New simulation platform lets energy operators train against realistic cyberattacks

Researchers at Germany’s Fraunhofer FKIE institute have developed a virtual simulation platform to help power grid operators defend against cyberattacks by testing security strategies in realistic, controlled scenarios.

“PowerRange has been designed as a flexible and scalable cyber range for power grids,” the research’s corresponding author, Martin Serror, told pv magazine. “It supports both the simulation and emulation of traditional centralized power grids as well as future-oriented decentralized power grids with a high share of renewables and energy storage.”

According to Serror, renewable energy assets are more exposed to cyber threats than conventional power plants, which are easier to “air-gap” from communication networks.

“By contrast, renewable energy systems and bidirectional power flows rely more heavily on digital coordination and communication, exposing them to a broader attack surface, especially when proper security measures are missing,” he went on to say, noting that typical vulnerabilities affecting renewable energy systems or battery storage units are insecure remote access, interfaces used for monitoring, control, or maintenance, as well as insecure over-the-air firmware updates, especially when authentication or integrity protections are weak or missing.

“Implementing state‑of‑the‑art mechanisms for authentication and integrity protection in remote access and update procedures can therefore significantly enhance system security,” Serror stated.

Presented in the study “PowerRange: An immersive cyber range for power grid operators,” published in the International Journal of Critical Infrastructure Protection, the PowerRange virtual simulation platform is built on the open-source Wattson testbed, which allows safe execution of multi-stage cyberattacks and countermeasures in configurable power grid scenarios, integrating both operational technology (OT) and information technology (IT) networks with power generation and distribution processes.

PowerRange extends this into a realistic, immersive training environment tailored to operators’ needs, the academics said. It enables practical application of security measures, helps identify usability weaknesses, and engages all organizational levels, from management to IT and control room staff. Two pilot training sessions provided preliminary feedback, highlighting the importance of communication and coordination.

The scientists explained that designing cyber ranges for cyber-physical systems (CPSs), like power grids, requires modeling not only IT infrastructure but also control centers, field devices, and physical processes, with modular, extensible architectures and orchestration modules ensuring flexibility and seamless integration.

They also noted that effective training must accommodate diverse users, from IT specialists to management, and support both individual and collaborative exercises. Cyber ranges should replicate standard IT protocols alongside domain-specific OT protocols, and training environments must be realistic and comprehensive, covering offensive and defensive strategies while engaging all organizational roles.

The platform also relies on a Virtual Control Center (VCC) that provides operators with intuitive interfaces, synchronized across multiple users, visualizing grid state, issuing control commands, and incorporating state estimation. The platform supports real-world cyberattacks, including reconnaissance, lateral movement, privilege escalation, denial-of-service (DoS), man-in-the-middle (MITM), and false data injection, with modular, configurable attack blocks.

Trainers can adapt scenarios dynamically, combining attacks based on participant actions and defensive measures. Together, these features create a controlled yet highly immersive environment for practicing detection, response, and coordination during cyber incidents, the researchers stressed.

Furthermore, the platform models grid elements as nodes and edges, capturing assets, connections, and annotations, and updates measurements through power flow computations. Users can customize controllability, observability, and scenario complexity through rule-based configurations, with derived scenarios being exportable as Wattson-compatible configurations.

The research team also conducted two pilot sessions with professional operators and said the trainees initially struggled with information flow and tool familiarity, but gradually coordinated effective responses. Feedback also emphasized the value of hands-on experience, realistic scenarios, and cross-team communication.

“Regularly conducted training improves the practical application of cybersecurity measures and fosters better communication and coordination among key stakeholders,” the research team said. “These insights highlight the necessity of addressing the human factor alongside technological advancements to strengthen the overall resilience of grid operations.”

“In general, the distributed nature of renewable assets tends to improve the overall resilience of power systems against targeted cyberattacks, since compromising a few assets usually does not affect the overall system stability,” Serror added. “However, the widespread deployment of similar hardware and software components, such as identical inverters, may create systemic vulnerabilities. In such cases, a coordinated cyberattack could exploit a shared weakness to compromise many assets simultaneously and potentially affect overall system stability.”

“We anticipate a continued rise in cyber attacks targeting energy systems, as incidents in the energy sector have been gradually increasing over recent years,” he concluded. “However, physical attacks and sabotage, such as those unfortunately occurring in Ukraine, may remain even more disruptive to energy supply, particularly when combined with coordinated cyber attacks.”
