Dutch eFORT Demonstrator: Coordinated response to cybersecurity incidents by Control Room and SOC collaboration
The Dutch eFORT demonstrator shows how to improve the resilience of Electrical Power and Energy Systems (EPES) by enabling immediate response against cyber-attacks at both physical and cyber layer. This is achieved by establishing collaboration between the Control Room, that controls the Operational Technology (OT) in the EPES and Security Operations Centre (SOC), that monitors the IT and OT infrastructures for cybersecurity attacks. The collaboration is implemented using automated interfaces for:
Requesting (pre-)authorization from Control Room for (automated) response actions by the SOC;
Reporting a cybersecurity incident by the SOC to the Control Room;
Reporting results of potential impact assessment by the Control Room to the SOC.
The first interface is to enable automated incident response (on the cyber layer) to detected cyber-attacks. Such request can be made beforehand, for instance based on new information about a serious cyber threat, or during incident response. An example incident response action could be to disconnect the enterprise network from the OT network.
The second interface is to inform the Control Room of detected cybersecurity incidents and the severity of the incident. For the Network Code for Cybersecurity (NCCS), the European Network of Transmission System Operators for Electricity (ENTSOE) and DSO ENTITY (the association for Distribution System Operators (DSOs) in Europe) have developed a Cyber-Attack Classification Scale for the potential impact and the severity of the cyber-attack. As this Classification Scale will be used to determine if a cybersecurity incident must be reported to the authority, we adopted this methodology. By reporting the severity of a cyber-attack in combination with the location (e.g. which substation), the Control Room can assess the potential impact of cascading failures and start preparing response action on the physical layer (e.g. preventative islanding of a substation). Through the third interface, the Control Room will report the result of the potential impact assessment to the SOC such that it can determine the potential gravity of the cyber-attack and thus automatically determine when it becomes a reportable cyber-attack and must contact the Single Point of Contact (SPOC), according to the NCCS.
This Control Room and SOC integration and automated response to cyber-attacks, both physical and cyber layer, have been implemented as part of the Dutch eFORT demonstrator and will be integrated in the Control Room of the Future (CRoF) at the TU Delft. The TU Delft has developed a tool for potential impact assessment and preventative action of cascading failures using Digital Twin technology. TNO developed a Security Orchestration, Automation and Response (SOAR) tool for playbook driven automation, and set up an integrated IT and OT SOC for EPES. The SOAR tool is called SOARCAhttps://cossas-project.org/portfolio/SOARCA/ and has been released as open-source tool on TNO’s COSSAS platform.
At the upcoming Power Europe Congress 2026, 6th – 8th of May 2026, Amsterdam, Netherlands, TNO and TU Delft will present and demonstrate this part of the Dutch eFORT demonstrator on behalf of the eFORT project.
In addition, the cooperative cybersecurity incident response will also be demonstrated at the CroF at a public eFORT event on June 10th, 2026, Delft, The Netherlands. Additional information will follow soon.
eFORT Demonstrator 4: Advancing Cyber‑Resilience in Operational Energy Environments.
The Ukrainian Demonstrator (D4) of the eFORT project, implemented by JSC “Prykarpattyaoblenergo” in close collaboration with ISOLUTIONS and CIRCE, continues to evolve into a mature and scientifically valuable platform for validating cybersecurity technologies in realistic operational conditions. As the project enters its fortieth month, Demonstrator 4 has reached several important technological and organisational milestones. Ukraine’s energy infrastructure remains under persistent hybrid pressure, which increases the scientific and operational relevance of a controlled but authentic test environment capable of replicating real substation behaviour and communication flow. This environment serves as a critical validation platform for intrusion detection, network isolation, secure maintenance, and blockchain‑based resilience mechanisms being developed across the consortium.
A major achievement in this period is the installation, configuration, and integration of the SecureBox device supplied by CIRCE. SecureBox is now operational within the SCADA–RTU chain of the testbed and is directly connected to the Intelligent Platform. Its internal capabilities include secure handling of field‑level communication, intrusion detection, micro‑segmentation functions for operational networks, blockchain‑supported integrity validation, and tamper‑resistant logging. These functions are now being exercised in preliminary test cycles. The presence of SecureBox transforms the demonstrator into a realistic enforcement node capable of isolating malicious traffic, applying automated countermeasures, and supporting dynamic response behaviour during ethical cyberattack simulations.
Figure 1: Testbed and installed Secure Box.
The substation testbed provided by JSC is not a full physical digital twin, but it is a highly accurate operational replica of a real high‑voltage substation. It mirrors the complete control chain between dispatch systems and field‑level equipment, including switching infrastructure, SCADA communication channels, RTU modules, voltage measurement systems, and protection signalling based on IEC 61850 GOOSE/MMS.
This accurate architectural representation enables ethically executed cyberattack simulations to be performed without any risk to live operational assets. At the same time, it preserves all essential structural dependencies and communication flows present in real operational substations. As a result, the testbed provides a unique opportunity to observe malformed frames, spoofed commands, and protocol manipulation under safe laboratory conditions.
Case Study 1 of Demonstrator 4 focuses on cyber intrusion detection and operational continuity. Experiments carried out within the testbed demonstrate how IDS components, SIEM correlation, operator notification tools, and SecureBox enforcement interact as part of a unified defence workflow. Detection of abnormal GOOSE or MMS traffic, recognition of command manipulation attempts, and identification of complex multi‑stage intrusion patterns are all being validated within realistic operational constraints. These activities help to quantify the performance and reliability of the developed tools and highlight practical challenges in detecting low‑signal, high‑impact behaviours typical for adversaries targeting energy systems.
In parallel, Case Study 2 is expanding the visual and analytical interface of the demonstrator through the integration of blockchain‑supported resilience functions with 3D and VR environments.
Figure 2. 3D renders of substation model.
The ongoing refinement of the 3D model of the Iltsi 110/35/10 kV substation includes improved texturing, more detailed representation of equipment, and greater visual fidelity, enabling operators and researchers to interact with an immersive virtual representation of the substation. Within this environment, it becomes possible to visualise incident traces, configuration histories, and maintenance actions recorded on a blockchain ledger. This combination of visual and cryptographic verification enhances situational awareness and supports the assessment of how cyber incidents propagate through physical and logical layers of the substation architecture.
These visualisation improvements also support dissemination and communication objectives, as stakeholders who cannot access real infrastructure can still experience realistic demonstrations of attack detection, system isolation, and event reconstruction. The integration of VR/AR components with secure data provenance mechanisms improves transparency and understanding among operators, researchers, and decision‑makers. It also strengthens cross‑disciplinary cooperation between cybersecurity, energy engineering, and operational management teams.
Beyond its technical validation objectives, Demonstrator 4 provides a strong foundation for market-oriented exploitation of project outcomes. In particular, the integration of cyber-resilience mechanisms with immersive 3D and VR-enabled visualisation introduces a transferable approach to operational decision support. By enabling operators and stakeholders to interpret cyber incidents through both logical and physical layers of substations, the developed interface supports more informed management of conventional and unconventional threats, including cyber intrusions, hybrid disruptions, and cascading operational failures.
Building on the knowledge and capabilities validated in D4, this approach is being further developed and transformed into the Ukrainian cybersecurity and resilience platform CyberJab.ua. CyberJab.ua aims to provide a scalable digital environment for training, preparedness, and cyber-physical risk awareness, leveraging the validated 3D substation modelling methodology, incident traceability principles, and secure data provenance concepts demonstrated within eFORT. The platform represents a concrete pathway for national-level exploitation, as it is designed to support replication across multiple energy distribution system operators in Ukraine, enabling consistent adoption of advanced cyber-resilience practices and structured response workflows across geographically distributed infrastructures.
At the same time, the international relevance of the demonstrator outcomes creates strong opportunities for European collaboration and market expansion. CyberJab.ua is already entering the Czech Republic market through engagement in a Horizon Europe context, where the platform has been invited for use in training and educational activities targeting energy-sector stakeholders. This expansion demonstrates the broader applicability of the developed solutions and confirms that operationally grounded, visually interpretable cyber-resilience environments can provide value beyond Ukraine, supporting European operators in preparing for both conventional and unconventional threat scenarios.
Overall, Demonstrator 4 serves not only as a validation environment for advanced security technologies, but also as an exploitation catalyst, enabling the transition from research results into practical tools, services, and training capabilities that strengthen resilience across Ukrainian and European energy ecosystems.
Looking ahead, the Demonstrator 4 team will continue advancing system integration, scenario execution, and validation activities. The finalisation of the SecureBox–Intelligent Platform interface, enhancement of the 3D visualisation layers, and execution of comprehensive end‑to‑end scenario runs remain key priorities for the upcoming period. These efforts will further validate the stability, efficiency, and real‑world applicability of the solutions developed in the project. Operating under conditions that reflect real‑world constraints and threats, Demonstrator 4 continues to provide exceptional insight into how next‑generation cybersecurity capabilities can be adapted and implemented to support the resilience of future European energy systems.
Press Release: eFORT Featured in Global Power System Flexibility Monitor Insight Report Prepared for COP30
Salima Ismayilzada 29.01.2026
The eFORT project has been featured in the Global Power System Flexibility Monitor (GPFM) Insight Report series, prepared in the context of COP30, which took place in Belém, Brazil, from 10 to 21 November 2025.
Results of scenario 2 RMS diagram (frequency and voltage).
The GPFM Insight Reports compile practical tools and application cases addressing key challenges in distributed integrated renewable energy systems at the edge of the power grid. The series focuses on system stability, power quality, and intelligent digital operation and maintenance, and aims to provide practical engineering reference material for the development of safe, efficient, clean, and intelligent power systems.
Within this framework, eFORT is featured in Insight Report 2, “Tool Solutions for Key Issues in Distributed Integrated Renewable Energy Systems at the Edge of the Power Grid”, under Use Case 2.2: Solutions for Resonance and Oscillation Suppression. The eFORT contribution is presented as “Case 3: Studies on Oscillation Damping and Black-Start Strategies in Cyber-Physical Grids.”
The case is based on work developed within Task T4.4 – Algorithms and strategies for secure grid operation modes and black-start recovery, led by project partner, CIRCE – Centro Tecnológico. It summarises simulation-based research on improving stability and restoration in renewable-rich cyber-physical power systems, including studies on oscillation damping, optimisation of grid-support controllers using artificial intelligence-based techniques, and black-start and stepwise restoration strategies supported by reinforcement-learning approaches.
Eigenvalue diagram with POD-P activated.
Through its inclusion in the GPFM Insight Report series, eFORT contributes a technical application case to an international knowledge-sharing initiative addressing key challenges in renewable-intensive power systems, within the context of COP30.
The Horizon Europe–funded eFORT project aims to support the development of a resilient and secure energy system in Europe, enabling reliable electricity supply for societies and economies in the context of increasing digitalisation and renewable energy integration. The project’s overarching objective is to contribute to power grids with fewer outages and faster service restoration in the event of disruptions.
To achieve this objective, eFORT develops novel strategies and technological solutions to analyse risks and vulnerabilities and to strengthen the robustness of Electrical Power and Energy Systems. The project’s work includes the development of an intelligent platform, the use of digital twins of the power grid, data confidentiality procedures, and the application of blockchain layers across selected solutions to support secure and reliable grid operation.
The digitalization of energy systems brings unprecedented opportunities for efficiency and flexibility—but it also introduces new vulnerabilities. As more Internet of Things (IoT) devices and Distributed Energy Resources (DER) connect to the grid, attackers gain potential entry points to disrupt operations. Within the eFORT project, researchers at Universidad Pontificia Comillas have been investigating these risks for European power systems, publishing two scientific articles:
Rodríguez Pérez, N., Matanza, J., Sigrist, L., Rueda Torres, J.L., López, G., MaDIoT 3.0: Assessment of Attacks to Distributed Energy Resources and Demand in a Power System. IEEE Open Access Journal of Power and Energy. Vol. 12, pp. 552 – 563, 2025.
Rodríguez Pérez, N., Matanza, J., Sigrist, L., Rueda Torres, J.L., López, G., Confronting the threat: analysis of the impact of MaDIoT attacks in two power system models. Energies. Vol. 16, nº. 23, pp. 7732-1 – 7732-12, December 2023.
The attacks under analysis were:
MaDIoT attacks—cyberattacks that manipulate electricity demand through compromised IoT devices.
MaDIoT 3.0 attacks—a new class of attacks that simultaneously target demand-side IoT devices and DER, such as solar PV systems.
Why MaDIoT Attacks Matter
Modern power systems are increasingly dependent on digital technologies and connected devices. While this connectivity enables smart grids, demand response, and consumer participation, it also creates a larger attack surface. IoT devices—such as electric vehicle chargers, smart thermostats, and home appliances—often lack robust security features. Many use default passwords, outdated firmware, or insecure communication protocols, making them easy targets for hackers.
A MaDIoT attack leverages these vulnerabilities by coordinating thousands or even millions of compromised devices to alter electricity demand suddenly. This is not a theoretical risk: the infamous Mirai botnet attack in 2016 demonstrated how millions of IoT devices could be hijacked to disrupt internet services. In the energy sector, similar tactics could destabilize the grid.
Why is this so dangerous? Power systems operate under tight stability margins. A sudden surge in demand can:
Trigger frequency deviations: If demand rises sharply, system frequency drops. If it falls too low, generators and loads disconnect automatically to protect equipment.
Activate protection schemes: Mechanisms like Under-Frequency Load Shedding (UFLS) disconnect loads to restore balance, while Over-Frequency Generator Rejection (OFGR) trips generators if frequency rises excessively.
Cause cascading failures: In extreme cases, these disconnections can propagate, leading to widespread blackouts.
Comillas’ research compared the impact of MaDIoT attacks on two benchmark systems:
IEEE 39-Bus system (New England, USA)
PST-16 system (simplified European model)
The findings were striking:
In the IEEE 39-Bus system, attacks compromising more than 150,000 devices almost always succeeded in triggering protections.
In the PST-16 system, success ratios were lower (max ~30%), but when attacks succeeded, the impact was severe—up to 20% of demand disconnected, causing rotor angle instability and voltage collapse.
This means that success probability and impact are not the same. Smaller systems may be easier to destabilize, but larger systems can suffer catastrophic consequences under worst-case conditions. Moreover, attackers do not need deep knowledge of grid topology to cause harm—randomly targeting nodes during peak demand can still yield high success rates. As IoT adoption accelerates, MaDIoT attacks could become a real-world threat unless proactive measures are taken to secure the access to these devices.
Going Beyond Demand: MaDIoT 3.0 to Attack Demand and Generation
The second study carried out introduced MaDIoT 3.0 attacks, which combine demand-side manipulation with DER disconnection. As distributed solar PV becomes more common, attackers could exploit vulnerabilities in inverter controls or communication protocols to disconnect generation while increasing demand elsewhere.
Using the PST-16 model with 10% distributed solar PV penetration (representative of expected conditions in Southern Europe by 2030), simulations revealed:
DER improves resilience against MaDIoT 1.0 attacks: Higher initial voltages reduce success ratios and impact compared to systems without DER.
Combined attacks (MaDIoT 3.0) remain dangerous: When demand and DER are attacked together, success ratios increase significantly—especially if demand is concentrated in a few nodes. In one scenario, disconnecting 546 MW of solar PV and attacking 1.5 GW of demand caused a voltage collapse, disconnecting 2.85 GW of generation and 15% of demand.
Interestingly, the distribution of attacked demand matters more than DER. Concentrating demand attacks on three nodes had a greater destabilizing effect than spreading them across six nodes, even when the total power compromised was the same.
Key Insights for Grid Resilience
These studies highlight several critical points for operators, policymakers, and technology providers:
IoT and DER security must be prioritized: Vulnerabilities in consumer devices and inverter controls can cascade into systemic risks.
Attack success depends on system characteristics: Grid size, topology, and operational conditions influence both probability and impact.
DER integration changes the game: While DER can improve resilience against certain attacks, it introduces new attack vectors that must be secured.
Regulatory frameworks are evolving: Initiatives like the EU Cybersecurity Certification Scheme (EUCC) and the Network Code on Cybersecurity set minimum requirements for device security and cross-border risk management.
What Can Be Done?
Mitigation strategies include:
Secure-by-design IoT and DER devices: Enforce cryptographic firmware updates, authentication, and encryption.
Advanced intrusion detection systems: Use AI-driven algorithms and edge computing for real-time anomaly detection.
Collaborative cybersecurity governance: Implement information-sharing protocols under NIS2 Directive and sector-specific network codes.
Operational resilience measures: Develop coordinated response plans between DSOs, TSOs, and DER operators.
Looking Ahead
Cybersecurity in energy systems is no longer a niche concern—it is becoming a strategic pillar for the energy transition. As grids evolve into complex cyber-physical systems, the stakes are higher than ever. A single vulnerability in a consumer IoT device or a distributed solar inverter can ripple through the entire network, affecting millions of users and critical infrastructure.
The challenge lies in balancing innovation with security. Digitalization enables flexibility, demand-side participation, and integration of renewables, but every new connection is a potential entry point for attackers. This means cybersecurity must be embedded at every layer—from device design to system operation—rather than treated as an afterthought.
Research within eFORT is paving the way for a deeper understanding of these threats for energy systems and the development of robust countermeasures. By anticipating and studying risks like MaDIoT and MaDIoT 3.0 attacks, projects like eFORT contribute to the security, sustainability, and resiliency of Europe’s energy systems.
First Stability Assessment in the Italian Demonstration Case
The work carried out by our partner, Fraunhofer EMI, over the past few months has produced initial results for assessing frequency stability in the Italian Demonstration case within the eFORT project. To this end, a series of dynamic disruption simulations were performed, and the corresponding results were evaluated in terms of frequency stability. All simulations and analysis were performed using the PyDyn-EMI simulation program developed in-house by Fraunhofer EMI.
The underlying grid is a section of the 20kV distribution grid in the region around Sarentino. Approximately ten thousand consumers are connected to this section of the grid, which are supplied via the transmission grid during normal operation. In the event of an imminent failure of the transmission grid, the distribution grid is to be operated as an island grid with the help of local renewable energy sources (RES) mainly hydro, biogas and photovoltaic generators.
Groundwork by the other effort partners, Selta DP and LINKS, focused on the optimal segmentation of the distribution grid to form viable grid islands, taking online system conditions into account. Based on these results, one of the grid islands found was finally investigated from a dynamic point of view. Figure 1 shows the topology of a section of the distribution grid under consideration, which can be operated in isolation. It contains four conventional generators (hydro and biomass) and a PV system.
Figure 1: Island topology including generators.
A task that precedes the frequency of stability assessment is the dynamic modeling of the connected generators, including their control and regulation components. This was carried out in the PyDyn-EMI simulation program.
In general, if there are several generators in the island grid and the grid is weakly coupled, power oscillations can occur between the generators. Initial simulations using standard models for the generators showed precisely such oscillations as shown in Figure 2. The implementation and targeted parameter setting of so-called power system stabilizers in each of the power plants effectively eliminated the oscillations (compare Figure 3), allowing the actual analysis task, namely the frequency stability assessment.
Figure 2: Stacked generator power curves without PSS.
Figure 3: Stacked generator power curves with tuned PSS.
Another special feature of island grids is the typically high proportion of generators with low or even no inertia, which can lead to a reduction in frequency stability. This makes the investigation of frequency stability an increasingly important task. A central indicator in the context of evaluating frequency stability is the rate of change of frequency (rocof) immediately after a sudden active power imbalance occurs. Such imbalances can occur, for example, due to load steps or the outage of generators. Figure 4 shows the simulated frequency curve after the hypothetical failure of a hydroelectric power plant. The value in this example of 0.58 Hz/s is within a moderate range, based on typical limits for transmission grids. These are typically in the range of 1-2 Hz/s.
Figure 4: Frequency curves after the outage of generator 4.
Further simulations will be carried out using more realistic generator models and underlying operating conditions to enable comprehensive and reliable assessments of the frequency stability of the islands.
Not Just Technology: The Human Side of Innovation Success – Join the Social Innovation Workshop at ENLIT Europe 2025
Five Horizon projects, CHRONICLE, PROBONO, REEFLEX, eFORT, and FORTESIE, will come together at ENLIT Europe 2025 in Bilbao to host a hybrid Social Innovation Workshop titled “Not Just Technology: The Human Side of Innovation Success.” The session will explore how inclusion, trust, and citizen engagement define whether innovation succeeds – both onsite and online.
Introduction
Behind every smart grid, connected building, or renewable system lies a simple truth: technology alone doesn’t drive change – people do!
As Europe accelerates its green and digital transition, the role of social innovation has become more critical than ever. Without public trust, citizen participation, and inclusive design, even the most advanced technologies risk falling short of their potential.
Recognising this, five Horizon Europe projects, CHRONICLE, PROBONO, REEFLEX, eFORT, and FORTESIE, are joining forces at ENLIT Europe 2025 in Bilbao to host a joint Social Innovation Workshop titled “Not Just Technology: The Human Side of Innovation Success.”
Organised by Smart Innovation Norway, the event will take place on 19 November 2025 (10:00–12:00, Room 05.08+05.09, and online via Microsoft Teams). It invites researchers, industry experts, policymakers, and citizens to experience how human factors, from trust and fairness to communication and behaviour, determine whether innovation truly works in real life.
Objective & Approach
The Social Innovation Workshop aims to bridge the gap between technological excellence and social acceptance. Designed as a truly hybrid experience, it ensures equal participation for both onsite and online audiences.
Instead of traditional slides or lectures, the workshop uses interactive storytelling and dialogue. Participants will explore real-life dilemmas inspired by the five Horizon projects, touching on topics such as data ethics, inclusivity, workforce adaptation, and public trust.
One of the key interactive elements, inspired by Placemaking Maptivity, will transform technical project results into accessible, human-centred scenarios. Participants will discuss and “map” these cases according to social impact and feasibility, learning how innovation decisions affect communities, equity, and resilience.
Whether sitting in Bilbao or joining virtually, every participant will play a role in shaping the discussion, sharing insights, reflecting on values, and contributing to a shared vision of people-centred innovation.
What to Expect from the Workshop
CHRONICLE – End-User: Friend or Foe?: CHRONICLE will challenge the assumption that digitalisation automatically improves user experience. By examining how occupants interact with smart building and energy systems, the project highlights that real behaviour often defies design expectations. Participants will explore how feedback loops, empathy, and co-creation can make digital transformation more meaningful and accepted
FORTESIE – One Size Doesn’t Fit All: FORTESIE will explore how energy renovation and efficiency measures can only succeed when they reflect social diversity. Through examples from local communities, the project demonstrates that engagement is not a one-size-fits-all process, it must be tailored, inclusive, and culturally relevant. The discussion will focus on how to motivate participation across generations and socio-economic groups.
PROBONO – Why Should We Care About Jim Ryan?: PROBONO will bring storytelling to the forefront with the case of Jim Ryan, a social housing manager in Dublin. His everyday challenges managing buildings and residents show how innovation must account for maintenance realities, community relationships, and lived experience. The story reminds participants that sustainability is not just about technology, it’s about the people maintaining it.
REEFLEX – Understanding Citizens’ Needs for Flexibility: REEFLEX will share lessons from citizen engagement around flexibility markets and smart energy systems. Participants will discuss how perceptions of fairness, clarity, and local benefit shape public trust in new energy models. The project’s findings reveal that flexibility is not just technical, it’s deeply social, requiring transparency and cooperation.
eFORT – Invisible Systems, Visible Impact: eFORT will take participants into the unseen world of cybersecurity and grid resilience. The session will highlight how human understanding is crucial for the success of even the most advanced technical systems. Participants will explore how clear communication, transparency, and stakeholder engagement can turn complex resilience measures into something relatable and trusted by citizens.
Together, these five perspectives will demonstrate that innovation success depends not only on what we build but on how we involve people in building it.
Mapping Innovation Together: An Interactive Session with Placemaking Maptivity
The interactive session will also feature Placemaking Maptivity, a collaborative tool originally developed within the PROBONO project. Designed to support sustainable urban planning and citizen engagement, it enables participants to visualise how different social, spatial, and technical factors interact within real environments. Through guided mapping and dialogue, Maptivity helps identify opportunities, challenges, and trade-offs linked to innovation implementation. In this workshop, an extended version of the tool will include perspectives from all five projects and invite both onsite and online participants to collaborate in real time. Whether contributing from Bilbao or joining via Microsoft Teams, everyone will take part in shaping shared maps and reflections that connect innovation results to social impact, equity, and community acceptance.
Why Attend: In Person or Online
The Social Innovation Workshop offers a rare opportunity to explore the human side of Europe’s innovation landscape in a collaborative, creative format.
Participants will:
Experience a dynamic, discussion-based session connecting social innovation with real-world research.
Engage directly with five Horizon Europe projects addressing buildings, energy, and digital resilience.
Learn how behavioural insights, participatory design, and storytelling can strengthen technology adoption.
Network with peers at ENLIT and exchange reflections online in a live, hybrid dialogue.
Whether joining from Bilbao’s conference halls or tuning in from another country, all participants will contribute equally, sharing experiences, voting on scenarios, and shaping conclusions together.
Conclusion
The Social Innovation Workshop at ENLIT Europe 2025 will challenge the idea that innovation success is purely technical. It will show that inclusion, fairness, and trust are the real foundations of progress.
Join us in Bilbao or online for a hands-on, people-centred conversation on how Europe’s leading projects are redefining what innovation means – from grids and buildings to communities and lives.
From Threat Classification to Dynamic Risk Assessment: How eFORT is Building Resilient Power Systems
Europe’s power systems are facing increasing challenges from both natural and cyber threats. To protect the reliability of the electricity supply, it is not enough to react to crises, operators must anticipate, classify, and dynamically manage risks.
Within the eFORT project, two key deliverables demonstrate how this process is unfolding: D2.1 (Characterization and Classification of EPES Threats) and D3.1 (Results of Dynamic Risk Assessment Tools). Together, they illustrate how systematic threat identification feeds into innovative tools for continuous resilience management.
Mapping the Threat Landscape (D2.1)
D2.1, led by our partner, HYPERTECH, focused on building a consolidated picture of the threats facing Electrical Power and Energy Systems (EPES). Drawing on literature reviews and expert surveys across Europe, the study identified vulnerabilities related to:
Natural hazards such as windstorms and ice storms.
Technological risks including operational faults and DER integration.
Human-caused threats, with a growing emphasis on advanced cyber-attacks.
The results were prioritised using a risk scoring and heat map approach, which highlighted that cyber threats and distributed energy resources (DERs) are emerging as top concerns, alongside climate-related risks.
Building on these insights, D3.1, led by our partners, RINA-C, FRAUNHOFER and COMILLAS, developed a Dynamic Risk Assessment (DRA) methodology. Where D2.1 provided a static classification of threats, D3.1 created the tools to monitor them continuously.
The DRA integrates:
Physical risk assessment modules (asset health and hazard exposure).
Power network stability analysis (anticipating cascading failures).
Cyber risk evaluations (including MaDIoT attacks via IoT devices).
This transition from classification to dynamic monitoring ensures that vulnerabilities are not just identified once but are constantly reassessed in light of evolving threats.
The Link Between the Two
Without the foundational work of D2.1, the development of the DRA in D3.1 would lack context. The prioritization of threats in D2.1 directly informed the design of the risk modules in D3.1. For example:
The prominence of cyber risks in D2.1 justified the inclusion of a dedicated cyberattack evaluation module in the DRA.
The identification of DER-related vulnerabilities in D2.1 influenced the DRA’s focus on distributed generation and IoT-enabled devices.
The risk heat maps from D2.1 provided a baseline against which dynamic risk monitoring could be benchmarked.
Why This Matters for Resilience
eFORT shows how research and innovation work hand in hand:
Research (D2.1) maps the problem space.
Innovation (D3.1) develops tools to address it in real time.
Together, they provide a pathway for operators to prioritize resources, anticipate disruptions, and safeguard the continuity of Europe’s electricity supply.
Conclusion
The outcomes of D2.1 and D3.1 continue to inform other work packages in eFORT, from cascading effects analysis to self-healing grid development and standardization guidelines. Resilience measures are grounded in both empirical evidence and cutting-edge tools.
The journey from characterizing threats to dynamically assessing them demonstrates eFORT’s holistic vision for grid resilience. Through this interconnected work, the project responds to today’s vulnerabilities and also anticipates tomorrow’s challenges, ensuring Europe’s energy systems remain reliable, secure, and adaptable.
Press Release: eFORT – Strengthening Europe’s Power Grids for a Resilient and Secure Future
Abstract
The Horizon Europe project eFORT is developing secure-by-design solutions to protect Europe’s power grids against cyberattacks, physical hazards, and extreme weather. With 23 partners across nine countries and four pilot sites, eFORT combines digital twins, AI, blockchain, and intrusion prevention to safeguard citizens, businesses, and operators while supporting Europe’s sustainable energy transition.
eFORT project video
Introduction
Electricity is the backbone of modern society, powering our homes, businesses, hospitals, and digital infrastructure. Yet Europe’s power grids are facing increasing pressure as they become more interconnected and digitised. From cyberattacks to extreme weather events, disruptions can lead to costly blackouts and widespread instability.
The eFORT project, funded under the Horizon Europe programme brings together 23 partners from nine European countries to tackle this challenge. Running from September 2022 to August 2026, eFORT is developing innovative tools to make electricity systems more secure, reliable, and sustainable.
Methodology
At its core, eFORT follows a two-pronged approach:
Identify vulnerabilities in Europe’s transmission and distribution networks.
Deploy cutting-edge solutions that detect, prevent, and mitigate risks in real time.
The project is guided by a secure-by-design philosophy, ensuring that protection is built into systems from the ground up. eFORT’s solutions integrate:
Intelligent Platform – a cloud-based hub for vulnerabilities databases, risk assessment, and real-time grid monitoring.
Digital Twins – virtual models of the grid, continuously updated with real data.
Blockchain – to enhance trust, resilience, and transparency in grid transactions.
AI-based Control Algorithms – for dynamic stability and self-healing capabilities.
Intrusion Detection & Prevention Systems – to safeguard against cyber threats.
SecureBox – a localised defence system that protects assets such as substations and smart meters.
Results & Discussion
Although the project is ongoing, eFORT is already shaping how Europe thinks about grid resilience. Its solutions will be tested and validated across four pilot sites that reflect diverse challenges:
Spain – addressing cybersecurity threats in critical network infrastructure.
Italy – deploying grid islanding algorithms to secure supply in remote areas.
The Netherlands – protecting interconnected networks against cascading failures and European-wide blackouts.
Ukraine – enhancing cybersecurity in digital substations to protect critical infrastructure.
These demonstrations will ensure that eFORT’s tools are tested in real-world environments, achieving a technology readiness level (TRL) of 5–6.
Conclusion
As Europe advances towards a low-carbon, digital future, the resilience of its electricity systems is paramount. eFORT provides a pioneering suite of solutions, from AI and blockchain to SecureBoxes and digital twins, to future-proof Europe’s grids.
With its multinational consortium, strong technical foundation, and real-world pilots, eFORT is building the foundation for a more secure, reliable, and sustainable energy system. The results will not only benefit citizens and businesses but also support Europe’s long-term energy and climate goals.
eFORT Intelligent Platform(D4.3) Released: A Practical Step Towards Resilient, Cyber-Secure Grids
The eFORT consortium has delivered D4.3 – eFORT Intelligent Platform, a working demonstrator that helps operators make sense of substation data in real time and react faster to incidents. Built and hosted by the eFORT partner, SIA, on SIACloud, the platform securely ingests field telemetry and intrusion-detection events, normalises them, and provides an operator-friendly view with alerts and supporting tools. From September onwards, the demonstrator will be exercised with real data from the demo sites, allowing partners to validate functionality under realistic conditions and fine-tune where needed.
What the platform does
Secure data ingest, one place: Field devices and partner tools send JSON to the platform over HTTPS/VPN using opaque company tokens (no JWT, no signing).
Two data families, one view: The platform handles RTU telemetry (equipment status and measurements) and IDS events (e.g., IEC 61850 GOOSE anomalies).
Actionable alerts: Entries are flagged as alerts when (i) an engineered threshold is breached, (ii) the anomaly-detection model sees unusual behaviour, or (iii) an incoming IDS event is explicitly marked as alarm. Operators can see what triggered each alert at a glance.
Operator-first UI: Clear dashboards, an alerts panel (view/acknowledge), and utilities for islanding-related data management round out day-to-day operations.
Interoperability by design: Field data are aligned with IEC 61850 logical-node naming, while security controls follow IEC 62351 recommendations at transport and access layers.
How it fits within effort
The Intelligent Platform is the integration point where different eFORT partners outcomes meet practical operation: RTU telemetry and IDS insights feed a unified backend; operator workflows are exercised through the UI; and Communication & dissemination activities can showcase a tangible, running artefact. Importantly, the build balances demonstrator pragmatism (simple token model, curated feature set) with a clear path to production (role-based access, company scoping, and a cloud architecture that can scale).
What’s new or distinctive
Clarity for integrators: The ingest contract is intentionally simple. This keeps partner implementations straightforward while preserving a clean operator experience.
Standards in practice: With support from Schneider Electric, the team validated logical-node conventions and security profiles using representative IEC 61850 traffic, helping to ensure a smooth bridge between legacy substation protocols and modern cloud APIs.
Environments ready for pilots: SIACloud provides three dedicated environments (LAB, INT, DEMO), reachable via site-to-site VPN. The demonstrator is already deployed and will host upcoming pilot data.
What’s next
From September 2025, the partners will run the demonstrator with real datasets and network conditions from the demo sites. The focus will be on confirming end-to-end ingest, checking alert fidelity, and collecting operator feedback. Minor software/documentation adjustments may follow, but the goal remains the same: a usable, realistic platform that improves grid visibility and response.
Learn more
Deliverable 4.3 is accompanied by a User Manual (operator-focused), an Administrator Manual, a Technical System Documentation and an Integration Manual for API clients. Together, they provide the “how-to” needed for pilots while keeping the demonstrator footprint clear and reproducible.
New Study by CERTH and CIRCE for Power System Resilience Enhancement
The new Conference publication by CERTH and CIRCE, entitled “Power System Resilience Enhancement and Restoration Strategies” has been presented in the 25th International Conference on Environment and Electrical Engineering (EEEIC), held in Chania Crete, in July 2025.
The motivation behind this research is the fact that the ongoing energy transition promotes digitized and decentralized systems which can be vulnerable to cyber and physical disruptions. Therefore, it is critical to have a plan against such threats.
In this context, the CERTH-CIRCE cooperative paper, which will also be published IEEE’s website, presents a multi-layered approach for power system resilience enhancement and restoration, comprising:
CERTH/ITI’s real-time cyber monitoring tool, eSIEM, which collects data and calculates each asset’s health, also utilizing vulnerabilities databases, hypothesis reports and past mitigations action databases.
CIRCE’s oscillation dumping controller, for high voltage applications, which, according to PowerFactory simulations, can eliminate coordinated attacks that would propagate in the entire power system and challenge its stability, even causing a blackout, and
CERTH/CPERI’s black start optimization algorithm, in case a blackout happens, for medium voltage applications, considering a back-up generator, photovoltaics, a battery, critical and regular loads. The optimizer is verified with PowerFactory, proving the effectiveness of the proposed solution.
The Figure of the black start process, developed by the first author, Alexandros Kanousis, shows the steps towards power system restoration, with special focus on system stability as well as the optimal utilisation of photovoltaic production.
The authors of the research paper are Alexandros Kanousis, Maria Fotopoulou, Marta Bernal Sancho, Gonzalo Martin Sanchez Escriche, Georgios Rizos, Paschalis Gkaidatzis, Dimitrios Rakopoulos, Dimosthenis Ioannidis, and Dimitrios Tzovaras, and this study is a result of their cooperation in eFORT, especially at the stage of developing the algorithms that underpinned the project’s solutions implementation.
