
BMWE funding under the 8th Energy Research Programme

Secure interoperability for digital power grids

CloudEnerChain connects IEDs, RTUs, cloud services and grid control technology through an HSM- and TCN-secured interoperability layer, forming an end-to-end chain of trust for KRITIS-compliant grid operations

March 1, 2026 to February 28, 2029 · 8th Energy Research Programme · Lead: Fraunhofer FIT · Power grids · Interoperability · Cybersecurity
Diagram of the CloudEnerChain system architecture from IEDs and RTUs via a TCN-secured cloud interoperability layer to SCADA control centre applications.
From IEDs and RTUs via TCN, cloud and the interoperability layer to the control room and digital services.

Project rationale

A continuous chain of trust across substation systems, communications, cloud and control centre is the foundation for secure digital applications in grid operations

  • 36 months: funding period
  • 7 partners: research, software, operations
  • 03EI4113A: BMWE funding
  • OT, IT, Cloud: secure interfaces across the stack

Context

Power grids are becoming more digital, more decentralised and more security-critical

CloudEnerChain addresses the point where more IEDs, more cloud connectivity and KRITIS-compliant cybersecurity are simultaneously required and existing approaches reach their limits

More dynamics in distribution grids

PV, wind, storage, heat pumps, EVs and the smart meter rollout are increasing the need for observability, automation and faster response in distribution grid operations

OT, IT and cloud are still not connected end to end

Across IEDs, RTUs, SCADA systems and cloud platforms, many environments still lack continuous open information models. Proprietary solutions make cross-vendor interoperability harder

Security often stops at system boundaries

In critical energy infrastructure, identity, integrity and authenticity must be verifiable across the full communication chain. Point solutions such as gateways or VPNs are not enough on their own

Inside the test environments

Test environments across the system chain

These environments represent key levels in power grids, from secondary systems and substation control technology to control rooms and digitally supported operations.

Panoramic view into the Fraunhofer Center for Digital Energy test hall with grid-related experimental setups.

From secondary systems to the control room

The project focuses on making data flows and digital functions secure, reliable and interoperable across these layers

View into a test hall with transformers, testing rigs and further grid-related equipment.

Connecting the field level

Test hall

The test hall represents the physical infrastructure of the power grid. It is where the interaction between digital components and existing assets begins

A central question is how operational data can be captured reliably and prepared for further use

Operator workstations in a control-room environment with multiple screens and a central grid visualisation.

Information where it is needed

Control room

In the control room, system states, warnings and recommendations need to arrive reliably. This is where digital information has to prove its value in day-to-day operations

That requires trustworthy data and digital applications that support grid operations in a meaningful way

Close-up of a hardware-in-the-loop setup with network interfaces and real-time simulation hardware.

Trying out digital functions safely

Hardware-in-the-Loop

Before new digital functions are used in operational contexts, they need to be evaluated in a protected setting. These environments help assess interaction, timing and system behaviour at an early stage

This makes it possible to examine interoperability, security and reliability before later deployment

Open cabinets and digital components in a test environment for local substations.

Visibility at substation level

Digital secondary substations

Digital secondary substations stand for the point where information from the distribution grid is consolidated and transferred into higher-level systems

They stand for the transition from substation data to a shared interoperability layer and operational applications

Image motifs from the testing infrastructures of the Fraunhofer Center for Digital Energy. Source: Fraunhofer Center for Digital Energy, predominantly © Martin Braun. Source: Fraunhofer page

State of the art and novel approach

Connected power grids need interoperable architectures and an end-to-end secured chain of trust

IEDs, RTUs, SCADA systems, cloud platforms and IoT devices communicate via protocols such as IEC 61850 and IEC 60870-5-104. Growing digitalisation and bidirectional data exchange raise requirements for interoperability, IT security and verifiable end-to-end communication integrity across all system boundaries.

Figure: KRITIS-compliant power grid architecture. HSM-secured trust chain from IEDs and RTUs to the interoperability layer and SCADA control centre (IEC 61850 and IEC 60870-5-104). HSM anchors secure identity and integrity across the full chain. Panels: Secondary Systems, Grid and IT Segments, Interop Layer, Operations & Control Ctr. Labelled components: IED / RTU (field and substation, IEC 61850 GOOSE/SV); IT / Access (secure gateway from substation to grid IT); IT / Aggregation (substation and grid segment level); IT / Core (verification and integrity check); Interoperability Layer (vendor-agnostic IEC 61850/61970 metadata model + TCN); Firewall (protection boundary for segments and gateways); Control Centre (monitoring, assistance and response); HSM at each stage.

Core idea: Security is not achieved by a single component, but by continuous HSM-backed verification of identity, integrity and authenticity from the field device across the cloud to the SCADA control centre.
System landscape of a digitally networked power grid: from secondary systems (IEDs, RTUs) via substation control technology and interoperability layer to the SCADA control centre, connected by an HSM-backed end-to-end chain of trust.

State of the art

Modern power grids connect secondary systems (IEDs, RTUs), substation control technology, SCADA systems and cloud platforms via protocols such as IEC 61850, IEC 60870-5-104 and MQTT. Security and information models are often still vendor-specific and poorly interoperable. Vendor lock-in still limits end-to-end solutions

Central gap

Gateways, firewalls and VPN links can secure individual segments, but they do not create a consistent, verifiable end-to-end level of trust from the field endpoint via cloud services to the control centre. Missing open standards deepen this structural security gap

Innovation of CloudEnerChain

CloudEnerChain combines an interoperability layer with a vendor-agnostic metadata model (IEC 61850/61970), HSM-based trust anchors and TCN integration. AI-powered monitoring and endpoint attack detection complete the approach into a holistic end-to-end security architecture

What the project is about

Six themes shape the technical profile of the project

The research combines security architecture, interoperability, monitoring, digital applications, data infrastructures and transferability into one coherent picture.

Work structure

Five work packages are tightly connected

Five work packages connect security architecture, interoperability, monitoring, digital applications, data infrastructures and transferability.

Illustration of the five work packages and six core thematic areas within CloudEnerChain.
  • WP1 Security architecture
  • WP2 Interoperability & cloud
  • WP3 Monitoring & assistance
  • WP4 Digital applications
  • WP5 Demonstration & validation

Vendor-agnostic interoperability

A cloud-based interoperability layer with a technology-open metadata model based on IEC 61850 and IEC 61970 connects heterogeneous system landscapes, including IoT, smart metering and secondary systems, without proprietary dependencies or vendor lock-in

End-to-end trust chain with HSM and TCN

Hardware Security Modules (HSM) and Trusted Core Networks (TCN) establish an end-to-end secured, continuously verifiable chain of trust from the field endpoint to the control centre, complemented by Secure-by-Design architectures and endpoint detection and response mechanisms

Cloud and edge for utility operations

IoT platforms, smart meter gateway administration (SMGWA) and edge computing enable scalable, real-time-capable data processing that meets regulatory requirements without compromising IT security or data sovereignty

Digital value-added services with operational impact

AI-based anomaly detection, real-time load management and flexible resource control are developed as concrete value-added services, tested in simulation, lab and field environments, and evaluated for transferability across different grid contexts

AI monitoring and control room assistance

An AI-powered assistance system monitors grid status in real time, detects IT security events and anomalies early, and generates concrete action recommendations for control room operators to respond effectively

Transferability and standardisation

All architecture components and services are designed for regulatory compliance and cross-sector transferability. Project results are documented as a replicable blueprint for secure digitalisation across the energy sector

From challenge to solution

From system analysis and security architecture to monitoring, service development and field validation

Analyse

Threat modelling, requirements analysis and security architecture based on real-world KRITIS energy scenarios. Attack vectors are identified and the Secure-by-Design concept for the full system landscape is established

Connect

Data flows and interfaces are designed using open protocols (IEC 61850, IEC 60870-5-104, MQTT) and a vendor-agnostic interoperability data model. TCN anchors security across the communication chain

Secure & Monitor

HSM and TCN are integrated into field devices, cloud components and control systems. An AI-powered monitoring and assistance system detects anomalies early and generates preventive and reactive action recommendations

Develop

Cloud-based value-added services for real-time load management and flexibility control of distributed resources are developed as proof-of-concept and assessed for regulatory compliance

Demonstrate & Transfer

Architecture and services are evaluated in simulation, lab and real field test environments at operational grid operators for practicability, scalability and transferability across grid contexts

Expected project results

Interoperability, cybersecurity and value-added services must deliver measurable impact in grid operations

Vendor-agnostic system integration

A technology-open metadata model based on IEC 61850/IEC 61970 and standardised interfaces reduce integration effort, prevent vendor lock-in and enable seamless data exchange between IEDs, SCADA systems and cloud platforms across system and organisational boundaries

Strengthened resilience against cyberattacks

HSM-based trust anchors, TCN implementation and AI-powered anomaly and attack detection at critical endpoints (RTUs, gateways) increase resilience of KRITIS infrastructure against targeted cyberattacks and compromised devices in the field

Operational value for grid operators

Monitoring and assistance systems with aggregated real-time data, together with value-added services for load management and flexibility control of distributed resources, deliver concrete operational benefits, validated in real field test environments at urban grid operators

Project consortium

Research, industry and grid operations contribute to a shared perspective on secure digitalisation in power grids

Partners at a glance

Research, software and grid operations in one consortium

The consortium combines research expertise, platform development and operational perspectives

Research

Research partners contribute IT security, simulation and data-model expertise for digital power grids

Industry

Software and technology partners contribute platforms, interfaces and grid control systems

Grid operations

Grid-operator partners contribute operational requirements, practical constraints and transferability into operations

News

Developments, events and milestones from the project