Abstract
The modern power grid is considered a Smart Grid (SG) when it relies extensively on technologies that integrate traditional power infrastructure with Information and Communication Technologies (ICTs). The dependence on Internet of Things (IoT)-based communication systems to operate physical power devices transforms the grid into a complex system of systems (SoS), introducing cybersecurity vulnerabilities across various SG layers. Several surveys have addressed SG cybersecurity, but none have correlated recent developments with the NIST seven-domain framework, a comprehensive model covering all major SG domains and crucial for domain-level trend analysis. To bridge this gap, we systematically review and classify studies by impacted NIST domain, threat type, and methodology (including tools/platforms used). The scope of this study is 60 studies (2011–2024) selected exclusively from IEEE Xplore. Unlike prior reviews, this work maps contributions to the NIST domain architecture, examines temporal trends in research, and synthesizes cybersecurity defenses and their limitations. The analysis reveals that research is unevenly distributed: the Operations domain accounts for ~35% of all studies, followed by Generation ~25% and Distribution ~14%, while domains like Transmission (~9%) and Service Provider (5%) are comparatively under-studied. We find a heavy reliance on simulation-based tools (~46% of studies) such as MATLAB/Simulink, and False Data Injection (FDI) attacks are predominantly studied, comprising approximately 36% of analyzed attacks. The broader objective of this work is to guide researchers and SG stakeholders (e.g., utilities, policy-makers) toward understanding and coordinating strategies for improving system-level cyber-resilience, which is crucial for future SGs, while avoiding any overstatement of findings beyond the reviewed evidence.
1. Introduction
Smart Grids (SGs) are critical infrastructures of modern society, with a significant presence in various layers, ranging from large-scale industries to individual urban consumers operating Electric Vehicles (EVs). The SG, as defined by the National Institute of Standards and Technology (NIST) through its Framework and Roadmap for Smart Grid Interoperability Standards and the NIST Smart Grid Program, is a modernized electric power system that integrates advanced digital technologies, bi-directional communication, and Distributed Energy Resources (DERs) to enhance efficiency, reliability, and sustainability [1]. The major elements comprising the SG include: Advanced Metering Infrastructure (AMI), DERs such as renewable energy technologies and energy storage technologies, communication networks, EV integration technologies, microgrids, and cybersecurity technologies, among others [1,2].
In the U.S. alone, the demand for electricity is expected to rise by 35–50% by 2040; AI-driven data centers are expected to drive approximately half of the growth in electricity demand between 2024 and 2030, and manufacturing industries, electrical heating, and EVs are among the other major power demand sectors [3,4]. The growing number of non-utility stakeholders and interconnected devices within the power grid signifies a need for utilities to rely on engineering strategies and cybersecurity risk management and mitigation techniques to enhance security. SGs fundamentally differ from traditional power grids by incorporating two-way communication and advanced control systems, and the integration of modern technology with the traditional system further complicates vulnerability assessments and makes ensuring security more challenging. Compared with traditional IT, SG security also prioritizes availability and integrity under strict latency and safety constraints, making domain-aware analysis essential. Building on this context, we focus the remainder of the paper on domain-level studies rather than an extended historical narrative.
The unique requirements for protecting the power grid against cyberattacks mean that standard IT security methodologies are often unsuitable. This is largely due to fundamental distinctions between the two realms, evident in their security objectives (for instance, the grid’s emphasis on availability and integrity over confidentiality compared to IT systems), architectural designs (like the divergence between public and private networks and their disparate operating systems), and the necessary quality of service (especially regarding tolerances for delay and failure) [5]. The impact of cyberattacks on the SG can be numerous and significant, involving many stakeholders (consumers, utilities, economy), operational disruptions, economic and privacy costs, and infrastructure damage, among many others [6]. Hence, SG cybersecurity methods have been studied by many researchers using existing standards, frameworks, and previous advancements in knowledge and tools to consistently advance technological development in SG cyberattack detection and mitigation strategies in step with the evolving grid demands.
Investigating SG cybersecurity is a continuing research effort, and this review paper aims to categorize existing studies based on the primary methodology (simulation-based, theoretical, testbed), SG layer(s) of concern, and tools used. The objective is to guide future researchers and SG stakeholders, both technical and non-technical (e.g., managers and policy-makers), by highlighting system-level trends in SG cybersecurity and helping to identify and prioritize threats within their domain of concern. We adopt the NIST seven-domain framework because it offers a comprehensive, operationally grounded structure for analyzing SG cybersecurity by aligning threats and defenses to distinct functional areas of the grid, such as Generation, Transmission, and Operations. Its domain-specific categorization allows a clearer mapping of vulnerabilities, attack surfaces, and countermeasures, facilitating targeted analysis and cross-domain comparisons. This structure also aligns well with U.S. regulatory guidance (e.g., NERC CIP, NIST CSF), enhancing its relevance for both academic research and industry application.
Previous surveys provide valuable overviews of SG attacks and defenses, but they typically do not (i) map findings across the full NIST seven-domain model, (ii) present temporal trends showing how emphasis shifts across domains over time, or (iii) offer a domain-specific critique of defense limitations. This may leave stakeholders without a consolidated, domain-level picture of where research is concentrated, where it is limited, and how mature the proposed defenses are.
This review aims to address these gaps through three complementary research advances:
- A NIST seven-domain mapping of recent SG cybersecurity research with a joint trend analysis of domain × method (simulation/theoretical/testbed) and domain × attack type;
- A temporal trend analysis (Section 4.1) that highlights how attention has shifted among domains and methods;
- A limitations-focused synthesis of defenses that summarizes practical constraints and needs by domain (Section 4.2). Our corpus (60 IEEE Xplore papers) is analyzed with consistent labeling and figure annotations to make counts and percentages explicit for reproducibility.
The remainder of this paper is structured as follows: Section 2 presents background concepts related to SG architecture, describes SG cybersecurity vulnerabilities and common types of cyberattacks, and reviews previous surveys and studies on SG cybersecurity. Section 3 outlines the methodology adopted in this review. Section 4 presents the categorization results and analysis. Section 5 considers the implications of the findings from Section 4, presents limitations, and suggests a scope for future work. Finally, Section 6 concludes the paper, with key takeaways from this system-level systematic review.
2. Background
This section presents an overview of SG architecture, encompassing its key components, systems, and infrastructures, and SG cybersecurity. Additionally, a brief motivation for studying SG cybersecurity is presented, followed by a summary of five major types of cyberattacks on SGs, including False Data Injection (FDI) attacks, Denial of Service (DoS) attacks, replay attacks, Man-in-the-Middle (MITM) attacks, and Malware and Malicious Code Injection.
2.1. SG Architecture
This section presents an overview of SG architecture, encompassing its key components, systems, and infrastructures. Several definitions and models for SG architecture can be found, each with unique characteristics; however, a commonly used SG model is proposed by NIST. Figure 1 shows an updated NIST SG conceptual model consisting of seven major domains: Customers, Generation, including DERs, Transmission, Distribution, Service Providers, Operations, and Markets. These domains are highly interconnected, constantly exchanging data and information, making SG interoperability frameworks crucial, especially those concerning the cybersecurity of these communication pathways and data exchanges [1]. This necessitates robust security protocols and standardized communication interfaces to ensure secure and reliable grid operation. Therefore, while an SG comprises several complex areas, this paper concentrates specifically on the cybersecurity aspect. This focus is critical, given the increasing vulnerability of interconnected systems to sophisticated cyber threats.
Figure 1. Updated NIST SG conceptual model [1].
Customers are typically the end-users of electricity, though they may also act as managers, storers, and generators of energy. An example of a critical component in this domain is smart meters (SMs), which enable clients to manage and monitor their energy use and generation. SMs provide smart measurement and two-way communication for remote interaction and control [1,7,8].
The Generation domain primarily consists of all systems that produce electricity. A key characteristic of modern SGs is the increasing penetration of Distributed Energy Resources (DERs) into traditional power systems. DERs are smaller-scale power generation and storage technologies typically closer to the consumer domain than traditional power generation systems, such as fossil fuel, nuclear, and large-scale hydropower plants. Common examples of DERs include household solar energy, wind turbines, battery storage systems, and combined heat and power (CHP) units. The increased adoption of DERs introduces unique challenges to the entire power grid across SG domains, particularly in terms of grid resilience, stability, and cybersecurity. Because DERs are intermittent, distributed, and bi-directional, several compounding issues raise cybersecurity concerns: an expanded attack surface due to dispersed geographic distribution; vulnerable points created at the intersection of DER Management System (DERMS) communication protocols and less secure legacy systems (e.g., older substations and feeder systems infrastructure); potential for rapid, cascading grid failures from intermittency and real-time control-based integrity challenges; and data privacy concerns, among others [1,9,10].
Service Providers include companies that offer services to other SG domains, typically the customers and utility operators. Services offered typically include energy management, demand response, and data analytics software [1,11,12]. The Transmission domain consists of all systems responsible for carrying high voltages over long distances through transmission lines and substations. Supervisory Control and Data Acquisition (SCADA) systems, Phasor Measurement Units (PMUs), Substation Automation Systems (SASs), and Intelligent Electronic Devices (IEDs) are examples of critical components in this domain, involved in an SG’s stable, reliable, and efficient operation [1,13,14].
The Distribution domain is responsible for providing electricity to and from the end-users and, as such, includes infrastructure and systems close to the customers. Key infrastructure in the Distribution domain includes SCADA systems, Advanced Metering Infrastructure (AMI), Remote Terminal Units (RTUs), Programmable Logic Controllers (PLCs), EV charging, Customer Energy Management Systems (EMS), and demand response (DR) controllers [1,10,15]. Markets enable electricity trading and pricing, facilitating efficient resource allocation and driving the electricity market and economy. This domain relies heavily on secure communication and data integrity to ensure market operations are fair and transparent [1]. The Operations domain is a crucial domain responsible for the real-time monitoring and management of the SG, ensuring its stability and reliability, primarily through SCADA and EMSs [1,16].
As noted earlier, in addition to the seven domains, the communication network infrastructure is another critical element that enables data exchange and interoperability between them. SGs operate on three different types of networks: Home Area Networks (HANs), Neighborhood Area Networks (NANs), and Wide Area Networks (WANs). From an SG system architecture perspective, HANs operate within individual households and connect smart appliances, smart meters, thermostats, etc. NANs collect and combine data from multiple HANs in a local area and include components such as smart transformers and data concentrators. NANs typically employ RF mesh networks or Power Line Communication (PLC) technologies to facilitate data transfer between households and utilities. WANs provide long-range communication between distribution substations, utility control centers, and field devices. They are responsible for centralized control and grid-wide coordination, relying on cellular, fiber optic, WiMax, and microwave technologies to support high data rates, high speeds, and long-distance communication [7]. Although the communication network is not treated as a standalone domain in our classification later in the Methods section, many included studies interact with it; accordingly, the role of the communication network is implicitly captured within the NIST domains and is recognized as central to SG cybersecurity.
2.2. SG Cybersecurity
This section presents an overview of SG cybersecurity, beginning with a brief background and motivation for studying it, followed by summaries of five major types of cyberattacks on SGs: False Data Injection (FDI) attacks, Denial of Service (DoS) attacks, replay attacks, Man-in-the-Middle (MITM) attacks, and Malware and Malicious Code Injection. The integrated nature of the SG, across the seven NIST-defined domains from generation to customers, necessarily creates a complex cybersecurity environment. From large-scale Industrial Control Systems (ICSs) and SCADA systems to consumer devices like smart meters, all present potential targets for cyberattacks [1]. Every layer has vulnerabilities, from substation controllers and communication networks that transfer operational data to data management systems that handle customer data.
Therefore, for the modern power grid, robust SG security should be a built-in requirement rather than an add-on for all SG domains and components. The consequences and intensity of successful cyberattacks on the SG can vary widely, ranging from a temporary loss of connection to a Home Energy Management System to large-scale power grid outages that damage municipalities and compromise essential infrastructure. The importance of studying SG cybersecurity can be demonstrated through a few notable examples and by evaluating metrics, such as outage duration, number of affected populations, economic losses, and other non-technical losses. Incidents like Triton [17], RedEcho [18], Industroyer (1 and 2) [19], BlackEnergy [20], and Hydro-Québec [21] showed the potential for real-world widespread damage to grid infrastructure and daily operations. Table 1 summarizes the cyberattack, its targets, and impacts. The need for robust cyberattack detection, mitigation, and response strategies will continue to be an ongoing effort. To that end, this paper proposes that a tiered security approach that addresses vulnerabilities at every level is essential, and that a system-level understanding of SG cybersecurity is a crucial foundational step of that endeavor.
Table 1. Summary of some notable cyberattacks on SGs, their targets, and impacts.
2.2.1. False Data Injection (FDI) Attacks
FDI attacks involve maliciously injecting deliberately crafted false data into measurements from meters (like smart meters, RTUs, PMUs) or communication systems within the SG. These attacks are often designed to be stealthy, i.e., to bypass traditional Bad Data Detection (BDD) mechanisms used by system operators. Attackers may need a partial or full knowledge of the grid’s topology and parameters to construct effective FDI attacks, although data-driven or “blind” attacks requiring less information are also emerging. FDI attacks can target various grid components and functions, including state estimation (SE), Energy Management Systems (EMSs), Supervisory Control and Data Acquisition (SCADA) systems, Automatic Generation Control (AGC), contingency analysis, market operations, and communication systems. The primary impact of FDIs is compromised data integrity, leading to inaccurate system monitoring and control. This can cause incorrect state estimations, leading operators to make wrong decisions. Specific consequences include economic losses through market manipulation (e.g., affecting electricity prices or dispatch), energy theft by falsifying consumption data, and grid instability due to incorrect control actions (e.g., manipulating AGC or triggering wrong protection schemes), potentially causing cascading failures or large-scale blackouts. FDI can also affect data availability and customer privacy [22,23,24,25,26,27].
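To make concrete the Bad Data Detection (BDD) that a stealthy FDI attack must evade, the following is an added example (not code from the paper or from any cited work) of residual-based BDD for DC state estimation on a constructed 3-bus network, paired with a temporal plausibility check that covers one of the residual test's blind spots. The network, its unit line reactances, the noise level, the chi-square threshold, and the per-scan angle-change bound are all assumed values.

```python
"""Residual-based Bad Data Detection (BDD) for DC state estimation on a
constructed 3-bus network, plus a temporal plausibility check.

Added example, not from the paper. Constructed assumptions: unit line
reactances, bus 1 as angle reference, noise sigma, the chi-square
threshold and the per-scan angle-change bound.
"""

# Linear DC measurement model z = H x (bus 1 is the reference, theta1 = 0).
# State x = [theta2, theta3]; rows are flows P12, P13, P23 and net
# injections P2, P3 with all line reactances = 1 p.u. (constructed).
H = [
    [-1.0, 0.0],   # P12 = (theta1 - theta2) / x12
    [0.0, -1.0],   # P13
    [1.0, -1.0],   # P23
    [2.0, -1.0],   # P2 = P21 + P23
    [-1.0, 2.0],   # P3 = P31 + P32
]
SIGMA = 0.02            # assumed measurement noise std-dev (p.u.)
CHI2_THRESHOLD = 7.815  # chi-square 95% critical value for m - n = 3 dof
MAX_ANGLE_STEP = 0.05   # assumed max plausible |delta theta| per scan (rad)


def measurements(state):
    """Noise-free measurement vector H @ state."""
    return [sum(h * s for h, s in zip(row, state)) for row in H]


def wls_estimate(z):
    """Weighted least squares with unit weights: x_hat = (H^T H)^-1 H^T z.
    The 2x2 normal matrix is inverted in closed form to stay dependency-free."""
    g00 = sum(r[0] * r[0] for r in H)
    g01 = sum(r[0] * r[1] for r in H)
    g11 = sum(r[1] * r[1] for r in H)
    b0 = sum(r[0] * zi for r, zi in zip(H, z))
    b1 = sum(r[1] * zi for r, zi in zip(H, z))
    det = g00 * g11 - g01 * g01
    return [(g11 * b0 - g01 * b1) / det, (g00 * b1 - g01 * b0) / det]


def residual_statistic(z):
    """Classic BDD statistic J = sum(((z_i - h_i x_hat) / sigma)^2).
    It only measures internal inconsistency of the scan with the model."""
    x_hat = wls_estimate(z)
    zh = measurements(x_hat)
    return sum(((zi - zhi) / SIGMA) ** 2 for zi, zhi in zip(z, zh)), x_hat


def bdd_alarm(z):
    """True when the residual test rejects the scan as containing bad data."""
    return residual_statistic(z)[0] > CHI2_THRESHOLD


def plausibility_alarm(prev_state, state):
    """Complementary check: flags state jumps faster than the physics allows.
    A scan that is self-consistent with a wrong state passes BDD but not this."""
    return any(abs(a - b) > MAX_ANGLE_STEP for a, b in zip(prev_state, state))


def screen_scan(prev_state, z):
    """Defender-side screening of one SCADA scan against both checks."""
    j, x_hat = residual_statistic(z)
    return {"state": x_hat, "J": j, "bdd_alarm": j > CHI2_THRESHOLD,
            "plausibility_alarm": plausibility_alarm(prev_state, x_hat)}


# Constructed scans. TRUE_STATE is the real operating point; NOISE is fixed
# so that the results are reproducible.
TRUE_STATE = [-0.1, -0.2]
NOISE = [0.005, -0.003, 0.004, -0.002, 0.006]
NORMAL_SCAN = [m + n for m, n in zip(measurements(TRUE_STATE), NOISE)]
GROSS_SCAN = list(NORMAL_SCAN)
GROSS_SCAN[2] += 0.5                     # one corrupted flow reading
SHIFTED_STATE = [-0.35, -0.05]           # a different, self-consistent point
SHIFTED_SCAN = [m + n for m, n in zip(measurements(SHIFTED_STATE), NOISE)]

if __name__ == "__main__":
    for name, scan in [("normal", NORMAL_SCAN), ("gross bad data", GROSS_SCAN),
                       ("self-consistent shift", SHIFTED_SCAN)]:
        print(name, screen_scan(TRUE_STATE, scan))
```

The shifted scan passes the residual test because BDD only checks consistency with the model, not plausibility; that is the gap the observer-based and machine learning approaches discussed later in this paper aim to close.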
2.2.2. Denial of Service (DoS) Attacks
DoS attacks aim to make an SG system, device, or communication network unavailable to its intended users. This can be achieved by overwhelming communication channels with excessive traffic (flooding), disrupting wireless communications (jamming), exhausting the resources of target devices, or blocking critical control commands or data measurements. Targets can include communication interfaces, network protocols, specific devices like smart meters or inverters, or control systems. DoS attacks primarily impact the availability of data and services. This prevents operators from monitoring or controlling parts of the grid, blocks legitimate users from accessing services, and can disrupt essential functions like state estimation or control commands. Blocking control signals or measurement data can lead to grid instability, frequency or voltage deviations, and load shedding, among others [28,29,30,31].
2.2.3. Replay Attacks
Replay attacks involve capturing correct data in transmission (e.g., control commands, measurements) and re-sending the data. An attacker intercepts the transmission and inserts the recorded data sequence, often after modifying it. The fact that an adversary may not always require specialized knowledge of the system to launch the attack makes replay attacks particularly dangerous. Replay attacks primarily target data communication streams and compromise data integrity and timeliness by misleading monitoring and control systems with outdated or incorrect data. This, in turn, can lead to incorrect operational decisions or the bypassing of security checks if the replayed data appears legitimate. The success can depend on the communication protocol; for example, TCP/IP sequence numbers might detect simple replays, while UDP might be more vulnerable. These attacks can impact confidentiality, integrity, and availability [12,31,32,33,34].
2.2.4. Man-in-the-Middle (MITM) Attacks
In an MITM attack, an adversary secretly intercepts and potentially alters the communication between two parties who believe they are directly communicating with each other. The attacker inserts themselves into the communication path, for example, between a field device and a control center or between two network components. MITM attacks can directly threaten data confidentiality (e.g., by eavesdropping on communications) and integrity (e.g., by modifying data in transit). This allows attackers to steal sensitive information, inject false data or commands, impersonate legitimate devices, or disrupt normal operations [31,35,36,37].
2.2.5. Malware and Malicious Code Injection
This category of attack involves introducing malicious software, such as viruses, worms, Trojan horses, ransomware, or spyware, into SG systems or devices. A specific variant involves installing malicious firmware on devices. Malware can be introduced through various channels, including exploiting software vulnerabilities, phishing attacks, compromised updates, or infected hardware. Targets include SCADA systems, control centers, Intelligent Electronic Devices (IEDs), smart meters, and communication gateways. Notable examples of real-world impacts due to malware attacks on ICSs include BlackEnergy3, Industroyer (1 and 2), and TRITON, as summarized in Table 1. As previously noted, malware attacks can have devastating impacts, ranging from compromised data and privacy invasion to disrupted grid operations and a threat to life. Malicious firmware can render devices inoperable or make them behave in unintended, harmful ways. These attacks can grant malicious actors remote control over critical systems, allowing them to manipulate processes, install backdoors for future access, spread to other connected systems, or cause physical damage to equipment [17,19,20,38,39,40,41,42].
2.2.6. Comparison of Attack Types and Defense Challenges
Key Differences: The SG cyberattack types mentioned above differ fundamentally in their target vectors and operational impact. FDI attacks target data integrity by covertly manipulating sensor measurements or control signals to corrupt state estimation, which often evades traditional bad data detectors, so that the manipulated values are often indistinguishable from valid measurements [43,44]. In contrast, DoS attacks pose a direct threat to system availability through network flooding or channel jamming, resulting in immediate observable disruptions that are hard to completely prevent in real time [7]. MITM attacks compromise communication integrity and authenticity through the interception and alteration of data exchanged between devices, whereas replay attacks compromise integrity by capturing and resending previously legitimate messages. Both of these types of attacks exploit the usual lack of proper authentication in legacy protocols [16]. The broadest category of threat is Malware and Malicious Code Injection (MCI), which can affect any layer of a system, from firmware and software to communications [39]. Overall, FDI requires advanced machine learning and state estimation techniques to be detected, DoS necessitates robust network redundancies, and MITM/replay attacks require strong cryptographic authentication, while Malware/MCI requires secure lifecycle management. Each, therefore, represents a different defense problem with no unified, universal detection and/or mitigation strategy.
Defense Difficulties: The difficulty in defending against each attack type directly relates to its fundamental characteristics. FDI attacks can be engineered to evade traditional bad data detectors, and, even with partial system knowledge, attackers can inject attacks that satisfy normal constraints. These crucial challenges increasingly necessitate advanced observer-based or machine learning approaches; however, they come with the drawback of introducing computational and detection latency costs [9,10]. DoS attacks directly target system availability and can be launched in many forms (e.g., resource exhaustion, network flooding, jamming), making them relatively easier to detect than FDI attacks but difficult to prevent in real-time. If multiple DoS attacks are launched (referred to as Distributed Denial of Service (DDoS)), it becomes infeasible to prevent all forms simultaneously, and conservative worst-case designs that account for all DoS variants often degrade normal system performance [29,30,45].
MITM and replay attacks exploit the lack of authentication and encryption in many legacy industrial protocols, such as Modbus, IEC 61850-MMS, and DNP3 [46,47]. Although implementing cryptographic protection schemes is relatively straightforward in theory, they can introduce latency, key-management complexity, and incompatibility with devices designed before such protections existed. Malware and MCI bypass network-level defenses entirely by exploiting software vulnerabilities, firmware misconfigurations, or supply-chain compromises [40]. Across all attack types, the fundamental challenge is that 100% prevention is unachievable, requiring defense efforts to shift toward rapid detection and resilient mitigation rather than complete prevention.
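The replay and MITM mechanics described in Sections 2.2.3 and 2.2.4, and the point above that these attacks exploit missing authentication in legacy protocols, can be illustrated from the receiving side. The following is an added example (not code from the paper or from any cited work) of an authenticated, freshness-checked framing for datagram telemetry, where no transport-layer sequence numbers exist to catch simple replays; the shared key, device identifier, message layout, and freshness window are assumed values.

```python
"""Replay- and tamper-resistant framing for datagram (UDP-style) telemetry,
where no transport-layer sequence numbers exist to catch simple replays.

Added example, not from the paper or any cited work. Constructed: the
shared key, device id, message layout and the freshness window.
"""

import hashlib
import hmac
import json

KEY = b"constructed-demo-key"   # per-device key, provisioned out of band
FRESHNESS_WINDOW_S = 5          # assumed max clock skew + transit delay (s)


def _tag(device, seq, ts, payload):
    """HMAC-SHA256 over every authenticated field, so altering any one of
    them in transit (the MITM case) invalidates the tag."""
    msg = f"{device}|{seq}|{ts}|{payload}".encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()


def frame(device, seq, ts, payload):
    """Sender side: build one authenticated datagram."""
    return json.dumps({"dev": device, "seq": seq, "ts": ts,
                       "payload": payload, "tag": _tag(device, seq, ts, payload)})


class ReplayGuard:
    """Receiver side: authenticity, freshness and per-device monotonic
    sequence numbers. Strict monotonicity drops reordered datagrams, an
    accepted trade-off for telemetry that is re-sent every scan anyway."""

    def __init__(self):
        self.last_seq = {}

    def accept(self, datagram, now):
        """Return (accepted, reason). The MAC is checked first so a forged
        high sequence number cannot poison last_seq and block real traffic."""
        try:
            m = json.loads(datagram)
            dev, seq, ts = m["dev"], int(m["seq"]), int(m["ts"])
            payload, tag = m["payload"], m["tag"]
        except (ValueError, KeyError, TypeError):
            return False, "malformed"
        if not isinstance(tag, str) or \
                not hmac.compare_digest(tag, _tag(dev, seq, ts, payload)):
            return False, "bad_mac"
        if abs(now - ts) > FRESHNESS_WINDOW_S:
            return False, "stale"
        if seq <= self.last_seq.get(dev, -1):
            return False, "replay"
        self.last_seq[dev] = seq
        return True, "ok"


def run_demo():
    """Constructed traffic: one genuine scan, the same datagram re-sent,
    an in-transit edit of the value, an old capture re-sent late, then the
    next genuine scan."""
    guard = ReplayGuard()
    first = frame("rtu-7", 1, 1000, "V=0.98")
    second = frame("rtu-7", 2, 1003, "V=0.97")
    return [
        guard.accept(first, 1001)[1],                          # ok
        guard.accept(first, 1002)[1],                          # replay
        guard.accept(first.replace("0.98", "1.20"), 1002)[1],  # bad_mac
        guard.accept(second, 1030)[1],                         # stale
        guard.accept(second, 1004)[1],                         # ok
    ]


if __name__ == "__main__":
    print(run_demo())
```

The MAC adds per-message computation and a per-device key-provisioning step, which is exactly the overhead and key-management burden the paragraph above identifies as a deployment barrier on legacy equipment.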
Summary of Limitations in Current Defense Mechanisms: While current defense strategies have evolved with increasingly complex mechanisms, each still carries significant practical limitations. For example, encryption and cryptographic authentication protocols can effectively thwart MITM attacks, but they introduce computational overhead, latency, and key management burdens that are often infeasible to deploy uniformly across legacy grid infrastructure; additionally, encrypted communications do not prevent FDI attacks launched by insiders or attackers with access to keys [48,49]. Machine learning-based intrusion detection systems (IDSs) and anomaly detection improve FDI and DoS detection rates, with some approaches achieving 99% accuracy, but they can come at the cost of high false-alarm rates, a lack of interpretability in decision-making, and poor generalization to novel attack types absent from training data, and they are susceptible to adversarial perturbations that can degrade model performance by orders of magnitude [9,10,13,50,51].
Testbed-based validation and simulation environments, while essential at the proof-of-concept (PoC) stage, demonstrate only early feasibility under controlled conditions. These methods often use simplified models, idealized communication timing, and limited datasets, and therefore do not capture the complexity, heterogeneity, and transient dynamics of real-world power systems; as a result, defenses validated in simulation may not meet expectations when operationally deployed [16,33,42,52].
Finally, the literature confirms that no combination of cyber and physical prevention technologies can ensure 100% security against all possible adversaries; instead, practical systems must accept residual risk, balance security investments against operational performance, and favor layered detection and mitigation approaches over absolute protection. This review aims to contribute to future efforts in layered SG cybersecurity strategies by systematically mapping domain-specific attack/defense evidence, highlighting under-studied areas, and offering a reproducible mapping.
2.3. Existing Reviews on Domain-Level SG Cybersecurity
A brief overview of prior reviews from the last 1–7 years is presented in this section. Five studies were chosen based on their similarity to concepts covered in our work, i.e., studies that included one or more of the following: broad, system-level discussions of SG domains and cybersecurity concerns; a summary of analysis tools/platforms; and domain-attack/tool/methodology mapping. The authors in [31] cover attack taxonomies and defenses across Generation, Transmission, and Distribution, and map the attack surface across grid segments, linking IoT exposure to threats like FDIA, DoS, and MITM, while surveying cryptographic, ML/AI, and blockchain-based defenses. Gunduz et al., in [53], cover security-oriented testbeds for IoT-based SGs by comparing hardware-in-the-loop, simulation, real-time, and hybrid setups, and what each contributes towards cybersecurity studies.
The authors in [54] present practical device-level guidance for DERs, together with methods for putting cybersecurity into practice through device-, communication-, and application-layer functions, developed in collaboration with several key stakeholders, including utilities and vendors. In [55], the authors provide a rigorous evaluation of modeling/simulation perspectives for Cyber-Physical Power Systems (CPPSs) and organize modeling into categories (interconnection, interaction, interdependence), offering a useful map for selecting analysis methods and tools. Finally, Achaal et al., in [7], provide a comprehensive overview of SG architecture and cybersecurity across all NIST domains, and additionally cover cyberattacks on communication networks.
The motivation behind Achaal et al.’s work [7] aligns closest with that of our work; however, there are key differences in the broader objectives and findings. The primary goals in [7] were to cover all aspects of SG cybersecurity (identification, response, and recovery, in addition to protection and detection mechanisms) and guide organizations in following a complete security routine based on scientific countermeasures at every step (explicitly mapping studies to the recommendations of NIST’s cybersecurity functions—Identify, Protect, Detect, Respond, and Recover) for a select few studies, whereas the primary objective of this study, as mentioned earlier, is to identify and present broad, system-level trends in SG cybersecurity research rooted in the mapping of NIST domains affected by three areas (attack type, platforms/tools used, and methodology). Therefore, while studies such as [31,55] emphasize technical rigor, the focus of our work is placed instead on presenting and analyzing trends across all SG domains in relation to the practical implementation areas.
A summary of prior reviews’ primary focus and major contributions, with respect to domain-level mapping, is provided in Table 2. Their limitations, in terms of coverage across NIST domains and domain × methodology/attack type/tool and platform mapping, are presented in Table 3.
Table 2. Coverage of prior reviews: presence of NIST domain-level mapping and domain-by-methodology/attack type/tool and platform mappings.
Table 3. Summary of existing reviews’ areas of focus and key contributions.
A few gaps are identified that this work aims to address. Most reviews heavily emphasize and stay within the Generation/Transmission/Distribution view and make fewer mentions of other critical NIST domains such as Customers, Markets, and Service Provider domains; few align findings specifically to the complete NIST seven-domain model; and none analyze system-level trends across all three areas simultaneously (mapping domain to attack type, tools/platforms, and primary methodology). Another key limitation identified is the technical focus barriers—the reviews maintain a highly technical focus that may limit accessibility for non-technical stakeholders, e.g., policy-makers and managers, who may seek a fundamental understanding of SG cybersecurity and guidance on recognizing where future efforts are needed, without requiring specialized expertise.
Therefore, as synthesized in Table 2 and Table 3, prior reviews share three limitations that can be summarized as follows: (i) they emphasize Generation/Transmission/Distribution, while giving limited attention to Customers, Service Providers, and Markets; (ii) they seldom align findings to the full NIST seven-domain model; and (iii) they provide little on temporal trends or domain-specific attacks/limitations of defenses. This review addresses the above by
- i. Categorizing studies clearly by the primary NIST domain(s) impacted;
- ii. Mapping each study’s domain to the primary method employed, tools/platforms used, and key cyberattacks covered;
- iii. Highlighting domains that are underrepresented and areas where there is an imbalance in methodology (i.e., between empirical support/simulation and theoretical frameworks and models).
The objective is to create an accessible map to help researchers and stakeholders, both technical and non-technical, and guide future research efforts in the industry by (i) helping identify and prioritize threats within their domain of concern and (ii) choosing relevant methods and tools for analysis.
3. Methodology of This Review
To provide a reproducible and system-level view of SG cybersecurity research, a structured multi-stage methodology was adopted. There were two goals: first, to capture the evolution and current state of cybersecurity across all NIST-defined SG domains; and second, to reveal methodological and thematic gaps that can inform future frameworks for researchers, utilities, and policy-makers alike. We adopted selected PRISMA-style reporting items (search strings, screening steps, inclusion counts, and a flow-style summary) to improve transparency; however, we do not claim full PRISMA compliance or present a meta-analysis, but rather a scoping review.
3.1. Literature Selection
To ensure consistency of the outlet and standards, the papers were restricted to the IEEE Xplore database. First, a broad search query ((“cyberattack” OR “cybersecurity”) AND “smart grid”) was selected, and, to reflect both foundational work and emerging trends, the initial search results were divided into four intervals (2015–2017, 2018–2020, 2021–2023, 2024–2025). For the first thirty papers, equal importance was placed on citation count and relevance; approximately half of the chosen papers were selected for each of the filters, supplemented by a small random sample to reduce selection bias. For the final thirty papers, the temporal and citation-based relevance strategy was combined with gap-driven sampling, targeting underrepresented domain vs. approach and domain vs. attack combinations, supplemented once again with a small random sample.
Corpus size and years: The final set comprised 60 papers. Although 2015–2024 was emphasized in the planning stage, five pre-2015 foundational papers (2011–2014) that met all other criteria were retained to provide historical context. Overall, the corpus covers 2011–2024, with a greater weight placed on recent papers (peak in 2020–2021 and sustained contributions through 2024). IEEE Xplore was used as the main search resource for two primary reasons: (i) it is a principal digital library for power systems, control/SCADA, and SG cybersecurity research; and (ii) it offers consistent indexing and metadata quality across journals and conferences, enabling reproducible screening and extraction. Additionally, it was used to preserve methodological uniformity and minimize bias introduced by heterogeneous cataloging standards. Future extensions should broaden coverage to complementary databases. This is explicitly noted in Section 5 (Limitations, Future Work, and Implications) of this paper. We used domain and threat keywords (e.g., “NIST domain,” “FDI,” “DoS,” “smart grid,” “SCADA”) and kept English papers in power/energy or communications. From this, we selected 60 core studies that fit our criteria (SG context, mappable to a NIST domain, clear method/attack), and these drive all quantitative results.
In total, we cite 97 references: the 60 core papers plus standards/frameworks and background sources and prior reviews for context. This was considered sufficient for a scoping review, but not exhaustive; bias may remain toward IEEE venues, English-language work, and publicly available studies. We note these limits when interpreting results. A broader search could yield additional insights; however, our primary aim was to identify high-level trends across domains, attack types, and methodologies, and not to provide an exhaustive inventory. The selected corpus was also sufficient to support our objective of establishing a reproducible, domain-level mapping of cybersecurity threats using the NIST framework, which, to our knowledge, had not been explicitly performed in prior reviews. Future systematic scoping reviews may build on this structure with wider coverage and inclusion criteria.
3.2. Metadata Extraction and Classification
Each paper was analyzed in MS Excel using custom VBA scripts. The following were recorded:
- Title and publication year;
- Primary threat(s), classified as False Data Injection (FDI), Denial of Service (DoS), Man-in-the-Middle (MITM), replay attack, Malware and Malicious Code Injection (MCI), insider threat, or general (broad anomaly detection, cryptographic frameworks, etc.);
- AI/ML methods: Yes or No classification;
- Primary approach: Simulation-based (e.g., model-based, data-driven, co-simulation, or testbed), Theoretical (e.g., attack frameworks, resilience strategies, risk models, policy), or Experimental/Testbed (e.g., hardware-in-the-loop, field trial);
- Tool(s)/test platforms: New tools and platforms were recorded as they were encountered during the review process, e.g., MATLAB/Simulink, NS-3, OPAL-RT, and PSCAD/EMTDC, among others;
- NIST domain(s) affected: Customers, Generation/DERs, Transmission, Distribution, Service Providers, Operations, or Markets.
3.3. Domain Classification Criteria
The NIST SG Interoperability Framework [1] was adopted to assign each paper to one or more SG layers. To aid in classifying papers into respective domains during the review process, first, a list of key components and technologies typically targeted in each domain was noted based on [1] and existing reviews. Then, through an iterative process, keyword matching was combined with manual review to ensure accurate assignment. Examples of noted concepts and keywords for each domain are provided below.
- Customers: Studies of end-user devices and interactions (e.g., smart meters, Home Energy Management Systems, demand response) emphasizing privacy, consumer behavior, or data protection;
- Generation (including DERs): Centralized and distributed sources (e.g., solar, wind, microgrids, VPPs), inverter security, and DER coordination;
- Transmission: High-voltage infrastructure (e.g., SCADA/PMU security, wide-area monitoring, relay protection, substations);
- Distribution: Medium/low-voltage networks (e.g., RTUs, smart transformers, AMI/AMR security, outage management);
- Service Providers: Third-party platforms (e.g., cloud services, billing, data analytics, aggregators), focusing on vendor risk and API/SLA security;
- Operations: Control centers and OT (e.g., SCADA/EMS resilience, state estimation, contingency analysis, situational awareness);
- Markets: Economic layers (e.g., wholesale/retail pricing, bidding platforms, blockchain/DLT for transactions, market manipulation risk).
3.4. Primary Approach Classification Criteria
The existing literature was classified based on three primary methods employed:
- Simulation-based: This includes studies that employ simulation tools, whether modeling attacks in platforms like MATLAB/Simulink or NS-3, running co-simulation environments, or using digital-twin frameworks, to evaluate cybersecurity scenarios.
- Theoretical: This includes works that develop and analyze attack frameworks, propose resilience strategies, construct risk-assessment models, or examine policy and standards without direct tool validation.
- Experimental/Testbed: Hardware-in-the-loop (HIL) implementations and real-world field trials that physically validate cybersecurity measures under operational conditions.
3.5. Data Analysis and Considerations
Pivot tables, charts, and conditional formatting in MS Excel (VBA scripting) were used to analyze collected data. Papers addressing multiple threats or layers that were deemed to be of equal importance were tagged accordingly under each relevant category. Each paper was assigned to the category corresponding to its principal approach (Simulation-based, Theoretical, or Experimental/Testbed), even if it also contained elements of another approach as a foundation. This multi-label categorization meant attack type and domain counts for analysis could exceed unique paper counts, and this is explicitly noted.
It is important to note that no protocol registration was performed, no formal risk-of-bias tool was applied for exclusion, and no meta-analysis was planned due to heterogeneity in designs, outcomes, and metrics. We present a systematic mapping/scoping synthesis rather than a quantitative meta-analysis.
4. Categorization, Results, and Discussion
This section presents the results of the categorization and analysis of the selected papers. The findings are organized to highlight research distribution, methodological patterns, and gaps in the current SG cybersecurity literature on a domain level.
4.1. Domain-Level Temporal Trends
Figure 2 shows the annual count of studies classified by NIST domain (stacked bars), with cumulative totals overlaid as lines. Line endpoints indicate the overall volume by domain. We found that the annual counts for research in SG cybersecurity are modest before 2018 and then rise steadily, peaking in 2021 (n = 40 studies, where n denotes the number of studies), and remaining higher than pre-2018 levels in 2024 (n = 16) (year totals: 2011 = 3, 2014 = 10, 2015 = 6, 2016 = 4, 2017 = 8, 2018 = 11, 2019 = 8, 2020 = 24, 2021 = 40, 2022 = 15, 2023 = 8, 2024 = 16). The stacked columns show that the post-2018 increase is driven largely by Operations and Generation, with the strongest activity in 2020–2021. Within the peak year 2021, Operations (12) and Generation (11) lead, while Distribution (8) and Customers (7) also increase relative to earlier years. Transmission remains consistently sparse (≤3 per year since 2021), and Service Providers are low throughout (≤3 per year). Overall, Operations had the greatest cumulative coverage (n = 53; 35%), followed by Generation (n = 38; 25%) and Distribution (n = 22; 14%). By contrast, Transmission (n = 14; 9%) and Service Providers (n = 8; 5%) were markedly underrepresented, with Customers (n = 18; 12%) ranking third from the bottom. It is interesting to note that none of the studies were classified as part of the Markets domain. This could reflect (i) a misclassification of a few borderline studies whose focus on bidding, settlement, or dispatch economics was integrated within Operations or Service Provider domains, or (ii) an unbalanced search strategy. 
Additional reasons may include the following: (iii) Markets-focused cybersecurity work may appear in energy economics, finance, or policy outlets that use non-NIST terminologies; (iv) threat prioritization toward safety-critical operations over market economic impacts may bias researchers and funders toward Operations/Distribution; (v) ambiguity at the Operations and Markets boundary leads our classification to default to Operations. Collectively, those are some factors that likely suppressed Markets domain coverage in our study.
Figure 2.
Study instances (n) by domain (stacked) with cumulative totals (lines). Line endpoints indicate the overall volume by domain. Note: Here and in subsequent figures, n denotes the number of study instances. Totals reflect multi-labeling; a study may map to multiple domains.
Another domain that is notably underrepresented is Transmission; given that the adjacent domains, Generation and Distribution, rank as the second and third most studied overall, this under-coverage is marked. Several possible reasons may explain this pattern. First, regulatory constraints (e.g., NERC CIP v5, FERC) can limit the availability of Transmission-grade datasets and detailed architectures for academic use, reducing incentives for Transmission studies compared to the comparatively open nature of Operations or Distribution settings. Second, the cost of research infrastructure for Transmission-level testbeds may be higher than for distribution or lab-scale platforms, making experimental validation more challenging. Third, Transmission systems are generally more isolated and have fewer distributed, vulnerable endpoints than, e.g., Operations and Distribution networks, which face threats from smart meters, DERs, IoT device connections, etc.; the larger attack surface and greater number of vulnerabilities in those domains naturally draw more cybersecurity research. Finally, notable real-world cyber incidents (Table 1) have primarily targeted Generation, Operations, and Distribution, highlighting the large-scale impacts on SGs and likely motivating greater research attention in those domains relative to Transmission, which has a less direct, visible impact on end-users.
Finally, classification and venue effects may have played a role, e.g., substation or protection-oriented work is often framed as Operations in the literature, as mentioned above, and some Transmission studies may be outside our search scope or use non-NIST terminology, making retrieval and mapping more difficult. However, interpretative caution is observed. The observed scarcity does not necessarily imply that Transmission attacks are less important; rather, the threat surface is different, and the possible reasons must be considered in future work when attempting to map the domain accurately. These patterns suggest a need for targeted collaborations (e.g., anonymized datasets and Transmission-oriented benchmarks) to enable reproducible research and to clarify where Transmission risks are genuinely lower versus merely less observable in the literature. Customer (12%) and Service Provider (5%) domains are the other domains that are notably less represented. We revisit the implications of these Markets and Transmission gaps in Section 4.6.
4.2. Methodology Distribution Within Domains
Figure 3 shows the distribution of SG domains and the primary method employed. Across all instances (n = 153), Simulation-based (43.1%) studies dominated, followed by Experimental/Testbed (32.0%) and Theoretical/frameworks (24.8%). By domain, Distribution (n = 22) is dominated by Simulation (73%), while Operations (n = 53) is more balanced (40% Simulation, 40% Experimental, 21% Theoretical). Generation (n = 38) also leads in Simulation (50%), with substantial shares in Experimental (24%) and Theoretical (26%) methods. The Customers (n = 18) domain is slightly skewed towards Experimental (56%; Simulation 11%), and the Service Provider domain (n = 8) shows a 25–50–25% split. Transmission (n = 14) shows a near three-way split (36% Experimental, 29% Simulation, 36% Theoretical), indicating heterogeneous approaches despite the lower volume overall. These mixes contextualize where empirical validation versus modeling predominates within each NIST domain. The implications of these findings are presented in Section 4.6, followed by the limitations in Section 5.
Figure 3.
Method composition within each NIST domain (100% stacked). Bar tops indicate the total number of study instances (n), and segment labels show method percentages. Note: totals reflect multi-labeling; a study may map to multiple domains/methods.
4.3. Cyberattacks on SGs—An Overview
This section discusses a few substantive works covering cyberattack detection, mitigation, and other strategies. Figure 4 shows the distribution of all cyberattack types encountered in the categorization and review process. FDI (36%), DoS (20%), and Malware and MCI (15%) were the leading attack types encountered overall—a pattern consistent with the trends observed in the existing literature over the past decade, with the increasing integration of ICTs into the SG. Together, MITM, replay, insider threats, and general attacks make up 29% of the remaining attacks reviewed.
Figure 4.
Attack type distribution by total study instances (n = 153). Bars show the percentage and count for each attack category. Note: totals reflect multi-labeling; a study may cover multiple attack types.
Figure 5 shows AI/ML usage by domain. Across all instances, 30% (≈46/153) apply AI/ML. Shares vary by domain: Customers 50% (≈9/18), Generation 37% (≈14/38), Operations 32% (≈17/53), Distribution 23% (≈5/22), Transmission 7% (≈1/14), and Service Providers 0%. Operations contributes the most AI/ML studies (≈17) and can be attributed to its larger overall volume, while Customers shows the highest within-domain share (50%). These patterns suggest an uneven adoption that may reflect differences in data availability, problem framing, and the maturity of toolchains across domains; we do not infer effectiveness or priority from frequency alone.
Figure 5.
AI/ML usage by the NIST domain. Bars show the share of study instances using AI/ML (%) within each domain; bar tops indicate total study instances (n). “Yes” = study employs AI/ML for detection, classification, prediction, or control. Note: totals reflect multi-labeling; a study may map to multiple domains.
Four broad categories of detection, mitigation, and other strategic approaches for FDI attacks were identified: (i) analytical and ML-based studies; (ii) model-based/statistical studies; (iii) control and resilience; and (iv) sensing and placement. Karimipour et al., in [50], propose an anomaly detection method to extract the patterns of changes in FDI attacks. Symbolic Dynamic Filtering (SDF) is employed to construct a computationally efficient feature extraction scheme that identifies causal interactions between the SG’s subsystems through Dynamic Bayesian Networks (DBNs). The performance of the proposed algorithm was evaluated on different IEEE test systems and under various operating conditions for several measures (TPR, FPR, and ACC), and the results demonstrated a high attack detection accuracy. Li and Pan in [43] introduce a novel multi-stage dynamic attack and defense game model that accounts for the possibility of multiple attacks and enables the derivation of optimal defense strategies by solving for the Nash equilibrium point. Simulations were performed on the IEEE 14-bus system, and it was found that the effectiveness of the scheme is significantly enhanced when the defender considers the overall gain within a dynamic multi-stage game, providing a promising game-based defense solution against FDI attacks on SGs.
A square-root unscented Kalman filter (SR-UKF)-based forecasting-aided SE (FASE) for generating the state estimation of distribution network results is presented by the authors in [10] as a solution for FDI detection, and the feasibility of the proposed general imperfect FDI attacks and the effectiveness of the proposed FDI detection strategy are both validated through comprehensive numerical simulations, including in the presence of random outliers and FDIs, and a computational efficiency assessment that shows the proposed strategy is compatible in terms of real-time application in practical unbalanced distribution networks. The proposed FDI detection strategy by the authors in [10] is applied to meter units in the local physical layer, which provide multiple attack targets and approaches, in contrast to layers where it is costly to execute FDI attacks due to sophisticated security infrastructures, such as within the Decision (SCADA, control center, man–machine interfaces, etc.) and Cyber (Router, Internet, IPS, WANs, etc.) layers.
In [56], Xia et al. present a data-driven signal estimator developed based on a deep neural network (DNN) as a method to address tolerance against FDI, DoS, and latency attacks. To validate the effectiveness of the proposed methods, extensive studies are conducted, including numerical case studies for online (MATLAB/Simulink) and real-time performance (Opal-RT), which demonstrate that the proposed learning scheme can improve state estimation accuracy. A Bayesian deep learning-based approach is developed for FDI detection by the authors in [9]. Imbalanced data in real power systems are addressed, and key contributions are made in successfully discriminating between secure and compromised measurement data under a significant data imbalance and in the presence of measurement noise. The feasibility and effectiveness of the proposed system are validated by simulations, and extensive performance metrics are explored, showing a high accuracy in FDI detection and applicability to distribution systems with renewable energy sources (DERs) integrated.
A cross-layer control strategy is proposed for microgrid resilience against FDI and DoS attacks by the authors in [45], with a primary goal of ensuring that desired microgrid operating conditions (DER proportional active power sharing and frequency restoration) can be maintained under stealthy cyberattacks. The strategy is validated in a 12-bus microgrid system using extensive time-domain PSCAD/EMTDC simulations and has promising implications for solutions against stealthy cyberattacks in islanded microgrids, especially with the increasing integration of ICTs in SGs. A comprehensive study on distribution-level phasor measurement units (D-PMUs), or micro-PMUs, was conducted by Kamal et al. in [47], focused on a novel method for the detection and identification of compromised units in the presence of an FDI attack. The proposed method is evaluated through case studies and tests performed on the IEEE 33-bus power distribution system. Limitations in this study were acknowledged and discussed in the context of being inherently inevitable and of less importance to the overall impact, providing a helpful study as the application of micro-PMUs and consideration of their cyber-vulnerabilities continue to be researched.
FDI attack detection on Advanced Metering Infrastructures (AMIs) and a mitigation strategy are explored by the authors in [57]. A network-based (NARX) time-series algorithm is proposed, and the effectiveness of the algorithm is evaluated through simulations using a proposed Functional Mock-Up Interface (FMI) compatible co-simulation platform, which allows multi-domain simulator (EMTP, MATLAB/Simulink, and NS-3) interaction and the robust analysis of cybersecurity. Notwithstanding the study’s limitation in explicit effectiveness metrics, the findings of this study can be useful to other applications in addition to cybersecurity studies, e.g., DERs and EVs, and the optimization of power grid control and performance. Multi-layer DoS attacks are addressed in [29], with a focus on the frequency synchronization problem in microgrids, with a capability of impacting communication, measurement, and control actuation channels. The proposed DoS-resilient self-triggered control method is evaluated through simulations in MATLAB/Simulink, and the primary limitation of an optimization problem for the defender, in the cases when the attacker has limited resources, is explicitly noted.
In [28], an easy-to-implement and efficient algorithm is proposed to estimate the dynamic states of a power system’s components inside a DoS attack zone. However, the findings are subject to two methodological limitations that temper this claim: physical attacks may be masked by the DoS attacks, and the parameters impacting the correlation coefficients are not derived from the topology of the grid and the system properties. The study findings therefore need to be interpreted cautiously. As possible future work, the authors mention extending their technique to estimating the states of the grid under topology change and considering attacks under optimum PMU. In a comprehensive study of the Modbus system architecture as it applies to DER integration, Ravikumar et al. propose a robust distributed intrusion detection system (D-IDS) architecture and algorithms for detecting anomalies in DER Modbus communication in [49]. The study’s strengths lie in its model- and physics-based approach to developing a Modbus-specific IDS ruleset capable of improving the detection accuracy of DoS as well as FDI attacks. The scheme is evaluated on a hardware-in-the-loop (HIL) DER testbed, with results that showed high detection accuracy rates (>99.95%).
The authors in [16] present a microgrid security monitoring platform based on IEC 62351-7:2017 Network and System Management (NSM), using a hybrid rule-based and machine learning anomaly detection approach. Different schemes are proposed, deployed, and evaluated for performance metrics on a real-time co-simulation testbed, primarily for MITM and replay attacks. This study additionally identifies crucial gaps in the proposed schemes and explicitly notes that its findings serve as foundational work with potential for future, more comprehensive monitoring platforms that integrate NSM along with mechanisms such as passive network traffic inspection and device log analysis. An interesting mutually authenticated key establishment protocol between the service provider and the smart meter devices is proposed in [12], and the study makes several contributions; one of its key strengths lies in its robust security analysis of the protocol: formal analysis (Gong, Needham, and Yahalom (GNY) logic), verification in the ProVerif environment, and informal analysis (impersonation, MITM, and replay attacks, desynchronization attack, known key security, and perfect forward secrecy, among others). Additionally, the study conducts a comprehensive comparative analysis against existing schemes in terms of security functionality and computational, communication, and storage costs.
In [35], the authors discuss the vulnerabilities that exist in a common SG communication protocol, the IEC61850. A testbed environment is created, and several attack scenarios (including MITM and FDI attacks) are evaluated to show the functionality and robustness of the proposed platform. This study can serve as a useful tool for conducting future research in the investigation of different cyberattack scenarios. In a different study focused on Malware and MCI attacks, the authors in [40] aim to highlight the importance of cybersecurity considerations in vehicle-to-grid (V2G) communications in power transportation systems. This is achieved by demonstrating how a Malware and MCI optimal attack strategy derived from logical connectivity and a malware spread probability can accelerate malware spread by 10–33% in target EV charging stations (EVCSs). Identifying security vulnerabilities around networked SG components’ firmware updates, with potential severe impacts on grid operations due to malware-injected devices, a cloud-based, device-specific malware file detection system for SG devices is proposed by the authors in [52].
A quantum-convolutional neural network (QCNN) with deep transfer learning (DTL) is designed and implemented in a cloud platform to detect malware files targeting various SG devices. The proposed algorithm is evaluated on a cloud platform that utilizes an IBM Quantum processor, and it was found that the proposed malware file detection method significantly improves the malware file detection rates compared to the conventional CNN-based method. Network and endpoint IDS for Industrial Control Systems (ICS), hardware-counter anomaly analytics, least privilege/role-based access control (RBAC), privileged access management (PAM), firmware integrity validation, and rigorous patch and configuration management (code signing) are other commonly proposed security measures against Malware and MCI attacks [8,38,39,40,41,42,52,58].
Liu and Wang, in [59], address insider threats in the context of load redistribution (LR) attacks against power systems, through a proposed game model that considers the information leakage of the system operator’s defense strategy by the insider to the external attacker. Extensive case studies based on the IEEE 39-bus and IEEE 118-bus test systems were conducted to validate the proposed model. The results of the case studies show that insider information leakage will increase the payoff of the attacker in LR attacks. The damage to the grid can be considerable even if the information leakage probability is small. Other studies address insider threats through control approaches (Critical Interface Locks (CILs) and file signature checking) and deception/authentication methods (honeypots and two-way authentication protocols) [14,48,59,60,61,62]. Table 4 below summarizes other attack types and common detection, mitigation, and other strategic approaches covered across all studies in this work.
Table 4.
Summary of attack types and key detection, mitigation, and strategic approaches proposed.
The list of defensive strategies mentioned in Table 4 ranges from analytics/ML anomaly detection tools to game-theoretic approaches, control-theoretic resilience designs, and so on. However, each attack type’s proposed defenses have a set of limitations associated with them. For FDI-based attacks, a few key limitations include (i) a vulnerability to model inaccuracy; (ii) computational complexity and data dependence; (iii) limitations in detecting sophisticated FDI attacks; (iv) a limited scope and practicality for AC systems; and (v) a lack of discrimination between attacks and anomalies. As mentioned, model-based defensive strategies, including designs involving a Kalman filter or a state observer, are extremely sensitive to mathematical models of the power system they are operating in due to uncertainties, nonlinearities, or disturbances. Data-intensive and machine learning-based approaches are computationally intensive and hence pose significant limitations for real-time detection, especially when applied to large-scale systems. Another major limitation across proposed FDI strategies is the fact that traditional approaches to Bad Data Detection, including chi-square tests or LNR tests, are incapable of detecting sophisticated FDIs that aim to remain undetected by creating zero-measurement residuals [43,50,68].
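The residual argument above, and the "sensing and placement" category from Section 4.3, can be made concrete with a small worked example. The following is an added illustration and is not code from any of the reviewed papers: it builds a constructed 3-bus DC state-estimation model (bus 1 as angle reference, all line susceptances 10 p.u., unweighted least squares, noise-free measurements and a constructed residual threshold standing in for a chi-square test), shows that a gross single-meter error raises the residual while an injection of the form a = Hc leaves it unchanged and shifts the estimate, and then applies a placement check: if the measurements an attacker cannot alter (modeled here as "protected" rows, e.g. authenticated PMU channels) have full column rank in H, no residual-preserving non-zero injection exists. Names such as `bdd_flags`, `stealthy_injection_possible` and `demo` are this example's own.

```python
"""Added worked example (not from the reviewed papers): residual-based Bad Data
Detection (BDD) on a constructed 3-bus DC model, plus a measurement-placement
check for whether a residual-preserving injection is possible at all.
Bus 1 is the angle reference (theta1 = 0), every line susceptance is 10 p.u.,
so the state is x = [theta2, theta3] and measurements are linear: z = H x."""

# Measurement model (constructed): P12, P13, P23 line flows and the bus-2 injection.
H = [
    [-10.0,   0.0],   # P12 = b * (theta1 - theta2)
    [  0.0, -10.0],   # P13 = b * (theta1 - theta3)
    [ 10.0, -10.0],   # P23 = b * (theta2 - theta3)
    [ 20.0, -10.0],   # P2  = P21 + P23 (injection at bus 2)
]

# Constructed: measurements are noise-free, so any non-zero residual is bad data.
# A real BDD would use a chi-square threshold with m - n degrees of freedom.
CHI2_THRESHOLD = 1e-6

def transpose(A):
    return [list(col) for col in zip(*A)]

def matvec(A, v):
    return [sum(a * b for a, b in zip(row, v)) for row in A]

def matmul(A, B):
    Bt = transpose(B)
    return [[sum(a * b for a, b in zip(row, col)) for col in Bt] for row in A]

def solve2(A, b):
    """Cramer's rule for the 2x2 gain matrix; enough for this two-state toy."""
    det = A[0][0] * A[1][1] - A[0][1] * A[1][0]
    assert abs(det) > 1e-12, "gain matrix singular: system not observable"
    return [(b[0] * A[1][1] - A[0][1] * b[1]) / det,
            (A[0][0] * b[1] - b[0] * A[1][0]) / det]

def wls_estimate(z):
    """Unweighted least-squares state estimate x_hat = (H^T H)^-1 H^T z."""
    Ht = transpose(H)
    return solve2(matmul(Ht, H), matvec(Ht, z))

def residual_norm(z):
    """J(x_hat) = ||z - H x_hat||^2, the statistic a chi-square BDD test thresholds."""
    r = [zi - hi for zi, hi in zip(z, matvec(H, wls_estimate(z)))]
    return sum(ri * ri for ri in r)

def bdd_flags(z):
    """True when the residual test would raise a bad-data alarm."""
    return residual_norm(z) > CHI2_THRESHOLD

def rank(A, tol=1e-9):
    """Pivot count after row reduction (fine for small dense matrices)."""
    M = [row[:] for row in A]
    rows, cols, r = len(M), len(A[0]), 0
    for c in range(cols):
        piv = next((i for i in range(r, rows) if abs(M[i][c]) > tol), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        for i in range(rows):
            if i != r and abs(M[i][c]) > tol:
                f = M[i][c] / M[r][c]
                M[i] = [a - f * b for a, b in zip(M[i], M[r])]
        r += 1
    return r

def stealthy_injection_possible(protected_rows):
    """Placement check. A residual-preserving injection has the form a = H c and
    must be zero on every protected (e.g. authenticated PMU) channel, i.e.
    H[protected] c = 0.  If H[protected] has full column rank the only solution
    is c = 0, so no undetectable non-zero injection exists."""
    if not protected_rows:
        return True
    return rank([H[i] for i in protected_rows]) < len(H[0])

def demo():
    """Compare how BDD reacts to crude bad data versus structured injection."""
    x_true = [-0.02, -0.03]                       # constructed bus angles (rad)
    z = matvec(H, x_true)
    crude = z[:]
    crude[0] += 1.0                               # gross error on one meter
    c = [0.05, 0.0]                               # structured shift of theta2
    structured = [zi + ai for zi, ai in zip(z, matvec(H, c))]
    return {
        "clean_flagged": bdd_flags(z),
        "crude_flagged": bdd_flags(crude),
        "structured_flagged": bdd_flags(structured),
        "structured_state_shift": [round(a - b, 6)
                                   for a, b in zip(wls_estimate(structured), x_true)],
        "stealth_with_P12_protected": stealthy_injection_possible([0]),
        "stealth_with_P12_P13_protected": stealthy_injection_possible([0, 1]),
    }
```

Running `demo()` shows the asymmetry the text describes: the gross error is flagged, the structured injection is not, yet the estimated angle of bus 2 moves by the full injected amount. Protecting P12 alone is insufficient (a shift of theta3 is still invisible), while protecting P12 and P13 makes the protected rows full rank and removes the blind spot; this is the reasoning behind the placement-based defenses, and it also explains why the residual test alone cannot separate a structured attack from a benign state change.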
The lack of discrimination between malicious FDI attacks and other anomalies related to operational malfunctions or disturbances also causes a high number of FDI false positives. Finally, FDI defense strategies are typically validated either on reduced DC systems rather than AC systems or on even smaller test systems, thus restricting their actual applicability to large, unbalanced distribution systems. Moreover, hardware approaches, including Phasor Measurement Units (PMUs), either incur high capital expenditure or face new vulnerabilities, such as GPS spoofing, among others. Some recurring limitations of defense strategies for DoS attacks in SGs include (i) a dependence on incorrect or incomplete models; (ii) highly restrictive or specialized defense strategies; (iii) performance trade-offs and operational costs; and (iv) a lack of focus on response and recovery. In general, many defensive strategies are inherently vulnerable due to their assumptions. Model-based defenses require accurate parameters and may lack strong generalization capabilities when the system conditions are varied. Additionally, model-based defenses may have delayed detection capabilities when facing stealthy attacks. Data-driven methods are correlation-based, relying on data patterns that are present before the attack, which are rendered meaningless by a long attack duration or an occluded physical event during the attack attempt [8,9,10,13,15,32,43,44,46,47,48,49,50,51,56,57,63,64,65,66,67,68,69,70,71,72].
Another major repeating limitation in DoS studies is that strategies are often developed for far too simple or specialized attack vectors. The defenses are often founded on constrained models of DoS, often employing average dwell time metrics, and are incapable of resisting general or prolonged attacks. Several approaches consider either a single type of attack, such as FDI or DoS, or a single layer, like communication links alone, making them prone to coordinated attacks targeting the sensing, communication, and actuation channels together. Some strategies are purely reactive, involving detection and compensation, as opposed to being prevention strategies, so initial system degradation is allowed before mitigation strategies are activated. A lack of focus on response and recovery is also observed: the primary emphasis lies on protection and detection mechanisms, with few response and recovery approaches.
The limitations of defense strategies against Malware and MCI attacks include (i) an over-reliance on simplistic threat models; (ii) inadequate detection algorithms or performance; and (iii) a lack of appropriate system-level or strategy-based thinking [8,38,39,40,41,42,52,58]. A recurring limitation is the use of threat models that do not fully reflect real-world complexity. Several studies model malware as launching attacks immediately, rather than using a stealthy “incubation period” designed to maximize network propagation before destructive actions are taken, whereas other studies focus solely on communication networks, largely ignoring the physical spread of malware that occurs as infected data move between locations. The detection approaches themselves face substantial hurdles. First, supervised classifiers require labeled malicious samples, making them impractical for identifying new or zero-day attacks. Second, anomaly detection approaches trained solely on benign examples tend to use shallow network designs that are inadequate for modeling complex temporal patterns, whether already present or newly emerging in the data streams. Finally, traditional scanning approaches are resource-intensive and show slower training convergence and lower detection efficacy than newer approaches such as RQNNs. Another limitation is that the consequences of a successful attack may keep growing after detection, since recovery may require extended manual procedures and the extent of worm spread is uncertain; this indicates a gap between resilience and response strategies [8,38,39,40,41,42,52,58].
The main drawbacks identified in the proposed MITM defense strategies are (i) inherent vulnerabilities in communication protocols and standards; (ii) ineffective monitoring and difficulty detecting data manipulation; and (iii) incomplete validation of the defense strategies [12,35,36,37]. Several commonly deployed protocols were developed without security features such as encryption and other vital functions. The examples cited as vulnerable to interception and tampering are MMS, GOOSE, and SV, as well as the MODBUS communication standard. Another major limitation of MITM defense approaches is their inability to trace an attack, even while it is actively taking place and causing physical damage. An attacker can intercept and modify packets to isolate a physical asset, such as an Electric Vehicle charging station, while simultaneously sending spoofed data to the monitoring units, making the attack invisible to system operators. Even when encryption is used, defenses may be insufficient if an attacker can analyze intercepted traffic in order to alter and inject valid-looking malicious messages. This is particularly relevant against Advanced Persistent Threats (APTs) that can manipulate control signals directly within the operations network. Although security standards such as IEC 62351 have been developed to address these vulnerabilities, their adoption is hindered by their negative impacts, including performance overhead, memory requirements, and limited applicability to legacy devices [12,35,36,37,46,64,70,74].
The limitations of defense strategies for replay attacks include (i) a lack of generalizability and of response to novel threats; (ii) difficulties in implementation under resource-limited scenarios; and (iii) a lack of specificity and localization capabilities [12,16,32,33,34,64,75]. Some strategies are designed to identify anomalies rather than attacks, as seen in monitoring systems that can detect anomalies such as delay but neither detect nor mitigate the attack itself. Defense schemes can also incur substantial computational or energy costs, making them unsuitable for the IoT devices deployed in SGs, and centralized schemes face scalability concerns that could hinder their performance in a large-scale microgrid network. A further recurring drawback is a lack of detection detail or specificity: information-based approaches have difficulty discriminating between a cyberattack and a physical malfunction, since the two often produce very similar waveforms. Even once an attack has been recognized, a system that collects only aggregated information from a given point may be unable to isolate the particular device that has been maliciously exploited [32,33,34,64,75].
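To make limitation (iii) concrete, the following added example (not code from any of the reviewed studies) contrasts a freshness-only monitor, which treats every late message as an anomaly, with a per-device sequence check that identifies a resent report and attributes it to the device whose traffic was replayed. The meter names, timestamps, readings and the shared demo key are constructed, and HMAC-SHA256 stands in for whatever message authentication the deployed protocol provides.

```python
import hashlib
import hmac
import json

# Constructed demo key. A real deployment provisions a distinct key per device at
# commissioning; the single shared key here only keeps the example self-contained.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def canonical(fields):
    """Deterministic byte encoding of the authenticated fields."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_report(device, seq, ts, value, key=DEMO_KEY):
    """A metering report: device id, monotonic sequence number, sender timestamp,
    reading, and an HMAC-SHA256 tag binding all four together."""
    fields = {"device": device, "seq": seq, "ts": ts, "value": value}
    tag = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "tag": tag}


def tag_ok(report, key=DEMO_KEY):
    """Constant-time verification of the report's tag."""
    fields = {k: v for k, v in report.items() if k != "tag"}
    expected = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, report["tag"])


def freshness_only_check(report, now, window):
    """The delay-monitor style of check: accept any authentic report whose sender
    timestamp lies within `window` seconds of the receiver clock `now`."""
    if not tag_ok(report):
        return False, "bad tag"
    if abs(now - report["ts"]) > window:
        return False, "stale timestamp"
    return True, "ok"


class PerDeviceReplayDetector:
    """Keeps the highest accepted sequence number per device, so a resent copy of an
    already-accepted report is rejected and attributed to that device, while a late
    but previously unseen report is reported as a delay rather than as a replay."""

    def __init__(self, window):
        self.window = window
        self.last_seq = {}

    def check(self, report, now):
        if not tag_ok(report):
            return False, "bad tag"
        dev, seq = report["device"], report["seq"]
        if seq <= self.last_seq.get(dev, 0):
            return False, f"replay: {dev} seq {seq} already accepted"
        late = abs(now - report["ts"])
        if late > self.window:
            return False, f"delayed: {dev} seq {seq} is new but {late:.1f} s late"
        self.last_seq[dev] = seq
        return True, "ok"


def run_stream(window=2.0):
    """Constructed traffic: two meters reporting normally, one promptly resent copy of
    an old meter-A report, and one genuinely delayed (but new) report. Returns the
    decision of both checks for each message, in arrival order."""
    a2 = sign_report("meter-A", 2, 100.5, 1.21)
    traffic = [  # (receiver clock at arrival, report)
        (100.0, sign_report("meter-A", 1, 100.0, 1.20)),
        (100.2, sign_report("meter-B", 1, 100.2, 0.80)),
        (100.5, a2),
        (100.7, sign_report("meter-B", 2, 100.7, 0.82)),
        (101.0, sign_report("meter-A", 3, 101.0, 1.19)),
        (101.5, dict(a2)),                                # resent copy, still within window
        (104.0, sign_report("meter-A", 4, 101.4, 1.18)),  # held up 2.6 s in transit
    ]
    detector = PerDeviceReplayDetector(window)
    decisions = []
    for now, report in traffic:
        decisions.append({
            "device": report["device"], "seq": report["seq"],
            "freshness_only": freshness_only_check(report, now, window),
            "per_device": detector.check(report, now),
        })
    return decisions


if __name__ == "__main__":
    for d in run_stream():
        print(d["device"], d["seq"], "freshness-only:", d["freshness_only"],
              "| per-device:", d["per_device"])
```

The timestamp window alone accepts the resent meter-A report (it is still fresh) and rejects the genuinely delayed one, which is exactly the "detects delay, not the attack" behaviour described above; the per-device sequence state is what separates the two cases and names the affected meter. The cost is state per device, which is the scalability concern raised for centralized schemes.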
Finally, insider threats have unique limitations compared with the other attack types, the key challenges being (i) the ineffectiveness of traditional security models and (ii) practical and system-specific implementation hurdles [14,48,59,60,61,62]. Conventional security approaches can be inadequate against insider threats: signature-based detection cannot detect unknown attack patterns, and anomaly-based schemes carry a high computational cost in addition to a possibly high false-alarm rate. Firewalls and traditional authentication procedures are inadequate against trusted insiders acting either irrationally or negligently. A drawback unique to the insider threat is information leakage, whereby an insider shares the defensive strategy with an attacking actor; this undermines the security posture, since the attacker can then maximize damage, and a defensive strategy that does not account for this possibility will be limited. Finally, there are physical feasibility barriers to implementation in critical infrastructure. Power grids consist of legacy components that are hard to patch, and a proposed solution may be either computationally intensive or involve an unreasonable trade-off between availability and guaranteed security.
Taken together, most studies share three broad limitations: (i) a heavy tilt toward detection over mitigation; (ii) static, single-layer defense models that overlook the dynamic, multi-step nature of cyberattacks; and (iii) persistent difficulty distinguishing attacks from normal faults [11,73,76,77,78,79].
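The following added example (not code from any of the reviewed studies) illustrates limitations (i) and (iii) above, and the model dependence noted for FDI defenses in particular, on a constructed 3-bus DC state estimator with the classic chi-squared residual test. A crude single-meter injection is flagged, but so are entirely legitimate measurements taken after an unmodeled line outage, so the detector cannot tell an attack from an operational event. The network parameters, loads and meter noise are all constructed values.

```python
"""DC state estimation with a chi-squared bad-data detector on a constructed 3-bus
network (added example). A crude injection is flagged, but so are legitimate
measurements taken after an unmodeled topology change: a false positive."""

# 95th-percentile chi-squared critical values by degrees of freedom (standard table).
CHI2_95 = {1: 3.841, 2: 5.991, 3: 7.815, 4: 9.488, 5: 11.070}


def dc_measurement_matrix(n_bus, lines, meas):
    """Build the DC power-flow measurement matrix H (rows = meters, cols = angles).
    Bus 0 is the angle reference, so the states are theta_1 .. theta_{n_bus-1}.
    lines: (i, j, x) with per-unit reactance x. meas: ("flow", i, j) for the flow
    metered from i to j, or ("inj", i) for the net injection metered at bus i."""
    def col(bus):
        return None if bus == 0 else bus - 1

    H = []
    for m in meas:
        row = [0.0] * (n_bus - 1)
        if m[0] == "flow":
            _, i, j = m
            terms = [(i, j, x) for (a, b, x) in lines if {a, b} == {i, j}]
        else:
            _, i = m
            terms = [(i, b if a == i else a, x) for (a, b, x) in lines if i in (a, b)]
        for i, j, x in terms:  # P_ij = (theta_i - theta_j) / x_ij
            if col(i) is not None:
                row[col(i)] += 1.0 / x
            if col(j) is not None:
                row[col(j)] -= 1.0 / x
        H.append(row)
    return H


def solve(A, b):
    """Gauss-Jordan elimination with partial pivoting (small dense systems only)."""
    n = len(A)
    M = [list(A[r]) + [b[r]] for r in range(n)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[p] = M[p], M[c]
        for r in range(n):
            if r != c:
                f = M[r][c] / M[c][c]
                M[r] = [mr - f * mc for mr, mc in zip(M[r], M[c])]
    return [M[r][n] / M[r][r] for r in range(n)]


def wls_estimate(H, z, sigma):
    """Weighted least squares: x = (H^T W H)^-1 H^T W z with W = diag(1/sigma^2)."""
    m, n = len(H), len(H[0])
    w = [1.0 / s ** 2 for s in sigma]
    A = [[sum(w[k] * H[k][i] * H[k][j] for k in range(m)) for j in range(n)] for i in range(n)]
    b = [sum(w[k] * H[k][i] * z[k] for k in range(m)) for i in range(n)]
    return solve(A, b)


def bad_data_test(H, z, sigma):
    """Residual test: J = sum(((z - Hx) / sigma)^2) against the chi-squared critical
    value at m - n degrees of freedom. Returns (J, threshold, flagged)."""
    x = wls_estimate(H, z, sigma)
    J = sum(((z[k] - sum(H[k][i] * x[i] for i in range(len(x)))) / sigma[k]) ** 2
            for k in range(len(z)))
    thr = CHI2_95[len(z) - len(x)]
    return J, thr, J > thr


def simulate_measurements(n_bus, lines_actual, meas, injections, noise):
    """Constructed field data: solve the DC power flow of the *actual* network for the
    given bus injections, read the metered quantities and add the constructed noise."""
    B = dc_measurement_matrix(n_bus, lines_actual, [("inj", b) for b in range(1, n_bus)])
    theta = solve(B, injections)
    H_act = dc_measurement_matrix(n_bus, lines_actual, meas)
    return [sum(H_act[k][i] * theta[i] for i in range(n_bus - 1)) + noise[k]
            for k in range(len(meas))]


def run_scenarios():
    """Three snapshots of the same constructed 3-bus system, each checked against the
    operator's (possibly stale) model. Returns {scenario: (J, threshold, flagged)}."""
    n_bus = 3
    model = [(0, 1, 0.10), (0, 2, 0.20), (1, 2, 0.25)]     # what the estimator believes
    meas = [("flow", 0, 1), ("flow", 0, 2), ("flow", 1, 2), ("inj", 1), ("inj", 2)]
    sigma = [0.01] * len(meas)                              # meter accuracy, p.u.
    noise = [0.004, -0.006, 0.003, -0.005, 0.007]           # constructed, about 1 sigma
    injections = [-0.38, -0.52]                             # loads at buses 1 and 2, p.u.
    H = dc_measurement_matrix(n_bus, model, meas)

    normal = simulate_measurements(n_bus, model, meas, injections, noise)
    crude_fdi = list(normal)
    crude_fdi[0] += 0.10                                    # one meter raised by 10 sigma
    # Benign event: one circuit of the double-circuit line 0-1 is switched out, which
    # doubles its reactance, but the estimator's model has not been updated.
    outage = [(0, 1, 0.20), (0, 2, 0.20), (1, 2, 0.25)]
    benign = simulate_measurements(n_bus, outage, meas, injections, noise)

    return {name: bad_data_test(H, z, sigma) for name, z in
            [("normal", normal), ("crude_fdi", crude_fdi), ("benign_model_mismatch", benign)]}


if __name__ == "__main__":
    for name, (J, thr, flagged) in run_scenarios().items():
        print(f"{name:22s} J={J:8.2f}  threshold={thr}  flagged={flagged}")
```

Running the block prints J for each snapshot: only the normal one passes, and the benign outage produces a residual larger than the crude injection, which is the false-positive problem described above. Detection is also as far as this scheme goes; it raises a flag but neither localizes the bad meter nor restores a trustworthy state, the detection-over-mitigation tilt noted in (i).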
4.4. Tools and Platforms in Simulation-Based Studies
Among simulation-focused studies, MATLAB/Simulink was identified as the dominant platform (~45%) [80], followed by the real-time/HIL platform OPAL-RT (~16%) [81] and the power system steady-state tool OpenDSS (~16%) [82]. This indicates a strong preference for general-purpose modeling platforms, with comparatively fewer papers using packet-level network simulators such as ns-3 [83] (~5%), EMT/transient programs such as PSCAD/EMTDC [84] and EMTP [85] (~8%), co-simulation frameworks such as Mosaik (~3%), and formal verification tools such as ProVerif (~3%). Figure 6 below shows the complete distribution of tools and platforms [86,87,88,89].
Figure 6.
Distribution of tools/platforms in simulation/experimental studies.
4.5. Domain-Wise Distribution of Attack Types
Figure 7 shows the distribution of attack types by domain (total instances, n = 153). Across all attack instances (n = 153), FDI (n = 55) is concentrated in Generation (≈35%) and Operations (≈27%), with Distribution (≈22%) next. DoS (n = 30) is dominated by Operations (≈43%), followed by Generation (≈23%) and Transmission (≈13%). Malware/MCI (n = 23) is split primarily between Customers (≈35%) and Operations (≈35%), with Generation contributing ≈17% and the remaining domains contributing marginal shares. MITM (n = 14) is dominated by Operations (≈57%), then Generation (≈29%). Replay (n = 12) is shared by Generation (≈33%) and Operations (≈33%), with smaller Customer/Service Provider contributions. Insider (n = 10) appears mainly in Operations (≈40%) and Transmission (≈30%). General cybersecurity topics (n = 9) are dispersed, with Distribution and Service Providers each ≈33%. This attack-first view shows that FDI and DoS dominate coverage across the top three domains, whereas replay and insider threats are covered far less. The implications of these patterns are further discussed in Section 4.6.
Figure 7.
Domain composition within each attack type (clustered columns; values = % of attack totals). Cluster tops indicate total instances per attack type (n). Note: totals reflect multi-labeling; a study may map to multiple domains.
4.6. Discussions
Taken together, the results from Section 4.1, Section 4.2, Section 4.3, Section 4.4 and Section 4.5 motivate the following key discussion points:
Temporal Trends Across SG Domains (2011–2024): Over the past decade, research activity in SG cybersecurity shows a distinct temporal pattern. The domain-mapped evidence indicates only sporadic output in the early 2010s, followed by a sharp increase after 2018 that reached a peak around 2020–2021. This surge coincided with a heightened awareness of grid cyber vulnerabilities and possibly a response to prominent incidents mentioned in Section 2.2, and a regulatory focus during that period. The peak year 2021 saw significantly more publications than any prior year, with particularly strong contributions in the Operations and Generation domains, each comprising a large share of studies in that year (~30% and ~28%, respectively), while Distribution and Customer domain studies also rose above earlier baselines. By contrast, Transmission-focused studies remained consistently sparse year-to-year, and no studies in our corpus explicitly addressed the Markets domain. A slight decline in annual counts after 2021 is observable, but later years (e.g., 2024) still show a higher activity than the pre-2018 period. Overall, these temporal trends reflect that SG cybersecurity became a research priority in the late 2010s, concentrating on operationally critical domains, whereas certain areas (like Customers, Transmission, and Markets) have not experienced a similar increase in attention despite their growing importance.
Methodology Mix and Validation Approaches: The reviewed literature reveals a clear preference for simulation-based studies (~43% overall) as the primary research method. Most works rely on software simulations (e.g., MATLAB/Simulink or power system co-simulators) to model cyberattacks and defenses. Two key reasons likely explain their dominance: (i) they make it practical and safe to test scenarios without risking real infrastructure; (ii) simulations offer speed, reproducibility, and the ability to generate extensive labeled data. Experimental testbed studies constitute the next largest share, demonstrating a meaningful effort to validate findings on actual hardware or hardware-in-the-loop (HIL) platforms despite the higher cost and complexity.
Purely theoretical studies form the smallest portion, often proposing frameworks or algorithms without direct implementation. Notably, methodological preferences vary by domain: Distribution-focused research is heavily focused on simulations (owing to well-developed grid models and test feeders), whereas Customer domain studies more often use physical or emulated testbed setups that benefit from accessible devices like smart meters and home energy systems. Operations and Generation domains show a balance, mixing simulations with substantial testbed and some analytical work, while Transmission studies, though few, are roughly split among the methods.
The heavy reliance on simulations reflects the difficulty of obtaining access to real grids and carries the risk of limited realism, but it also points to a gap between proposed solutions and field validation. Encouragingly, recent research efforts are addressing this through several strategies, including (i) hardware-in-the-loop (HIL) testbeds that combine real controllers or DER hardware with real-time simulators to capture physical dynamics while keeping the systems secure [70]; (ii) open source co-simulation frameworks that couple power system, communication, and control simulators and then migrate the same models to HIL for final verification [57,76]; (iii) hybrid data collection and evaluation approaches that combine simulated data with limited field measurements (e.g., from PMU data streams) to improve realism [48]; and (iv) policy and standards support, through which utilities and standards bodies (e.g., IEC 62351, Modbus security extensions) are encouraged to provide testbed specifications for the physical validation of regulatory requirements [30].
Prevalent Cyberattack Types and Domain Focus: FDI attacks emerge as the most-studied attack type in our review, accounting for roughly one-third of all attack instances (~36%). This domination is likely due to FDI’s severe implications for SG state estimation and control (integrity attacks on sensor/measurement data that can directly threaten stability), making it a focus for researchers seeking to safeguard core operations. DoS attacks form the second most common category, reflecting widespread concern for communication disruptions and availability threats in an increasingly networked grid. Malware and Malicious Code Injection (MCI) ranks third, likely influenced by high-profile malware incidents in Industrial Control Systems presented in Section 2.2 (e.g., grid-targeting malware).
In contrast, the other attack types (replay attacks, MITM, and insider threats) are comparatively underrepresented in the literature. One reason could be that these attacks involve more complex or scenario-specific conditions (e.g., insider attacks require modeling human factors or privileged access abuse) and have seen fewer documented grid incidents, which could explain the lower research attention. The dominance of FDI and DoS in publications suggests that the community has prioritized attacks with immediate, measurable impacts on grid operations, possibly because they are more straightforward to simulate or detect using available tools and platforms. However, this focus may create a blind spot, and the imbalance suggests a need for broader coverage of diverse attack strategies across all domains so that defenses are not concentrated only on the most obvious threats.
Domain-Specific Research Gaps: The domain-wise analysis reveals that certain domains of the SG have received little attention, notably the Transmission and Markets domains. Transmission-focused cybersecurity research is disproportionately low relative to the critical role of the Transmission system. As presented in Section 4.1, several factors may contribute to this gap: strict regulatory and confidentiality constraints (e.g., NERC CIP requirements); the high cost of experimental infrastructure for high-voltage systems; and the isolated nature of Transmission networks, with fewer access points. This, in turn, can reduce the attack surface compared to the highly distributed endpoints in Operations, Distribution, or Customer systems.
Furthermore, many high-profile cyber incidents and funding initiatives have centered on Distribution operations or Generation systems (which directly impact end-users), leaving Transmission issues less visible and less prioritized by researchers. The Markets domain is essentially absent from our review; no studies were explicitly mapped to it. However, this should not be interpreted as evidence that electricity markets are free of cyber threats or lack dedicated research efforts. Rather, within our reviewed corpus of 60 IEEE Xplore studies and our NIST-based classification, market-related cybersecurity work may have been classified under Operations or Service Provider, or may be predominantly studied in energy economics, finance, or policy venues that use non-NIST terminology. In this sense, the n = 0 finding may indicate a disparity between market-focused cybersecurity research and NIST domain-oriented SG studies, and suggests that future work may benefit from more explicitly integrating and mapping market security contributions into the NIST framework.
Similarly, the Service Provider domain and even the Customer domain are underrepresented relative to their importance, especially when compared to the heavily studied Operations and Generation domains. A few reasons for this underrepresentation could be (i) the high cost and complexity associated with studying the vast number of diverse, third-party devices in these domains [90,91]; (ii) the significant data privacy and access challenges related to consumer energy data [7,25]; and (iii) the lack of direct utility oversight and security expertise among consumers and third-party service providers, which may complicate research and standardization. These disparities create potential blind spots in the overall security of SGs, and attackers could exploit weaknesses in a neglected domain (for instance, targeting wholesale market systems or transmission control infrastructure) if those areas remain understudied and underprotected. More generally, some underrepresentation may also reflect limitations in our search scope and classification choices, and should therefore be interpreted as a gap in this mapping rather than as proof of reduced cyber risk. Nonetheless, the apparent gaps emphasize the need for broader research coverage and defensive efforts, and future studies should extend beyond the currently favored domains to encompass the Customer-facing, Service Provider, Transmission, and Market segments that remain underexamined yet potentially highly vulnerable in practice.
Coordinated Defense: Limitations and Practical Challenges: A second major implication of our findings is the need for coordinated, cross-domain defense, which remains difficult to operationalize in real-world settings. Power system safety and reliability constraints mean that many conventional IT incident response tactics are infeasible; immediately isolating or shutting down a power system component can be impractical except as a last resort. This challenge is compounded by stakeholder fragmentation: utilities, independent power producers, equipment vendors, DER operators, and service providers each govern different parts of the grid without a unified security authority, hindering swift and coordinated responses to attacks that may span multiple domains.
Moreover, there is no universal solution; pursuing maximum security in one domain can impose costs or performance limitations in another, so operators must balance trade-offs and often accept some residual risk. The lack of common testbeds and benchmark datasets further impedes the evaluation and comparison of defense strategies, and rapidly evolving grid architectures (e.g., high DER penetration and decentralized control schemes) can potentially outpace existing security guidelines, reducing the applicability of past best practices. The authors in [7,53] present related cybersecurity-oriented testbeds for IoT-based SGs; however, a more robust and updated set of testbeds, their applicability to a NIST cybersecurity function and NIST SG domain, testing platforms, and cyberattack testing capabilities would significantly advance the field of domain-level SG cybersecurity research and provide a repeatable, system-of-systems mapping.
To address these multifaceted issues, a layered and risk-based defense aligned with operational constraints is recommended [55,92]. Defense-in-depth measures (robust network segmentation, strong authentication and authorization, encryption of critical communications, and ML-assisted intrusion detection/prevention systems) should be engineered so as not to hinder normal grid functions or violate real-time performance requirements [25,93,94]. Finally, investments in SG cybersecurity research should be justified through cost/benefit analysis tied to reliability and safety metrics, to ensure that security enhancements support the grid’s core operational objectives. Taken together, some level of remaining cyber risk is inevitable. Effective SG cybersecurity is increasingly becoming as much a governance and coordination challenge as it is a technical one, and any comprehensive defense strategy must be tailored to each domain’s unique operational constraints while encouraging collaboration across the entire SG ecosystem.
5. Limitations, Future Work, and Implications
5.1. Limitations
The following limitations were identified for this study:
- Limited data sources: It relied on a single database (IEEE Xplore), which may omit relevant studies from other databases.
- Language bias: Only English-language publications were considered.
- Small corpus size: The review covered a set of 60 studies, which may not capture the full breadth of the domains.
- Sampling bias: The recency-weighted, gap-driven sampling strategy (favoring recent, highly cited works) could have introduced temporal and venue biases.
- Scope of review: Finally, this study presents a systematic scoping review and mapping of the literature rather than a quantitative meta-analysis. The aim was to address the broad question, “What types of cyberattacks and defensive methods, including platforms and tools, have been studied across NIST-defined SG domains?” To that end, the landscape of SG cybersecurity is mapped through a descriptive analysis of patterns and trends. We explicitly note that no meta-analysis is performed and that statistical pooling or meta-analytic models are not applied. We did not register a review protocol, apply a formal risk-of-bias tool, or pool effect sizes across studies, primarily because of the heterogeneity in designs, outcomes, and metrics when attempting to map SG cybersecurity at the system level. As a result, our findings should be interpreted as a structured map of where evidence exists (by NIST domain, attack type, and methodology), not as comparative effectiveness estimates of specific defenses. Future work that targets a narrower subset of domains or attack types could support a full meta-analytic synthesis.
5.2. Future Work Directions
To address the above-mentioned limitations of our work and advance the field of NIST domain-level SG cybersecurity research, future work could explore various directions:
- i. Increased coverage: Expanding the search to additional databases (e.g., Web of Science, Scopus, ACM Digital Library) and including gray literature to reduce source bias; employing a more robust domain gap-driven search strategy (i.e., dynamically detecting underrepresented SG domains during the review process and adjusting search queries accordingly) to mitigate bias in coverage.
- ii. Socio-technical approaches for DER integration: Adopting system-of-systems thinking for challenges like high DER penetration can help in anticipating and shaping emergent behaviors in the grid, rather than merely reacting to incidents. For example, treating the SG as a system of systems can enable the use of model-based systems engineering (MBSE) and safety/security analyses (hazard analysis, interface and dependency mapping, etc.) to capture socio-technical interactions across devices, aggregators, utilities, and markets.
- iii. Comprehensive domain component-level mapping: Perform a more domain-specific cybersecurity analysis across the SG, i.e., categorizing attacks by specific SG technologies and components (e.g., AMI, PMUs, SCADA, Distributed Energy Resource Management Systems (DERMSs), inverters, Electric Vehicle supply equipment (EVSE), microgrid controllers, etc.). The authors in [7] similarly compile cyberattack types, targets, techniques, datasets/simulation tools, and primary NIST functions addressed. However, a NIST domain-level analysis is not performed; hence, future work could address both aspects, the NIST-defined five core concurrent cybersecurity functions (Identify, Protect, Detect, Respond, and Recover) as well as the NIST domain classification, to provide a more comprehensive domain component-specific mapping.
- iv. AI/ML methods: Analyze the impacts of increasingly adopted AI/ML methods on SG security (e.g., intrusion detection, anomaly analysis, and adaptive defense). This would allow us to evaluate their effectiveness and potential risks, informing future researchers and keeping the review in context with the latest trends.
- v. Datasets and testbeds: An updated review of the latest standardized datasets, testbeds, and benchmarks in this field can also aid research, policy-makers, and standardization efforts. The authors in [7,53] present related cybersecurity-oriented testbeds for IoT-based SGs; however, a more robust and updated set of testbeds, their applicability to a NIST cybersecurity function and NIST SG domain, testing platforms, and cyberattack testing capabilities would significantly support domain-level studies and enable repeatable system-of-systems experiments.
- vi. Practitioner-oriented reference (attack-countermeasure matrix): Develop a domain-attack–countermeasure matrix tailored for SG operators and other non-technical stakeholders. This matrix could map each SG domain to likely cyberattack types and the tested countermeasures. This could translate the complex nature of technical studies into an accessible format, helping utility personnel quickly identify vulnerabilities and appropriate defenses in their respective domains.
- vii. Structured gap analysis: Finally, future studies could map the field’s key limitations and contributions onto defined categories to better identify research gaps. For example, studies could be categorized based on primary limitations (e.g., data availability, model scalability, lack of real-world validation, etc.), as well as classified for unique contributions in an area (e.g., novel detection algorithms, improved system architectures, new datasets, etc.). Such a meta-analysis would highlight common challenges and under-addressed topics, guiding researchers toward the most pressing concerns.
5.3. Implications for Standards and Policy
Domain-level insights from this review, in addition to the future work directions detailed above, can inform strategic updates to both the NERC Critical Infrastructure Protection (CIP) standards and the NIST Cybersecurity Framework (CSF). A starting point for practical implementation for utilities could be to map their own system assets and functions to the NIST domains in Figure 2, Figure 3 and Figure 7, and then identify which parts of their operations fall into the “under-studied” categories highlighted here (e.g., Transmission, Customers, Service Providers). For each such domain, Table 2, Table 3 and Table 4 and the attack–defense synthesis can be used as a checklist to:
- i. Confirm which attack types have been empirically explored in the literature, and consequently conduct immediate domain-risk assessments for the underrepresented domains, recognizing that research gaps do not necessarily indicate a lower risk.
- ii. Identify where evidence is predominantly simulation-based, which would allow, in turn, the identification of areas that can adopt emerging alternatives, as presented in Section 4.6.
- iii. Highlight specific domains or attack–method combinations with little or no coverage, e.g., the Transmission domain (where domain-specific threat intelligence planning is increasingly being developed) and the Customer domain (where FDI and DoS attacks remain under-studied despite high operational exposure).
These recommendations align with and can help target ongoing initiatives such as NIST’s Smart Grid and ICS cybersecurity testbeds, NERC’s Cyber Security for Distributed Energy Resources white paper, and EPRI’s DER/VPP cybersecurity assessments under FERC Order 2222, as well as foundational guidance like NIST SP 800-150 on cyber threat information sharing [95,96,97]. Our domain-level gap analysis can therefore be used to prioritize which domains, attack classes, and coordination mechanisms these existing frameworks and testbeds should emphasize next, while future work can build on this mapping to design focused, domain-specific validation campaigns and standards updates.
6. Conclusions
In this review, a systematic categorization of studies on SG cybersecurity using a framework based on methodology type, domain of impact, attack category, and tool usage was conducted. By applying the NIST seven-domain model, a domain-centric trend analysis that highlights research concentrations, tool preferences, and methodological gaps across the literature is presented. MATLAB and Simulink were found to be the dominant tools of choice for simulation-based studies, with ns-3 and OPAL-RT as other leading choices. Limited SG cybersecurity research in the Service Providers and Transmission domains was observed as a consistent trend over the years. The Markets domain, which had no classifications, was interpreted as an evidence gap in our sample rather than a definitive gap in the literature; other possible reasons were explicitly noted. FDI, Malware and MCI, and DoS are the leading categories of cyberattacks studied, with Malware and MCI research observed almost exclusively within the Operations and Customers domains. However, Customer domain-focused FDI and DoS studies were relatively underrepresented, despite such systems being highly vulnerable in real-world deployments. This is a possible weak point in research efforts toward studying and improving system-level SG resiliency. In particular, with the increasing adoption of ICTs in customer-side systems that often interact directly with the Generation and Distribution domains, increased research effort may be warranted in the Customer domain. These findings can be summarized in terms of several implications for future research priorities, as stated in Section 5 above.
Author Contributions
Conceptualization, S.A. and L.N.K.; methodology, S.A. and L.N.K.; data collection, visualization, analysis, and original draft, S.A.; validation and result analysis, S.A.; supervision and resource management, L.N.K. and R.D.; writing, review, and editing, S.A. and R.D. All authors have read and agreed to the published version of the manuscript.
Funding
This research received no external funding.
Data Availability Statement
The data presented in this study are available on request from the corresponding author.
Acknowledgments
During the preparation of this manuscript/study, the author(s) used ChatGPT (ver. GPT-5) and Perplexity (ver. Sonar) to assist with refining search queries and improving clarity in wording. All content was reviewed and edited by the authors, who take full responsibility for the final manuscript.
Conflicts of Interest
The authors declare no conflicts of interest.
Abbreviations
The following abbreviations are used in this manuscript:
| Abbreviation | Meaning |
|---|---|
| SG | Smart Grid |
| ICT | Information Communication Technology |
| ICS | Industrial Control System |
| CPPS | Cyber-Physical Power System |
| FDI | False Data Injection |
| DoS | Denial of Service |
| MITM | Man-in-the-Middle |
| MCI | Malicious Code Injection |
References
- Gopstein, A.; Nguyen, C.; O’Fallon, C.; Hastings, N.; Wollman, D.A. NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 4.0. NIST. 2021. Available online: https://www.nist.gov/publications/nist-framework-and-roadmap-smart-grid-interoperability-standards-release-40 (accessed on 13 April 2025).
- Smart Grid Group. NIST. 2012. Available online: https://www.nist.gov/ctl/smart-connected-systems-division/smart-grid-group (accessed on 13 April 2025).
- International Energy Agency (IEA). Energy and AI—Analysis. 2025. Available online: https://www.iea.org/reports/energy-and-ai (accessed on 13 April 2025).
- American Clean Power (ACP). New Report Finds Urgent Need to Expand Energy Supply to Meet Rapidly Growing Future Demand. 2025. Available online: https://cleanpower.org/news/us-national-power-demand-study (accessed on 13 April 2025).
- Liu, J.; Xiao, Y.; Li, S.; Liang, W.; Chen, C.L.P. Cyber Security and Privacy Issues in Smart Grids. IEEE Commun. Surv. Tutor. 2012, 14, 981–997.
- Abraham, D.; Toftegaard, Ø.; Binu Ben Jose, D.R.; Gebremedhin, A.; Yildirim Yayilgan, S. Consequence simulation of cyber attacks on key smart grid business cases. Front. Energy Res. 2024, 12, 1395954.
- Achaal, B.; Adda, M.; Berger, M.; Ibrahim, H.; Awde, A. Study of smart grid cyber-security, examining architectures, communication networks, cyber-attacks, countermeasure techniques, and challenges. Cybersecurity 2024, 7, 10.
- Cultice, T.; Ionel, D.; Thapliyal, H. Smart home sensor anomaly detection using convolutional autoencoder neural network. In Proceedings of the 2020 IEEE International Symposium on Smart Electronic Systems (iSES) (Formerly iNiS), Chennai, India, 14–16 December 2020; pp. 67–70. Available online: https://ieeexplore.ieee.org/document/9426175 (accessed on 26 April 2025).
- Xie, J.; Rahman, A.; Sun, W. Bayesian GAN-Based False Data Injection Attack Detection in Active Distribution Grids with DERs. IEEE Trans. Smart Grid 2024, 15, 3223–3234. [Google Scholar] [CrossRef]
- Wei, S.; Xu, J.; Wu, Z.; Hu, Q.; Yu, X. A False Data Injection Attack Detection Strategy for Unbalanced Distribution Networks State Estimation. IEEE Trans. Smart Grid 2023, 14, 3992–4006. [Google Scholar] [CrossRef]
- Fernando, N.S.; Acken, J.M.; Bass, R.B. Developing a distributed trust model for distributed energy resources. In Proceedings of the 2021 IEEE Conference on Technologies for Sustainability (SusTech), Irvine, CA, USA, 22–24 April 2021; pp. 1–6. Available online: https://ieeexplore.ieee.org/document/9467436 (accessed on 20 July 2025).
- Sureshkumar, V.; Anandhi, S.; Amin, R.; Selvarajan, N.; Madhumathi, R. Design of Robust Mutual Authentication and Key Establishment Security Protocol for Cloud-Enabled Smart Grid Communication. IEEE Syst. J. 2021, 15, 3565–3572. [Google Scholar] [CrossRef]
- Chen, X.; Hu, S.; Li, Y.; Yue, D.; Dou, C.; Ding, L. Co-Estimation of State and FDI Attacks and Attack Compensation Control for Multi-Area Load Frequency Control Systems Under FDI and DoS Attacks. IEEE Trans. Smart Grid 2022, 13, 2357–2368. [Google Scholar] [CrossRef]
- Zhan, L.; Dehghanian, P.; Mehrani, S. Minimizing the risk of attacks in electric power systems via effective grid reinforcement of counter-threat technologies. In Proceedings of the 2023 IEEE PES GTD International Conference and Exposition (GTD), Istanbul, Turkiye, 22–25 May 2023; pp. 273–277. Available online: https://ieeexplore.ieee.org/document/10261483 (accessed on 27 April 2025).
- Maharjan, M.; Poudel, S.; Mix, S.R.; McDermott, T.E. Cybersecurity Assessment in DER-rich Distribution Operations: Criticality Levels and Impact Analysis. In Proceedings of the 2024 IEEE Power & Energy Society Innovative Smart Grid Technologies Conference (ISGT), Washington, DC, USA, 19–22 February 2024; pp. 1–5. Available online: https://ieeexplore.ieee.org/document/10454167 (accessed on 26 April 2025).
- Karanfil, M.; Rebbah, D.E.; Debbabi, M.; Kassouf, M.; Ghafouri, M.; Youssef, E.-N.S.; Hanna, A. Detection of Microgrid Cyberattacks Using Network and System Management. IEEE Trans. Smart Grid 2023, 14, 2390–2405. [Google Scholar] [CrossRef]
- Google Cloud. TRITON Malware: Attackers Deploy New ICS Attack Framework. Google Cloud Blog. Available online: https://cloud.google.com/blog/topics/threat-intelligence/attackers-deploy-new-ics-attack-framework-triton (accessed on 20 April 2025).
- Recorded Future. China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions. Available online: https://www.recordedfuture.com/research/redecho-targeting-indian-power-sector (accessed on 20 April 2025).
- IronNet. Cyber Attacks on the Power Grid. Available online: https://www.ironnet.com/blog/cyber-attacks-on-the-power-grid (accessed on 20 April 2025).
- Cyber-Attack Against Ukrainian Critical Infrastructure. CISA. 2021. Available online: https://www.cisa.gov/news-events/ics-alerts/ir-alert-h-16-056-01 (accessed on 20 April 2025).
- Ferah, M.; Joncas, H.; Marquis, M. Cyberattaque: Le Site Web d’Hydro-Québec Paralysé. La Presse. 2023. Available online: https://www.lapresse.ca/actualites/2023-04-13/cyberattaque/le-site-web-d-hydro-quebec-paralyse.php (accessed on 9 October 2025).
- Reda, H.T.; Anwar, A.; Mahmood, A. Comprehensive survey and taxonomies of false data injection attacks in smart grids: Attack models, targets, and impacts. Renew. Sustain. Energy Rev. 2022, 163, 112423. [Google Scholar] [CrossRef]
- Abdelkader, S.; Amissah, J.; Kinga, S.; Mugerwa, G.; Emmanuel, E.; Mansour, D.-E.A.; Bajaj, M.; Blazek, V.; Prokop, L. Securing modern power systems: Implementing comprehensive strategies to enhance resilience and reliability against cyber-attacks. Results Eng. 2024, 23, 102647. [Google Scholar] [CrossRef]
- Rawat, D.B.; Bajracharya, C. Cyber security for smart grid systems: Status, challenges and perspectives. In Proceedings of the SoutheastCon 2015, Fort Lauderdale, FL, USA, 9–12 April 2015; pp. 1–6. Available online: https://ieeexplore.ieee.org/document/7132891 (accessed on 16 April 2025).
- Tuyen, N.D.; Quan, N.S.; Linh, V.B.; Van Tuyen, V.; Fujita, G. A Comprehensive Review of Cybersecurity in Inverter-Based Smart Power System Amid the Boom of Renewable Energy. IEEE Access 2022, 10, 35846–35875. [Google Scholar] [CrossRef]
- Liang, G.; Zhao, J.; Luo, F.; Weller, S.R.; Dong, Z.Y. A Review of False Data Injection Attacks Against Modern Power Systems. IEEE Trans. Smart Grid 2017, 8, 1630–1638. [Google Scholar] [CrossRef]
- Tan, R.; Nguyen, H.H.; Foo, E.Y.; Yau, D.K.; Kalbarczyk, Z.; Iyer, R.K.; Gooi, H.B. Modeling and Mitigating Impact of False Data Injection Attacks on Automatic Generation Control. IEEE Trans. Inf. Forensics Secur. 2017, 12, 1609–1624. [Google Scholar] [CrossRef]
- Tatipatri, N.; Arun, S.L. A Comprehensive Review on Cyber-Attacks in Power Systems: Impact Analysis, Detection, and Cyber Security. IEEE Access 2024, 12, 18147–18167. [Google Scholar] [CrossRef]
- Hasnat, M.A.; Rahnamay-Naeini, M. A data-driven dynamic state estimation for smart grids under DoS attack using state correlations. In Proceedings of the 2019 North American Power Symposium (NAPS), Wichita, KS, USA, 13–15 October 2019; pp. 1–6. Available online: https://ieeexplore.ieee.org/document/9000307 (accessed on 8 April 2025).
- Ge, P.; Chen, B.; Teng, F. Cyber-Resilient Self-Triggered Distributed Control of Networked Microgrids Against Multi-Layer DoS Attacks. IEEE Trans. Smart Grid 2023, 14, 3114–3124. [Google Scholar] [CrossRef]
- Zhang, Y.; Wang, L.; Sun, W.; Green, R.C., II; Alam, M. Distributed Intrusion Detection System in a Multi-Layer Network Architecture of Smart Grids. IEEE Trans. Smart Grid 2011, 2, 796–808. [Google Scholar] [CrossRef]
- Gholami, S.; Saha, S.; Aldeen, M. A cyber attack resilient control for distributed energy resources. In Proceedings of the 2017 IEEE PES Innovative Smart Grid Technologies Conference Europe (ISGT-Europe), Turin, Italy, 26–29 September 2017; pp. 1–6. Available online: https://ieeexplore.ieee.org/document/8260213 (accessed on 8 April 2025).
- Guo, L.; Zhang, J.; Ye, J.; Coshatt, S.J.; Song, W. Data-Driven Cyber-Attack Detection for PV Farms via Time-Frequency Domain Features. IEEE Trans. Smart Grid 2022, 13, 1582–1597. [Google Scholar] [CrossRef]
- Ibrahem, M.I.; Mahmoud, M.M.E.A.; Alsolami, F.; Alasmary, W.; AL-Ghamdi, A.S.A.-M.; Shen, X. Electricity-Theft Detection for Change-and-Transmit Advanced Metering Infrastructure. IEEE Internet Things J. 2022, 9, 25565–25580. [Google Scholar] [CrossRef]
- Hemmati, M.; Palahalli, M.H.; Storti Gajani, G.; Gruosso, G. Impact and vulnerability analysis of IEC 61850 in smart grids using multiple HIL real-time testbeds. IEEE Access 2022, 10, 103275–103285. [Google Scholar] [CrossRef]
- Pedroza, G.; Le Gall, P.; Gaston, C.; Bersey, F. Timed-model-based method for security analysis and testing of smart grid systems. In Proceedings of the 2016 IEEE 19th International Symposium on Real-Time Distributed Computing (ISORC), York, UK, 17–20 May 2016; pp. 35–42. Available online: https://ieeexplore.ieee.org/document/7515609 (accessed on 10 April 2025).
- Zhang, Y.; Wang, L.; Xiang, Y.; Ten, C.-W. Power System Reliability Evaluation with SCADA Cybersecurity Considerations. IEEE Trans. Smart Grid 2015, 6, 1707–1721. [Google Scholar] [CrossRef]
- Azab, M.; Eltoweissy, M. CyPhyMASC: Evolutionary monitoring, analysis, sharing and control platform for SmartGrid defense. In Proceedings of the 2014 IEEE 15th International Conference on Information Reuse and Integration (IEEE IRI 2014), Redwood City, CA, USA, 13–15 August 2014; pp. 639–645. Available online: https://ieeexplore.ieee.org/document/7051950 (accessed on 21 July 2025).
- Xu, S.; Xia, Y.; Shen, H.-L. Analysis of malware-induced cyber attacks in cyber-physical power systems. IEEE Trans. Circuits Syst. II Express Briefs 2020, 67, 3482–3486. [Google Scholar] [CrossRef]
- Poudel, S.; Abouyoussef, M.; Baugh, J.E.; Ismail, M. Attack Design for Maximum Malware Spread Through EVs Commute and Charge in Power-Transportation Systems. IEEE Syst. J. 2024, 18, 1809–1820. [Google Scholar] [CrossRef]
- Liu, D.; Zhang, X.; Tse, C.K. Effect of Malware Spreading on Propagation of Cascading Failure in Cyber-Coupled Power Systems. In Proceedings of the 2018 IEEE International Symposium on Circuits and Systems (ISCAS), Florence, Italy, 27–30 May 2018; pp. 1–4. Available online: https://ieeexplore.ieee.org/document/8351591 (accessed on 27 April 2025).
- Alvee, S.R.B.; Ahn, B.; Ahmad, S.; Kim, K.-T.; Kim, T.; Zeng, J. Device-centric firmware malware detection for smart inverters using deep transfer learning. In Proceedings of the 2022 IEEE Design Methodologies Conference (DMC), Bath, UK, 1–2 September 2022; pp. 1–5. Available online: https://ieeexplore.ieee.org/document/9906538 (accessed on 27 April 2025).
- Li, H.; Pan, H. A defense strategy against false data injection attack in smart grid based on multi-stage game. In Proceedings of the 2024 9th International Conference on Power and Renewable Energy (ICPRE), Guangzhou, China, 20–23 September 2024; pp. 685–691. Available online: https://ieeexplore.ieee.org/document/10768530 (accessed on 12 April 2025).
- Selim, A.; Zhao, J.; Ding, F.; Miao, F.; Park, S.-Y. Adaptive Deep Reinforcement Learning Algorithm for Distribution System Cyber Attack Defense with High Penetration of DERs. IEEE Trans. Smart Grid 2024, 15, 4077–4089. [Google Scholar] [CrossRef]
- Zhou, Q.; Shahidehpour, M.; Alabdulwahab, A.; Abusorrah, A.; Che, L.; Liu, X. Cross-Layer Distributed Control Strategy for Cyber Resilient Microgrids. IEEE Trans. Smart Grid 2021, 12, 3705–3717. [Google Scholar] [CrossRef]
- Kang, B.; Maynard, P.; McLaughlin, K.; Sezer, S.; Andrén, F.; Seitl, C.; Kupzog, F.; Strasser, T. Investigating cyber-physical attacks against IEC 61850 photovoltaic inverter installations. In Proceedings of the 2015 IEEE 20th Conference on Emerging Technologies & Factory Automation (ETFA), Luxembourg, 8–11 September 2015; pp. 1–8. Available online: https://ieeexplore.ieee.org/document/7301457 (accessed on 8 April 2025).
- Kamal, M.; Farajollahi, M.; Nazaripouya, H.; Mohsenian-Rad, H. Cyberattacks Against Event-Based Analysis in Micro-PMUs: Attack Models and Counter Measures. IEEE Trans. Smart Grid 2021, 12, 1577–1588. [Google Scholar] [CrossRef]
- Chavez, A.; Lai, C.; Jacobs, N.; Hossain-McKenzie, S.; Jones, C.B.; Johnson, J.; Summers, A. Hybrid intrusion detection system design for distributed energy resource systems. In Proceedings of the 2019 IEEE CyberPELS (CyberPELS), Knoxville, TN, USA, 29 April–1 May 2019; pp. 1–6. Available online: https://ieeexplore.ieee.org/document/8925064 (accessed on 26 April 2025).
- Ravikumar, G.; Singh, A.; Babu, J.R.; Moataz, A.; Govindarasu, M. D-IDS for Cyber-Physical DER Modbus System—Architecture, Modeling, Testbed-Based Evaluation. In Proceedings of the 2020 Resilience Week (RWS), Salt Lake City, UT, USA, 19–23 October 2020; pp. 153–159. Available online: https://ieeexplore.ieee.org/document/9241259 (accessed on 8 April 2025).
- Karimipour, H.; Dehghantanha, A.; Parizi, R.M.; Choo, K.-K.R.; Leung, H. A Deep and Scalable Unsupervised Machine Learning System for Cyber-Attack Detection in Large-Scale Smart Grids. IEEE Access 2019, 7, 80778–80788. [Google Scholar] [CrossRef]
- Cui, M.; Wang, J.; Chen, B. Flexible Machine Learning-Based Cyberattack Detection Using Spatiotemporal Patterns for Distribution Systems. IEEE Trans. Smart Grid 2020, 11, 1805–1808. [Google Scholar] [CrossRef]
- Akash, A.R.; Ahn, B.; Jenkins, A.; Khot, A.; Silva, L.; Tavares-Vengas, H.; Kim, T. Quantum convolutional neural network-based online malware file detection for smart grid devices. In Proceedings of the 2023 IEEE Design Methodologies Conference (DMC), Miami, FL, USA, 24–26 September 2023; pp. 1–5. Available online: https://ieeexplore.ieee.org/document/10412597 (accessed on 27 April 2025).
- Gunduz, M.Z.; Das, R. A comparison of cyber-security oriented testbeds for IoT-based smart grids. In Proceedings of the 2018 6th International Symposium on Digital Forensic and Security (ISDFS), Antalya, Turkey, 22–25 March 2018; pp. 1–6. Available online: https://ieeexplore.ieee.org/document/8355329 (accessed on 8 April 2025).
- de Carvalho, R.S.; Saleem, D. Recommended Functionalities for Improving Cybersecurity of Distributed Energy Resources. In Proceedings of the 2019 Resilience Week (RWS), San Antonio, TX, USA, 4–7 November 2019; Volume 1, pp. 226–231. Available online: https://ieeexplore.ieee.org/document/8972000 (accessed on 8 April 2025).
- Yohanandhan, R.V.; Elavarasan, R.M.; Manoharan, P.; Mihet-Popa, L. Cyber-Physical Power System (CPPS): A Review on Modeling, Simulation, and Analysis with Cyber Security Applications. IEEE Access 2020, 8, 151019–151064. [Google Scholar] [CrossRef]
- Xia, Y.; Xu, Y.; Mondal, S.; Gupta, A.K. A Transfer Learning-Based Method for Cyber-Attack Tolerance in Distributed Control of Microgrids. IEEE Trans. Smart Grid 2024, 15, 1258–1270. [Google Scholar] [CrossRef]
- Jafarigiv, D.; Sheshyekani, K.; Kassouf, M.; Seyedi, Y.; Karimi, H.; Mahseredjian, J. Countering FDI Attacks on DERs Coordinated Control System Using FMI-Compatible Cosimulation. IEEE Trans. Smart Grid 2021, 12, 1640–1650. [Google Scholar] [CrossRef]
- Takiddin, A.; Ismail, M.; Zafar, U.; Serpedin, E. Deep Autoencoder-Based Anomaly Detection of Electricity Theft Cyberattacks in Smart Grids. IEEE Syst. J. 2022, 16, 4106–4117. [Google Scholar] [CrossRef]
- Liu, Z.; Wang, L. Defense Strategy Against Load Redistribution Attacks on Power Systems Considering Insider Threats. IEEE Trans. Smart Grid 2021, 12, 1529–1540. [Google Scholar] [CrossRef]
- Formby, D.; Jung, S.S.; Walters, S.; Beyah, R. A physical overlay framework for insider threat mitigation of power system devices. In Proceedings of the 2014 IEEE International Conference on Smart Grid Communications (SmartGridComm), Venice, Italy, 3–6 November 2014; pp. 970–975. Available online: https://ieeexplore.ieee.org/document/7007774 (accessed on 27 April 2025).
- Bao, H.; Lu, R.; Li, B.; Deng, R. BLITHE: Behavior Rule-Based Insider Threat Detection for Smart Grid. IEEE Internet Things J. 2016, 3, 190–205. [Google Scholar] [CrossRef]
- Chen, Q.; Zhou, M.; Cai, Z.; Su, S. Compliance Checking Based Detection of Insider Threat in Industrial Control System of Power Utilities. In Proceedings of the 2022 7th Asia Conference on Power and Electrical Engineering (ACPEE), Hangzhou, China, 15–17 April 2022; pp. 1142–1147. Available online: https://ieeexplore.ieee.org/document/9784085 (accessed on 27 April 2025).
- Zhou, Q.; Shahidehpour, M.; Alabdulwahab, A.; Abusorrah, A. A Cyber-Attack Resilient Distributed Control Strategy in Islanded Microgrids. IEEE Trans. Smart Grid 2020, 11, 3690–3701. [Google Scholar] [CrossRef]
- Rekik, M.; Chtourou, Z.; Gransart, C.; Atieh, A. A Cyber-Physical Threat Analysis for Microgrids. In Proceedings of the 2018 15th International Multi-Conference on Systems, Signals & Devices (SSD), Yasmine Hammamet, Tunisia, 19–22 March 2018; pp. 731–737. Available online: https://ieeexplore.ieee.org/document/8570411 (accessed on 22 April 2025).
- Srikantha, P.; Kundur, D. A DER Attack-Mitigation Differential Game for Smart Grid Security Analysis. IEEE Trans. Smart Grid 2016, 7, 1476–1485. [Google Scholar] [CrossRef]
- Ten, C.-W.; Hong, J.; Liu, C.-C. Anomaly Detection for Cybersecurity of the Substations. IEEE Trans. Smart Grid 2011, 2, 865–873. [Google Scholar] [CrossRef]
- Chen, Z.; Zhu, J.; Li, S.; Luo, T. Detection of false data injection attack in automatic generation control system with wind energy based on fuzzy support vector machine. In Proceedings of the IECON 2020 The 46th Annual Conference of the IEEE Industrial Electronics Society, Singapore, 18–21 October 2020; pp. 3523–3528. Available online: https://ieeexplore.ieee.org/document/9255020 (accessed on 21 July 2025).
- Zhuang, P.; Liang, H. False Data Injection Attacks Against State-of-Charge Estimation of Battery Energy Storage Systems in Smart Distribution Networks. IEEE Trans. Smart Grid 2021, 12, 2566–2577. [Google Scholar] [CrossRef]
- Mohamed, A.S.; Arani, M.F.M.; Jahromi, A.A.; Kundur, D. False Data Injection Attacks Against Synchronization Systems in Microgrids. IEEE Trans. Smart Grid 2021, 12, 4471–4483. [Google Scholar] [CrossRef]
- Ravikumar, G.; Hyder, B.; Govindarasu, M. Hardware-in-the-Loop CPS Security Architecture for DER Monitoring and Control Applications. In Proceedings of the 2020 IEEE Texas Power and Energy Conference (TPEC), College Station, TX, USA, 6–7 February 2020; pp. 1–5. Available online: https://ieeexplore.ieee.org/document/9042578 (accessed on 8 April 2025).
- Liu, X.; Shahidehpour, M.; Cao, Y.; Wu, L.; Wei, W.; Liu, X. Microgrid Risk Analysis Considering the Impact of Cyber Attacks on Solar PV and ESS Control Systems. IEEE Trans. Smart Grid 2017, 8, 1330–1339. [Google Scholar] [CrossRef]
- Jhala, K.; Pradhan, P.; Natarajan, B. Perturbation-Based Diagnosis of False Data Injection Attack Using Distributed Energy Resources. IEEE Trans. Smart Grid 2021, 12, 1589–1601. [Google Scholar] [CrossRef]
- Hong, J.; Liu, C.-C. Intelligent Electronic Devices with Collaborative Intrusion Detection Systems. IEEE Trans. Smart Grid 2019, 10, 271–281. [Google Scholar] [CrossRef]
- Park, K.; Ahn, B.; Kim, J.; Won, D.; Noh, Y.; Choi, J.; Kim, T. An Advanced Persistent Threat (APT)-Style Cyberattack Testbed for Distributed Energy Resources (DER). In Proceedings of the 2021 IEEE Design Methodologies Conference (DMC), Bath, UK, 14–15 July 2021; pp. 1–5. Available online: https://ieeexplore.ieee.org/document/9529953 (accessed on 27 April 2025).
- Abir, S.M.A.A.; Anwar, A.; Choi, J.; Kayes, A.S.M. IoT-Enabled Smart Energy Grid: Applications and Challenges. IEEE Access 2021, 9, 50961–50981. [Google Scholar] [CrossRef]
- de Souza, E.; Ardakanian, O.; Nikolaidis, I. A Co-simulation Platform for Evaluating Cyber Security and Control Applications in the Smart Grid. In Proceedings of the ICC 2020—2020 IEEE International Conference on Communications (ICC), Dublin, Ireland, 7–11 June 2020; pp. 1–7. Available online: https://ieeexplore.ieee.org/document/9149212 (accessed on 8 April 2025).
- Guan, Z.; Li, J.; Wu, L.; Zhang, Y.; Wu, J.; Du, X. Achieving Efficient and Secure Data Acquisition for Cloud-Supported Internet of Things in Smart Grid. IEEE Internet Things J. 2017, 4, 1934–1944. [Google Scholar] [CrossRef]
- Ackley, D.; Yang, H. Exploration of Smart Grid Device Cybersecurity Vulnerability Using Shodan. In Proceedings of the 2020 IEEE Power & Energy Society General Meeting (PESGM), Montreal, QC, Canada, 2–6 August 2020; pp. 1–5. Available online: https://ieeexplore.ieee.org/document/9281544 (accessed on 10 April 2025).
- Wen, M.; Chen, S.; Lu, R.; Li, B.; Chen, S. Security and Efficiency Enhanced Revocable Access Control for Fog-Based Smart Grid System. IEEE Access 2019, 7, 137968–137981. [Google Scholar] [CrossRef]
- MathWorks. Power and Control Systems. Available online: https://www.mathworks.com/solutions/energy-production/utilities-energy/power-system-studies.html (accessed on 2 October 2025).
- OPAL-RT Technologies. OPAL-RT Website. Available online: https://www.opal-rt.com/ (accessed on 2 October 2025).
- OpenDSS. Available online: https://www.epri.com/pages/sa/opendss (accessed on 1 October 2025).
- ns-3 Project. ns-3. Available online: https://www.nsnam.org/ (accessed on 1 October 2025).
- PSCAD. PSCAD Website. Available online: https://www.pscad.com/ (accessed on 1 October 2025).
- EMTP. EMTP—Products. Available online: https://www.emtp.com/products/emtp (accessed on 2 October 2025).
- ePHASORSIM. OPAL-RT TECHNOLOGIES, Inc. Available online: https://www.opal-rt.com/software-toolboxes/ephasorsim/ (accessed on 2 October 2025).
- Blanchet, B.; Smyth, B.; Cheval, V.; Sylvestre, M. ProVerif 2.05: Automatic Cryptographic Protocol Verifier—User Manual and Tutorial. Available online: https://bblanche.gitlabpages.inria.fr/proverif// (accessed on 2 October 2025).
- PowerWorld Corporation. The Visual Approach to Electric Power Systems. Available online: https://www.powerworld.com/ (accessed on 2 October 2025).
- Steinbrink, C.; Blank-Babazadeh, M.; El-Ama, A.; Holly, S.; Lüers, B.; Nebel-Wenner, M.; Ramírez Acosta, R.P.; Raub, T.; Schwarz, J.S.; Stark, S.; et al. CPES Testing with mosaik: Co-Simulation Planning, Execution and Analysis. Appl. Sci. 2019, 9, 923. [Google Scholar] [CrossRef]
- Cintuglu, M.H.; Mohammed, O.A.; Akkaya, K.; Uluagac, A.S. A Survey on Smart Grid Cyber-Physical System Testbeds. IEEE Commun. Surv. Tutor. 2017, 19, 446–464. [Google Scholar] [CrossRef]
- Lu, Q.; Li, J.; Peng, Z.; Wu, L.; Ni, M.; Luo, J. Detecting the cyber-physical-social cooperated APTs in high-DER-penetrated smart grids: Threats, current work and challenges. Comput. Netw. 2024, 254, 110776. [Google Scholar] [CrossRef]
- Liu, M.; Teng, F.; Zhang, Z.; Ge, P.; Sun, M.; Deng, R.; Cheng, P.; Chen, J. Enhancing Cyber-Resiliency of DER-Based Smart Grid: A Survey. IEEE Trans. Smart Grid 2024, 15, 4998–5030. [Google Scholar] [CrossRef]
- Krause, T.; Ernst, R.; Klaer, B.; Hacker, I.; Henze, M. Cybersecurity in Power Grids: Challenges and Opportunities. Sensors 2021, 21, 6225. [Google Scholar] [CrossRef]
- Khalid, M. Smart grids and renewable energy systems: Perspectives and grid integration challenges. Energy Strategy Rev. 2024, 51, 101299. [Google Scholar] [CrossRef]
- Smart Grid System Testbed Facility. NIST. Available online: https://www.nist.gov/programs-projects/smart-grid-system-testbed-facility (accessed on 27 November 2025).
- Electric Power Research Institute (EPRI). Information, Communication and Cyber Security. Available online: https://msites.epri.com/der-vpp-ferc2222/Information-Communication-and-Cyber-Security (accessed on 27 November 2025).
- Johnson, C.; Badger, M.; Waltermire, D.; Snyder, J.; Skorupka, C. Guide to Cyber Threat Information Sharing; Report No.: NIST Special Publication (SP) 800-150; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2016; Available online: https://csrc.nist.gov/pubs/sp/800/150/final (accessed on 27 November 2025).
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.
© 2025 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).