The Dutch eFORT demonstrator shows how to improve the resilience of Electrical Power and Energy Systems (EPES) by enabling immediate response against cyber-attacks at both physical and cyber layer. This is achieved by establishing collaboration between the Control Room, that controls the Operational Technology (OT) in the EPES and Security Operations Centre (SOC), that monitors the IT and OT infrastructures for cybersecurity attacks. The collaboration is implemented using automated interfaces for:
- Requesting (pre-)authorization from Control Room for (automated) response actions by the SOC;
- Reporting a cybersecurity incident by the SOC to the Control Room;
- Reporting results of potential impact assessment by the Control Room to the SOC.
The first interface is to enable automated incident response (on the cyber layer) to detected cyber-attacks. Such request can be made beforehand, for instance based on new information about a serious cyber threat, or during incident response. An example incident response action could be to disconnect the enterprise network from the OT network.
The second interface is to inform the Control Room of detected cybersecurity incidents and the severity of the incident. For the Network Code for Cybersecurity (NCCS), the European Network of Transmission System Operators for Electricity (ENTSOE) and DSO ENTITY (the association for Distribution System Operators (DSOs) in Europe) have developed a Cyber-Attack Classification Scale for the potential impact and the severity of the cyber-attack. As this Classification Scale will be used to determine if a cybersecurity incident must be reported to the authority, we adopted this methodology. By reporting the severity of a cyber-attack in combination with the location (e.g. which substation), the Control Room can assess the potential impact of cascading failures and start preparing response action on the physical layer (e.g. preventative islanding of a substation). Through the third interface, the Control Room will report the result of the potential impact assessment to the SOC such that it can determine the potential gravity of the cyber-attack and thus automatically determine when it becomes a reportable cyber-attack and must contact the Single Point of Contact (SPOC), according to the NCCS.
This Control Room and SOC integration and automated response to cyber-attacks, both physical and cyber layer, have been implemented as part of the Dutch eFORT demonstrator and will be integrated in the Control Room of the Future (CRoF) at the TU Delft. The TU Delft has developed a tool for potential impact assessment and preventative action of cascading failures using Digital Twin technology. TNO developed a Security Orchestration, Automation and Response (SOAR) tool for playbook driven automation, and set up an integrated IT and OT SOC for EPES. The SOAR tool is called SOARCA https://cossas-project.org/portfolio/SOARCA/ and has been released as open-source tool on TNO’s COSSAS platform.
At the upcoming Power Europe Congress 2026, 6th – 8th of May 2026, Amsterdam, Netherlands, TNO and TU Delft will present and demonstrate this part of the Dutch eFORT demonstrator on behalf of the eFORT project.
In addition, the cooperative cybersecurity incident response will also be demonstrated at the CroF at a public eFORT event on June 10th, 2026, Delft, The Netherlands. Additional information will follow soon.
Contact us
Follow us on: