADA systems and advanced metering infrastructure are two prime examples of smart grid subsystems that deliver substantial functionality but must be protected against cyberthreats that are commensurate with their criticality. Beyond SCADA systems and smart metering infrastructures, contemporary smart grid architectures increasingly rely on digital platforms and externally operated services to support core operational functions [32]. Energy management systems [33], distributed energy resource orchestration platforms [34], outage management tools [35], and electricity market participation are often deployed using cloud-based services [36]. These platforms increasingly embed algorithmic decision-making and automated control functions, meaning that data processing, optimisation logic, and machine-driven decisions form an integral but often opaque architectural layer between physical assets and operational actions. In addition, utilities frequently depend on third-party service providers for data processing, forecasting, asset monitoring, and software maintenance, resulting in architectural dependencies that extend beyond traditional utility-owned infrastructure. These externally operated components form an integral part of modern grid operation and must therefore be considered first-class elements of the smart grid architecture.
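The "coordinated switching off of many smart meters" risk noted above has a detection side at the AMI head-end: a single remote disconnect is routine billing activity, while a burst of them in a short window is the pattern worth alerting on. The following is an added example written for this review, not code from the paper or from any metering product; the audit log format, meter and account names, window, and threshold are all assumptions and the log itself is constructed.

```python
"""Burst detection for smart-meter remote disconnect commands (added example; constructed log).
A single remote disconnect is routine billing activity; many of them within a short window is
the load-shedding pattern that could destabilise a feeder, so the head-end audit log is a natural
place to watch for it."""
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Deque, List, Set

# Constructed head-end audit log: "<ISO-8601 UTC> <meter id> <command> <issuing account>"
SAMPLE_LOG = """\
2025-03-04T02:10:05Z MTR-000117 READ_INTERVAL svc_collector
2025-03-04T02:11:40Z MTR-004201 REMOTE_DISCONNECT ops_billing
2025-03-04T02:31:02Z MTR-000931 REMOTE_DISCONNECT ops_billing
2025-03-04T03:00:00Z MTR-007710 REMOTE_DISCONNECT svc_collector
2025-03-04T03:00:04Z MTR-007711 REMOTE_DISCONNECT svc_collector
2025-03-04T03:00:09Z MTR-007712 REMOTE_DISCONNECT svc_collector
2025-03-04T03:00:13Z MTR-007713 REMOTE_DISCONNECT svc_collector
2025-03-04T03:00:18Z MTR-007714 REMOTE_DISCONNECT svc_collector
2025-03-04T03:00:22Z MTR-007715 REMOTE_DISCONNECT svc_collector
2025-03-04T03:05:00Z MTR-007716 READ_INTERVAL svc_collector
"""

@dataclass(frozen=True)
class CommandEvent:
    ts: datetime
    meter: str
    command: str
    account: str

@dataclass
class Burst:
    start: datetime
    end: datetime
    meters: List[str] = field(default_factory=list)
    accounts: Set[str] = field(default_factory=set)

def parse_log(text: str) -> List[CommandEvent]:
    """Parse the audit log; malformed lines are skipped rather than aborting the scan."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        events.append(CommandEvent(ts, parts[1], parts[2], parts[3]))
    return events

def detect_disconnect_bursts(events: List[CommandEvent], window: timedelta = timedelta(seconds=60),
                             threshold: int = 4) -> List[Burst]:
    """Sliding-window count of REMOTE_DISCONNECT commands; one Burst per run above threshold."""
    recent: Deque[CommandEvent] = deque()
    bursts: List[Burst] = []
    current = None
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.command != "REMOTE_DISCONNECT":
            continue
        recent.append(ev)
        while ev.ts - recent[0].ts > window:   # drop disconnects older than the window
            recent.popleft()
        if len(recent) < threshold:
            current = None                    # rate fell below threshold: burst is over
            continue
        if current is None:                   # threshold first crossed: open a burst
            current = Burst(recent[0].ts, ev.ts, [e.meter for e in recent],
                            {e.account for e in recent})
            bursts.append(current)
        else:                                 # burst continues: extend it
            current.end = ev.ts
            current.meters.append(ev.meter)
            current.accounts.add(ev.account)
    return bursts
```

The accounts set in each burst is what an analyst would look at first: in the constructed log the burst is issued by a collector service account rather than the billing account that issued the routine disconnects.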
Other notable components of a smart grid include distributed energy resources and their controllers, such as inverters for solar photovoltaic systems or wind turbines, microgrid controllers that coordinate local generation and loads, energy management systems used by utilities and intelligent buildings, and a range of networking devices including routers, switches, and gateways that enable communications [1]. Each of these components can introduce new vulnerabilities if not properly secured [4]. From an architectural perspective, these components are increasingly integrated through complex software stacks and persistent data pipelines that span multiple organisational boundaries [2]. Control commands, measurement data, configuration parameters, and optimisation signals routinely traverse interfaces between field devices, control centres, market platforms, and analytics services [3]. Software updates and configuration changes are commonly delivered through vendor-provided tooling and remote access mechanisms over the operational lifetime of grid assets. As a result, software dependencies, update paths, and data flows constitute enduring architectural features of the smart grid, rather than transient operational processes [2]. This software-centric integration enables advanced functionality but also introduces long-term dependencies that shape system behaviour throughout planning, deployment, operation, and maintenance phases [2]. For example, distributed energy resource inverters often use standard protocols such as IEEE 2030.5 [37] or SunSpec Modbus [38] to communicate status information and receive dispatch signals [37,39]. If an attacker compromises these communications, they could manipulate distributed energy resource outputs or disable them entirely [40]. Home energy management systems and Internet of Things appliances on the customer side connect into the overall system through home networks and the internet, which raises important questions about secure interoperability between utility systems and customer-owned devices [41]. In effect, the smart grid blurs the traditional boundary of the utility network.
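Both the SCADA discussion (Modbus and DNP3 lacking encryption or authentication) and the DER paragraph above (SunSpec Modbus dispatch signals) come down to the same property: a Modbus write is executed for whoever can reach the outstation. The monitor below is an added example written for this review, not code from the paper or from any vendor; it parses captured Modbus/TCP requests and alerts on write function codes from hosts outside an assumed allowlist of SCADA masters or aimed at assumed protected points. IP addresses, unit identifiers, register addresses, and frames are all constructed.

```python
"""Passive Modbus/TCP write monitor (added example; all addresses and frames are constructed).
Modbus/TCP and SunSpec Modbus carry no authentication, so any host reaching an outstation
on TCP/502 can write to it.  A monitor cannot add authentication, but it can make every
write visible and alert on writes from unknown hosts or to protected points."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Public function codes whose PDU starts with a 16-bit address and a 16-bit value/quantity
ADDRESSED_FUNCTIONS = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x0F, 0x10}
WRITE_FUNCTIONS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                   0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}

@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: Optional[int]  # starting address
    value: Optional[int]    # written value (single writes) or quantity (reads, multi-writes)

def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(frame) - 6:  # the length field covers unit id plus PDU
        raise ValueError("MBAP length field does not match frame size")
    function_code = frame[7]
    address = value = None
    if function_code in ADDRESSED_FUNCTIONS:
        if len(frame) < 12:
            raise ValueError("truncated PDU for function code 0x%02X" % function_code)
        address, value = struct.unpack(">HH", frame[8:12])
    return ModbusRequest(transaction_id, unit_id, function_code, address, value)

@dataclass(frozen=True)
class Alert:
    severity: str
    src_ip: str
    function: str
    address: Optional[int]
    reason: str

def protected_point_hit(req: ModbusRequest, protected: Dict[int, str]) -> Optional[int]:
    """First protected address touched by the request (multi-writes cover a range), else None."""
    if req.address is None:
        return None
    count = req.value if req.function_code in (0x0F, 0x10) else 1
    return next((a for a in range(req.address, req.address + count) if a in protected), None)

def monitor_requests(captured: List[Tuple[str, bytes]], authorised_masters: Set[str],
                     protected_points: Dict[int, str]) -> List[Alert]:
    """Classify captured (source IP, frame) pairs; reads are routine polling and never alert."""
    alerts: List[Alert] = []
    for src_ip, frame in captured:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as exc:
            alerts.append(Alert("medium", src_ip, "malformed", None, str(exc)))
            continue
        if req.function_code not in WRITE_FUNCTIONS:
            continue
        name = WRITE_FUNCTIONS[req.function_code]
        if src_ip not in authorised_masters:
            alerts.append(Alert("high", src_ip, name, req.address,
                                "write from a host that is not a known SCADA master"))
            continue
        hit = protected_point_hit(req, protected_points)
        if hit is not None:
            alerts.append(Alert("medium", src_ip, name, hit,
                                "authorised master wrote protected point: " + protected_points[hit]))
    return alerts

# Constructed sample traffic: one assumed SCADA master (10.0.1.10) and one unknown host
AUTHORISED_MASTERS = {"10.0.1.10"}
PROTECTED_POINTS = {19: "feeder breaker trip coil"}
SAMPLE_CAPTURE = [
    ("10.0.1.10", bytes.fromhex("000100000006010300000002")),  # read 2 holding registers
    ("10.0.1.10", bytes.fromhex("0002000000060106000A0064")),  # write register 10 = 100
    ("10.0.1.10", bytes.fromhex("000300000006010500130000")),  # coil 19 OFF, from master
    ("10.0.5.77", bytes.fromhex("000400000006010500130000")),  # same command, unknown host
    ("10.0.5.77", bytes.fromhex("00050000000301")),            # truncated frame
]

def run_sample() -> List[Alert]:
    return monitor_requests(SAMPLE_CAPTURE, AUTHORISED_MASTERS, PROTECTED_POINTS)
```

The same breaker command yields a medium alert from the known master (a legitimate but high-consequence action worth logging for review) and a high alert from the unknown host, which is the distinction an allowlist-based monitor can draw even though the protocol itself cannot.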
A further architectural evolution is the growing role of data analytics and algorithmic decision-making within smart grid operations [42]. Large volumes of operational data collected from sensors, meters, and distributed resources are increasingly processed by forecasting, optimisation, and control algorithms to support automated or semi-automated decision-making [43]. These analytics functions may be deployed within control centres, cloud environments, or hybrid architectures that combine local and remote processing. The resulting control actions, such as dispatch decisions or demand response signals, are thus mediated by algorithmic components that form part of the operational architecture. This shift toward data-driven and algorithm-supported control introduces additional layers of abstraction between physical assets and control actions, reinforcing the importance of understanding data and computation as integral architectural elements. Here the emphasis on open standards and interoperability, which is vital for the success of the smart grid, must be carefully balanced with robust security in order to prevent untrusted devices or networks from becoming entry points for attackers. As discussed throughout this work, one of the recurring themes in smart grid cybersecurity is managing this trade-off, namely, how to reap the benefits of connectivity and data exchange without unduly increasing the risk of cyber intrusions.
Taken together, the smart grid architecture is no longer defined solely by physical generation, transmission, and distribution assets coupled with local control systems. Instead, it comprises a layered ecosystem of field devices, communication networks, software platforms, data pipelines, algorithmic components, and externally operated services. These elements are interconnected through persistent interfaces and long-lived dependencies that enable flexibility, automation, and integration of diverse energy resources. At the same time, this architectural complexity introduces intricate trust relationships and interdependencies that fundamentally influence how cybersecurity risks arise and propagate within smart grids. Understanding these architectural characteristics is therefore essential for analysing the security challenges discussed in the following section. In particular, the software-intensive and dependency-rich nature of smart grid architectures directly shapes the types of cybersecurity challenges that arise, the feasibility of defensive measures, and the potential for cascading cyber–physical impacts.

4. Security Challenges in Smart Grids

Transitioning from traditional power grids to smart grids has not only enhanced capabilities but also spawned new security challenges [8]. Several inherent characteristics of smart grids make them more difficult to secure compared to legacy power systems or many conventional IT environments [9]. Rather than cataloguing specific attacks, this section focuses on the structural, operational, and organisational conditions that enable cyberthreats to emerge and persist in smart grid environments. We outline the key challenges and risk factors below.

4.1. Attack Surface Expansion and System Interconnectivity

The smart grid involves a vast number of interconnected devices and systems, ranging from large control centres to millions of smart meters and IoT sensors [44]. This interconnectedness is a double-edged sword. While it enables efficient two-way communication and control, it also means that a compromise in one part of the network can potentially propagate to others [9]. Every newly connected sensor or controller represents a potential infiltration point. Unlike a traditional grid, where critical control networks were isolated, modern distribution and transmission environments are tightly coupled with corporate information technology networks and third-party communication infrastructures, so that a failure or compromise in those networks has direct operational consequences. This creates numerous access points for attackers. For instance, an advanced metering network often relies on wireless mesh communications or cellular links that an attacker could target through eavesdropping or the injection of malicious traffic [45]. Similarly, the integration of distributed generation means that external control signals, such as price or dispatch signals from markets or operators, traverse networks that could be spoofed if not properly secured [31]. The two-way information flow, in which consumers not only receive power but also send data and inject energy back into the system, expands the avenues for unauthorised access if proper authentication mechanisms are lacking [28].

4.2. Information Technology Platforms, Cloud Dependence, and Data Handling

An increasingly prominent security challenge in modern smart grids arises from the growing dependence on cloud-based platforms and third-party digital services [32,46]. Utilities are progressively adopting cloud-hosted solutions for energy management systems, distributed energy resource orchestration, asset analytics, outage management, and market participation. While these platforms offer scalability, advanced analytics, and reduced operational overhead, they also introduce new trust boundaries that extend beyond the direct control of grid operators [20]. Unlike traditional on-premise supervisory control environments, cloud platforms are typically shared infrastructures operated by external providers, often spanning multiple jurisdictions and subject to complex contractual and regulatory conditions [47]. This shift fundamentally alters the threat model of smart grids. Cybersecurity risks are no longer confined to utility-managed networks but now encompass cloud provider infrastructures, virtualised environments, application programming interfaces (APIs), and identity federation mechanisms [20]. A compromise of a cloud service provider or of a widely used platform component could have cascading effects across multiple utilities simultaneously, creating systemic concentration risk [14]. Furthermore, cloud service outages or misconfigurations can impair grid visibility and control even in the absence of a malicious attack. These dependencies complicate incident response, as utilities may lack direct access to the underlying systems needed for forensic analysis or rapid remediation. As cloud adoption accelerates, ensuring clear accountability, strong isolation mechanisms, and verifiable security assurances from third-party providers becomes a critical challenge for smart grid cybersecurity.
Similarly, the increasing integration of artificial intelligence and advanced optimisation algorithms into smart grid operations introduces a new class of security challenges that extend beyond traditional network and device vulnerabilities [48]. Machine learning models are increasingly used for load forecasting, fault detection, demand response optimisation, and autonomous control decisions [49]. While these techniques enhance efficiency and responsiveness, they also create dependencies on data quality, model integrity, and algorithmic behaviour that can be exploited by adversaries. Adversarial manipulation of training data, known as data poisoning, can subtly bias predictive models and lead to incorrect operational decisions without triggering conventional alarms [50]. Similarly, carefully crafted inputs presented at inference time (adversarial examples) may exploit model sensitivities, causing misclassification or erroneous control actions. The opacity of many machine learning models further complicates detection, as operators may lack intuitive explanations for algorithmic outputs. The core challenge therefore lies not in individual attack techniques but in the dependency of grid operation on data integrity, model behaviour, and opaque decision logic, which constrains detection, validation, and safe fallback under adverse conditions. Over-reliance on automated decision-making can amplify the impact of cyberattacks by accelerating the propagation of erroneous actions through the grid [14]. Ensuring the security and trustworthiness of AI-enabled grid functions requires new approaches, including model validation, explainability, redundancy, and continuous performance monitoring under adversarial conditions.
With smart meters and Internet of Things devices, vast amounts of data about customers’ energy usage are being collected. This raises privacy issues that were absent in the traditional grid [24]. Detailed load profiles can reveal personal information such as work schedules, appliance usage patterns, and even behavioural habits within the home [25]. Protecting this data from unauthorised access or misuse represents both a security and a compliance challenge, particularly in regions where regulations mandate the protection of customer data [51]. At the same time, utilities often need to share or analyse this data for purposes such as billing, grid planning, or the provision of value-added services. Implementing privacy-preserving data analytics, anonymisation techniques, or secure data sharing frameworks remains an evolving area within the smart grid domain [52]. A breach that exposes the energy usage records of millions of customers could erode public trust and trigger regulatory penalties. Consequently, data security, including encryption of data at rest and in transit and robust access controls for databases, constitutes an essential component of smart grid cybersecurity.

4.3. Legacy Control Systems, Protocols, and Operational Technology

Power systems historically utilised industrial control protocols such as DNP3 [53], IEC 60870-5-104 [54], and Modbus [55], along with devices that were not designed with cybersecurity in mind [56,57]. In their original form these protocols provide neither encryption nor authentication: any party that can reach a device on the network can read its data and issue commands. Secure profiles have since been standardised (for example DNP3 Secure Authentication in IEEE 1815, the IEC 62351 series for IEC 60870-5-104 and IEC 61850, and Modbus/TCP Security over TLS), but they require device and software support that much of the installed base lacks. In the smart grid era, these legacy protocols are often layered over Internet Protocol networks or interconnected with newer systems, which exposes their inherent weaknesses [58]. For example, wireless sensor networks are used to link smart meters or grid sensors, but they may rely on protocols that are vulnerable to sniffing and replay attacks if they are not properly secured [45]. Legacy remote terminal units and programmable logic controllers may still be in use in substations [59]; such devices can be fragile when exposed to network scanning or malware because of outdated firmware [60]. Upgrading or patching such field devices is not trivial, often requires physical visits, and may cause service interruptions. As a result, utilities tend to avoid frequent updates, leaving devices with known vulnerabilities in operation [27]. This mix of old and new technologies in the grid environment creates a patchwork of security postures in which the least secure component can undermine the entire system [16].

4.4. Software Supply Chains and Update Mechanisms

The integrity of software supply chains has emerged as a major cybersecurity concern for smart grids. Grid operations increasingly rely on complex software stacks composed of vendor-developed applications, embedded firmware, open-source libraries, and automated update mechanisms [61]. While these components enable functionality and interoperability, they also create opportunities for attackers to introduce malicious code through trusted distribution channels [62]. Supply chain attacks are particularly dangerous because they exploit implicit trust relationships, allowing compromised software to bypass perimeter defences and traditional intrusion detection mechanisms. In smart grid environments, supply chain risks are amplified by long asset lifecycles and infrequent patching. Field devices such as protection relays, remote terminal units, and intelligent electronic devices may operate for decades, during which vulnerabilities in their firmware or update mechanisms may remain undiscovered or unpatched [60]. Utilities often depend on vendors for updates and may lack the means to independently verify the authenticity and integrity of delivered software. Furthermore, maintenance laptops and engineering workstations used for configuration and updates can act as vectors for introducing compromised software into operational networks. These challenges underscore the need for robust software provenance verification, cryptographic signing of updates, and continuous monitoring of device integrity throughout the system lifecycle.

4.5. Operational Constraints and Cyber–Physical Safety Implications

Unlike typical information technology systems, power grid control systems have strict real-time performance requirements and high availability demands [20]. Certain grid operations, such as protective relaying or automatic generation control, occur on timescales ranging from milliseconds to seconds. Security controls that introduce significant latency or that may block or delay traffic, as some information technology security tools do, cannot be applied as-is and must instead be carefully engineered. For example, encrypting and authenticating every control message protects confidentiality and integrity, but the additional processing can introduce delays or consume processor resources on embedded devices, thereby interfering with time-critical functions [63]. In addition, when a cyber incident occurs, response options are constrained by operational priorities [11]. In an information technology network, a common response to a detected intrusion is to isolate or shut down affected systems. In a power grid, simply disconnecting a substation or shutting down a SCADA server is not always feasible, as it could result in a loss of monitoring or control that threatens overall grid stability [48]; the response itself can become the outage. Operators are thus in a bind: they must keep the lights on, even as they attempt to fend off or recover from an ongoing cyberattack. Attackers know this, and they may design malware specifically to exploit the fact that utilities cannot easily take systems offline for incident response.
Smart grid cybersecurity extends beyond data theft or information technology system damage, and the stakes are physical. A successful cyberattack could cause power outages, equipment destruction, or even safety hazards, such as overloading a transformer and triggering a fire. There have been instances of malware causing misoperation of breakers, leading to blackouts [64]. An attacker who gains control of a utility’s SCADA or distribution automation system might attempt to manipulate voltage setpoints, trip switches, or disable protective devices, potentially resulting in large-scale disturbances [65]. The safety instrumented systems that safeguard critical equipment, such as generators or grid batteries, are also targets. The 2017 Triton malware attack demonstrated that adversaries will even attempt to compromise safety controllers in order to cause physical damage [66]. Thus, the consequences of cybersecurity failures in smart grids are extremely high, raising the bar for what protections are needed. The objective is not only to protect data and privacy but also to prevent catastrophic physical effects on critical infrastructure.

4.6. Cross-Infrastructure Coupling, Organisational, Human, and Regulatory Challenges

Sector Coupling and Cross-Infrastructure Propagation Risks: Modern smart grids are increasingly interconnected with other critical infrastructures through sector coupling, including gas networks [67], district heating systems [68], electric vehicle charging infrastructure [69], and smart buildings [70]. This interdependence enhances efficiency and flexibility but also introduces complex cybersecurity challenges. A cyber incident in one sector can propagate across interfaces and dependencies, potentially destabilising multiple infrastructures simultaneously. For example, compromised gas supply data may affect gas-fired power generation [71], while attacks on electric vehicle charging networks could influence load profiles and grid stability [72]. These cross-domain interactions complicate risk assessment and incident response, as responsibilities and security postures may differ across sectors operated by distinct organisations. Coordinated defence becomes more challenging when assets are governed by different regulatory frameworks and managed by separate operators with varying cybersecurity maturity levels [73]. As sector coupling deepens, smart grid security can no longer be addressed in isolation. Instead, it requires coordinated cross-sector risk management, information sharing, and joint incident response strategies to prevent localised cyber incidents from escalating into broader systemic disruptions.
Human and organisational factors cut across all technical security challenges discussed above, shaping how vulnerabilities are introduced, detected, and managed throughout the system lifecycle. Power grids are operated by people, including engineers, technicians, and system operators, who have access to critical systems. The human element introduces both the potential for errors and the risk of malicious insiders [20]. Social engineering attacks have been used to great effect against energy sector targets, for example, phishing emails that introduced malware into Ukraine’s grid in 2015 [74]. An unwitting employee can introduce malware by clicking a malicious link or using an infected USB drive. Conversely, a disgruntled insider with knowledge and privileged access could cause severe damage, such as overriding safety interlocks or stealing confidential system configurations. Managing user access, enforcing least privilege, and monitoring insider activities are challenging tasks in large utility organisations, particularly when multiple contractors and vendors may also have remote access for maintenance purposes. In addition, the culture in some utility environments has traditionally prioritised reliability and availability of operations, sometimes at the expense of strict cyber hygiene [75]. Examples include the sharing of passwords or delays in applying patches in order to avoid downtime. Although this culture is gradually changing as awareness increases, improving training and cybersecurity awareness among grid personnel remains an ongoing challenge [76].
Beyond technical vulnerabilities, the organisational and lifecycle complexity of smart grids presents persistent security challenges. Grid infrastructures are developed, operated, and maintained by a diverse ecosystem of stakeholders, including utilities, vendors, contractors, and service providers [77]. Over long asset lifetimes, responsibilities may shift due to outsourcing, organisational restructuring, or changes in ownership. Documentation may become outdated, institutional knowledge may be lost, and configuration drift may accumulate, creating hidden vulnerabilities that are difficult to detect. The integration of new digital components into legacy infrastructures further complicates lifecycle management, as security assumptions made during design may no longer hold during operation [12]. Ensuring consistent security across planning, deployment, operation, and decommissioning phases requires strong governance, clear accountability, and continuous reassessment of risks [78]. Without such coordination, even well-designed technical security controls can be undermined by organisational gaps and unmanaged lifecycle transitions.
Finally, cybersecurity in smart grids is increasingly shaped by regulatory and data governance requirements that can both enable and constrain security practices [51]. Regulations related to data protection, transparency, and market fairness often impose obligations that intersect with cybersecurity objectives [51]. For instance, requirements for data minimisation and privacy protection may limit the extent of monitoring and logging that utilities can perform, potentially reducing visibility into malicious activity. Similarly, cross-border data sharing in interconnected energy markets introduces jurisdictional complexities and varying security expectations [14]. Compliance obligations can also affect incident response, as mandatory reporting timelines and disclosure requirements must be balanced against the need for careful forensic investigation and containment. In some cases, regulatory uncertainty may discourage proactive information sharing between utilities due to liability concerns. These tensions highlight that smart grid security challenges are not purely technical but are embedded within broader institutional and legal frameworks. Designing cybersecurity strategies that satisfy regulatory requirements while maintaining robust protection remains a significant and evolving challenge for grid operators.

4.7. Mapping Security Challenges to Smart Grid Architecture and Interfaces

To synthesise these diverse challenges in relation to the smart grid architecture introduced in Section 3, Table 1 maps each major security challenge to the architectural components and interfaces through which risk is manifested. Fundamentally, the smart grid’s complex, distributed, and heterogeneous nature makes securing it a multifaceted problem, with distinct security challenges emerging across architectural components and their interfaces. Nearly every information technology component used in smart grid applications inherits potential vulnerabilities from conventional information technology, yet requires solutions tailored to the grid’s specific operational and architectural constraints. For example, simply applying standard corporate information technology security solutions to a substation may not be effective due to specialised protocols, tightly coupled control interfaces, or stringent availability requirements. At the same time, ignoring established information technology security practices would leave significant vulnerabilities unaddressed. Smart grid security therefore requires an integrated approach that combines information and communication technology security best practices with the engineering constraints of power systems.
The following sections examine how the security challenges discussed above manifest as concrete cyberthreats and attack vectors in smart grid environments. Section 5 provides a systematic analysis of the cyberthreat landscape, linking structural and operational challenges to specific attack modalities in order to illustrate how abstract vulnerabilities translate into practical adversarial actions. Building on this foundation, Section 6 and Section 7, respectively, analyse real-world cyber incidents affecting energy infrastructure and review the defensive strategies and emerging solutions proposed by researchers and practitioners. Together, these sections provide a coherent progression from underlying challenges to observed threats and, ultimately, to resilience-oriented responses.

5. Major Cyberthreats and Cyberattack Vectors in Smart Grids

Smart grids are exposed to a wide spectrum of cyberthreats that span utility-managed infrastructures, third-party digital platforms, and increasingly interconnected external systems. Broadly, these threats can be categorised by their impact on the classical CIA triad, namely confidentiality, integrity, and availability of systems and data, as well as by the specific methods attackers use, such as malware, network intrusion, social engineering, and compromise of trusted platforms and software dependencies. In many cases, an attack will compromise multiple security objectives at once, particularly in digitally integrated environments where control, analytics, and data services are tightly coupled. For instance, malware may allow unauthorised control, thereby affecting both integrity and availability. Below, we outline the main categories of cyberattacks relevant to smart grid environments, along with representative examples of each.

5.1. Malware, Ransomware, and Destructive Attacks

Attacks on availability aim to disrupt or deny the normal functioning of grid systems, either directly through operational technology or indirectly through supporting digital platforms and services. Denial-of-Service (DoS) and Distributed DoS (DDoS) attacks are prime examples, in which adversaries flood communication channels or servers with traffic to overload them and prevent legitimate control signals or data from getting through [79]. In a smart grid, a denial-of-service attack could be launched against substation remote terminal unit (RTU) communication links or cloud-hosted control and analytics services, making the control centre blind to field data, or against advanced metering infrastructure (AMI) networks to take smart meters offline. Jamming attacks also fall into this category, since an attacker can emit radio noise to disrupt the wireless frequencies used by meter networks or substation sensor links [80]. Another availability threat is the malicious flooding of control devices, in which an attacker sends a barrage of bogus commands or data to a programmable logic controller or intelligent electronic device, thereby preventing it from processing legitimate requests [81]. Additionally, buffer overflow attacks on grid control software or firmware can crash those systems, taking them out of service [82]. Masquerading attacks, in which an attacker impersonates a legitimate device, can also lead to loss of availability [83]. For example, a fake control message could trip a breaker unnecessarily, thereby denying service to that line. A more insidious availability attack against resource-constrained control devices is Central Processing Unit (CPU) exhaustion, in which workloads or commands are sent that cause controllers or RTUs to max out their processing and fail to respond to normal inputs [84]. The net impact of availability attacks can range from brief interruptions in monitoring to large-scale blackouts, depending on the attack vector.
A coordinated DDoS on grid control centres, for instance, could severely delay operator actions during a critical event, exacerbating an outage. Ensuring high availability is paramount in grids, so defences such as network segmentation, rate limiting, and redundant communication paths are used to mitigate these attacks [84]. Still, as demonstrated by real incidents, such as the 2015 Ukraine attack in which a telephony denial-of-service attack targeted the utility call centre to prevent customers from reporting outages, attackers often incorporate availability disruptions as part of a multi-pronged assault.

5.2. Network-, Protocol-, and Communication-Based Attacks

Attacks on confidentiality focus on unauthorised access to sensitive information in the grid, including operational data, customer data, and information processed or stored by third-party platforms. Eavesdropping or traffic sniffing is a common method in which an attacker intercepts communications on grid networks to collect data [85]. In a substation or control centre environment, this could reveal operational details, network topology, device configurations, or even passwords if communications are in plaintext. Spoofing attacks are closely related; here an attacker not only eavesdrops but also injects false identities or data, pretending to be a legitimate sender [86]. For instance, IP spoofing could be used to impersonate a trusted device on an energy management network. Replay attacks also threaten integrity and confidentiality. In this case, an attacker captures valid data, such as a legitimate control command or authentication handshake, and later replays it in order to open a breaker or log in using stolen credentials [87]. Even if the content is encrypted, replaying the exact byte sequence is accepted by any receiver that does not bind each message to a fresh nonce, challenge, timestamp, or monotonic counter. Traffic analysis represents a passive but potent breach of confidentiality. By observing patterns in grid communications, even when the data is encrypted, an attacker may infer operational states, for example, increased traffic volumes that could indicate a grid event [88]. Unauthorised access through weak authentication or stolen credentials is another major risk. An attacker who obtains VPN credentials, cloud identity tokens, or administrator passwords could access control systems and databases, read confidential data, or plant backdoors. One way intruders obtain such credentials is via password pilfering techniques, including phishing or malware that harvests keys and passwords [89].
In fact, social engineering is a significant enabler for many confidentiality breaches: spear-phishing emails can trick employees into divulging login information or executing malware that gives the attacker a foothold in the network [89]. The consequences of confidentiality breaches in smart grids include the loss of customer personal data, exposure of grid vulnerabilities or system configurations that could be leveraged for future attacks, and insight into energy trading or market information that could enable fraud. Protecting confidentiality requires encryption of communications using protocols such as TLS (Transport Layer Security) for SCADA where feasible, strong authentication mechanisms including multi-factor authentication for remote access, network intrusion detection to identify unusual data exfiltration, and continuous security training for staff to improve resistance to phishing and social engineering attacks.
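The following Python example is added here to make concrete two points made above: that a base protocol such as Modbus/TCP (Section 4.3) carries no sender identity, key, timestamp or session information at all, and that a captured frame can therefore be replayed byte for byte (the replay attack described in this section). It is not code from the paper, from the Modbus Organization, or from any vendor. It builds and decodes a Modbus/TCP Write Single Coil request, then wraps the same frame in an illustrative authenticated envelope (an HMAC-SHA256 tag over a monotonic counter and the frame) so that a receiver rejects both a replayed and a tampered copy. The envelope layout, the shared key, the unit and coil numbers, and the meaning attached to the coil are assumptions for the demonstration; a real deployment would use a standardised mechanism such as Modbus/TCP Security over TLS or the IEC 62351 profiles rather than a hand-rolled scheme.

```python
import hmac
import hashlib
import struct

# Modbus/TCP request layout (all fields big-endian):
#   MBAP header: transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1)
#   PDU:         function code (1)  | data
# Nothing in the frame identifies the sender, carries a key, a timestamp or a session.
FC_WRITE_SINGLE_COIL = 0x05
COIL_ON, COIL_OFF = 0xFF00, 0x0000


def encode_write_coil(transaction_id: int, unit_id: int, coil: int, on: bool) -> bytes:
    """Build a Write Single Coil (FC 05) request frame."""
    pdu = struct.pack(">BHH", FC_WRITE_SINGLE_COIL, coil, COIL_ON if on else COIL_OFF)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def decode_write_coil(frame: bytes) -> dict:
    """Parse an FC 05 request; raises ValueError on a malformed frame."""
    if len(frame) != 12:
        raise ValueError("FC 05 request must be exactly 12 bytes")
    tid, proto, length, unit_id, fc, coil, value = struct.unpack(">HHHBBHH", frame)
    if proto != 0 or length != 6 or fc != FC_WRITE_SINGLE_COIL:
        raise ValueError("not a well-formed Write Single Coil request")
    if value not in (COIL_ON, COIL_OFF):
        raise ValueError("illegal coil value")
    return {"transaction_id": tid, "unit_id": unit_id, "coil": coil, "on": value == COIL_ON}


# --- Illustrative authenticated envelope (an assumption for this demo, not a standard) ---
# envelope = counter (8 bytes, big-endian) | frame | HMAC-SHA256(key, counter | frame)
KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")  # constructed demo key
TAG_LEN = 32


def seal(key: bytes, counter: int, frame: bytes) -> bytes:
    body = struct.pack(">Q", counter) + frame
    return body + hmac.new(key, body, hashlib.sha256).digest()


class AuthenticatedReceiver:
    """Accepts a sealed frame only if the tag verifies and the counter is strictly increasing."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1

    def open(self, envelope: bytes) -> dict:
        if len(envelope) < 8 + 12 + TAG_LEN:
            raise ValueError("short envelope")
        body, tag = envelope[:-TAG_LEN], envelope[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):      # check the tag before touching any state
            raise ValueError("authentication failed")
        counter = struct.unpack(">Q", body[:8])[0]
        if counter <= self.last_counter:                # a replayed envelope reuses an old counter
            raise ValueError(f"replay detected: counter {counter} <= {self.last_counter}")
        self.last_counter = counter
        return decode_write_coil(body[8:])


def replay_demo() -> dict:
    """Contrast a bare frame and a sealed frame when an attacker replays or tampers with it."""
    # Hypothetical meaning: unit 1, coil 7 = feeder breaker trip (an assumption for the demo).
    frame = encode_write_coil(transaction_id=0x2A, unit_id=1, coil=7, on=True)
    # 1. Bare Modbus: a byte-exact copy decodes to the same command; nothing marks it as replayed.
    bare_accepts_replay = decode_write_coil(bytes(frame)) == decode_write_coil(frame)

    # 2. Sealed: the first delivery is accepted, the replayed copy fails the counter check.
    rx = AuthenticatedReceiver(KEY)
    sealed = seal(KEY, counter=1, frame=frame)
    first = rx.open(sealed)
    try:
        rx.open(sealed)
        sealed_accepts_replay = True
    except ValueError:
        sealed_accepts_replay = False

    # 3. Flipping one bit of the coil address inside a sealed frame fails the tag check.
    tampered = bytearray(seal(KEY, counter=2, frame=frame))
    tampered[8 + 9] ^= 0x01
    try:
        rx.open(bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {
        "frame_hex": frame.hex(),
        "bare_accepts_replay": bare_accepts_replay,
        "first_delivery": first,
        "sealed_accepts_replay": sealed_accepts_replay,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    for key, value in replay_demo().items():
        print(f"{key}: {value}")
```

The counter must be persisted across device restarts (or re-established with a challenge at session start); otherwise an attacker can replay old envelopes after a reboot resets it. The example also shows why an IP allow-list alone is insufficient: the replayed bare frame is accepted regardless of who sends it, which is precisely the weakness that TLS-based profiles close at the transport layer.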
Attacks on integrity involve the unauthorised modification of data, commands, or decision logic, with the intent of causing the system to perform incorrect or unsafe actions. A hallmark example in power systems is the False Data Injection Attack (FDIA) [90]. Here, an adversary compromises a set of sensor measurements, training datasets, or real-time inputs, and injects carefully crafted false values. The control centre’s state estimation algorithm then computes an incorrect grid state, which can lead to erroneous control decisions such as opening lines or triggering load shedding unnecessarily [91]. FDIAs can be stealthy: if the injected error vector is consistent with the measurement model, it passes the residual-based bad data detection used in state estimation and mimics plausible operating conditions [92]. Command injection is a related threat [93]. By altering control commands, optimisation outputs, or automated control decisions in transit or at rest, an attacker can execute unauthorised operations, such as tripping a generator or changing a protection relay setting. The infamous Stuxnet attack, although targeting a nuclear centrifuge system rather than a power grid, was an integrity attack on control logic [94]. In power grids, malware that alters programmable logic controller logic or device firmware could cause incorrect control outputs or disable safety checks. Tampering attacks encompass any direct alteration of devices or data. For example, physically tampering with a smart meter to change its readings represents a form of fraud but is also a significant security concern [95]. In a broader sense, data integrity can also be compromised by timing and synchronisation attacks [96]. Many grid control functions rely on precise time, particularly when phasor measurement units are used for real-time monitoring. An attacker who manipulates time signals, for example, by spoofing Global Positioning System (GPS) clocks, can introduce errors [97].
This constitutes a time synchronisation attack in which equipment may accept incorrect time stamps, thereby disrupting the coordination of protection mechanisms or state estimation processes. Another sophisticated vector is the wormhole attack, relevant in the wireless ad hoc or mesh networks used in field communications: an attacker tunnels messages from one part of the network to another out-of-band, making nodes that are far apart appear adjacent and potentially confusing routing or timing [98]. Covert attacks are those in which an intruder subtly alters system inputs in a manner that is difficult to detect while gradually steering the system into an unsafe state [99]. For example, by slowly biasing sensor calibration data, an attacker might cause operators to observe normal readings while equipment is operating outside safe limits. Integrity attacks are particularly dangerous because they can directly lead to mis-operation. Unlike denial-of-service attacks, which are obvious when systems fail, or confidentiality breaches, which may not immediately affect operation, a successful integrity attack means the grid is operating under false pretences. Defending against integrity threats involves authentication and validation of commands, redundancy and cross-checks for critical sensor data, cryptographic signatures, and intrusion detection systems that look for anomalies in system behaviour. For example, generation dispatch that does not align with load trends could indicate the presence of false data.
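The stealth condition behind a false data injection attack, worked through in Python as an added example (not code, data or results from the paper or from [90,91,92]): a two-state, three-measurement DC state estimation model with constructed susceptances, sensor noise and detection threshold. It shows that a naive injection into a single measurement is caught by the residual test, that an injection of the form a = Hc is not (the estimate shifts by exactly c while the residual is unchanged), and that one independent measurement outside the attacker’s reach exposes the manipulated estimate. The protected bus-angle reading is assumed to come from a separately secured phasor measurement unit; that assumption, the network values and the threshold are constructed for the demonstration and correspond to the redundancy and cross-check defence described above.

```python
import math

# Toy DC state-estimation model. Bus 1 is the angle reference (theta1 = 0); the state is
# x = [theta2, theta3] in radians and the measurements are three line flows in per unit:
#   P12 = B12 * (0 - theta2),  P13 = B13 * (0 - theta3),  P23 = B23 * (theta2 - theta3)
# i.e. z = H x + e with the linear H below. Susceptances and threshold are constructed values.
B12, B13, B23 = 10.0, 5.0, 8.0
H = [[-B12, 0.0],
     [0.0, -B13],
     [B23, -B23]]
TAU = 0.05  # residual-norm threshold of the bad-data detector (constructed)


def matvec(a, v):
    return [sum(a_ij * v_j for a_ij, v_j in zip(row, v)) for row in a]


def state_estimate(h, z):
    """Least squares with W = I for a two-state model: x_hat = (H^T H)^-1 H^T z."""
    m, n = len(h), len(h[0])
    assert n == 2, "toy solver inverts a 2x2 matrix explicitly"
    hth = [[sum(h[k][i] * h[k][j] for k in range(m)) for j in range(n)] for i in range(n)]
    htz = [sum(h[k][i] * z[k] for k in range(m)) for i in range(n)]
    det = hth[0][0] * hth[1][1] - hth[0][1] * hth[1][0]
    inv = [[hth[1][1] / det, -hth[0][1] / det],
           [-hth[1][0] / det, hth[0][0] / det]]
    return matvec(inv, htz)


def residual_norm(h, z, x_hat):
    """||z - H x_hat||_2, the quantity a chi-square or largest-normalised-residual test thresholds."""
    r = [zi - hi for zi, hi in zip(z, matvec(h, x_hat))]
    return math.sqrt(sum(ri * ri for ri in r))


def bad_data_detected(h, z):
    return residual_norm(h, z, state_estimate(h, z)) > TAU


def stealth_injection(h, c):
    """Attack vector a = H c: it shifts the estimate by c and leaves the residual unchanged,
    so a residual-based detector cannot distinguish z + a from a legitimate measurement set."""
    return matvec(h, c)


def cross_check(x_hat, trusted_theta2, tol):
    """Compare the estimated theta2 with a measurement the attacker could not alter
    (assumed here to be a separately secured PMU angle reading)."""
    return abs(x_hat[0] - trusted_theta2) > tol


def fdia_demo():
    x_true = [-0.05, -0.10]
    noise = [0.01, -0.01, 0.005]                      # constructed sensor noise
    z = [zi + ei for zi, ei in zip(matvec(H, x_true), noise)]

    # Naive injection: inflate one flow measurement by 0.3 p.u.; the model is now inconsistent.
    z_naive = [z[0] + 0.3, z[1], z[2]]

    # Stealthy injection: pick the desired estimate shift c, derive a = H c, alter every
    # measurement that a touches (here P12 and P23) so that the set stays model-consistent.
    c = [-0.02, 0.0]
    z_stealth = [zi + ai for zi, ai in zip(z, stealth_injection(H, c))]

    x_hat = state_estimate(H, z)
    x_hat_stealth = state_estimate(H, z_stealth)
    return {
        "clean_detected": bad_data_detected(H, z),
        "naive_detected": bad_data_detected(H, z_naive),
        "stealth_detected": bad_data_detected(H, z_stealth),
        "estimate_shift": [xs - xh for xs, xh in zip(x_hat_stealth, x_hat)],
        "residual_clean": residual_norm(H, z, x_hat),
        "residual_stealth": residual_norm(H, z_stealth, x_hat_stealth),
        "cross_check_flags_clean": cross_check(x_hat, trusted_theta2=x_true[0], tol=0.01),
        "cross_check_flags_stealth": cross_check(x_hat_stealth, trusted_theta2=x_true[0], tol=0.01),
    }


if __name__ == "__main__":
    for key, value in fdia_demo().items():
        print(f"{key}: {value}")
```

The construction a = Hc only works if the attacker can alter every measurement with a non-zero entry in a, which is why protecting a well-chosen subset of measurements (or adding measurements, such as direct angle readings, that the attacker cannot reach) removes the attacker’s freedom to pick c without raising the residual.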

5.3. Software, Firmware, and Supply Chain Vulnerabilities

Software supply chain and trusted update attacks constitute a critical threat vector in smart grid environments, exploiting trusted relationships between utilities, vendors, and service providers [62]. Rather than directly attacking operational networks, adversaries compromise software updates, firmware packages, or engineering tools that are subsequently deployed by legitimate operators [100]. Such attacks enable malicious code to bypass conventional security controls and establish persistent access within highly protected environments. In smart grids, supply chain attacks may involve the manipulation of device firmware, tampering with configuration utilities used by engineers, or insertion of backdoors into vendor-maintained applications [60]. Because updates are often applied infrequently and verification mechanisms may be limited, compromised software can remain undetected for extended periods. The impact of these attacks spans all elements of the CIA triad. Malicious updates can disrupt availability by disabling devices, compromise integrity by altering control logic, and breach confidentiality by exfiltrating sensitive operational data. The difficulty of attribution and remediation further exacerbates the risk, as utilities may lack visibility into upstream development and distribution processes. Supply chain attacks therefore represent a structurally distinct and highly potent threat to smart grid security.
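Because the passage turns on what update "verification" has to cover, the following Python code is added as an illustration and is not from the reviewed study. It contrasts a device that trusts the digest stated in an update manifest with one that first authenticates the manifest, then binds the image bytes, the target model and the version to it, and refuses downgrades to older signed releases. The vendor signature is stood in for by an HMAC-SHA256 with a key shared with the device so that the example runs with the standard library alone; a real deployment uses an asymmetric signature with the vendor's public key pinned in the device, ideally in a hardware root of trust. The model name, key, versions and firmware images are constructed.

```python
"""Firmware update acceptance: unverified versus verified (added example).

The vendor "signature" below is an HMAC with a shared key, a stand-in used
only so the example runs offline with the standard library.  A real device
verifies an asymmetric signature against a pinned vendor public key.
All images, keys, model names and version numbers are constructed.
"""
import hashlib
import hmac
import json

VENDOR_KEY = b"constructed-vendor-signing-key"   # stand-in for the vendor private key
DEVICE_MODEL = "RTU-7000"                        # constructed model identifier
INSTALLED_VERSION = 11                           # what the device currently runs


def canonical(manifest):
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest):
    # Assumption: HMAC stands in for an asymmetric signature (see lead-in).
    return hmac.new(VENDOR_KEY, canonical(manifest), hashlib.sha256).hexdigest()


def build_bundle(image, version, model=DEVICE_MODEL):
    """What a legitimate vendor release pipeline produces."""
    manifest = {"model": model, "version": version,
                "sha256": hashlib.sha256(image).hexdigest()}
    return {"manifest": manifest, "signature": sign_manifest(manifest), "image": image}


def accept_unverified(bundle):
    """Weak policy: checks the image against the digest the manifest itself
    states.  Anyone who can edit the manifest can satisfy this check."""
    return hashlib.sha256(bundle["image"]).hexdigest() == bundle["manifest"]["sha256"]


def accept_verified(bundle, installed_version):
    """Hardened policy.  Order matters: authenticate the manifest before
    trusting any field in it, then bind image bytes, model and version."""
    m = bundle["manifest"]
    if not hmac.compare_digest(sign_manifest(m), bundle["signature"]):
        return False, "manifest signature invalid"
    if m.get("model") != DEVICE_MODEL:
        return False, "manifest is for a different device model"
    if not isinstance(m.get("version"), int) or m["version"] <= installed_version:
        return False, "version not newer than installed (anti-rollback)"
    actual = hashlib.sha256(bundle["image"]).hexdigest()
    if not hmac.compare_digest(actual, m["sha256"]):
        return False, "image digest does not match signed manifest"
    return True, "ok"


# --- constructed scenarios ----------------------------------------------------
GENUINE_IMAGE = b"\x7fELF genuine firmware build 12"


def genuine_bundle():
    return build_bundle(GENUINE_IMAGE, 12)


def tampered_bundle():
    """Supply-chain style substitution: the image is swapped and the manifest
    digest rewritten to match, but the attacker holds no vendor key."""
    b = genuine_bundle()
    b["image"] = b"\x7fELF backdoored firmware build 12"
    b["manifest"]["sha256"] = hashlib.sha256(b["image"]).hexdigest()
    return b


def rollback_bundle():
    """Older release, genuinely signed by the vendor, replayed to reintroduce
    a vulnerability that version 11 fixed."""
    return build_bundle(b"\x7fELF genuine firmware build 9", 9)


def wrong_model_bundle():
    """Genuine release for a different product line."""
    return build_bundle(GENUINE_IMAGE, 12, model="RTU-9000")


if __name__ == "__main__":
    for name, fn in [("genuine", genuine_bundle), ("tampered", tampered_bundle),
                     ("rollback", rollback_bundle), ("wrong model", wrong_model_bundle)]:
        b = fn()
        print(f"{name:12s} unverified={accept_unverified(b)!s:5s} "
              f"verified={accept_verified(b, INSTALLED_VERSION)}")
```

The ordering inside accept_verified is the point: nothing in the manifest is trusted until its signature checks, the digest is recomputed over the bytes actually received rather than read back from the manifest, the target model is bound so a release for another product cannot be applied, and a genuine but older release is refused so that an attacker cannot reintroduce a patched vulnerability by replaying it.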

5.4. Human, Organisational, and Insider Related Threats

Certain cyberthreats to smart grids arise not from technical vulnerabilities alone but from the exploitation of regulatory, legal, and governance constraints that shape defensive capabilities [101]. Adversaries may take advantage of limited monitoring imposed by data protection requirements, delayed response due to mandatory reporting obligations, or fragmented visibility across organisational and jurisdictional boundaries [102]. For example, restrictions on data retention or real-time inspection of customer-related information may reduce the effectiveness of intrusion detection systems [51]. Similarly, compliance-driven delays in system isolation or information sharing can provide attackers with extended dwell time. While such constraints are essential for protecting privacy and ensuring accountability, they can inadvertently create conditions that attackers exploit to maximise impact [103]. These threats do not constitute attack techniques in the traditional sense but function as amplifiers that increase the severity and persistence of other cyberattacks [101]. Recognising and mitigating governance-enabled attack pathways is therefore an important aspect of comprehensive smart grid threat analysis [103].

5.5. Systemic and Emerging Threat Trends

The increasing reliance on cloud-based platforms and third-party digital services introduces a distinct class of cyberthreats to smart grids [20,46]. Attacks targeting cloud-hosted energy management systems, distributed energy resource orchestration platforms, and market interfaces can directly affect the availability, integrity, and confidentiality of grid operations. Unlike traditional attacks on utility-owned infrastructure, platform-level attacks may simultaneously impact multiple operators due to shared service dependencies, thereby amplifying systemic risk. Threat vectors in this category include exploitation of misconfigured cloud resources, compromise of application programming interfaces used for grid control or data exchange, credential theft affecting identity federation services, and denial-of-service attacks targeting shared platform components [104]. In addition, failures or malicious manipulation of cloud service provider control planes can disrupt grid visibility and decision-making without direct intrusion into operational technology networks [105]. These attacks are particularly challenging to detect and respond to, as utilities often lack full transparency into the underlying infrastructure and must rely on third-party incident handling processes. As cloud adoption expands, platform-level attacks represent an increasingly important threat vector that extends beyond conventional network perimeter models.
Similarly, the integration of artificial intelligence and advanced optimisation algorithms into smart grid operations introduces novel attack vectors that target decision-making processes rather than individual data points or devices. Algorithmic manipulation attacks aim to influence or degrade the performance of predictive models, control optimisers, and automated decision systems used for forecasting, dispatch, and fault management. Examples include data poisoning attacks, in which adversaries manipulate historical or real-time datasets to bias model training, leading to systematically erroneous predictions or control actions [106,107]. Adversarial input attacks may exploit sensitivities in machine learning models, causing misclassification of system states or inappropriate responses to grid conditions. Attackers may also attempt to infer sensitive operational information through model inversion or membership inference techniques, thereby compromising confidentiality even when the raw data remains protected. These attacks can be particularly insidious, as their effects may appear as legitimate but suboptimal operational behaviour rather than overt system failure. Algorithmic attacks therefore challenge traditional notions of integrity, extending them from data correctness to the trustworthiness of automated decision logic. While large-scale, publicly documented attacks explicitly targeting artificial intelligence models in grid operations remain limited, the increasing automation of protocol-aware malware and decision logic manipulation observed in recent incidents suggests a clear evolutionary trajectory toward algorithmically mediated attack strategies.
Finally, as smart grids become increasingly interconnected with other critical infrastructures, cyberthreats can propagate across sector boundaries [108]. Cross-domain attacks originate in one infrastructure, such as gas networks [109], electric vehicle charging systems [110], or smart building platforms [111], and indirectly affect grid stability through shared data flows, control dependencies, or coupled operational constraints. In this threat model, attackers may not directly target grid control systems but instead manipulate external systems to induce adverse grid conditions. For instance, coordinated manipulation of electric vehicle charging schedules [112] or building energy management systems [113] can create artificial load spikes or destabilising demand patterns. Similarly, compromised data from gas or heating systems may affect generation scheduling and reserve planning [109]. These attacks blur the distinction between direct and indirect threats and complicate detection, as anomalous grid behaviour may be caused by seemingly legitimate external inputs [114]. Cross-domain propagation attacks therefore expand the threat surface of smart grids beyond traditional electrical infrastructure and require coordinated defensive strategies across sectors.

5.6. Mapping Cyber Threats to Smart Grid Layers and Impacts

It is worth noting that many real-world attack campaigns combine multiple techniques across technical, organisational, and sectoral boundaries. For instance, an adversary may first steal credentials, constituting a confidentiality breach, then use them to insert false commands or malware, representing an integrity breach, and finally launch a denial-of-service attack to distract operators or inhibit response, affecting availability. A notorious example is the CrashOverride or Industroyer malware used in the 2016 Ukraine grid attack [115], as discussed in the next section. It included modules capable of communicating using grid control protocols in order to send malicious commands, which was an integrity attack, as well as wiper components designed to disable systems, constituting an availability attack [115]. Thus, a layered security approach is needed, in which a breach of one aspect, such as a phished password, does not automatically grant the ability to execute major damaging actions.
Another way to categorise smart grid attacks is by the network layers, digital platforms, or grid domains they target [9]. Some attacks target the physical layer, for example, by jamming wireless signals, which constitutes a physical layer attack on availability [116]. Others target the network or transport layer, such as spoofing IP addresses or conducting a man-in-the-middle interception of SCADA traffic [117]. Additional attacks target the application layer, for instance, malware that corrupts the SCADA human–machine interface or associated databases. Researchers often develop taxonomies that map known attack types to the layers of the OSI model as well as to the affected parts of the grid, including generation, transmission, distribution, and the customer domain [9]. For example, a man-in-the-middle (MitM) attack on a substation automation protocol might be categorized as an application-layer attack on a distribution domain, compromising both integrity and confidentiality [117]. Meanwhile, a coordinated outage induced by tripping multiple breakers through malware could be interpreted as an integrity attack on the transmission domain that ultimately affects the availability of power [115]. Regardless of classification, the interplay between cyber and physical aspects means that defenders require visibility and protection across all layers, platforms, and organisational boundaries, ranging from securing field device communications to hardening control centre applications and databases [118].
In summary, smart grids face diverse cyberthreats ranging from relatively simple but potentially widespread attacks, such as meter tampering or ransomware on enterprise networks, to long-term espionage and pre-positioning campaigns and highly sophisticated operations that infiltrate control systems and execute synchronised malicious actions. Table 2 synthesises this threat landscape by explicitly mapping the major cyberthreats and attack vectors discussed in this section to the underlying security challenges identified in Section 4, highlighting how structural and operational constraints translate into concrete attack modalities and security impacts.
The next section will examine some of these real incidents in more detail, demonstrating how these threats have manifested in practice and providing concrete illustrations of how theory meets reality in smart grid cybersecurity.

6. Notable Cyberattack Incidents in Energy Infrastructure

Historical cyber incidents provide essential empirical insight into how cyber threats materialise within real power system environments and how technical, organisational, and procedural weaknesses can cascade into large-scale operational disruption. While threat models and architectural analyses highlight potential vulnerabilities, documented incidents reveal the concrete attack vectors, system dependencies, and response limitations that shape cyber risk in practice. This section examines major publicly reported cyber incidents affecting power grids and related energy infrastructure in order to ground the preceding threat analysis in observed events and to inform the discussion of resilience strategies presented in subsequent sections.

6.1. Incident Selection and Evidence Sources

The incidents examined in this section are drawn from publicly documented cyber events that have demonstrably affected power system operations, grid control environments, or closely coupled energy infrastructure. Sources include peer-reviewed scientific studies, official reports from grid operators and regulatory authorities, and credible institutional or governmental disclosures that provide sufficient technical and contextual detail to support analytical comparison. The focus is placed on incidents that illustrate representative attack vectors, system-level impacts, and organisational response challenges rather than on exhaustive enumeration.
The selected incidents span transmission and distribution contexts as well as supporting operational technology and information technology environments. Together, they reflect a range of adversarial objectives, including service disruption, system manipulation, and loss of operational visibility. By relying on documented and verifiable cases, this section seeks to capture recurring patterns and structural weaknesses while acknowledging that many cyber incidents affecting critical infrastructure remain undisclosed or only partially reported. Consequently, the incidents discussed should be interpreted as illustrative examples that inform resilience analysis rather than as a complete record of cyber activity within the energy sector.

6.2. Major Documented Cyber Incidents in Power Systems

The following incidents illustrate how cyber-attacks on power systems have manifested across different geographic regions, operational contexts, and threat vectors, highlighting recurring vulnerabilities as well as the evolving tactics used to disrupt electricity infrastructure.

6.2.1. 1982—Siberian Gas Pipeline Explosion

One of the earliest alleged cases of cyber sabotage in the energy sector dates back to the Cold War. In June 1982, a massive explosion rocked a Soviet natural gas pipeline in Siberia. Years later, Thomas Reed, a former US Secretary of the Air Force and National Security Council staff member, made a striking claim in his memoir: the explosion was triggered by a CIA-planted logic bomb in the pipeline’s control software [119]. According to this account, the Soviet Union had obtained pipeline control software from a Canadian firm through industrial espionage, not realising that the CIA had modified the code. The Trojanised code allegedly passed testing and ran normally for months, then at a predetermined time caused the compressors and valves to malfunction, creating pressures far beyond the pipeline’s tolerance [119]. The result was reportedly the largest non-nuclear explosion ever observed from space at that time, visible to US reconnaissance satellites. Soviet officials publicly blamed a technical malfunction, and some have disputed the role of the CIA, but the incident is often cited as one of the first cyber–physical attacks on critical infrastructure. If accurate, it demonstrated at an early stage that malicious software could be weaponised to destroy industrial equipment, a concept that foreshadowed later attacks such as Stuxnet. The pipeline explosion caused no reported fatalities but resulted in significant economic losses and highlighted the need for trust and verification in control system supply chains. It also exemplifies a supply chain attack, since the malware was not introduced through a network intrusion but through compromised software that the operators themselves installed while trusting its source.

6.2.2. 2003—Davis–Besse Nuclear Plant Incident

In January 2003, the Slammer (SQL Slammer) worm was spreading rapidly across the internet [120]. Slammer was a self-propagating worm that exploited a vulnerability in Microsoft SQL Server and generated network floods as it scanned for new hosts [121]. At Ohio’s Davis-Besse nuclear power plant, Slammer entered the facility’s IT network via an interconnected contractor’s network and then jumped onto the plant’s operations network [122]. Within the plant, the worm found an unpatched server and drove network traffic so high that the Safety Parameter Display System, a control room system used to monitor reactor safety indicators, crashed and was unavailable for nearly five hours [120]. The reactor was offline at the time for unrelated reasons, and backup analogue instruments remained available for monitoring, so there was no immediate safety hazard. Nonetheless, the incident was a forceful warning to the nuclear industry. The worm reached the plant network over a T1 line from the contractor’s network into the plant’s corporate network, a path that bypassed the site firewall [123]. At the time of the incident, a patch for the exploited SQL Server vulnerability had been available for approximately six months but had not been applied in the affected environment [121]. The lessons were clear: segmentation between corporate and control networks was insufficient, remote access paths were not fully documented, and patch management was lacking. The Nuclear Regulatory Commission and industry groups subsequently issued security advisories to ensure that other plants were not similarly exposed. The Slammer incident showed how even untargeted malware, not designed to attack SCADA systems at all, can disrupt industrial operations when proper protections are absent. A small piece of malicious code spreading across the internet inadvertently halted a safety monitoring system at a nuclear facility, underscoring the strong interdependence between information technology and operational technology security.

6.2.3. 2009—Night Dragon Energy Sector Espionage

The Night Dragon campaign, publicly documented in the early 2010s, represents a formative example of long-term cyber espionage operations targeting global energy, oil, gas, and petrochemical organisations [124]. Unlike opportunistic malware outbreaks, Night Dragon involved persistent access achieved through spear-phishing, exploitation of externally facing servers, and credential harvesting, enabling attackers to maintain a prolonged presence within corporate networks. Investigations revealed systematic exfiltration of sensitive operational documents, network diagrams, and proprietary exploration data, indicating strategic intelligence collection rather than immediate disruption. The relevance of Night Dragon to smart grid cybersecurity lies in its demonstration of long dwell times and reconnaissance-driven threat models [125]. By focusing on business systems and engineering documentation rather than direct process manipulation, the campaign highlights how attackers can acquire the contextual knowledge necessary for future sabotage or coercive leverage [126]. This case underscores the importance of detecting stealthy intrusion activity and protecting engineering information assets, as the absence of immediate operational impact does not equate to low strategic risk.

6.2.4. 2010—Stuxnet Cyber-Physical Sabotage

While not directly involving an electrical grid, the Stuxnet worm uncovered in 2010 is worth discussing because it profoundly shaped awareness of cybersecurity risks to critical infrastructure [94]. Stuxnet was an exceptionally sophisticated piece of malware, widely believed to have been developed by nation-state actors and commonly attributed to the United States and Israel, with the specific goal of targeting Iran’s uranium enrichment centrifuges. It infiltrated the Natanz nuclear facility network, likely through infected USB drives, and precisely targeted Siemens programmable logic controllers that controlled gas centrifuges. By subtly altering centrifuge rotational speeds while concealing these changes from operators, the malware induced mechanical stress that ultimately led to the destruction of a significant number of centrifuges [127]. Stuxnet was groundbreaking as the first publicly known example of malware explicitly designed to sabotage physical industrial processes. Its relevance to smart grid cybersecurity lies in its clear demonstration that malicious software can be engineered with extreme precision to manipulate industrial control systems and cause physical damage. This revelation resonated strongly within the power sector, as similar techniques could in principle be applied to turbine controllers, transformers, or circuit breakers governed by comparable control architectures. In this sense, Stuxnet transformed cyberthreats to energy infrastructure from an abstract concern into a demonstrated reality, motivating sustained research and investment in industrial control system security [128].

6.2.5. 2011—Dragonfly Energetic Bear Campaigns

The Dragonfly campaign, also known as Energetic Bear, constitutes one of the most consequential long-running cyber operations directed at Western energy infrastructure. Active from at least 2011 and resurfacing in later waves often referred to as Dragonfly 2.0, the campaign combined credential harvesting, watering-hole attacks, and the compromise of trusted third-party software vendors supplying industrial control and monitoring solutions to energy operators [129]. In several documented cases, attackers leveraged Trojanised industrial software installers to gain access to internal networks of power generation and distribution companies [130]. What distinguishes Dragonfly from earlier espionage campaigns is the repeated observation of access pathways extending toward operational environments. Reporting indicated that attackers obtained credentials and network visibility that could have enabled control system interaction, even if disruptive actions were not executed publicly [5]. This campaign is therefore critical for understanding the transition from intelligence collection to pre-positioning for potential operational impact. It directly supports the argument that supply chain security, identity management, and vendor trust models represent systemic vulnerabilities within modern energy systems.

6.2.6. 2012—Shamoon Destructive Malware Attacks

The Shamoon malware attacks against major Middle Eastern energy companies in 2012 represent one of the most severe examples of destructive cyber operations targeting the energy sector’s enterprise environments. The initial incident, which affected Saudi Aramco, resulted in the wiping of approximately 30,000 workstations through a malware payload designed to overwrite master boot records and corrupt system files beyond recovery [131]. While industrial control systems were not directly compromised, the scale of enterprise IT destruction severely disrupted business operations, logistics, internal communications, and maintenance coordination across the organisation. A closely related attack impacted RasGas, reinforcing the conclusion that the campaign targeted the energy sector systematically rather than a single operator [132]. From a smart grid and energy resilience perspective, Shamoon is significant because it demonstrates that large-scale operational risk can emerge without direct OT compromise. The attacks forced affected organisations into prolonged recovery phases involving mass hardware replacement, manual restoration of business processes, and emergency operational workarounds [133]. Subsequent Shamoon variants observed in later years further illustrate that destructive enterprise malware remains a persistent threat vector against energy companies, particularly in geopolitically sensitive regions [125]. This case complements ransomware-driven incidents by showing that ideologically or strategically motivated destructive attacks can impose comparable or greater disruption without financial extortion mechanisms.

6.2.7. 2015—Ukraine Power Grid Cyberattacks

On 23 December 2015, a coordinated cyberattack struck power distribution companies in western Ukraine, causing a widespread blackout affecting approximately 225,000 customers for several hours [134]. This event is historically significant as the first publicly confirmed cyberattack to cause a power outage. The attackers, later attributed to the Russian advanced persistent threat group known as Sandworm, conducted a long and methodical campaign. They began months earlier with spear phishing emails to penetrate the information technology networks of the utilities and to install the BlackEnergy 3 malware on corporate workstations [134]. From there, they harvested credentials and mapped the network, eventually gaining access to the SCADA control systems of multiple distribution control centres. On the day of the attack, the intruders logged in remotely with valid credentials to operator workstations via virtual private networks and took manual control of the distribution management systems. They opened dozens of circuit breakers across 30 substations almost simultaneously, cutting power to end users [134], while operators could only watch the cursors on their screens move under the attackers’ control. In addition to opening breakers, the attackers sabotaged the means of recovery. They overwrote the firmware of serial-to-Ethernet converters at the substations, cutting the remote terminal units behind them off from the control centre, deployed KillDisk malware to wipe operator workstations and servers, which impeded recovery efforts, and launched a telephone denial-of-service attack against the utilities’ customer call centres to prevent customers from reporting outages [134]. Power was out for one to six hours in the affected areas, since field crews had to travel to the substations and close the breakers manually. This multi-faceted attack demonstrated a high level of planning and detailed knowledge of power grid operations. It was not a fully automated malware attack like Stuxnet; instead, it combined conventional intrusion of information technology systems with direct manual operation of grid equipment by the attackers. The Ukraine incident provided several important lessons for the global power industry. Network segmentation and continuous monitoring are vital, as the boundary between information technology and operational technology was breached through abuse of virtual private network access. Credentials must be strongly protected and supplemented with two-factor authentication, since the attackers were able to operate freely using stolen passwords. In addition, operators must have well prepared procedures for manual override: the ability of Ukrainian engineers to revert to manual control was a critical factor that limited the duration of the outages. The incident also highlighted the importance of incident response planning tailored specifically to grid attacks, including clear procedures for safely restoring systems when supervisory control and data acquisition environments have been compromised.

6.2.8. 2016—Ukraine Industroyer Attack

Almost exactly one year after the 2015 incident, in December 2016, Ukraine’s power grid was attacked again [115]. This time, the target was the transmission-level grid near Kyiv, the capital. Malware known as Industroyer, also called CrashOverride, was employed. It was a modular toolkit capable of communicating using grid control protocols such as IEC 60870-5-104 [54] and IEC 61850 [135] in order to issue rogue commands directly to substation equipment. The attack briefly opened breakers at a transmission substation, causing an estimated 200 megawatt power outage in Kyiv, corresponding to roughly twenty percent of the city’s night-time load [115]. Although smaller in scale than the 2015 incident and restored relatively quickly, with the outage lasting about one hour, this attack was particularly alarming to investigators. Industroyer appeared to function as a general framework for attacking power grids, potentially reusable across different systems with minimal adaptation, because its protocol modules rather than a human operator did the work of speaking to the equipment. It also included a wiper component that deleted configuration files and disabled the Windows hosts used for control, hampering recovery, together with a denial-of-service module aimed at a vulnerability in Siemens SIPROTEC protection relays that could leave them unresponsive. The 2016 incident suggested that the adversaries were experimenting with more automated methods for disrupting power grids, in contrast to the largely manual approach used in 2015. By that time, defensive capabilities and situational awareness had improved. Ukraine’s computer emergency response team, together with international partners and security vendors, analysed the malware in depth, and information sharing across the power sector, including through organisations such as the Electricity Information Sharing and Analysis Center, enabled utilities worldwide to search for and mitigate signs of similar intrusions [136]. The Industroyer incident reaffirmed that the threat to power grids was persistent and adaptive. It reinforced the need for more advanced detection capabilities, since Industroyer was identified only after the incident rather than being detected in real time; in particular, the protocol-level control commands it issued were visible on the substation network and could have been matched against an allow-list of legitimate masters and expected command patterns. It also accelerated efforts related to grid islanding and sectionalisation in order to limit the impact of malicious control commands.
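Industroyer’s ability to speak IEC 60870-5-104 is also what makes it observable: the control ASDUs it must send are visible on the wire. The following Python code is added as an illustration and is not from the reviewed study or from any published Industroyer analysis. It decodes the APCI and ASDU header of 104 frames, identifies process control commands (single and double commands, regulating steps, set-points) sent with cause of transmission "activation", and raises an alert when such a command originates from a host other than the allow-listed control-centre master or when a frame does not parse. The IP addresses, common address, information object addresses and frame bytes are constructed for the example; the frame layout follows the standard.

```python
"""Protocol-aware detection of rogue IEC 60870-5-104 control commands.

Added example, not taken from the paper or from any Industroyer analysis.
Frame layout per IEC 60870-5-104: start 0x68, APDU length, four control
octets (APCI), then the ASDU: type id, variable structure qualifier, cause
of transmission (2 bytes), common address (2 bytes, little endian), then
information objects (3-byte IOA + element).  All addresses and frames below
are constructed for the example.
"""

AUTHORISED_MASTERS = {"10.1.1.10"}     # constructed: the legitimate control centre
COT_ACTIVATION = 6

# ASDU type identifiers for process control commands (control direction)
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step",
    48: "C_SE_NA_1 set-point (normalised)",
    49: "C_SE_NB_1 set-point (scaled)",
    50: "C_SE_NC_1 set-point (float)",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
}


def parse_apdu(frame: bytes) -> dict:
    """Decode one APDU. 'format' is I, S or U; I-format frames also carry the
    ASDU header, the first IOA and, for types 45/46, the decoded command."""
    if len(frame) < 6 or frame[0] != 0x68 or frame[1] != len(frame) - 2:
        raise ValueError("not a well-formed 104 APDU")
    cf1 = frame[2]
    if cf1 & 0x01 == 0:
        fmt = "I"
    elif cf1 & 0x03 == 0x01:
        fmt = "S"
    else:
        fmt = "U"
    out = {"format": fmt}
    if fmt != "I":
        return out
    asdu = frame[6:]
    if len(asdu) < 6:
        raise ValueError("truncated ASDU")
    cot = asdu[2]
    out.update({
        "type_id": asdu[0],
        "num_objects": asdu[1] & 0x7F,
        "cot": cot & 0x3F,                     # low 6 bits: cause of transmission
        "negative": bool(cot & 0x40),          # P/N bit
        "test": bool(cot & 0x80),              # T bit
        "originator": asdu[3],
        "common_address": asdu[4] | (asdu[5] << 8),
    })
    if len(asdu) >= 9:
        out["ioa"] = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
    if len(asdu) >= 10 and out["type_id"] in (45, 46):
        qual = asdu[9]
        out["select"] = bool(qual & 0x80)     # S/E bit: 1 = select, 0 = execute
        if out["type_id"] == 45:
            out["state"] = "ON" if qual & 0x01 else "OFF"                 # SCS
        else:
            out["state"] = {1: "OFF", 2: "ON"}.get(qual & 0x03, "INVALID")  # DCS
    return out


def detect_rogue_commands(records):
    """records: iterable of (source_ip, frame_bytes).  Returns alerts for
    activation-type control commands from hosts outside the allow-list and
    for frames that do not parse (a malformed frame is itself suspicious)."""
    alerts = []
    for src, frame in records:
        try:
            a = parse_apdu(frame)
        except ValueError as exc:
            alerts.append((src, f"malformed frame: {exc}"))
            continue
        if a["format"] != "I" or a["type_id"] not in CONTROL_TYPES:
            continue
        if a["cot"] == COT_ACTIVATION and src not in AUTHORISED_MASTERS:
            alerts.append((src, f"{CONTROL_TYPES[a['type_id']]} {a.get('state', '')} "
                                f"IOA={a.get('ioa')} CA={a['common_address']} "
                                f"from unauthorised master"))
    return alerts


# Constructed traffic sample: (source IP, raw APDU).
SAMPLE = [
    ("10.1.1.10", bytes.fromhex("680443000000")),                      # U-format TESTFR act
    ("10.1.2.50", bytes.fromhex("680401000200")),                      # S-format acknowledgement
    ("10.1.2.50", bytes.fromhex("680e0000000001010300010010000001")),  # M_SP_NA_1, spontaneous
    ("10.1.1.10", bytes.fromhex("680e020000002e010600010010000001")),  # double cmd OFF, legit master
    ("10.1.1.77", bytes.fromhex("680e040000002e010600010000200001")),  # double cmd OFF, rogue host
    ("10.1.1.77", bytes.fromhex("680e060000002d010600010011000081")),  # single cmd select ON, rogue
    ("10.1.1.99", bytes.fromhex("680a000000002e01")),                  # length field lies
]

if __name__ == "__main__":
    for src, msg in detect_rogue_commands(SAMPLE):
        print(f"ALERT {src}: {msg}")
```

In practice the allow-list is one rule among several: counting activation commands per source per minute, flagging select/execute sequences outside planned switching windows, and correlating with the operator HMI log all help against a tool that issues many breaker commands in quick succession. A 104 session carries no authentication of its own, so the source address is only as trustworthy as the network segmentation around it.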

6.2.9. 2017—Triton Trisis Safety System Compromise

In August 2017, a petrochemical facility in Saudi Arabia, believed to be owned by Tasnee, experienced a cyberattack that was unprecedented in its target. The malware, variously referred to as Triton, Trisis, or HatMan, infected a Triconex safety controller, a specialised safety instrumented system designed to shut the plant down autonomously under unsafe operating conditions [137]. The attackers, later attributed by US authorities and threat intelligence firms to a Russian government research institute, attempted to reprogram the safety controller, presumably to remove safety constraints so that a dangerous process state could be induced, possibly with the intent of causing an explosion. However, an error in the malware caused the controller to enter a fail-safe state, which resulted in a controlled shutdown of the plant rather than a catastrophic event [137]. Triton is particularly notable because it represents a cyberattack explicitly designed to endanger human life by disabling safety systems. In the context of electric power grids, an analogous scenario can be envisaged, namely malware that targets protective relays so that faults are not cleared correctly, potentially leading to equipment damage or fires. The Triton incident raised serious concerns across all industrial sectors, including the electricity sector, regarding the need to secure safety-critical devices. These systems had often been considered inviolable, under the assumption that even if other controls failed, the safety system would provide a final layer of protection. Triton demonstrated that adversaries may instead target this last line of defence directly [137]. In response, organisations implemented tighter access controls and additional hardening measures for safety controllers, while some advocated physical separation of safety systems from any network connectivity, effectively returning to purely analogue protection concepts. The incident also underscored the importance of anomaly detection. Triton required engineering-level network access to the safety controller and the ability to modify its logic, which on a Triconex is only possible while the controller’s physical key switch is in program mode; monitoring for such abnormal engineering activity, and keeping the key switch out of program mode except during planned changes, offers a practical means to detect and block similar attacks in the future.

6.2.10. 2019—EKANS OT-Aware Ransomware

The emergence of EKANS, also known as Snake ransomware, marks a significant evolution in criminal malware targeting industrial environments. Unlike conventional ransomware that primarily encrypts data indiscriminately, EKANS explicitly terminates a wide range of processes associated with industrial control software, including supervisory control, historian services, and industrial communications platforms. This behaviour reduces operator visibility and control, creating immediate operational safety and reliability concerns even before encryption or extortion demands are considered [138]. Although public attribution of specific EKANS victims remains limited, the malware is widely regarded as emblematic of a broader trend toward OT-aware extortion tooling. Its inclusion in the incident landscape is therefore justified as a threat category exemplar rather than a single isolated event. For smart grids and digitally integrated energy systems, EKANS highlights how financially motivated actors increasingly exploit the fragility of operational dependencies, blurring the line between cybercrime and operational sabotage [139].

6.2.11. 2021—Colonial Pipeline Ransomware Incident

In May 2021, the United States witnessed how a cyberattack on energy infrastructure can have immediate societal effects. The Colonial Pipeline, which supplies roughly forty-five percent of the fuel consumed on the United States East Coast, including gasoline, diesel, and jet fuel, was hit by a ransomware attack [71]. The attackers, a criminal group known as DarkSide, infiltrated Colonial’s information technology network and encrypted data, demanding a ransom payment [140]. As a precautionary measure, Colonial Pipeline Company shut down its entire pipeline operations for several days, from 7 to 12 May 2021, in order to contain the spread of the attack [141]. This proactive shutdown led to fuel shortages and panic buying in several states, with gas prices spiking, providing a vivid demonstration of how cyber incidents can quickly ripple out to the public. Although the ransomware did not directly affect the operational technology systems controlling the pipeline, the company could not risk the attack spreading to those systems and also likely lost access to critical information technology functions, such as billing, that were necessary for continued operation. The Colonial Pipeline incident is significant because it involved a relatively routine ransomware attack of the type faced by many organisations, but its impact on critical energy infrastructure elevated it to a national security concern. In response, the United States government mobilised significant resources, with the Department of Energy, the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, and even the President becoming involved to support restoration efforts and manage the broader consequences [141]. Colonial ultimately paid the ransom, approximately 4.4 million US dollars, some of which was later recovered by the Department of Justice and restored its systems. 
This case highlighted the strong interdependence between information technology and operational technology in critical infrastructure. Even when operational technology is not directly compromised, the loss of information technology systems can still force operations to halt due to safety concerns and disrupted business processes. The incident also prompted policy changes. The Transportation Security Administration, which oversees pipeline security in the United States, issued new security directives for pipeline operators, mandating measures such as improved network segmentation, mandatory incident reporting, and explicit attention to ransomware threats. More broadly, Colonial’s experience served as a wake-up call for other utilities and grid operators. A comparable attack on a power utility’s corporate network could similarly trigger a precautionary shutdown of grid control systems if separation between networks is insufficient. The incident reinforced the importance of robust contingency planning, specifically how to maintain critical operations during a cyber crisis, and underscored the need to close the organisational gap between cybersecurity teams and operational staff.

6.2.12. 2022—Viasat Satellite Communications Disruption

Recent reports indicate that cyberattacks on energy infrastructure have been surging in frequency. According to S&P Global’s Energy Security Sentinel, the year 2022 saw a record high number of major cyber incidents in the energy and commodities sector worldwide [142]. At least thirteen major attacks occurred in 2022, which is the highest number recorded in a single year since tracking began in 2017. The oil subsector was the most frequently targeted, accounting for roughly one third of the incidents, followed by electrical power networks and then natural gas infrastructure [143]. Notable incidents included attacks on European oil facilities, attempts against United States grid utilities, where several utilities reported phishing and intrusion attempts linked to known advanced persistent threat groups with limited impact, and the spillover of cyberattacks from the Russia–Ukraine conflict affecting energy companies. For example, the Viasat satellite hack during the invasion of Ukraine disrupted satellite communications that controlled approximately 5800 wind turbines in Germany, temporarily resulting in the loss of remote control over these assets [144]. The Viasat case in February 2022, while primarily a communications attack, underlined how geopolitical conflicts can trigger cyber collateral damage to energy infrastructure located far beyond the immediate conflict zone. By late 2022, European electric utilities were on high alert for potential cyber retaliation amid the ongoing war and heightened energy supply tensions [144]. This trend in attacks has driven an increased focus on cyber resilience, emphasising the ability of the grid to recover rapidly from incidents and to maintain critical functions in a degraded operating mode. It has also broadened the understanding of what constitutes the energy sector from a cyber risk perspective. 
Attention now extends beyond power plants and grid operators to include oil and gas pipelines, fuel transport and shipping, renewable energy assets such as wind and solar farms, and even electric vehicle charging networks, all of which are increasingly recognised as part of a wider energy cyber landscape that adversaries may seek to exploit.

6.2.13. 2022—Industroyer2 Attempted Grid Disruption

In 2022, during the escalation of the conflict in Ukraine, a renewed attempt to disrupt electrical grid operations was identified through the deployment of Industroyer2 malware. Unlike the successful 2015 and 2016 incidents, this operation was detected and neutralised before causing a blackout [145]. The malware exhibited protocol-aware capabilities designed to interact directly with substation automation equipment, reflecting a clear evolutionary lineage from earlier Industroyer tooling while incorporating updated deployment and execution mechanisms. The Industroyer2 case is particularly important because it demonstrates both attacker persistence and defender adaptation. From a resilience perspective, it provides rare empirical evidence that improved monitoring, segmentation, and incident response procedures can prevent cyber-induced physical outages even when facing highly specialised OT malware. This case therefore strengthens the paper’s argument that cyber resilience is not solely about preventing intrusion but about limiting consequences through detection and response capabilities tailored to operational environments.

6.2.14. 2023—State Linked Prepositioning in Energy and Utility Networks (Volt Typhoon)

In 2023, security agencies in the United States and allied countries disclosed a coordinated cyber espionage and access persistence campaign, commonly referred to as Volt Typhoon, targeting critical infrastructure sectors including electricity, water, and gas utilities [146]. Unlike earlier energy sector incidents characterised by malware deployment or immediate operational disruption, this campaign focused on long-term covert access through credential theft, misuse of legitimate administrative tools, and lateral movement within enterprise environments. Public advisories emphasised that no confirmed outages occurred, but warned that the activity was assessed as pre-positioning intended to enable potential future disruption during periods of geopolitical tension. The incident is notable for highlighting the increasing strategic importance of detection, identity management, and network visibility in energy sector environments, as well as the difficulty of distinguishing benign administrative activity from malicious persistence within hybrid IT and OT architectures.

6.2.15. 2023—Ransomware Attack on Holding Slovenske Elektrarne

In late 2023, Slovenia’s largest electricity producer, Holding Slovenske Elektrarne, confirmed that it had been affected by a ransomware attack that disrupted corporate information technology systems [147]. The company reported that electricity generation and delivery were not impacted, and that operational technology systems remained functional throughout the incident. Public statements emphasised the rapid containment of the attack and the maintenance of power system availability, underscoring the effectiveness of network segmentation and incident response procedures. This case illustrates how ransomware has become a persistent threat to energy sector organisations, primarily affecting business continuity, data availability, and operational coordination rather than directly causing power outages. It also reinforces the growing distinction between IT compromise and OT resilience in modern power system operations.

6.2.16. 2024—Continued Cyber Operations Targeting Ukrainian Energy Infrastructure

During 2024, Ukrainian authorities and international partners reported continued cyber activity targeting energy sector organisations in parallel with ongoing kinetic attacks on power infrastructure [148]. While fewer technical details were publicly disclosed compared to earlier high-profile incidents, statements confirmed that cyber operations remained focused on disrupting grid operation, restoration processes, and coordination between control centres and field assets. These activities did not introduce new publicly identified malware families but demonstrated sustained adversarial interest in degrading the resilience and recovery capabilities of the electricity system. The persistence of cyber pressure on Ukrainian energy infrastructure highlights the role of cyber operations as an integrated component of broader conflict, and reinforces the unique status of Ukraine as the only environment in which repeated cyber–physical interactions with power systems have been observed over multiple years.

6.2.17. 2025—Iran Reports Repelling a Large-Scale Cyberattack Against National Infrastructure

In April 2025, Iranian authorities reported that a large-scale cyberattack targeting national infrastructure had been detected and repelled, with no confirmed disruption to essential services [149]. Public reporting indicated that energy systems were among the likely targets, although no technical details regarding the attack vector, affected systems, or attribution were disclosed. The incident was framed as a defensive success rather than an operational failure, and no independent forensic analysis has been made publicly available. Despite these limitations, the case is notable for illustrating the continued strategic targeting of national energy infrastructure and the increasing emphasis on detection and response capabilities. It also reflects a broader trend in which cyber incidents affecting the energy sector are acknowledged at a high level while detailed operational impacts remain undisclosed.

6.3. Cross Incident Analysis of Attack Vectors and Impacts

Taken together, these incidents illustrate a clear evolution in the nature of cyber threats facing the energy sector. While early cases demonstrated the feasibility of direct cyber–physical disruption, more recent incidents increasingly emphasise access persistence, ransomware-driven business disruption, and defensive detection rather than immediate outages. Since 2022, there have been fewer publicly confirmed cases of cyber-induced power interruptions, yet sustained adversarial interest in energy infrastructure remains evident. This shift highlights the growing importance of resilience, segmentation, monitoring, and recovery capabilities, and supports the view that cyber compromise must be treated as an assumed operating condition rather than an exceptional event in modern power system operation. These cases underscore that the absence of visible disruption does not imply the absence of material risk, particularly in digitally integrated energy systems where latent access, ransomware-induced organisational disruption, or repelled attacks can still carry significant strategic and operational implications. Table 3 maps these incidents consistently to a recurring set of cyberthreats and attack vectors, highlighting that both disruptive and non-disruptive campaigns exploit common structural weaknesses across smart grid environments.

6.4. Lessons Learned and Implications for Grid Resilience

The inclusion of destructive enterprise-focused attacks such as Shamoon, alongside OT-aware extortion malware exemplified by EKANS and the ransomware incident affecting Colonial Pipeline, further demonstrates that operational risk in the energy sector is not confined to industrial control environments. Modern energy systems depend on enterprise IT for scheduling, maintenance coordination, market participation, identity management, and engineering data handling. Disruption of these functions alone can be sufficient to degrade or halt energy delivery, even when core control systems remain uncompromised. This blurring of traditional IT and OT boundaries reinforces the need to treat enterprise environments as integral components of energy system resilience rather than as peripheral support infrastructure.
At the same time, recent incidents also provide evidence that defensive measures can meaningfully reduce impact when appropriately implemented. The thwarted Industroyer2 attempt highlights how improved monitoring, segmentation, and incident response capabilities can prevent cyber operations from translating into physical outages, even in the presence of highly specialised OT-aware malware. This observation supports a shift in emphasis from purely preventative security models toward resilience-oriented approaches that prioritise detection, containment, and recovery.
Overall, the incident history reviewed in this section illustrates an evolving threat landscape characterised by heterogeneous actors, diverse objectives, and multiple pathways to operational impact. Cyber risk to smart grids and energy systems emerges not as a sequence of isolated crises but as a continuous condition shaped by prolonged access, enterprise dependencies, and increasing digital complexity. This perspective provides the empirical foundation for the resilience-focused strategies discussed in the following section, where architectural, organisational, and governance measures are examined as essential complements to technical security controls.

7. Emerging Solutions and Future Directions for Grid Cybersecurity

Securing the smart grid is a continuously evolving challenge that requires not only addressing current threats but also anticipating future ones. Encouragingly, a wide array of emerging technologies and strategies are being explored and, in some cases, deployed to bolster the cybersecurity of energy systems. The solution classes reviewed in this section are explicitly motivated by the threat mechanisms and incident patterns analysed in Section 5 and Section 6, reflecting operational lessons learned from real-world cyber intrusions, enterprise disruptions, defensive detections, and recovery efforts. Together, these approaches aim to strengthen the confidentiality, integrity, and availability of smart grid systems while accommodating the stringent reliability, safety, and performance requirements that distinguish energy infrastructures from conventional information technology environments. In this context, the emphasis increasingly shifts from purely preventative security models toward resilience-oriented strategies that prioritise detection, containment, recovery, and safe operation under degraded conditions.

7.1. AI-Driven Monitoring and Anomaly Detection

The complexity of smart grid data and the speed at which events unfold have led to growing interest in applying artificial intelligence and machine learning techniques to cybersecurity [50]. Machine learning algorithms, including supervised, unsupervised, and reinforcement learning approaches, can be trained on normal patterns of grid operation and then applied to detect deviations that may indicate intrusions or malicious behaviour [92]. For example, a machine learning based intrusion detection system might monitor network traffic within a substation and flag unusual sequences of commands or abnormal data flows that deviate from historical norms [48]. Artificial intelligence techniques can also analyse equipment telemetry such as temperature and vibration data to identify signs of physical tampering or the subtle effects of malware, for instance, a generator operating slightly differently because its control logic has been altered [65]. One key advantage of artificial intelligence and machine learning lies in their ability to process and interpret enormous volumes of data from phasor measurement units, smart meters, and supervisory control and data acquisition logs far more rapidly than human operators [42]. This capability increases the likelihood of detecting stealthy attacks that might otherwise be hidden within normal operational noise [99]. In addition, artificial intelligence can support predictive threat modelling by anticipating potential attacker actions or identifying system configurations that are particularly vulnerable, thereby enabling pre-emptive defensive adjustments [79]. In operational terms, if a cybersecurity system based on artificial intelligence detects an abnormal spike in voltage readings that suggests data injection, it could automatically cross-verify the information with redundant sensors and even initiate containment actions, such as isolating a subnetwork, in near real time [90]. 
Of course, adversaries can also employ artificial intelligence, for example, to evade detection by learning intrusion detection system patterns, which makes this a continual cat-and-mouse dynamic [107]. Nevertheless, artificial intelligence-enabled defences are expected to become increasingly prevalent [49]. The integration of artificial intelligence into grid security must be undertaken with care. False positives or overly aggressive autonomous actions could themselves disrupt grid operations [48]. As a result, many current proposals position artificial intelligence as a decision support tool for human operators rather than as a fully autonomous control mechanism [118]. Early deployments already include machine learning based anomaly detectors within substation networks and pilot projects in which utilities use machine learning to continuously analyse device firmware integrity [9]. Over time, as confidence in these technologies increases, autonomous cyber defence agents may become a standard component of grid control systems, operating in the background to protect against attacks and automatically reconfiguring the grid in response to cyber induced disturbances, enabling self-healing not only for physical faults but also for cyber related faults [59]. Beyond real-time anomaly detection, these approaches also support systematic threat hunting by enabling the identification of low-intensity, long-dwell intrusions that may evade signature-based detection but nonetheless indicate persistent adversary presence within grid environments [125].
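As an added illustration of the baseline-and-deviation approach described above (it is not code from the review or from any utility product), the following Python learns a per-device command profile from constructed substation log lines, flags unknown sources, never-seen commands and command bursts, and applies the redundant-sensor cross-check to a suspicious voltage reading. The log format, host and device names and thresholds are assumptions.

```python
"""Baseline-and-deviation detection for substation command traffic.
Added illustration for Section 7.1; not code from the review or any utility
product. Log format, host names, devices and thresholds are constructed. A
baseline is learned from known-good traffic; new lines are then scored for
(a) unknown source/destination pairs, (b) commands a source never issued to
that device and (c) bursts above the learned peak rate. cross_verify() is the
redundant-sensor check applied to a suspicious reading before any action."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median
import re

# Constructed log format: "<ISO timestamp> src=<host> dst=<device> cmd=<command>"
LINE_RE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) cmd=(?P<cmd>\S+)")

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    event["raw"] = line
    return event

class CommandBaseline:
    """Learns which (src, dst) pairs issue which commands, and the peak count of
    each command seen in any single sliding window of known-good traffic."""

    def __init__(self, window=timedelta(minutes=1), burst_factor=3):
        self.allowed = defaultdict(set)  # (src, dst) -> {cmd, ...}
        self.peak = Counter()            # (src, dst, cmd) -> max events per window
        self.window = window
        self.burst_factor = burst_factor

    def learn(self, lines):
        stamps = defaultdict(list)
        for e in sorted((parse(l) for l in lines), key=lambda e: e["ts"]):
            self.allowed[(e["src"], e["dst"])].add(e["cmd"])
            stamps[(e["src"], e["dst"], e["cmd"])].append(e["ts"])
        for key, ts in stamps.items():
            self.peak[key] = self._peak_window_count(ts)

    def _peak_window_count(self, ts):
        best, start = 0, 0
        for i, t in enumerate(ts):  # ts is time-ordered
            while t - ts[start] > self.window:
                start += 1
            best = max(best, i - start + 1)
        return best

    def score(self, lines):
        """Return [(raw_line, reason), ...] for every event that deviates."""
        alerts, recent = [], defaultdict(list)
        for e in sorted((parse(l) for l in lines), key=lambda e: e["ts"]):
            pair = (e["src"], e["dst"])
            key = pair + (e["cmd"],)
            if pair not in self.allowed:
                alerts.append((e["raw"], "unknown source/destination pair"))
                continue
            if e["cmd"] not in self.allowed[pair]:
                alerts.append((e["raw"], "command never seen from this source"))
                continue
            recent[key] = [t for t in recent[key] if e["ts"] - t <= self.window]
            recent[key].append(e["ts"])
            if len(recent[key]) > self.burst_factor * self.peak[key]:
                alerts.append((e["raw"], "command burst above learned rate"))
        return alerts

def cross_verify(primary, redundant, tolerance=0.02):
    """'consistent', 'primary-suspect' (redundant sensors agree with each other but
    not with the primary) or 'inconclusive' (redundant sensors disagree, so no
    automatic containment action is justified)."""
    ref = median(redundant)
    if any(abs(r - ref) > tolerance * ref for r in redundant):
        return "inconclusive"
    if abs(primary - ref) > tolerance * ref:
        return "primary-suspect"
    return "consistent"

# Constructed known-good traffic: the SCADA front end polls two devices once a
# minute and an engineering workstation reads relay settings once.
BASELINE_LOG = [
    "2025-03-01T01:00:00 src=scada-a dst=relay-07 cmd=READ_STATUS",
    "2025-03-01T01:01:00 src=scada-a dst=relay-07 cmd=READ_STATUS",
    "2025-03-01T01:02:00 src=scada-a dst=relay-07 cmd=READ_STATUS",
    "2025-03-01T01:00:30 src=scada-a dst=breaker-03 cmd=READ_STATUS",
    "2025-03-01T01:01:30 src=scada-a dst=breaker-03 cmd=READ_STATUS",
    "2025-03-01T01:02:30 src=scada-a dst=breaker-03 cmd=READ_STATUS",
    "2025-03-01T01:00:45 src=eng-ws dst=relay-07 cmd=READ_SETTINGS",
]
# Constructed traffic to score: a normal poll, an unexpected settings write, an
# unknown host addressing a breaker, and a polling burst (8 polls in 8 seconds).
NEW_LOG = [
    "2025-03-01T02:00:00 src=scada-a dst=relay-07 cmd=READ_STATUS",
    "2025-03-01T02:00:05 src=eng-ws dst=relay-07 cmd=WRITE_SETTINGS",
    "2025-03-01T02:00:10 src=10.0.9.9 dst=breaker-03 cmd=OPEN",
] + [f"2025-03-01T02:00:{20 + i:02d} src=scada-a dst=breaker-03 cmd=READ_STATUS"
     for i in range(8)]

def run_demo():
    baseline = CommandBaseline()
    baseline.learn(BASELINE_LOG)
    return baseline.score(NEW_LOG)  # four alerts on the constructed traffic
```

The burst threshold is three times the peak per-minute count learned for that command, so the eight-poll burst raises alerts only from the seventh poll onward; the write, the unknown host, and those two bursts give four alerts in total.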

7.2. Zero-Trust Architectures and Identity-Centric Security

Traditional grid cybersecurity has historically followed a perimeter defence model, relying on strong outer protections such as firewalls and demilitarised zones between corporate networks and supervisory control and data acquisition environments to keep attackers out [118]. However, the paradigm is shifting toward a zero-trust approach, which assumes that threats may already exist inside the network and therefore requires every user and device to continuously authenticate and be authorised for each action [150]. In practical terms, this shift entails finer-grained network segmentation within substations and control centres, application layer access controls, and continuous monitoring of credentials and access patterns. For example, instead of allowing any device on a substation local area network to communicate with any intelligent electronic device, a zero-trust architecture would enforce that a protection relay accepts connections only from an authenticated substation controller [83]. Even that controller would operate under a least privilege principle, meaning it could not modify relay settings unless a specific, time-limited access authorisation is granted [103]. Micro segmentation is increasingly implemented so that even if malware compromises one part of the network, it cannot easily spread laterally to other components. This can be achieved through software-defined networking techniques that dynamically isolate traffic [151]. Another important aspect is the use of multi-factor authentication and robust identity management for operators and engineers [118]. Many utilities are moving toward requiring multi-factor authentication, including tokens, digital certificates, or biometric factors, for any remote access into operational technology networks. This makes it significantly more difficult for attackers to exploit stolen passwords alone. Continuous diagnostics and monitoring tools are also a core element of a zero-trust approach. 
These tools observe user behaviour and access patterns and can revoke access if anomalies are detected [152]. For example, if an engineer account suddenly attempts to download a full configuration database in the early hours of the morning without any prior history of such activity, the system may flag or terminate the session. The guiding principle is never trust and always verify. This represents a cultural shift in operational practice, but given the frequency of insider threats and credential-based incidents, it is an increasingly necessary one. Furthermore, secure supply chain practices and robust device identity management are essential to ensure that only trusted hardware and software are deployed and that devices can reliably prove their provenance [153]. Technologies such as hardware security modules and trusted platform modules are increasingly embedded in grid devices to support secure boot and cryptographic attestation, enabling a field device to demonstrate that it is running authorised code [154]. In parallel, effective supply chain governance is required to complement technical controls by ensuring the traceability, authenticity, and integrity of software and firmware throughout their lifecycle [153]. Measures such as software provenance verification, controlled update processes, and continuous assessment of vendor risk reduce the likelihood that trusted dependencies become vectors for large-scale compromise. Regulatory developments are also reinforcing this direction. For example, recent grid security directives in the United States require verification of the integrity and authenticity of software and firmware on critical devices [155]. This aligns closely with the zero-trust principle by removing implicit trust even from internal equipment and replacing it with continuous verification [150].
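The relay-side policy sketched above, as an added example that is not part of the review or of any vendor product: every request must carry an authenticated identity, reads are accepted only from enrolled substation controllers, settings changes and bulk exports additionally need multi-factor authentication plus a time-limited grant, and an off-hours configuration export with no precedent is refused as a behavioural anomaly even when a grant exists. Principal, device and action names, the working-hours window and the grant model are assumptions.

```python
"""Zero-trust access decisions at a protection relay.
Added illustration for Section 7.2; not code from the review or any vendor
product. Principal, device and action names, the working-hours window and the
grant model are constructed assumptions. Deny is the default outcome: a request
is allowed only when identity, factor, grant and behaviour checks all pass."""
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class Grant:
    principal: str
    device: str
    action: str
    not_before: datetime
    not_after: datetime

    def covers(self, req):
        return (self.principal == req.principal and self.device == req.device
                and self.action == req.action
                and self.not_before <= req.at <= self.not_after)

@dataclass(frozen=True)
class Request:
    principal: str
    device: str
    action: str
    at: datetime
    authenticated: bool = False  # session bound to a verified user/device identity
    mfa_verified: bool = False   # second factor presented for this session

READ_ACTIONS = {"READ_STATUS", "READ_MEASUREMENTS"}
PRIVILEGED_ACTIONS = {"WRITE_SETTINGS", "BREAKER_OPEN", "EXPORT_CONFIG_DB"}
WORKING_HOURS = (time(6, 0), time(20, 0))

class RelayPolicy:
    def __init__(self, controllers, grants, export_history):
        self.controllers = set(controllers)    # enrolled substation controllers
        self.grants = list(grants)
        self.export_history = export_history  # principal -> number of past exports

    def decide(self, req):
        """Return ('allow'|'deny', reason)."""
        if not req.authenticated:
            return "deny", "unauthenticated session"
        if req.action in READ_ACTIONS:
            if req.principal in self.controllers:
                return "allow", "read by enrolled controller"
            return "deny", "reads accepted only from enrolled controllers"
        if req.action not in PRIVILEGED_ACTIONS:
            return "deny", "unknown action"
        if not req.mfa_verified:
            return "deny", "privileged action requires multi-factor authentication"
        if not any(g.covers(req) for g in self.grants):
            return "deny", "no active time-limited grant for this action"
        if req.action == "EXPORT_CONFIG_DB" and self._anomalous_export(req):
            return "deny", "off-hours bulk export with no prior history"
        return "allow", "privileged action under active grant"

    def _anomalous_export(self, req):
        off_hours = not (WORKING_HOURS[0] <= req.at.time() < WORKING_HOURS[1])
        return off_hours and self.export_history.get(req.principal, 0) == 0

# Constructed configuration: one enrolled controller and one engineer holding a
# one-hour settings grant plus an export grant valid for the whole day.
T = datetime(2025, 3, 3, 9, 0)
POLICY = RelayPolicy(
    controllers=["sub-ctl-01"],
    grants=[
        Grant("alice", "relay-07", "WRITE_SETTINGS", T, T.replace(hour=10)),
        Grant("alice", "relay-07", "EXPORT_CONFIG_DB", T.replace(hour=0), T.replace(hour=23)),
    ],
    export_history={},  # alice has never exported the configuration database
)

def evaluate(principal, action, hour, minute=0, authenticated=True, mfa=False):
    """Demo helper: every request targets relay-07 on the constructed day T."""
    req = Request(principal, "relay-07", action, T.replace(hour=hour, minute=minute),
                  authenticated=authenticated, mfa_verified=mfa)
    return POLICY.decide(req)

if __name__ == "__main__":
    for case in [("sub-ctl-01", "READ_STATUS", 3), ("alice", "WRITE_SETTINGS", 9, 30, True, True),
                 ("alice", "WRITE_SETTINGS", 11, 0, True, True),
                 ("alice", "EXPORT_CONFIG_DB", 3, 0, True, True), ("mallory", "READ_STATUS", 9, 0, False)]:
        print(case[:3], evaluate(*case))
```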

7.3. Blockchain and Distributed Trust Mechanisms

Blockchain, the technology underpinning cryptocurrencies, has been proposed as a tool to enhance integrity, authentication, and resilience in smart grids [156]. The core idea is to use the properties of blockchain, namely an immutable and append-only distributed ledger, to securely record transactions, device states, or control commands in a manner that is extremely difficult to tamper with [157]. In a smart grid context, one can envision blockchain-based ledgers that log every command issued to critical devices or every energy transaction between a consumer’s solar panel and the grid, with cryptographic guarantees that these records are authentic and have not been altered [158]. For example, when a control centre sends a dispatch instruction to a substation, that instruction could be hashed and recorded on a blockchain shared by all substations. If an attacker attempted to inject a fake instruction, the resulting inconsistency with the distributed ledger could be detected and the command rejected [159]. Blockchain can also support decentralised authentication. Devices could rely on blockchain entries to verify each other’s identities or to confirm that firmware versions are legitimate [160]. Another potential application lies in microgrids and distributed energy transactions, where smart contracts, which are self-executing agreements on a blockchain, could automate and secure the process of buying and selling energy between peers while ensuring data integrity and providing a transparent audit trail [161]. By removing single points of failure, since the ledger is replicated across multiple nodes, blockchain can enhance availability and trust, as no single compromised server can alter records or forge transactions [162]. That said, blockchains come with challenges. They can be slow in terms of transaction throughput and latency and can be energy-intensive, particularly proof-of-work blockchains, although permissioned or proof-of-stake approaches mitigate this issue. 
They also introduce additional system complexity. In critical real-time systems such as the power grid, any blockchain-based implementation must therefore be carefully tailored to meet strict performance and reliability requirements [161]. Ongoing research projects are exploring lightweight and private blockchain solutions suitable for substations and Internet of Things devices [163]. As a future direction, blockchain might underpin a more federated and secure grid control architecture, particularly as grids become more decentralised with prosumers and microgrids, essentially acting as the trust fabric for a highly distributed system [164].
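A minimal model of the dispatch-instruction ledger described above, added here and not taken from the review or from any blockchain product: instructions are hash-linked and replicated to every substation, and a substation acts on a command only if its own replica verifies, its ledger head agrees with a majority of nodes, and the command matches the entry it claims. Consensus, networking and signatures are omitted, and node names and instruction fields are constructed.

```python
"""Hash-chained dispatch ledger replicated across substations.
Added illustration for Section 7.3; not code from the review or any blockchain
product. It models only the integrity property the section describes. Consensus,
networking and signing are omitted; node names and instruction fields are
constructed. Every node (control centre or substation) holds a Ledger."""
import copy
import hashlib
import json

GENESIS = "0" * 64

def entry_hash(index, prev_hash, instruction):
    payload = json.dumps({"i": index, "p": prev_hash, "x": instruction}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

class Ledger:
    """One node's copy of the shared, append-only dispatch ledger."""

    def __init__(self, name):
        self.name = name
        self.entries = []  # dicts in chain order: index, prev_hash, instruction, hash

    def head(self):
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def append(self, instruction):
        entry = {"index": len(self.entries), "prev_hash": self.head(),
                 "instruction": copy.deepcopy(instruction)}
        entry["hash"] = entry_hash(entry["index"], entry["prev_hash"], entry["instruction"])
        self.entries.append(entry)
        return entry

    def replicate(self, entry):
        # Accept a peer's entry only if it links correctly onto this replica.
        if entry["index"] != len(self.entries) or entry["prev_hash"] != self.head():
            return False
        if entry["hash"] != entry_hash(entry["index"], entry["prev_hash"], entry["instruction"]):
            return False
        self.entries.append(copy.deepcopy(entry))
        return True

    def verify_chain(self):
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if (e["index"], e["prev_hash"]) != (i, prev) or \
                    e["hash"] != entry_hash(i, prev, e["instruction"]):
                return False
            prev = e["hash"]
        return True

    def rebuild_hashes(self):
        # Re-chain after editing contents: models an attacker rewriting one replica.
        prev = GENESIS
        for i, e in enumerate(self.entries):
            e["index"], e["prev_hash"] = i, prev
            e["hash"] = prev = entry_hash(i, prev, e["instruction"])

    def dispatch(self, instruction, replicas):
        """Control-centre role: record, replicate, and return the entry hash that
        accompanies the command on the wire."""
        entry = self.append(instruction)
        for r in replicas:
            if not r.replicate(entry):
                raise RuntimeError(f"{r.name} rejected replication")
        return entry["hash"]

    def accept_command(self, instruction, claimed_hash, nodes):
        """Substation role; nodes is every ledger-holding node, this one included."""
        if not self.verify_chain():
            return False, "local ledger corrupted"
        agreeing = sum(1 for n in nodes if n.head() == self.head())
        if 2 * agreeing <= len(nodes):
            return False, "ledger head disagrees with majority of nodes"
        entry = next((e for e in self.entries if e["hash"] == claimed_hash), None)
        if entry is None:
            return False, "command not recorded in ledger"
        if entry["instruction"] != instruction:
            return False, "command differs from recorded instruction"
        return True, "accepted"

def run_demo():
    cc, subs = Ledger("control-centre"), [Ledger(n) for n in ("S1", "S2", "S3")]
    nodes = [cc] + subs
    order = {"target": "S2", "action": "SET_POINT", "mw": 120}
    h = cc.dispatch(order, subs)
    results = {
        "genuine": subs[1].accept_command(order, h, nodes),
        "injected": subs[1].accept_command({"target": "S2", "action": "BREAKER_OPEN"}, h, nodes),
        "unknown": subs[1].accept_command(order, "ab" * 32, nodes),
    }
    # An attacker rewrites S3's replica and re-chains it: S3 now disagrees with
    # the majority and refuses to act, while the healthy S2 keeps operating.
    subs[2].entries[0]["instruction"]["mw"] = 900
    subs[2].rebuild_hashes()
    results["tampered_node"] = subs[2].accept_command(order, h, nodes)
    results["healthy_node"] = subs[1].accept_command(order, h, nodes)
    return results
```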

7.4. Advanced Cryptography and Post Quantum Security

Cryptographic measures form the backbone of confidentiality and integrity protection. In the future, broader adoption of strong and lightweight cryptography tailored to grid devices is anticipated, along with preparations for the era of quantum computing, which could undermine many current cryptographic algorithms [63]. Lightweight encryption algorithms, such as AES 128 in efficient modes or dedicated schemes like Speck, are being implemented in resource-constrained devices, including smart meters and sensors, in order to provide confidentiality without overburdening device hardware [28]. Protocols such as TLS are also being adapted for supervisory control and data acquisition and industrial control system communications, for example, through OPC UA and the IEC 62351 standards for secure SCADA communications [135,165]. Moreover, authenticated encryption is increasingly emphasised, ensuring that messages are not only encrypted but also cryptographically signed to prevent tampering [166]. As noted earlier, a critical aspect is the protection of time synchronisation and command integrity. Cryptographic hashes and digital signatures can be applied to measurements and control commands so that any alteration during transmission is reliably detected [83]. For instance, phasor measurements can include a digital signature generated by the phasor measurement unit, allowing the control centre to verify the authenticity and integrity of the data. Another important area is secure firmware updates. Cryptographic signatures provided by vendors can ensure that only authenticated and trusted firmware is executed on grid devices, thereby preventing malware from masquerading as legitimate software updates [100]. 
Looking further ahead, the advent of quantum computing poses a significant long-term challenge, as it threatens to render many widely used encryption and digital signature schemes, such as RSA and elliptic curve cryptography, insecure, potentially within the operational lifetime of infrastructure being deployed today. As a result, the power grid community is paying increasing attention to post-quantum cryptography [167]. Standards bodies, including the United States National Institute of Standards and Technology, are already in the process of standardising quantum-resistant cryptographic algorithms [168]. Over time, grid operators will need to migrate critical security mechanisms, including virtual private networks and public key infrastructures, to quantum resistant solutions in order to ensure long term security and future proofing of grid communications and control systems [169]. This transition is nontrivial and will require careful planning, validation, and testing within the operational constraints of power systems. Conversely, quantum technologies themselves may also contribute to grid security. Quantum key distribution could, in principle, provide provably secure encryption keys for critical communication links, and some pilot projects have already explored its use in utility telecommunications networks. However, quantum key distribution remains expensive and limited in transmission distance [170]. In summary, the continued strengthening of cryptographic mechanisms, encompassing both conventional and quantum resistant approaches, represents a fundamental pillar of future smart grid cybersecurity. Encryption alone is not a complete solution, but as part of a defence in depth strategy, it ensures that even if network perimeters are compromised, attackers cannot easily decipher or manipulate control messages without being detected.
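An added example (not from the review or from any PMU vendor) of the authenticated measurement frame described above, with the freshness and sequence checks that address the time-synchronisation and command-integrity concerns the section raises. A keyed MAC (HMAC-SHA256 from the Python standard library) stands in for the PMU's digital signature, so a per-unit shared key is assumed; a production design would use an asymmetric signature under a PKI.

```python
"""Authenticated, replay-protected phasor measurements.
Added illustration for Section 7.4; not code from the review or any PMU vendor.
HMAC-SHA256 stands in for the per-unit digital signature, so a shared key per
PMU is assumed (a real deployment would use asymmetric signatures under a PKI).
The control centre accepts a frame only if its tag verifies, its timestamp is
fresh against the centre's synchronised clock, and its sequence number advances."""
import hashlib
import hmac
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class Measurement:
    pmu_id: str
    seq: int        # per-PMU monotonically increasing frame counter
    ts: float       # UTC seconds from the PMU's synchronised clock
    phasors: tuple  # ((name, magnitude_pu, angle_deg), ...)

def canonical(m):
    """Deterministic byte encoding; sender and verifier must agree on it exactly."""
    return json.dumps([m.pmu_id, m.seq, m.ts, list(m.phasors)],
                      separators=(",", ":")).encode()

def sign(m, key):
    return hmac.new(key, canonical(m), hashlib.sha256).hexdigest()

class ControlCentreVerifier:
    def __init__(self, keys, max_skew=0.5):
        self.keys = keys          # pmu_id -> shared key bytes
        self.max_skew = max_skew  # tolerated clock difference in seconds
        self.last_seq = {}

    def verify(self, m, tag, now):
        key = self.keys.get(m.pmu_id)
        if key is None:
            return False, "unknown PMU"
        # Check the tag before touching any state, so forged frames cannot
        # advance the sequence window or otherwise influence the verifier.
        if not hmac.compare_digest(sign(m, key), tag):
            return False, "tag mismatch: frame altered or not from this PMU"
        if abs(now - m.ts) > self.max_skew:
            return False, "timestamp outside freshness window"
        if m.seq <= self.last_seq.get(m.pmu_id, -1):
            return False, "sequence not advancing: replayed frame"
        self.last_seq[m.pmu_id] = m.seq
        return True, "accepted"

# Constructed key material (a literal key is for the demo only).
KEYS = {"PMU-17": b"constructed-demo-key-PMU-17"}

def run_demo():
    v = ControlCentreVerifier(KEYS)
    now = 1_700_000_000.0
    frame = Measurement("PMU-17", 41, now - 0.1, (("VA", 1.02, 12.5), ("IA", 0.87, -3.2)))
    tag = sign(frame, KEYS["PMU-17"])
    results = {"genuine": v.verify(frame, tag, now)}
    # Magnitude changed in transit: the tag no longer matches.
    altered = Measurement(frame.pmu_id, frame.seq, frame.ts, (("VA", 1.45, 12.5), ("IA", 0.87, -3.2)))
    results["altered"] = v.verify(altered, tag, now)
    # The same genuine frame delivered a second time.
    results["replayed"] = v.verify(frame, tag, now + 0.1)
    # A genuine frame captured earlier and delivered 30 s late.
    old = Measurement("PMU-17", 42, now - 30.0, frame.phasors)
    results["stale"] = v.verify(old, sign(old, KEYS["PMU-17"]), now)
    results["unknown"] = v.verify(Measurement("PMU-99", 1, now, ()), "00", now)
    return results
```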

7.5. Digital Twins for Cyber Physical Resilience and Recovery

A promising approach to improving grid resilience is the use of digital twins, which are high-fidelity virtual replicas of the physical grid and its control systems [171]. A digital twin can simulate grid behaviour in real time or faster under a wide range of operating conditions and can be used for both planning and operational support [172]. In the context of cybersecurity, digital twins provide a safe environment for testing responses to cyberattacks and for developing what-if scenarios [173]. For example, operators could use a digital twin to conduct an exercise exploring how the system would respond if the breaker controls at a particular substation were compromised and forced to open randomly, allowing them to observe potential impacts and design mitigation strategies without interacting with the real grid. Importantly, these digital twin-based approaches are intended to augment human decision-making and preparedness rather than to replace operator authority, ensuring that critical control actions and recovery decisions remain under human supervision during cyber incidents. During an actual cyber incident, a digital twin could be invaluable. If parts of the grid are compromised or cannot be fully trusted, operators could rely on the digital twin, which may be fed by different and uncompromised data sources, to maintain situational awareness [174]. One proposed concept is to link the digital twin actively so that it receives data in parallel with the real control system. If data from the live system appears suspicious and suggests a possible integrity attack, the analytics applied to the twin could help identify discrepancies, assuming that at least some of the data sources feeding the twin remain secure [175]. Digital twins also enable safe testing of software patches or configuration changes. 
Before deploying a new network configuration or intrusion detection signature on the live grid, the change can be validated on the twin to ensure that it does not inadvertently disrupt operations [173]. Beyond serving as a testbed, digital twins can support the training of artificial intelligence models for cybersecurity by simulating large numbers of attack scenarios to improve detection capabilities [176]. They can also be used for operator training in managing cyber contingencies, functioning in a manner similar to flight simulators for grid control room personnel [177]. This includes practising operation under degraded conditions or in manual mode if supervisory control and data acquisition systems are compromised. In future visions, every major power utility could maintain a continuously running digital twin of its grid. This would enable a form of closed-loop cybersecurity, in which detected anomalies in the real grid trigger simulations within the twin to evaluate countermeasures, with the results informing decisions and actions in the operational system. This helps achieve resilient operation, in which the system can withstand and recover from attacks with minimal impact. Hence, future research should focus on how digital twins can be kept securely synchronised with the physical system and how the integrity of the twin itself can be ensured. If an attacker were able to compromise the inputs to the digital twin, it could mislead operators, so the twin must also be protected, potentially through isolation or deployment on a separate and secured network.

7.6. Cyber Resilient Grid Design and Operational Preparedness

A broader future direction is to build power grids that are fundamentally more resilient to cyber disruption. This involves architectural changes and operational protocols that can contain the impact of cyberattacks [11]. One important concept is the design of protection schemes that fail safely even under conditions of cyber uncertainty [65]. For example, local control mechanisms can take over if centralised control commands appear malicious or are unavailable [118]. Adaptive islanding is also being explored. If a utility detects that it is under a severe cyberattack, it may intentionally separate portions of the grid into self-sufficient microgrids in order to prevent cascading failures caused by erroneous or malicious commands [178]. There is also growing work on graceful degradation strategies. These aim to ensure that when data becomes unreliable or untrusted, the grid can revert to more conservative operating modes, such as operating at reduced capacity or with increased safety margins, until trust in the data is restored [11]. Inertial and backup control systems that remain offline during normal operation and are activated only during emergencies are also being investigated [179]. These systems function as a last-resort analogue or minimally digital fallback if primary digital control systems are compromised. Cyber resilience also depends on robust backup, recovery, and restoration mechanisms that ensure the integrity and availability of both operational and enterprise systems following destructive cyber incidents [101]. Secure, regularly tested backups and well-defined restoration procedures are essential to limiting recovery time and preventing prolonged operational disruption when enterprise environments are compromised [180]. More generally, redundancy and diversity in control mechanisms increase resilience by reducing the likelihood that a single cyber event can disable the entire system [15]. For instance, using different vendors or distinct technologies for primary and backup supervisory control systems lowers the probability that both are vulnerable to the same exploit [118].
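The fail-safe local control and graceful degradation described above, as an added example that is not from the paper or any of its cited sources: a simulated local controller validates each central setpoint (HMAC, sequence number, freshness, physical plausibility), caps output while central data is untrusted, takes over with a simple droop rule when the central heartbeat is lost, and hands control back only after several consecutive valid commands. The key, limits, timings and droop gain are constructed assumptions for illustration.

```python
# Added example (not the paper's code): a local controller that degrades gracefully
# when central setpoints are missing, fail integrity checks or are implausible.
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from enum import Enum

EXAMPLE_KEY = b"example-key-not-for-production"  # constructed; real keys are per device
HEARTBEAT_TIMEOUT_S = 10.0   # central commands must arrive at least this often
MAX_STEP_MW = 5.0            # plausibility limit: largest change per command
RATED_MW = 50.0              # nameplate output of the controlled resource
CONSERVATIVE_FRACTION = 0.6  # output cap while central data is not trusted
RESTORE_AFTER_VALID = 3      # consecutive good commands needed to re-trust
CAP_MW = RATED_MW * CONSERVATIVE_FRACTION

class Mode(Enum):
    NORMAL = "normal"                  # follows central setpoints
    CONSERVATIVE = "conservative"      # suspect data: output capped, margin kept
    LOCAL_FALLBACK = "local_fallback"  # central link lost: local droop control

@dataclass
class Command:
    seq: int            # monotonically increasing, defeats replay
    ts: float           # sender timestamp, checked for freshness
    setpoint_mw: float
    mac: str            # hex HMAC-SHA256 over (seq, ts, setpoint_mw)

def _mac(seq: int, ts: float, setpoint_mw: float, key: bytes = EXAMPLE_KEY) -> str:
    payload = json.dumps([seq, ts, setpoint_mw]).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def sign_command(seq: int, ts: float, setpoint_mw: float, key: bytes = EXAMPLE_KEY):
    return Command(seq, ts, setpoint_mw, _mac(seq, ts, setpoint_mw, key))

@dataclass
class LocalController:
    mode: Mode = Mode.NORMAL
    output_mw: float = 20.0
    last_seq: int = 0
    last_cmd_time: float = 0.0
    good_streak: int = 0
    log: list = field(default_factory=list)   # (time, rejection reason)

    def _validate(self, cmd: Command, now: float):
        """Return None if the command is acceptable, otherwise a rejection reason."""
        if not hmac.compare_digest(_mac(cmd.seq, cmd.ts, cmd.setpoint_mw), cmd.mac):
            return "bad_mac"
        if cmd.seq <= self.last_seq:
            return "replay_or_stale_seq"
        if abs(cmd.ts - now) > HEARTBEAT_TIMEOUT_S:
            return "stale_timestamp"
        if not 0.0 <= cmd.setpoint_mw <= RATED_MW or \
                abs(cmd.setpoint_mw - self.output_mw) > MAX_STEP_MW:
            return "implausible_setpoint"
        return None

    def _reject(self, now: float, reason: str) -> Mode:
        # Untrusted data: stay conservative and keep a safety margin below rating.
        self.mode, self.good_streak = Mode.CONSERVATIVE, 0
        self.output_mw = min(self.output_mw, CAP_MW)
        self.log.append((now, reason))
        return self.mode

    def step(self, now: float, cmd=None, local_freq_hz: float = 50.0) -> Mode:
        """One control cycle: apply a central command or fall back to local control."""
        if cmd is None:
            if now - self.last_cmd_time > HEARTBEAT_TIMEOUT_S:   # heartbeat lost
                self.mode, self.good_streak = Mode.LOCAL_FALLBACK, 0
                droop_mw = (50.0 - local_freq_hz) * 10.0   # constructed gain, MW per Hz
                self.output_mw = max(0.0, min(CAP_MW, self.output_mw + droop_mw))
            return self.mode
        reason = self._validate(cmd, now)
        if reason:
            return self._reject(now, reason)
        self.last_seq, self.last_cmd_time = cmd.seq, now
        self.good_streak += 1
        if self.mode is Mode.NORMAL or self.good_streak >= RESTORE_AFTER_VALID:
            self.mode = Mode.NORMAL            # trust restored: follow the setpoint
            self.output_mw = cmd.setpoint_mw
        else:
            self.mode = Mode.CONSERVATIVE      # link is back but not yet trusted
            self.output_mw = min(cmd.setpoint_mw, CAP_MW)
        return self.mode

def run_scenario():
    """Constructed timeline: valid ramp, forged command, replay, recovery, link loss."""
    c = LocalController()
    trace = [c.step(1.0, sign_command(1, 1.0, 22.0)),
             c.step(2.0, sign_command(2, 2.0, 25.0)),
             c.step(3.0, sign_command(3, 3.0, 49.0, key=b"wrong-key")),  # forged
             c.step(4.0, sign_command(2, 2.0, 25.0)),                     # replayed
             c.step(5.0, sign_command(3, 5.0, 26.0)),
             c.step(6.0, sign_command(4, 6.0, 27.0)),
             c.step(7.0, sign_command(5, 7.0, 28.0)),                     # trust restored
             c.step(20.0, None, local_freq_hz=49.9),                      # link lost
             c.step(21.0, sign_command(6, 21.0, 29.0))]                   # link back
    return c, trace
```

Note that a rejected command never advances the sequence counter, so a replayed or forged message cannot be used to push the controller out of its conservative state.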

7.7. Policy, Standards, and Governance Considerations

From a policy and standards perspective, future efforts are expected to further tighten mandatory security requirements. In North America, the North American Electric Reliability Corporation Critical Infrastructure Protection standards have been updated continuously and now include requirements such as supply chain risk management and security controls for transient devices, including laptops [153]. A recognised gap has been that distribution systems and smaller utilities often fall outside the most stringent regulatory regimes, which have traditionally focused on the bulk power system [181]. Going forward, regulation or formal guidance is likely to expand to cover a larger portion of the grid, particularly as attackers have demonstrated interest in distribution-level targets, as seen in Ukraine. In Europe, the NIS2 Directive (the revised Network and Information Security Directive) is similarly driving utilities to adopt cybersecurity best practices and to report significant incidents [102]. Overall, the trend is toward more comprehensive and coordinated governance of smart grid cybersecurity. For instance, cross-sector collaboration is increasing. Electric grid operators are coordinating more closely with natural gas pipeline operators, since a cyber incident affecting gas infrastructure can directly impact gas-fired power plants, and vice versa [182]. Information sharing is accelerating through information sharing and analysis centres and international partnerships, enabling indicators of compromise to be distributed rapidly and defensive measures to be updated in a timely manner [183]. These regulatory and coordination challenges are particularly pronounced for distribution system operators and smaller utilities, which often operate under more heterogeneous regulatory regimes and face greater constraints in terms of cybersecurity resources, expertise, and investment capacity. The concept of collective defence is also gaining traction, whereby utilities actively support one another during cyber incidents, in a manner similar to the mutual aid arrangements long used for recovery from physical disasters [11].

7.8. Summary and Mapping to Historical Incidents

In summary, the future of smart grid cybersecurity is likely to be shaped by intelligent and adaptive defence mechanisms that combine emerging technologies such as artificial intelligence, blockchain, and advanced cryptography with a zero-trust philosophy and robust system design. The grid will not only aim to prevent intrusions but will also be capable of operating during and recovering after cyber incidents, as demonstrated by recent cases in which cyber–physical attacks were detected and neutralised before causing outages. Crucially, many of these approaches are designed not only to prevent intrusions but also to contain their effects, support safe fallback and manual operation, and enable timely recovery when cyber incidents disrupt normal grid control and visibility. As the energy system becomes increasingly complex through the integration of renewable energy, electric vehicles, and prosumer-driven markets, cybersecurity considerations are expected to be embedded into these innovations from the outset through security by design rather than added retrospectively. The challenge remains substantial, but current research and industry trends reflect a proactive stance that recognises cyberattacks as an inevitability and prioritises impact limitation and rapid recovery.
While the solution classes discussed above demonstrate significant potential, their practical maturity and deployment readiness vary considerably across utilities and system contexts. Techniques such as artificial intelligence-based monitoring are already being piloted and, in some cases, operationalised for anomaly detection, whereas approaches such as blockchain-based trust mechanisms and large-scale cyber-physical digital twins remain predominantly at experimental or early deployment stages. Across all solution classes, adoption is constrained not only by technical feasibility but also by integration complexity, operational risk tolerance, skills availability, and lifecycle costs associated with validation, maintenance, and governance. Consequently, these technologies should be understood as complementary components within a broader resilience strategy rather than as universally deployable solutions.
While numerous studies report performance indicators for individual detection, mitigation, or resilience mechanisms, such metrics remain highly context-dependent and are not yet directly comparable across deployments. Differences in grid scale, architectural design, operational constraints, threat models, and evaluation environments, ranging from simulation and testbeds to limited field pilots, significantly constrain cross-study benchmarking. As a result, this review does not attempt to synthesise quantitative performance measures but instead highlights qualitative patterns, architectural dependencies, and recurring operational lessons. The absence of standardised, comparable performance metrics across smart grid cybersecurity studies therefore represents an important research gap that warrants further investigation.
Table 4 synthesises how these emerging solution classes directly address vulnerabilities exposed by historical and recent cyber incidents, illustrating the evolution from reactive countermeasures toward resilience-oriented strategies grounded in both disruptive events and persistent threat conditions. If successfully implemented, these forward-looking measures will help ensure that the smart grid remains not only intelligent and efficient but also secure and resilient in the face of an evolving threat landscape. Collectively, these solution classes reflect a shift from purely preventative security models toward resilience-oriented strategies that are directly informed by the operational lessons of past cyber incidents in the energy sector.

8. Conclusions

The transformation of electric power systems into smart grids has fundamentally altered the cybersecurity landscape of the energy sector. As this review has shown, modern smart grids are no longer defined solely by physical infrastructure and local control systems, but by layered architectures that integrate field devices, communication networks, software platforms, data pipelines, algorithmic decision-making, and externally operated services. This architectural evolution has expanded the attack surface and introduced complex trust relationships that cannot be addressed through isolated or device-centric security measures alone.
Through a structured analysis of security challenges, cyberthreats, documented incidents up to 2025, and emerging defence strategies, this review has demonstrated that cyber risk in smart grids should be understood as a systemic and persistent condition rather than an exceptional failure mode. Historical incidents ranging from long-term espionage campaigns to cyber-physical disruptions and large-scale operational shutdowns illustrate that intrusion is not hypothetical but recurrent, and that impacts often arise through indirect dependencies and organisational interfaces rather than direct manipulation of control equipment. By explicitly connecting smart grid architectural characteristics with security challenges, observed threat mechanisms, documented cyber incidents, and emerging defensive strategies, this review demonstrates how cyber risk propagates across interconnected energy system components rather than arising from isolated failures.
In response, the review has argued for a shift toward resilience-oriented cybersecurity approaches that prioritise detection, containment, recovery, and safe operation under degraded conditions. Emerging solutions such as zero-trust architectures, advanced monitoring and anomaly detection, secure software supply chains, digital twins, and cyber-resilient grid design offer important building blocks for achieving this objective. However, their effectiveness depends on their integration into the overall system architecture, supported by appropriate governance, standards, and cross-sector coordination. In this context, resilience-oriented design emerges not as a supplementary objective but as a foundational requirement for ensuring that smart grids can continue to operate safely and reliably even when cyber defences are breached.
Ultimately, securing the smart grid is not a one-time engineering task but an ongoing socio-technical process that must evolve alongside the energy transition. As power systems become increasingly digital, decentralised, and interconnected, cybersecurity and resilience must be treated as foundational design principles that assume persistent adversarial presence rather than as supplementary controls applied only in response to major disruptions. By adopting a holistic and architecture-aware perspective, utilities, policymakers, and researchers can better anticipate emerging risks and develop energy systems that remain reliable and trustworthy in the face of an evolving cyberthreat landscape.

Author Contributions

Conceptualization, B.N.J.; methodology, Z.G.M.; validation, Z.G.M. and B.N.J.; formal analysis, B.N.J. and Z.G.M.; investigation, B.N.J. and Z.G.M.; resources, B.N.J.; data curation, Z.G.M.; writing—original draft preparation, B.N.J.; writing—review and editing, Z.G.M. and B.N.J.; visualization, B.N.J. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

No new data were created or analyzed in this study.

Conflicts of Interest

The authors declare no conflicts of interest.

Abbreviations

The following abbreviations are used in this manuscript:
AI: Artificial Intelligence
AES: Advanced Encryption Standard
AMI: Advanced Metering Infrastructure
API: Application Programming Interface
CIA: Confidentiality, Integrity, and Availability
CPU: Central Processing Unit
DER: Distributed Energy Resource
DDoS: Distributed Denial of Service
DoS: Denial of Service
EMS: Energy Management System
EV: Electric Vehicle
FDIA: False Data Injection Attack
GPS: Global Positioning System
ICS: Industrial Control System
IEC: International Electrotechnical Commission
IoT: Internet of Things
IP: Internet Protocol
IT: Information Technology
ML: Machine Learning
NERC: North American Electric Reliability Corporation
NIS: Network and Information Security
NIST: National Institute of Standards and Technology
OT: Operational Technology
PLC: Programmable Logic Controller
PMU: Phasor Measurement Unit
RTU: Remote Terminal Unit
SCADA: Supervisory Control and Data Acquisition
SQL: Structured Query Language
TLS: Transport Layer Security
VPN: Virtual Private Network

References

  1. Fang, X.; Misra, S.; Xue, G.; Yang, D. Smart Grid—The New and Improved Power Grid: A Survey. IEEE Commun. Surv. Tutor. 2012, 14, 944–980. [Google Scholar] [CrossRef]
  2. Krause, T.; Ernst, R.; Klaer, B.; Hacker, I.; Henze, M. Cybersecurity in Power Grids: Challenges and Opportunities. Sensors 2021, 21, 6225. [Google Scholar] [CrossRef]
  3. The Smart Grid Interoperability Panel–Smart Grid Cybersecurity Committee. Guidelines for Smart Grid Cybersecurity (NIST IR 7628 Rev. 1). Available online: https://csrc.nist.gov/pubs/ir/7628/r1/final (accessed on 3 December 2025).
  4. Sun, C.-C.; Hahn, A.; Liu, C.-C. Cyber security of a power grid: State-of-the-art. Int. J. Electr. Power Energy Syst. 2018, 99, 45–56. [Google Scholar] [CrossRef]
  5. Cybersecurity and Infrastructure Security Agency. Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors (TA18-074A). Available online: https://www.cisa.gov/news-events/alerts/2018/03/15/russian-government-cyber-activity-targeting-energy-and-other-critical-infrastructure-sectors (accessed on 12 December 2025).
  6. European Union Agency for Cybersecurity. ENISA Threat Landscape 2025; ENISA Reports; ENISA: Athens, Greece, 2025; Available online: https://www.enisa.europa.eu/publications/enisa-threat-landscape-2025 (accessed on 4 December 2025).
  7. Alomari, M.A.; Al-Andoli, M.N.; Ghaleb, M.; Thabit, R.; Alkawsi, G.; Alsayaydeh, J.A.J.; Gaid, A.S.A. Security of Smart Grid: Cybersecurity Issues, Potential Cyberattacks, Major Incidents, and Future Directions. Energies 2025, 18, 141. [Google Scholar] [CrossRef]
  8. Abbasi, A.R. Safeguarding the energy transition: A review of cybersecurity strategies for vulnerability management in smart grids. Energy Convers. Manag. X 2026, 29, 101419. [Google Scholar] [CrossRef]
  9. Achaal, B.; Adda, M.; Berger, M.; Ibrahim, H.; Awde, A. Study of smart grid cyber-security, examining architectures, communication networks, cyber-attacks, countermeasure techniques, and challenges. Cybersecurity 2024, 7, 10. [Google Scholar] [CrossRef] [PubMed]
  10. Poulsen, K. Slammer Worm Crashed Ohio Nuke Plant Net. Available online: https://www.theregister.com/2003/08/20/slammer_worm_crashed_ohio_nuke/ (accessed on 3 December 2025).
  11. International Energy Agency. Enhancing Cyber Resilience in Electricity Systems; IEA: Paris, France, 2021; Available online: https://www.oecd.org/content/dam/oecd/en/publications/reports/2021/04/enhancing-cyber-resilience-in-electricity-systems_38dbad0f/e00ae407-en.pdf (accessed on 4 December 2025).
  12. Langer, L.; Skopik, F.; Smith, P.; Kammerstetter, M. From old to new: Assessing cybersecurity risks for an evolving smart grid. Comput. Secur. 2016, 62, 165–176. [Google Scholar] [CrossRef]
  13. Abdelkader, S.; Amissah, J.; Kinga, S.; Mugerwa, G.; Emmanuel, E.; Mansour, D.-E.A.; Bajaj, M.; Blazek, V.; Prokop, L. Securing modern power systems: Implementing comprehensive strategies to enhance resilience and reliability against cyber-attacks. Results Eng. 2024, 23, 102647. [Google Scholar] [CrossRef]
  14. Toftegaard, O.; Grotterud, G.; Hammerli, B. Operational Technology resilience in the 2023 draft delegated act on cybersecurity for the power sector: An EU policy process analysis. Comput. Law Secur. Rev. 2024, 54, 106034. [Google Scholar] [CrossRef]
  15. Panteli, M.; Mancarella, P.; Trakas, D.N.; Kyriakides, E.; Hatziargyriou, N.D. Metrics and Quantification of Operational and Infrastructure Resilience in Power Systems. IEEE Trans. Power Syst. 2017, 32, 4732–4742. [Google Scholar] [CrossRef]
  16. Jiang, L.; Chen, X.; Li, Q. Evolution of smart grid cybersecurity: Toward a systematic framework for collaborative and sustainable development. Util. Policy 2025, 97, 102081. [Google Scholar] [CrossRef]
  17. Gopstein, A.; Nguyen, C.; O’Fallon, C.; Hastings, N.; Wollman, D.A. NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 4.0; National Institute of Standards Technology: Gaithersburg, MD, USA, 2021. Available online: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1108r4.pdf (accessed on 4 December 2025).
  18. Kabalci, E.; Kabalci, Y. Introduction to Smart Grid Architecture. In Smart Grids and Their Communication Systems; Kabalci, E., Kabalci, Y., Eds.; Springer: Singapore, 2019; pp. 3–45. [Google Scholar] [CrossRef]
  19. Prajwal Gupta, C.R.; Ramesh, A.; Satvik, D.; Nagasundari, S.; Honnavalli, P.B. Simulation of SCADA System for Advanced Metering Infrastructure in Smart Grid. In Proceedings of the 2020 International Conference on Smart Electronics and Communication (ICOSEC), Trichy, India, 10–12 September 2020; pp. 1071–1077. Available online: https://ieeexplore.ieee.org/document/9215432 (accessed on 2 December 2025).
  20. Wali, A.; Alshehry, F. A Survey of Security Challenges in Cloud-Based SCADA Systems. Computers 2024, 13, 97. [Google Scholar] [CrossRef]
  21. Rashed Mohassel, R.; Fung, A.; Mohammadi, F.; Raahemifar, K. A survey on Advanced Metering Infrastructure. Int. J. Electr. Power Energy Syst. 2014, 63, 473–484. [Google Scholar] [CrossRef]
  22. Siano, P. Demand response and smart grids—A survey. Renew. Sustain. Energy Rev. 2014, 30, 461–478. [Google Scholar] [CrossRef]
  23. Kumar, P.; Lin, Y.; Bai, G.; Paverd, A.; Dong, J.S.; Martin, A. Smart Grid Metering Networks: A Survey on Security, Privacy and Open Research Issues. IEEE Commun. Surv. Tutor. 2019, 21, 2886–2927. [Google Scholar] [CrossRef]
  24. McKenna, E.; Richardson, I.; Thomson, M. Smart meter data: Balancing consumer privacy concerns with legitimate applications. Energy Policy 2012, 41, 807–814. [Google Scholar] [CrossRef]
  25. Wainwright, T. Preserving Privacy: How Do You Protect Smart Meter Data? Available online: https://www.theredfoundation.org/post/preserving-privacy-how-do-you-protect-smart-meter-data (accessed on 3 December 2025).
  26. Alanazi, F.; Kim, J.; Cotilla-Sanchez, E. Load Oscillating Attacks of Smart Grids: Vulnerability Analysis. IEEE Access 2023, 11, 36538–36549. [Google Scholar] [CrossRef]
  27. Shokry, M.; Awad, A.I.; Abd-Ellah, M.K.; Khalaf, A.A.M. Systematic survey of advanced metering infrastructure security: Vulnerabilities, attacks, countermeasures, and future vision. Future Gener. Comput. Syst. 2022, 136, 358–377. [Google Scholar] [CrossRef]
  28. Garg, S.; Kaur, K.; Kaddoum, G.; Rodrigues, J.J.P.C.; Guizani, M. Secure and Lightweight Authentication Scheme for Smart Metering Infrastructure in Smart Grid. IEEE Trans. Ind. Inform. 2020, 16, 3548–3557. [Google Scholar] [CrossRef]
  29. Goel, S.; Hong, Y. Security Challenges in Smart Grid Implementation. In Smart Grid Security; Springer: London, UK, 2015; pp. 1–39. [Google Scholar] [CrossRef]
  30. Yi, P.; Zhu, T.; Zhang, Q.; Wu, Y.; Pan, L. Puppet attack: A denial of service attack in advanced metering infrastructure network. J. Netw. Comput. Appl. 2016, 59, 325–332. [Google Scholar] [CrossRef]
  31. Jokar, P.; Arianpoo, N.; Leung, V.C.M. Spoofing detection in IEEE 802.15.4 networks based on received signal strength. Ad Hoc Netw. 2013, 11, 2648–2660. [Google Scholar] [CrossRef]
  32. Fang, B.; Yin, X.; Tan, Y.; Li, C.; Gao, Y.; Cao, Y.; Li, J. The contributions of cloud technologies to smart grid. Renew. Sustain. Energy Rev. 2016, 59, 1326–1331. [Google Scholar] [CrossRef]
  33. Rathor, S.K.; Saxena, D. Energy management system for smart grid: An overview and key issues. Int. J. Energy Res. 2020, 44, 4067–4109. [Google Scholar] [CrossRef]
  34. Wang, K.; Wu, J.; Zheng, X.; Li, J.; Yang, W.; Vasilakos, A.V. Cloud-Edge Orchestrated Power Dispatching for Smart Grid With Distributed Energy Resources. IEEE Trans. Cloud Comput. 2023, 11, 1194–1203. [Google Scholar] [CrossRef]
  35. Malek, A.F.; Mokhlis, H.; Mansor, N.N.; Jamian, J.J.; Wang, L.; Muhammad, M.A. Power Distribution System Outage Management Using Improved Resilience Metrics for Smart Grid Applications. Energies 2023, 16, 3953. [Google Scholar] [CrossRef]
  36. Chung, H.M.; Maharjan, S.; Zhang, Y.; Eliassen, F.; Strunz, K. Optimal Energy Trading With Demand Responses in Cloud Computing Enabled Virtual Power Plant in Smart Grids. IEEE Trans. Cloud Comput. 2022, 10, 17–30. [Google Scholar] [CrossRef]
  37. IEEE Std 2030.5-2018; IEEE Standard for Smart Energy Profile Application Protocol; Revision of IEEE Std 2030.5-2013. IEEE: New York, NY, USA, 2018; pp. 1–361. [CrossRef]
  38. SunSpec Alliance. SunSpec Modbus Information Models. Available online: https://sunspec.org/modbus/ (accessed on 9 December 2025).
  39. Tsikteris, S.; Diamantopoulos Pantaleon, O.; Tsiropoulou, E.E. Cybersecurity Certification Requirements for Distributed Energy Resources: A Survey of SunSpec Alliance Standards. Energies 2024, 17, 5017. [Google Scholar] [CrossRef]
  40. Liu, Y.; Ning, P.; Reiter, M.K. False data injection attacks against state estimation in electric power grids. ACM Trans. Inf. Syst. Secur. 2011, 14, 13. [Google Scholar] [CrossRef]
  41. Yan, Y.; Qian, Y.; Sharif, H.; Tipper, D. A Survey on Cyber Security for Smart Grid Communications. IEEE Commun. Surv. Tutor. 2012, 14, 998–1010. [Google Scholar] [CrossRef]
  42. Zhang, Y.; Huang, T.; Bompard, E.F. Big data analytics in smart grids: A review. Energy Inform. 2018, 1, 8. [Google Scholar] [CrossRef]
  43. Diamantoulakis, P.D.; Kapinas, V.M.; Karagiannidis, G.K. Big Data Analytics for Dynamic Energy Management in Smart Grids. Big Data Res. 2015, 2, 94–101. [Google Scholar] [CrossRef]
  44. Kawoosa, A.I.; Prashar, D. A Review of Cyber Securities in Smart Grid Technology. In Proceedings of the 2021 2nd International Conference on Computation, Automation and Knowledge Management (ICCAKM), Dubai, United Arab Emirates, 21–19 January 2021; pp. 151–156. Available online: https://ieeexplore.ieee.org/document/9357698/ (accessed on 6 December 2025).
  45. Yilmaz, S.; Dener, M. Security with Wireless Sensor Networks in Smart Grids: A Review. Symmetry 2024, 16, 1295. [Google Scholar] [CrossRef]
  46. Diovu, R.C.; Agee, J.T. Smart grid advanced metering infrastructure: Overview of cloud-based cyber security solutions. Int. J. Commun. Antenna Propag. 2018, 8, 302–314. [Google Scholar] [CrossRef]
  47. Douae, T.; Hassan, B. Sensitive Infrastructure Control Systems Cyber-Security: Literature Review. In International Conference on Advanced Intelligent Systems for Sustainable Development. AI2SD 2022; Lecture Notes in Networks and Systems; Springer: Cham, Switzerland, 2023; Volume 712, pp. 310–319. [Google Scholar]
  48. Skrodelis, H.; Kelle, R.; Romanovs, A. Cybersecurity in SCADA Systems with Advanced AI and ML Techniques. In Proceedings of the 2024 IEEE 65th International Scientific Conference on Information Technology and Management Science of Riga Technical University (ITMS), Riga, Latvia, 3–4 October 2024. [Google Scholar] [CrossRef]
  49. Banad, Y.M.; Sharif, S.S.; Rezaei, Z. Artificial intelligence and machine learning for smart grids: From foundational paradigms to emerging technologies with digital twin and large language model-driven intelligence. Energy Convers. Manag. X 2025, 28, 101329. [Google Scholar] [CrossRef]
  50. Noura, H.N.; Yaacoub, J.P.A.; Salman, O.; Chehab, A. Advanced Machine Learning in Smart Grids: An overview. Internet Things Cyber-Phys. Syst. 2025, 5, 95–142. [Google Scholar] [CrossRef]
  51. Jørgensen, B.N.; Gunasekaran, S.S.; Ma, Z.G. Impact of EU Laws on AI Adoption in Smart Grids: A Review of Regulatory Barriers, Technological Challenges, and Stakeholder Benefits. Energies 2025, 18, 3002. [Google Scholar] [CrossRef]
  52. Han, Y.; Wang, Y.; Wu, L.; Feng, H.; Wu, X.; Li, R. Survey of privacy-preserving data aggregation schemes in smart grid. J. King Saud Univ. Comput. Inf. Sci. 2025, 37, 263. [Google Scholar] [CrossRef]
  53. IEEE Std 1815-2012; IEEE Standard for Electric Power Systems Communications—Distributed Network Protocol (DNP3). IEEE Power Energy Society: New York, NY, USA, 2018. Available online: https://standards.ieee.org/ieee/1815/5414/ (accessed on 28 December 2025).
  54. IEC 60870-5-104:2006; Telecontrol Equipment and Systems—Part 5-104: Transmission Protocols—Network Access for IEC 60870-5-101 Using Standard Transport Profiles. International Electrotechnical Commission: Geneva, Switzerland, 2006. Available online: https://webstore.iec.ch/publication/25035 (accessed on 28 December 2025).
  55. Modbus Organization. Modbus Application Protocol Specification V1.1b3; Modbus Organization: Hopkinton, MA, USA, 2012; Available online: https://web.archive.org/web/20201209184336/http://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf (accessed on 28 December 2025).
  56. Ayele, E.D.; Gonzalez, J.F.; Teeuw, W.B. Enhancing Cybersecurity in Distributed Microgrids: A Review of Communication Protocols and Standards. Sensors 2024, 24, 854. [Google Scholar] [CrossRef]
  57. Jasim, A.A.; Alheeti, K.M.A. A Review Paper: Security for Supervisory Control and Data Acquisition SCADA Based on DNP3. In Proceedings of the 2023 16th International Conference on Developments in eSystems Engineering (DeSE), Istanbul, Turkiye, 18–20 December 2023; pp. 800–805. Available online: https://www.scopus.com/record/display.uri?eid=2-s2.0-85189358770&origin=inward (accessed on 3 December 2025).
  58. Kuzlu, M.; Pipattanasompom, M.; Rahman, S. A comprehensive review of smart grid related standards and protocols. In Proceedings of the 2017 5th International Istanbul Smart Grid and Cities Congress and Fair (ICSG), Istanbul, Turkey, 19–21 April 2017; pp. 12–16. Available online: https://ieeexplore.ieee.org/document/7947600/ (accessed on 3 December 2025).
  59. Ishfaq, H.; Kanwal, S.; Anwar, S.; Abdussalam, M.; Amin, W. Enhancing Smart Grid Security and Efficiency: AI, Energy Routing, and T&D Innovations (A Review). Energies 2025, 18, 4747. [Google Scholar] [CrossRef]
  60. Nambundo, J.M.; de Souza Martins Gomes, O.; de Souza, A.D.; Machado, R.C.S. Cybersecurity and Major Cyber Threats of Smart Meters: A Systematic Mapping Review. Energies 2025, 18, 1445. [Google Scholar] [CrossRef]
  61. Reichert, B.M.; Obelheiro, R.R. Software supply chain security: A systematic literature review. Int. J. Comput. Appl. 2024, 46, 853–867. [Google Scholar] [CrossRef]
  62. Ohm, M.; Plate, H.; Sykosch, A.; Meier, M. Backstabber’s Knife Collection: A Review of Open Source Software Supply Chain Attacks; Springer: Cham, Switzerland, 2020; pp. 23–43. [Google Scholar]
  63. Shruti; Rani, S.; Shabaz, M.; Dutta, A.K.; Ahmed, E.A. Enhancing privacy and security in IoT-based smart grid system using encryption-based fog computing. Alex. Eng. J. 2024, 102, 66–74. [Google Scholar] [CrossRef]
  64. 2015 Ukraine Power Grid Hack. Available online: https://en.wikipedia.org/wiki/2015_Ukraine_power_grid_hack (accessed on 3 December 2025).
  65. Sridhar, S.; Hahn, A.; Govindarasu, M. Cyber-Physical System Security for the Electric Power Grid. Proc. IEEE 2012, 100, 210–224. [Google Scholar] [CrossRef]
  66. Triton (Malware). Available online: https://en.wikipedia.org/wiki/Triton_(malware) (accessed on 3 December 2025).
  67. Vidas, L.; Castro, R.; Pires, A. A Review of the Impact of Hydrogen Integration in Natural Gas Distribution Networks and Electric Smart Grids. Energies 2022, 15, 3160. [Google Scholar] [CrossRef]
  68. Ceseña, E.A.M.; Mancarella, P. Energy Systems Integration in Smart Districts: Robust Optimisation of Multi-Energy Flows in Integrated Electricity, Heat and Gas Networks. IEEE Trans. Smart Grid 2019, 10, 1122–1131. [Google Scholar] [CrossRef]
  69. Das, S.; Acharjee, P.; Bhattacharya, A. Charging Scheduling of Electric Vehicle Incorporating Grid-to-Vehicle and Vehicle-to-Grid Technology Considering in Smart Grid. IEEE Trans. Ind. Appl. 2021, 57, 1688–1702. [Google Scholar] [CrossRef]
  70. Ma, Z.; Clausen, A.; Lin, Y.; Jørgensen, B.N. An overview of digitalization for the building-to-grid ecosystem. Energy Inform. 2021, 4, 36. [Google Scholar] [CrossRef]
  71. Beerman, J.; Berent, D.; Falter, Z.; Bhunia, S. A Review of Colonial Pipeline Ransomware Attack. In Proceedings of the 2023 IEEE/ACM 23rd International Symposium on Cluster, Cloud and Internet Computing Workshops (CCGridW), Bangalore, India, 1–4 May 2023; pp. 8–15. [Google Scholar]
  72. Ronanki, D.; Karneddi, H. Electric Vehicle Charging Infrastructure: Review, Cyber Security Considerations, Potential Impacts, Countermeasures, and Future Trends. IEEE J. Emerg. Sel. Top. Power Electron. 2024, 12, 242–256. [Google Scholar] [CrossRef]
  73. Niemiec, M.; Pappalardo, S.M.; Bozhilova, M.; Stoianov, N.; Dziech, A.; Stiller, B. Multi-sector Risk Management Framework for Analysis Cybersecurity Challenges and Opportunities. In Multimedia Communications, Services and Security; Springer: Cham, Switzerland, 2022; pp. 49–65. [Google Scholar]
  74. Abraham, D.; Houmb, S.H.; Erdodi, L. Cyber-Attacks on Energy Infrastructure—A Literature Overview and Perspectives on the Current Situation. Appl. Sci. 2025, 15, 9233. [Google Scholar] [CrossRef]
  75. Mwim, E.N.; Mtsweni, J. Systematic Review of Factors that Influence the Cybersecurity Culture. In Human Aspects of Information Security and Assurance; Springer: Cham, Switzerland, 2022; pp. 147–172. [Google Scholar]
  76. Sutton, A.; Tompson, L. Towards a cybersecurity culture-behaviour framework: A rapid evidence review. Comput. Secur. 2025, 148, 104110. [Google Scholar] [CrossRef]
  77. Ma, Z. Business ecosystem modeling- the hybrid of system modeling and ecological modeling: An application of the smart grid. Energy Inform. 2019, 2, 35. [Google Scholar] [CrossRef]
  78. Pandey, R.K.; Misra, M. Cyber security threats—Smart grid infrastructure. In Proceedings of the 2016 National Power Systems Conference (NPSC), Bhubaneswar, India, 19–21 December 2016; pp. 1–6. Available online: https://ieeexplore.ieee.org/document/7858950/ (accessed on 5 December 2025).
  79. Hasan, M.K.; Habib, A.K.M.A.; Islam, S.; Safie, N.; Abdullah, S.N.H.S.; Pandey, B. DDoS: Distributed denial of service attack in communication standard vulnerabilities in smart grid applications and cyber security with recent developments. Energy Rep. 2023, 9, 1318–1326. [Google Scholar] [CrossRef]
  80. Pirayesh, H.; Zeng, H. Jamming Attacks and Anti-Jamming Strategies in Wireless Networks: A Comprehensive Survey. IEEE Commun. Surv. Tutor. 2022, 24, 767–809. [Google Scholar] [CrossRef]
  81. Islam, S.N.; Baig, Z.; Zeadally, S. Physical Layer Security for the Smart Grid: Vulnerabilities, Threats, and Countermeasures. IEEE Trans. Ind. Inform. 2019, 15, 6522–6530. [Google Scholar] [CrossRef]
  82. Ying, H.; Zhang, Y.; Han, L.; Cheng, Y.; Li, J.; Ji, X.; Xu, W. Detecting Buffer-Overflow Vulnerabilities in Smart Grid Devices via Automatic Static Analysis. In Proceedings of the 2019 IEEE 3rd Information Technology, Networking, Electronic and Automation Control Conference (ITNEC), Chengdu, China, 15–17 March 2019; pp. 813–817. [Google Scholar]
  83. Ustun, T.S.; Farooq, S.M.; Hussain, S.M.S. A Novel Approach for Mitigation of Replay and Masquerade Attacks in Smartgrids Using IEC 61850 Standard. IEEE Access 2019, 7, 156044–156053. [Google Scholar] [CrossRef]
Figure 1. PRISMA-ScR flow diagram.
Figure 2. High-level architecture of a modern smart grid, showing the main functional domains, control layers, and communication interfaces relevant to cybersecurity analysis.
Table 1. Mapping of smart grid security challenges to architectural components and interfaces.
| Security Challenge | Architectural Component or Layer (Section 3) | Key Interfaces or Dependencies | Security Exposure Created |
|---|---|---|---|
| Extensive attack surface and interconnectivity | AMI, field devices, communication networks | Wireless mesh, IP networks, gateways | Multiple entry points and lateral movement |
| Legacy devices and protocols | SCADA, RTUs, protection relays | Legacy protocols, embedded firmware | Lack of authentication and encryption |
| Real-time operational constraints | Control centres, protection systems | Time-critical control loops | Limited applicability of conventional security controls |
| Cyber-physical safety dependence | SCADA, protection and safety systems | Control-command interfaces | Direct physical impact from cyber manipulation |
| Human and insider factors | Control centres, engineering workstations | Credential-based access | Privileged misuse and social engineering |
| Privacy and data sensitivity | AMI, data management systems | Meter-to-backend data flows | Exposure of personal and operational data |
| Cloud and platform dependence | Cloud-hosted EMS, DER platforms | APIs, identity federation | Loss of control through third-party compromise |
| Software supply chain reliance | Field devices, vendor tools | Firmware updates, configuration software | Trusted update abuse |
| AI-driven and algorithmic control | Analytics platforms, EMS | Data pipelines, model inputs | Manipulation of automated decisions |
| Sector coupling | DERs, EV charging, building systems | Cross-domain data exchange | Indirect attack propagation |
| Regulatory and governance constraints | Market systems, data platforms | Compliance and reporting interfaces | Reduced monitoring and delayed response |
Table 2. Mapping of smart grid security challenges to cyberthreats and attack vectors.
| Security Challenge (Section 4) | Underlying Vulnerability or Constraint | Representative Cyberthreats and Attack Vectors | Primary Security Impact |
|---|---|---|---|
| Extensive attack surface and interconnectivity | Large number of heterogeneous and networked devices | Network intrusion, spoofing, denial-of-service, lateral movement | Availability, integrity |
| Legacy devices and insecure protocols | Lack of encryption, authentication, and patchability | Command injection, replay attacks, protocol abuse | Integrity, availability |
| Real-time operational constraints | Limited tolerance for latency and system shutdown | Stealthy manipulation, persistence-focused intrusions | Integrity |
| Cyber-physical safety dependence | Direct coupling between cyber control and physical processes | Malicious control actions, safety system compromise | Integrity, availability |
| Human factors and insider access | Privileged access and susceptibility to social engineering | Credential theft, insider misuse, phishing-enabled intrusions | Confidentiality, integrity |
| Privacy and data protection requirements | High-resolution consumption and operational data | Data exfiltration, traffic analysis, inference attacks | Confidentiality |
| Cloud and third-party platform dependence | Externalised infrastructure and shared services | Platform compromise, API abuse, service outage | Availability, confidentiality |
| Software supply chain reliance | Trusted updates and vendor software dependencies | Trojanised firmware, malicious updates, backdoored tools | Integrity, availability |
| AI-driven and algorithmic control | Dependence on data quality and opaque decision logic | Data poisoning, adversarial inputs, model manipulation | Integrity |
| Sector coupling and cross-infrastructure integration | Interdependencies with non-electrical systems | Indirect load manipulation, cross-domain propagation | Availability, integrity |
| Regulatory and governance constraints | Limited monitoring and delayed response | Attack amplification through compliance gaps | Availability, integrity |
Table 3. Mapping of documented cyber incidents affecting energy infrastructure between 1982 and 2025 to cyberthreats and attack vectors.
| Cyber Incident (Year) | Targeted System or Asset | Primary Cyberthreats and Attack Vectors (Section 5) | Security Impact |
|---|---|---|---|
| Siberian gas pipeline (1982) | Industrial control software | Software supply chain compromise, malicious logic insertion | Physical damage to pipeline infrastructure following abnormal operation |
| Davis–Besse nuclear plant (2003) | Safety monitoring systems | Network worm propagation, denial-of-service | Loss of safety monitoring for several hours |
| Night Dragon campaign (2009) | Energy sector enterprise networks | Credential theft, long-term espionage | Theft of sensitive information and increased exposure of energy sector organisations without confirmed immediate operational disruption |
| Stuxnet (2010) | Industrial PLCs | Malware-driven control logic manipulation | Physical damage to nuclear enrichment equipment |
| Dragonfly campaigns (2011–2014) | Energy utilities and vendors | Supply chain compromise, credential harvesting | Compromise of energy sector networks enabling intelligence collection and potential access to operational environments; no publicly confirmed power outage |
| Shamoon (2012) | Energy enterprise IT systems | Destructive malware | Destruction of data and prolonged business disruption |
| Ukraine power grid (2015) | Distribution SCADA systems | Credential abuse, remote command execution | Coordinated power outages affecting hundreds of thousands |
| Ukraine Industroyer (2016) | Transmission substation automation | Protocol-aware malware | Temporary loss of electricity supply |
| Triton (2017) | Safety instrumented systems | Safety controller manipulation | Potential safety hazard and forced plant shutdown |
| EKANS ransomware (2019) | Industrial control-supporting systems | OT-aware ransomware | Disruption of industrial operations and increased risk to availability in operational technology environments |
| Colonial Pipeline (2021) | Enterprise IT systems | Ransomware, IT–OT dependency exploitation | Temporary shutdown of fuel distribution |
| Viasat satellite disruption (2022) | Satellite communication links | Platform and service compromise | Loss of communications affecting grid operations |
| Industroyer2 (2022) | Substation automation | Protocol-aware malware | Attempted power outages mitigated by defensive actions |
| Volt Typhoon campaign (2023) | Energy and utility enterprise environments | Credential abuse, living off the land techniques, access persistence | No confirmed disruption of energy supply and increased risk of latent compromise |
| Holding Slovenske Elektrarne ransomware (2023) | Energy enterprise IT systems | Ransomware | Disruption of corporate operations without impact on electricity generation |
| Continued cyber operations against Ukrainian energy infrastructure (2024) | Energy sector operational coordination and supporting control environments | Sustained intrusion activity targeting operational coordination and restoration processes | Ongoing operational stress and increased recovery complexity |
| Reported cyberattack against Iranian national infrastructure (2025) | National critical infrastructure with energy systems implied | Undisclosed attack techniques reported by national authorities | No confirmed service disruption; the attack was reportedly detected and repelled |
Table 4. Mapping of historical cyber incidents to emerging cybersecurity solutions for smart grids.
| Cyber Incident (Year) | Primary Vulnerability Exposed | Relevant Emerging Solution Classes | Resilience Objective |
|---|---|---|---|
| Siberian gas pipeline (1982) | Trusted software without verification | Secure firmware signing, supply chain governance | Integrity assurance |
| Davis–Besse nuclear plant (2003) | Insufficient segmentation and patching | Network segmentation, zero-trust architectures | Availability preservation |
| Night Dragon campaign (2009) | Undetected long-term intrusion | Continuous monitoring, AI-based anomaly detection | Early detection |
| Stuxnet (2010) | Manipulation of control logic | Digital twins, integrity verification, secure PLC updates | Safe operation |
| Dragonfly campaigns (2011–2014) | Vendor trust exploitation | Supply chain controls, identity-based access | Access containment |
| Shamoon (2012) | Enterprise IT fragility | Cyber-resilient design, backup and recovery planning | Operational continuity |
| Ukraine power grid (2015) | Credential abuse and OT exposure | Multi-factor authentication, segmentation, manual fallback | Controlled recovery |
| Ukraine Industroyer (2016) | Protocol-aware malware | Protocol validation, digital twins, intrusion detection | Impact limitation |
| Triton (2017) | Safety system compromise | Independent safety system hardening, anomaly detection | Safety assurance |
| EKANS ransomware (2019) | OT-aware extortion | Zero trust, resilient architecture | Damage containment |
| Colonial Pipeline (2021) | IT–OT dependency | Segmentation, governance coordination | Operational continuity |
| Viasat satellite disruption (2022) | Platform dependency | Redundant communications, resilience engineering | Service continuity |
| Industroyer2 (2022) | Advanced OT malware | Improved monitoring, coordinated response | Attack prevention |
| Volt Typhoon campaign (2023) | Undetected long-term access and credential abuse | Zero trust architectures, continuous monitoring, identity-centric security | Early detection |
| Holding Slovenske Elektrarne ransomware (2023) | Enterprise IT–OT dependency and business process fragility | Network segmentation, cyber-resilient design, backup and recovery planning | Operational continuity |
| Continued cyber operations against Ukrainian energy sector (2024) | Sustained cyber pressure during conflict conditions | Digital twins, situational awareness, resilient operational procedures | Sustained operation |
Reported repelled cyberattack against Iranian infrastructure (2025)Strategic targeting with limited public visibilityAdvanced monitoring, coordinated response, resilience-oriented defenceImpact limitation
Jørgensen, B.N.; Ma, Z.G. Cybersecurity and Resilience of Smart Grids: A Review of Threat Landscape, Incidents, and Emerging Solutions. Appl. Sci. 2026, 16, 981. https://doi.org/10.3390/app16020981