The Ukrainian Demonstrator (D4) of the eFORT project, implemented by JSC “Prykarpattyaoblenergo” in close collaboration with ISOLUTIONS and CIRCE, continues to evolve into a mature and scientifically valuable platform for validating cybersecurity technologies in realistic operational conditions. As the project enters its fortieth month, Demonstrator 4 has reached several important technological and organisational milestones. Ukraine’s energy infrastructure remains under persistent hybrid pressure, which increases the scientific and operational relevance of a controlled but authentic test environment capable of replicating real substation behaviour and communication flow. This environment serves as a critical validation platform for intrusion detection, network isolation, secure maintenance, and blockchain‑based resilience mechanisms being developed across the consortium.
A major achievement in this period is the installation, configuration, and integration of the SecureBox device supplied by CIRCE. SecureBox is now operational within the SCADA–RTU chain of the testbed and is directly connected to the Intelligent Platform. Its internal capabilities include secure handling of field‑level communication, intrusion detection, micro‑segmentation functions for operational networks, blockchain‑supported integrity validation, and tamper‑resistant logging. These functions are now being exercised in preliminary test cycles. The presence of SecureBox transforms the demonstrator into a realistic enforcement node capable of isolating malicious traffic, applying automated countermeasures, and supporting dynamic response behaviour during ethical cyberattack simulations.


The substation testbed provided by JSC “Prykarpattyaoblenergo” is not a full physical digital twin, but it is a highly accurate operational replica of a real high‑voltage substation. It mirrors the complete control chain between dispatch systems and field‑level equipment, including switching infrastructure, SCADA communication channels, RTU modules, voltage measurement systems, and protection signalling based on IEC 61850 GOOSE/MMS.
This accurate architectural representation enables ethically executed cyberattack simulations to be performed without any risk to live operational assets. At the same time, it preserves all essential structural dependencies and communication flows present in real operational substations. As a result, the testbed provides a unique opportunity to observe malformed frames, spoofed commands, and protocol manipulation under safe laboratory conditions.
Case Study 1 of Demonstrator 4 focuses on cyber intrusion detection and operational continuity. Experiments carried out within the testbed demonstrate how IDS components, SIEM correlation, operator notification tools, and SecureBox enforcement interact as part of a unified defence workflow. Detection of abnormal GOOSE or MMS traffic, recognition of command manipulation attempts, and identification of complex multi‑stage intrusion patterns are all being validated within realistic operational constraints. These activities help to quantify the performance and reliability of the developed tools and highlight practical challenges in detecting the low‑signal, high‑impact behaviours typical of adversaries targeting energy systems.
In parallel, Case Study 2 is expanding the visual and analytical interface of the demonstrator through the integration of blockchain‑supported resilience functions with 3D and VR environments.


The ongoing refinement of the 3D model of the Iltsi 110/35/10 kV substation includes improved texturing, more detailed representation of equipment, and greater visual fidelity, enabling operators and researchers to interact with an immersive virtual representation of the substation. Within this environment, it becomes possible to visualise incident traces, configuration histories, and maintenance actions recorded on a blockchain ledger. This combination of visual and cryptographic verification enhances situational awareness and supports the assessment of how cyber incidents propagate through physical and logical layers of the substation architecture.
These visualisation improvements also support dissemination and communication objectives, as stakeholders who cannot access real infrastructure can still experience realistic demonstrations of attack detection, system isolation, and event reconstruction. The integration of VR/AR components with secure data provenance mechanisms improves transparency and understanding among operators, researchers, and decision‑makers. It also strengthens cross‑disciplinary cooperation between cybersecurity, energy engineering, and operational management teams.
Beyond its technical validation objectives, Demonstrator 4 provides a strong foundation for market-oriented exploitation of project outcomes. In particular, the integration of cyber-resilience mechanisms with immersive 3D and VR-enabled visualisation introduces a transferable approach to operational decision support. By enabling operators and stakeholders to interpret cyber incidents through both logical and physical layers of substations, the developed interface supports more informed management of conventional and unconventional threats, including cyber intrusions, hybrid disruptions, and cascading operational failures.
Building on the knowledge and capabilities validated in D4, this approach is being further developed and transformed into the Ukrainian cybersecurity and resilience platform CyberJab.ua. CyberJab.ua aims to provide a scalable digital environment for training, preparedness, and cyber-physical risk awareness, leveraging the validated 3D substation modelling methodology, incident traceability principles, and secure data provenance concepts demonstrated within eFORT. The platform represents a concrete pathway for national-level exploitation, as it is designed to support replication across multiple energy distribution system operators in Ukraine, enabling consistent adoption of advanced cyber-resilience practices and structured response workflows across geographically distributed infrastructures.
At the same time, the international relevance of the demonstrator outcomes creates strong opportunities for European collaboration and market expansion. CyberJab.ua is already entering the Czech Republic market through engagement in a Horizon Europe context, where the platform has been invited for use in training and educational activities targeting energy-sector stakeholders. This expansion demonstrates the broader applicability of the developed solutions and confirms that operationally grounded, visually interpretable cyber-resilience environments can provide value beyond Ukraine, supporting European operators in preparing for both conventional and unconventional threat scenarios.
Overall, Demonstrator 4 serves not only as a validation environment for advanced security technologies, but also as an exploitation catalyst, enabling the transition from research results into practical tools, services, and training capabilities that strengthen resilience across Ukrainian and European energy ecosystems.
Looking ahead, the Demonstrator 4 team will continue advancing system integration, scenario execution, and validation activities. The finalisation of the SecureBox–Intelligent Platform interface, enhancement of the 3D visualisation layers, and execution of comprehensive end‑to‑end scenario runs remain key priorities for the upcoming period. These efforts will further validate the stability, efficiency, and real‑world applicability of the solutions developed in the project. Operating under conditions that reflect real‑world constraints and threats, Demonstrator 4 continues to provide exceptional insight into how next‑generation cybersecurity capabilities can be adapted and implemented to support the resilience of future European energy systems.