How can regulatory authorities define and monitor the energy sector's cyber resilience?

The energy transition leads to the decentralization and flexibilization of energy systems. This requires more and more automation and communication between the different players.
Increased automation and interconnectivity significantly increase the attack surface for cyber attackers and can thus potentially lead to new dangers for the system. Due to the decentralization of the system, even small actors can now be system critical.
An important question in this context is for regulatory bodies on

how to define and monitor the energy sector's resilience to cyber-attacks.

Suitable IT security regulations have to make a delicate trade-off between sufficient protection levels and manageable operation costs. Especially, when more and more decentral actors are involved, simply targeting maximum security for everything is practically difficult and very costly.
Structurally similar challenges for regulators exist in the financial sector. Here, the European Central Bank (ECB), as the regulator, assesses the financial system's stability and its resilience to external shocks with model-based stress tests. They involve simulating various crisis scenarios, analyzing the interactions and consequences for different interconnected institutions, and adjusting safety (capital) requirements accordingly.
The CyberStress project aims to

develop a concept to transfer the idea of stress tests to the electricity sector.

In addition to the development of a general stress test methodology, a first exemplary stress test for the scenario "IT attack on distributed devices with high power outside the control of the grid operators" will be examined in more detail.
The research work of CyberStress will be conducted jointly by the partners combining their diverse expertise. The research will first define the requirements and relevant scenarios of such an energy sector stress test. Further, a multi-level model of the energy sector regarding electricity, information, and economics is proposed, and new algorithmic approaches are developed for identifying critical players in the sector. Possible damage effect chains of the scenarios and corresponding countermeasures are identified and modeled for the different levels of the energy sector. This quantitative modeling is accompanied by studying and proposing an organizational and legal framework for such stress tests. Finally, a stress test for an exemplary representation of the energy sector is conducted according to the defined scenarios.

The project will provide the national regulatory authorities with an academically and realistically sound methodology for designing and conducting stress tests for the power system. Utilizing such a stress test of the power system, focusing at first on distributed IoT cyberattacks, the security of supply and the protection of society will be strengthened.

Project CyberStress

Model-based Stress Tests for cyber-secure Energy Networks (German: Modellbasierte Stresstests für Cybersichere Energienetze)

Funded by the German Ministry of Education and Research (German: BMBF) within the Civil Security Research Program (

Grant No.: 13N16626

Duration: 05/2023-04/2026

Partners: Technical University Darmstadt (lead), Goethe-Universität Frankfurt am Main, e-netz Südhessen AG, QGroup GmbH, Federal Network Agency (German: BNetzA, associated), Amprion GmbH (associated).

Participating labs at the TU Darmstadt: Energy Information Networks & Systems (lead), Power Electronics and Control of Drives (German: LEA).