Received today - 6 April 2026

All emerging cyber threats targeting power infrastructure at a glance

Researchers in Morocco analyzed cybersecurity challenges in smart grids, highlighting AI-driven detection and defense strategies against threats like distributed denial-of-service, false data injection, replay, and IoT-based attacks. They recommend multi-layered protections, real-time anomaly detection, secure IoT devices, and staff training to enhance resilience and safeguard power system operations.

Researchers at Morocco's Higher School of Technology, Moulay Ismail University, have conducted a comprehensive analysis of emerging cybersecurity challenges in power systems and detailed recent advances in detection and defense strategies.

Their work emphasizes the growing role of AI in enhancing control, protection, and resilience in modern smart grids. It also classifies cyber threats by origin, impact, and affected system layers to provide a structured understanding, and reviews machine learning and optimization-based intrusion detection systems (IDSs) for power systems.

The researchers highlighted that renewable smart grids face diverse cyber threats that can disrupt operations and compromise data. Distributed denial-of-service (DDoS) attacks, for example, flood networks with traffic, blocking legitimate access and delaying control actions, while data integrity attacks manipulate sensor or control data, causing incorrect decisions or blackouts.

Additionally, replay attacks retransmit intercepted data to confuse the system, and false data injection attacks subtly alter real-time data to mimic normal operations while disrupting the grid. Covert attacks inject hidden signals that manipulate system behavior without detection, whereas IoT device-based attacks exploit vulnerabilities in meters or sensors to spread malware, steal data, or launch DoS attacks.

Finally, zero dynamics attacks leverage system models to generate hidden signals that leave output measurements unchanged but affect operations, posing sophisticated stealth threats to smart grid security.

The researchers warned that while smart grids have improved energy efficiency and flexibility through advanced communication tools and distributed energy sources, they have also introduced new cyber vulnerabilities. Threats such as phishing, malware, denial-of-service (DoS) attacks, and false data injection (FDI) can disrupt operations, compromise data, and damage infrastructure.

They recommend implementing defense strategies that maintain confidentiality, integrity, and availability, while also incorporating authentication, authorization, privacy, and reliability. Machine learning and data-driven intrusion detection systems can help identify anomalies and detect FDI attacks in real time, particularly in smart grids and industrial control systems such as SCADA, which rely on accurate sensor measurements for state estimation.

The research team also encouraged energy asset owners and grid operators to adopt substation security measures and protocol vulnerability analyses to detect risks at the hardware and network levels. Blockchain, distributed ledgers, and Hilbert-Huang transform methods are highlighted as tools to further strengthen cybersecurity.

IoT devices, including sensors and smart meters, should be secured with strong authentication, safe boot procedures, frequent firmware updates, and standardized security across manufacturers. Sensitive grid data should be protected using techniques such as homomorphic encryption to maintain confidentiality during storage and transmission.

“A multi-tiered security approach that includes firewalls, intrusion detection systems, and network segmentation can enhance grid resilience. Extracting critical elements from vulnerable IoT devices and leveraging redundant control channels ensures operational continuity during attacks,” the researchers stated.

Machine learning and anomaly detection systems should be deployed to enable real-time identification of irregular activities, including FDI and malware propagation. Standardized protocols and rapid incident response measures should also support collaboration among grid operators, IoT manufacturers, and regulators, facilitated by information-sharing platforms.

The researchers emphasize that human-centered attacks, including phishing and social engineering, remain significant threats, but these can be mitigated through regular staff and user training.

The review was presented in “Cybersecurity challenges and defense strategies for next-generation power systems,” published in Cyber-Physical Energy Systems.

New intrusion detection systems boost protection of SCADA systems against cyber threats

An international research team developed two deep learning-based IDS models to enhance cybersecurity in SCADA systems. The hybrid approach reportedly improves detection of complex and novel cyber threats with high accuracy, adaptability, and efficiency, outperforming traditional methods across multiple datasets.

A Saudi-British research team has developed two new deep learning-based intrusion detection systems (IDSs) that can reportedly improve the cybersecurity of SCADA networks.

In large-scale solar power plants, SCADA systems play a vital role by overseeing energy generation, monitoring the performance of solar panels, optimizing output, identifying potential faults, and maintaining smooth overall operations. In essence, they act as the central system that converts raw solar data into practical control decisions, ensuring the plant operates safely, efficiently, and profitably.

The scientists explained that current cybersecurity frameworks are often inadequate for SCADA systems because they cannot fully cope with the complexity and constantly evolving nature of modern cyber threats. Most existing approaches rely on signature-based detection, which depends on prior knowledge of attack patterns and therefore fails to detect zero-day exploits or novel intrusion techniques.

To address this limitation, the researchers considered deep learning methods, as these techniques can process large volumes of data, identify complex patterns, and enable more proactive threat detection.

“Such capability of handling and analyzing big data is particularly useful during scenarios when SCADA systems are generating huge streams of real-time data, including sensor readings, control commands, and other system logs,” they explained. “Furthermore, deep learning methods, especially convolutional neural networks (CNNs) and recurrent neural networks (RNNs), have shown outstanding performances in the detection of complex attack scenarios with sequential or spatial patterns in data.”

The proposed approach integrates two new IDSs, named the Spike Encoding Adaptive Regulation Kernel (SPARK) and the Scented Alpine Descent (SAD) algorithm. By leveraging their complementary strengths, the method reportedly improves spike-threshold accuracy while enhancing adaptability and robustness under dynamic conditions.

The SPARK model introduces adaptive spike encoding by dynamically adjusting thresholds based on input signal characteristics. It uses advanced statistical methods to respond to variations in neural input, improving sensitivity to changes in intensity and frequency. By integrating both temporal and spatial features, SPARK enhances information encoding, especially for complex datasets. Unlike traditional fixed-threshold methods, it provides context-aware thresholding, improving accuracy and reliability.
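An added illustration of the fixed-versus-adaptive threshold contrast described above; it is not the SPARK algorithm and not code from the paper. A rolling median and median absolute deviation are an assumed stand-in for "adjusting thresholds based on input signal characteristics", and the trace, window size and multiplier are constructed for the example.

```python
from statistics import median

PATTERN = [0.0, 1.0, -1.0, 0.5, -0.5]  # deterministic stand-in for sensor noise


def build_trace():
    """Constructed trace: quiet regime, then noisy regime, two injected anomalies."""
    xs = [50.0 + (0.2 if t < 60 else 2.0) * PATTERN[t % 5] for t in range(120)]
    xs[40] += 1.5    # small anomaly while the signal is quiet
    xs[100] += 12.0  # large anomaly while the signal is noisy
    return xs


def spike_times(xs, window=20, fixed=None, k=3.0, floor=0.05):
    """Return indices where a reading deviates from the rolling median by more
    than the threshold. fixed=None selects the adaptive threshold k * sigma,
    with sigma estimated from the window's median absolute deviation (MAD)."""
    spikes = []
    for t in range(window, len(xs)):
        hist = xs[t - window:t]
        base = median(hist)
        if fixed is not None:
            thr = fixed
        else:
            mad = median(abs(v - base) for v in hist)
            thr = max(floor, k * 1.4826 * mad)  # 1.4826 scales MAD to sigma
        if abs(xs[t] - base) > thr:
            spikes.append(t)
    return spikes


if __name__ == "__main__":
    trace = build_trace()
    for label, kwargs in [("fixed 3.0", {"fixed": 3.0}),
                          ("fixed 0.8", {"fixed": 0.8}),
                          ("adaptive", {})]:
        hits = spike_times(trace, **kwargs)
        print(f"{label:9s} {len(hits):2d} spikes, first ten: {hits[:10]}")
```

On this constructed trace the loose fixed threshold misses the small anomaly in the quiet regime and the tight one flags 48 normal samples once the noise rises. The adaptive threshold catches both anomalies but raises a short burst of alarms while its window adjusts to the new noise level, which is the trade-off to tune for.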

The SAD algorithm complements SPARK by offering an optimization strategy inspired by olfactory navigation, which is the process by which animals and organisms use odor cues to locate food, mates, or home, and Lévy flight behavior, which is a strategy observed in many animal species to randomly search for a target in an unknown environment. This purportedly enables efficient exploration of solution spaces and avoids local minima, ensuring optimal threshold selection.

The hybrid approach can dynamically adjust and optimize spike thresholds simultaneously, surpassing conventional static or isolated approaches, according to the scientists, who noted that the SPARK model is well-suited for SCADA and IoT systems due to its scalability, real-time adaptability, and efficient data handling. Additionally, its lightweight design reduces computational overhead and false positives, making it effective for resource-constrained environments.

“SAD is complementary to SPARK in the sense that it focuses on improving the detection accuracy while maintaining computational efficiency,” the researchers emphasized. “SAD's anomaly scoring mechanism can be integrated into this framework to add another layer of detection, which can run parallel with SPARK. In effect, integrating the deep learning models into the scoring mechanism means that SAD would enable a much more fine-grained analysis of attack patterns with little noticeable impact on performance for the SCADA system in question.”

The researchers used multiple benchmark datasets to evaluate SCADA intrusion detection performance, including the Secure Water Treatment (SWaT) testbed, Gas Pipeline, WUSTL-IIoT, and Electra. These datasets capture diverse industrial environments, attack types, and operational conditions, enabling comprehensive testing. They also include time-series sensor data, actuator commands, and labeled attack scenarios such as denial-of-service (DoS), distributed denial-of-service (DDoS), malware, and injection attacks.

The diversity of datasets ensured accurate modeling of both normal behavior and complex anomalies in SCADA and IIoT systems, according to the research team. Standardized preprocessing, training, and evaluation procedures also enabled comparison across all tested models. Cross-validation and controlled training conditions, meanwhile, reportedly prevented bias and ensured reliable generalization results. Visualization tools such as histograms, loss curves, and confusion matrices provided insights into model behavior and anomaly detection.

The SPARK model was found to consistently demonstrate “superior” performance, achieving high accuracy, precision, and recall across datasets. It outperformed traditional machine learning and deep learning approaches in detecting diverse intrusion types.

“The findings underline, in summary, that the SPARK and SAD models are basically the final frontier in modern intrusion detection,” the scientists said. “Distinctly designed to provide improved detection capabilities and operational efficiency, the two designs also chart a way into more resilient and intelligent security solutions for modern industrial controlled systems (ICSs) and Internet-of-Things (IoT) networks.”

The novel IDSs have been presented in “SPARK and SAD: Leading-edge deep learning frameworks for robust and effective intrusion detection in SCADA systems,” published in the International Journal of Critical Infrastructure Protection. The research team comprised academics from Leeds Beckett University in the United Kingdom and King Abdulaziz University in Saudi Arabia.
