NREL Develops Cybersecurity Tool To Flag Threats for Grid

Nov. 7, 2022 | By Connor O’Neil | Contact media relations

Stock image of transmission tower.

Cybersecurity is gaining significant importance on the power grid as more distributed energy resources (DERs) are connecting to operational technology (OT) networks. Visualizing network behaviors and flagging anomalies on the grid network is crucial to manage and mitigate cybersecurity threats while considering the increasing installation of DERs—such as solar, wind, or battery—in numbers and complexity.

With support from the U.S. Department of Energy Office of Cybersecurity, Energy Security, and Emergency Response and in collaboration with Eaton, the National Renewable Energy Laboratory (NREL) developed a unique intrusion visualization tool, IViz-OT, which can locate and visualize stealthy anomalies on the electrical grid. The work was funded through the Technology Commercialization Fund, a program within the DOE Office of Technology Transitions.

Diagram of cybersecurity software connected to power system showing power lines and communication traffic between Smart grid operator, energy supplier, industrial, power transmission, commercial, residential, SCADA traffic, HIDES, IVis-OT, and visualization.
Utility operators need new solutions to monitor and manage grid threats. IViz-OT is commercially available software that tracks and visualizes distribution system alerts for modern, real-time cybersecurity.
A simplified explanation of how the cybersecurity software works, which includes grid operators, grid devices/communication gateways, IViz-OT, Hybrid Instrustion Detector for Energy Systems tool.

Key Features of IViz-OT:

  • Visualizes alerts to support situational awareness for grid operators
  • Maps alerts to possible scenarios
  • Customized application programming interface (API) and supports the integration of alert scenarios and databases
  • Compatible with vendor devices.

Key Features of HIDES:

  • Detects both IT- and SCADA-specific attacks
  • Aggregates data to integrate cyber logs and grid information
  • Visualizes grid on the dashboard to provide situational awareness.

"This is a much-needed tool to bridge the valley of death between research-and-development innovations and technology commercialization," said Vivek Kumar Singh, an NREL senior cybersecurity researcher who is leading the effort. "IViz-OT is hardware agonistic, scalable through virtualization, compatible, and supports plug-and-play functionality."

Existing cybersecurity solutions are mostly designed for information technology (IT)-based applications and are not directly suitable for OT-based networks. The IViz-OT tool is an advanced threat finder and interprets cyber and physical events on the grid. It uses grid information and network data to deliver real-time state awareness to system owners and operators. The current market lacks such a technology, which can provide defense-in-depth visualization using analytical approaches.

"We identified a market need, built a prototype technical solution, and worked with industry to mature it into viable technology," said Dane Christensen, NREL group manager of cybersecurity science and simulation.

IViz-OT works with the NREL-developed Hybrid Intrusion Detector for Energy Systems (HIDES) to process grid information, detect intrusions, and create a log of alerts. The generated log from HIDES is not necessarily human-readable, so IViz-OT decrypts the alert log into simple scenarios that are easy to understand by operators.

As alerts come in from HIDES, IViz-OT screens cyber and physical data to determine the nature, cause, and location of an anomaly. IViz-OT provides a deeper level of intelligence by correlating events over time. This way, multiple or ongoing events can be recognized and flagged as a wider problem—a sort of meta-analysis that uncovers the true scope and source of issues.

A visualization of cyber and power flow.
NREL's cyber range can visualize emulated power systems. This capability was used to validate IViz-OT and ensure that its alerts reflected activity on the grid.

IViz-OT and HIDES have been tested and validated in the NREL cyber range, where cyber-physical experiments can be customized and visualized. The cyber range setup mimicked a small distribution system, which used hardware and several emulated devices like an electric vehicle charging equipment meter, a power inverter, and site meters. The cyber range allows engineers to visualize the power and communications flow in 3D to witness how IViz-OT and HIDES would respond to various real attacks. Although further developments are planned, IViz-OT is ready for deployment and available for license. Interested organizations can apply to use IViz-OT via the Department of Energy's Lab Partnering Service.

To learn more about these tools, connect with Vivek Kumar Singh at

Tags: Energy Security and Resilience,Grid Modernization