The Grid Doesn’t Know It’s Been Opened
The connected energy attack surface isn’t just larger. It’s structurally different, and the architecture is moving faster than the defenses behind it.
For most of its history, the dominant security assumption of the power grid was not zero connectivity, but constrained reachability. The most critical operational systems (PLCs, RTUs, SCADA systems, and substation controllers that actually govern physical infrastructure) were supposed to be isolated, specialized, locally administered, and difficult for outside adversaries to touch directly. Dial-up modems existed. Vendor remote access existed. Serial gateways and leased lines existed. But the architecture oriented itself around minimizing exposure rather than managing it, and for a long time that orientation held.
The assumption underneath it was that constrained reachability was a durable condition, not a posture that could be quietly dissolved by business decisions made far up the stack.
That assumption is gone. The industry knows it, but the operating model has not fully caught up.
Three Layers, One Surface
The connected energy attack surface has three distinct layers, and for a long time the security community treated them as separate problems. They aren’t anymore. They’re touching each other in ways that weren’t designed, at a pace that wasn’t planned, and the convergence is where the real exposure lives.
The first layer is the legacy OT/ICS environment: the substations, distribution automation systems, energy management platforms, and control centers that form the backbone of grid operation. This infrastructure was designed for reliability and determinism, not for network-connected operation. Its security model was the air gap. That gap has been eroding for decades as utilities added remote monitoring, vendor connectivity, and network-accessible historian systems: slowly, incrementally, often without a full accounting of what was being opened.
Volt Typhoon made the cost of that erosion visible.
Starting no later than mid-2021, a Chinese state-sponsored threat actor targeted and compromised U.S. critical infrastructure environments across sectors including energy, water, communications, and transportation. The tradecraft didn't depend on novel malware. The actor used legitimate administrative tools already present in the environments it penetrated: PowerShell, WMIC, certutil. Living off the land. Blending into normal operational traffic.
At Littleton Electric Light and Water Departments, a small Massachusetts utility, Dragos later described an intrusion attributed to Voltzite (which overlaps with the broader Volt Typhoon activity cluster) that persisted for more than 300 days, from February to November 2023. There was no outage. That is precisely the point. The actor was not there to cause immediate disruption. Dragos assessed the objective as pre-positioning: collecting GIS data, network diagrams, and operating instructions. Building a target package. U.S. agencies have warned publicly that PRC state-sponsored actors are seeking to pre-position on critical infrastructure networks for potential disruptive or destructive action during a future crisis or conflict. The access was the objective: not what they did with it, but that they held it undetected across months and retained the option to act.
A December 2023 court-authorized operation, announced publicly in January 2024, disrupted the KV Botnet infrastructure Volt Typhoon used to conceal its activity. The disruption did not end the campaign. Researchers later reported that Volt Typhoon had begun rebuilding KV Botnet infrastructure, and U.S. agencies continued to frame the activity as an active pre-positioning threat against critical infrastructure.
That’s the first layer. It’s the one the security community has at least begun to focus on. The other two are where the structural exposure is accelerating.
The Edge Exploded
The second layer is the grid edge, and it grew faster than anyone planned to secure it.
Distributed energy resources (solar inverters, battery storage systems, smart meters, EV charging infrastructure, demand response controllers) are now embedded throughout the distribution grid at scale. They didn’t exist in meaningful numbers a decade ago. Today there are millions of them, and the deployment pace is accelerating with every new renewable interconnection, every new EV, every behind-the-meter storage installation.
Each of these devices has two properties the OT infrastructure it sits alongside was never designed to accommodate: cloud connectivity and updateable firmware. They’re managed remotely, often by third-party platforms. Their software changes. Their configurations change. Their operational parameters change, sometimes through automated dispatch signals from DERMS platforms, sometimes through firmware updates pushed by the manufacturer, sometimes through both simultaneously.
In 2024, attackers reportedly hijacked roughly 800 Contec SolarView Compact remote monitoring devices used at Japanese solar facilities by exploiting known vulnerabilities. The incident did not shut down generation, but it demonstrated how widely deployed, internet-exposed monitoring equipment can be repurposed at scale. The grid edge is not just a target of direct attack; it is a reservoir of accessible devices available to adversaries with other objectives.
In December 2025, CERT Polska reported coordinated destructive cyberattacks targeting more than 30 wind and photovoltaic farms, a manufacturing company, and a large combined heat and power plant serving nearly half a million customers. The attacks disrupted communications and remote-control capability at renewable sites. Electricity production and heat supply were not interrupted. The significance of that outcome is worth sitting with: the attacks were destructive enough to sever the operational link between grid operators and a large fleet of renewable assets, without producing an outage that would have been immediately visible to the public. That is not necessarily a failed attack. It is what a rehearsal can look like.
The attack geometry here is different from the legacy OT model. You're not trying to penetrate a hardened substation. You're identifying the weakest device in a widely deployed class (a specific inverter firmware version, a smart meter with a default credential, an EV charger whose API was never designed to be internet-accessible) and then determining how many of that device type are deployed. The answer, in any mature DER market, is: a lot. Enough to matter physically when coordinated.
The Orchestration Layer
The third layer is the cloud management platform: the DERMS, VPPs, and EMS systems that sit above the device layer and provide dispatch, optimization, and monitoring across large portfolios of distributed assets. This is where the economics of the energy transition are realized. Aggregating thousands of distributed resources into a single dispatchable portfolio requires centralized orchestration. That layer is, by definition, connected: to the field devices it manages, to the grid operators it coordinates with, to the cloud infrastructure it runs on.
It is also, by definition, the highest-leverage point in the architecture from an adversary’s perspective.
Compromising an individual inverter is interesting. Compromising the system that sends dispatch signals to ten thousand inverters is something else. Control over aggregated dispatch authority is not a data theft problem. It’s a grid stability problem. An adversary with the ability to simultaneously drive a large enough DER fleet to disconnect, to inject reactive power in a coordinated pattern, or to pull load at scale has a physical effect on the bulk electric system that bypasses every assumption baked into grid stability models.
The Compliance Model Can’t Hold
This is where the structural problem lives.
NERC CIP is the primary regulatory framework governing cybersecurity for the North American bulk electric system. It is not a simple checklist. It includes recurring controls, evidence retention requirements, change management obligations, vulnerability assessment cycles, incident response planning, and supply-chain risk management. That is a serious framework.
But its audit-and-evidence model is built to demonstrate that required processes existed and were followed over a review period. That is different from proving, continuously, that the operational state of every connected asset still matches the risk model.
The problem is that the systems it governs don’t stay in the state they were in when compliance was demonstrated.
Firmware gets updated. Network configurations change. New devices connect to existing infrastructure. Vendor remote access credentials provisioned for a specific maintenance window don’t always get deprovisioned. Assets that were outside CIP scope at the time of categorization have since been aggregated into portfolios that affect bulk system reliability. The gap between the compliance record and the actual operational state keeps growing, quietly, until something happens.
This is Assumption Decay at grid scale.
The attestation model assumes that what was true at the point of certification remains true. In a continuously updated, software-defined, cloud-connected grid, that assumption decays from the moment it’s made. The decay is systematic, not exceptional. It is the normal operating condition of the modern connected energy environment.
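The four forms of drift listed above (firmware changes, new devices appearing, vendor access that outlives its maintenance window, out-of-scope assets that have quietly aggregated into something that matters) are all mechanically checkable if the certified snapshot and the live state are both held as data. The script below is an added illustration, not a tool from any utility, vendor or regulator: it diffs a constructed baseline against a constructed observed state, emits one finding per drift condition, and hash-links the findings so the evidence record itself cannot be quietly edited. Every asset name, firmware version, account and the 75 MW aggregation threshold are hypothetical.

```python
"""Drift check between a certified baseline and observed runtime state.

Added illustration only. Asset names, versions, accounts and the threshold
are constructed for the example and do not describe any real utility.
"""
from __future__ import annotations

import hashlib
import json
from datetime import datetime

# --- constructed sample data (hypothetical utility) -------------------------
CERTIFIED_BASELINE = {
    "snapshot_time": "2024-03-01T00:00:00Z",
    "assets": {
        "sub-07-rtu": {"firmware": "4.2.1", "cip_scope": "medium"},
        "feeder-12-recloser": {"firmware": "2.0.9", "cip_scope": "low"},
        "derms-node-a": {"firmware": "11.4.0", "cip_scope": "none", "aggregated_mw": 35},
    },
    # vendor account provisioned for one maintenance window
    "vendor_access": [{"account": "vendor-acme-maint", "window_end": "2024-03-05T00:00:00Z"}],
}

OBSERVED_STATE = {
    "observed_time": "2025-08-14T10:22:00Z",
    "assets": {
        "sub-07-rtu": {"firmware": "4.3.0", "cip_scope": "medium"},          # firmware moved
        "feeder-12-recloser": {"firmware": "2.0.9", "cip_scope": "low"},
        "derms-node-a": {"firmware": "11.4.0", "cip_scope": "none", "aggregated_mw": 120},  # grew
        "inv-gw-0419": {"firmware": "1.0.2", "cip_scope": "unknown"},       # never baselined
    },
    "enabled_accounts": ["ops-admin", "vendor-acme-maint"],                  # never deprovisioned
}

AGGREGATION_THRESHOLD_MW = 75  # hypothetical planning threshold, not a CIP-002 value


def _ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z as an aware UTC datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def find_drift(baseline: dict, observed: dict) -> list[dict]:
    """Compare the last certified state with what is observed right now.

    Returns one plain-dict finding per drift condition so the findings can be
    serialised into the evidence chain unchanged.
    """
    findings: list[dict] = []
    base_assets, live_assets = baseline["assets"], observed["assets"]

    for name, live in live_assets.items():
        base = base_assets.get(name)
        if base is None:  # connected after the snapshot, no certified state exists
            findings.append({"kind": "unbaselined_asset", "asset": name,
                             "detail": f"connected since snapshot, scope={live['cip_scope']}"})
            continue
        if live["firmware"] != base["firmware"]:
            findings.append({"kind": "firmware_changed", "asset": name,
                             "detail": f"{base['firmware']} -> {live['firmware']}"})
        live_mw = live.get("aggregated_mw", 0)
        if base["cip_scope"] == "none" and live_mw >= AGGREGATION_THRESHOLD_MW:
            findings.append({"kind": "aggregation_exceeds_threshold", "asset": name,
                             "detail": f"{live_mw} MW aggregated while categorised out of scope"})
    for name in base_assets.keys() - live_assets.keys():  # certified but no longer seen
        findings.append({"kind": "asset_unobserved", "asset": name, "detail": "absent from live inventory"})

    now = _ts(observed["observed_time"])
    enabled = set(observed["enabled_accounts"])
    for grant in baseline["vendor_access"]:
        if grant["account"] in enabled and _ts(grant["window_end"]) < now:
            findings.append({"kind": "stale_vendor_access", "account": grant["account"],
                             "detail": f"window ended {grant['window_end']}, still enabled"})
    return findings


def build_evidence_chain(findings: list[dict], observed_time: str, prev_hash: str = "0" * 64) -> list[dict]:
    """Hash-link each finding to its predecessor so a record cannot be edited in isolation."""
    records = []
    for finding in findings:
        body = json.dumps({"observed_time": observed_time, "finding": finding, "prev": prev_hash}, sort_keys=True)
        digest = hashlib.sha256(body.encode()).hexdigest()
        records.append({"body": body, "hash": digest})
        prev_hash = digest
    return records


def verify_evidence_chain(records: list[dict], genesis: str = "0" * 64) -> bool:
    """Recompute every hash and check each record points at the previous one."""
    prev = genesis
    for rec in records:
        if hashlib.sha256(rec["body"].encode()).hexdigest() != rec["hash"]:
            return False
        if json.loads(rec["body"])["prev"] != prev:
            return False
        prev = rec["hash"]
    return True


if __name__ == "__main__":
    drift = find_drift(CERTIFIED_BASELINE, OBSERVED_STATE)
    for f in drift:
        print(f"{f['kind']:32} {f.get('asset', f.get('account')):20} {f['detail']}")
    chain = build_evidence_chain(drift, OBSERVED_STATE["observed_time"])
    print("evidence chain intact:", verify_evidence_chain(chain))
```

Run against the constructed data it reports four findings (one of each kind in the list above) and an intact chain; altering any stored finding breaks verification. The point is not the diff logic, which is trivial, but that it runs at observation time rather than at audit time: the baseline is the same object an auditor would accept, and the check asks whether it is still true now.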
The regulatory model is beginning to notice this mismatch. In its FY2025 CIP audit findings, FERC staff warned that some registered entities were not accounting for DERs and distribution-connected generation when determining Control Center impact ratings. Staff also documented cases where DERs and transmission-connected BES generation were being operated from the same physical control center by the same personnel, a setup that allows the cyber risk of lower-classified assets to propagate directly to higher-classified BES systems. The operational reality had outrun the model’s ability to categorize it.
Expanding scope and tightening controls on newly covered assets are meaningful steps. But they don’t resolve the structural problem: compliance certifies what was true at a point in time. It cannot tell you what is true right now.
The Real Threat Model
What Volt Typhoon was doing at Littleton Electric clarifies the actual adversarial logic.
They weren’t encrypting files for ransom. They weren’t running credential harvesting for financial fraud. They were collecting GIS data, network diagrams, and operating instructions. Building a picture of how the system works, where the dependencies are, what a disruptive action would require. They were pre-positioning for an optionality they don’t intend to exercise in peacetime.
That is the strategic logic of a near-peer conflict scenario. You don’t attack the power grid during normal times. You establish persistent access, map the environment thoroughly, preserve optionality, and act when the strategic moment arrives. The target packages get built years in advance.
The convergence of the three attack surfaces creates an environment where persistent access can be maintained simultaneously at multiple levels, where lateral movement between those levels is increasingly possible as IT/OT/cloud boundaries blur, and where coordinated action on distributed assets can produce physical outcomes at bulk system scale without ever touching the transmission infrastructure that most defensive attention has historically focused on.
A small Massachusetts utility with no meaningful military significance was inside Volt Typhoon’s target set. The selection logic wasn’t about Littleton. It was about the topology of what Littleton connects to.
What Continuous Assurance Requires
Regulatory frameworks are reactive by design. They codify yesterday’s threat environment, then spend years catching up to today’s. That’s not a criticism of the people writing them. It’s an observation about what standards bodies can structurally do and how fast they can do it.
The gap between what compliance certifies and what continuous operational assurance requires is not a gap that expanded regulation can close. It’s an architectural gap.
Continuous runtime monitoring of OT environments, with behavioral baselining, anomaly detection against known operational profiles, and closed-loop evidence chains that capture the actual state of systems rather than their last certified state, is a fundamentally different operational discipline. It requires knowing what every device in a fleet is doing right now, not what it was configured to do eighteen months ago when the audit snapshot was taken.
The grid edge makes this harder. Millions of devices, from dozens of manufacturers, with update cycles that are neither coordinated nor visible to grid operators, running on communication protocols designed for interoperability rather than security, connected to cloud platforms that aggregate their behavior without necessarily monitoring it. The attack surface isn’t just larger. It’s continuously reshaping itself, pushed by business drivers (cost reduction, remote management efficiency, renewable integration) that have no natural stopping point.
The adversaries operating in this space understand the architecture. The state-sponsored threat actors pre-positioning for conflict scenarios are doing systematic reconnaissance. They know where the compliance model ends and where the actual operational visibility ends, and they know those two lines don’t coincide.
The grid doesn’t know it’s been opened. That’s not a metaphor. It’s a description of the instrumentation gap between what the compliance record shows and what the operational state actually is.
Closing that gap requires something the compliance model was never designed to provide: continuous, runtime, evidence-based assurance of what the system is doing, not just what it was certified to do.
The infrastructure to do that exists. The operational discipline to require it doesn’t yet.
#cybersecurity #criticalinfrastructure #energysecurity #operationaltechnology #gridsecurity #operationalassurance #energytransition
Michael Entner-Gómez is a strategist, technologist, and writer focused on the convergence of the world’s most critical infrastructure sectors: energy, transportation, and telecommunications. Using a systems-thinking approach, he helps industry incumbents and disruptors future-proof their operations, scale complex platforms, and navigate the shift to software-defined everything.
This article is not sponsored, not paid, and not written to please. It’s written to inform.