
Focus Areas

CloudEnerChain connects secure interoperability and digital applications in grid operations

The focus is on the themes that advance secure and interoperable power grids

Content focus

Six themes structure the technical work of the project

The work structure brings security architecture, interoperability, monitoring, digital applications, data infrastructures and transferability together into one coherent picture.

Work structure

Five work packages are tightly connected

Five work packages connect security architecture, interoperability, monitoring, digital applications, data infrastructures and transferability across the project.

Illustration of the five work packages and six core thematic areas within CloudEnerChain.
  • WP1 Security architecture
  • WP2 Interoperability & cloud
  • WP3 Monitoring & assistance
  • WP4 Digital applications
  • WP5 Demonstration & validation

Vendor-agnostic interoperability

A cloud-based interoperability layer with a technology-open metadata model based on IEC 61850 and IEC 61970 connects heterogeneous system landscapes, including IoT, smart metering and secondary systems, without proprietary dependencies or vendor lock-in

End-to-end trust chain with HSM and TCN

Hardware Security Modules (HSM) and Trusted Core Networks (TCN) establish an end-to-end secured, continuously verifiable chain of trust from the field endpoint to the control centre, complemented by Secure-by-Design architectures and endpoint detection and response mechanisms

Cloud and edge for utility operations

IoT platforms, smart meter gateway administration (SMGWA) and edge computing enable scalable, real-time-capable data processing that meets regulatory requirements without compromising IT security or data sovereignty

Digital value-added services with operational impact

AI-based anomaly detection, real-time load management and flexible resource control are developed as concrete value-added services, tested in simulation, lab and field environments, and evaluated for transferability across different grid contexts

AI monitoring and control room assistance

An AI-powered assistance system monitors grid status in real time, detects IT security events and anomalies early, and generates concrete action recommendations for control room operators to respond effectively

Transferability and standardisation

All architecture components and services are designed for regulatory compliance and cross-sector transferability. Project results are documented as a replicable blueprint for secure digitalisation across the energy sector

Technical framing

From power-grid foundations to digital applications

Together they connect system understanding, secure communication and digitally supported grid operations

Connected secondary and control technology

From sensors and actuators to grid control systems, data and communication relationships in the power grid are becoming denser

Cloud and edge integration for utility operations

Digital infrastructures must balance scalability, latency constraints, security requirements and regulatory conditions at the same time

Interoperability as a prerequisite

Without shared models and clear interfaces, new applications often get stuck at proprietary system boundaries

Holistic cybersecurity

Prevention, monitoring, attack detection and response need to work together if digitalisation is to remain robust

Distributed generation and sector coupling

Solar, wind, storage and flexibility assets are fundamentally changing the distribution grid and require new control architectures built for bidirectional data flows

KRITIS regulation and compliance

The IT Security Act, the KRITIS umbrella law and NIS2 create concrete obligations for grid operators whose technical measures must be demonstrable, scalable and robust under regulatory scrutiny

System landscape

Communication paths between field, substation, control and cloud systems

[Diagram: system landscape. Voltage levels shown: extra-high voltage 380 kV and 220 kV, high voltage 110 kV, medium voltage 10/20 kV, low voltage 0.4 kV. Actors: transmission system operator, distribution system operator, utilities / suppliers, metering operator, OEM / platforms. Protocols and links labelled: GOOSE / SV, IEC 61850 MMS, IEC 60870-5-104, OPC UA, MQTT / API, TASE.2 / ICCP, SM-PKI, TLS, VPN. Project components overlaid: HSM, Trusted Core Network, Edge IDS, Interoperability Layer, Value-Added Services, Assistance Systems.]
Schematic system landscape from field and substation systems through access, integration and core IT to cloud and control systems

Project logic

From system analysis and security architecture to monitoring, service development and field validation

Analyse

Threat modelling, requirements analysis and security architecture based on real-world KRITIS energy scenarios. Attack vectors are identified and the Secure-by-Design concept for the full system landscape is established

Connect

Data flows and interfaces are designed using open protocols (IEC 61850, IEC 60870-5-104, MQTT) and a vendor-agnostic interoperability data model. TCN anchors security across the communication chain

Secure & Monitor

HSM and TCN are integrated into field devices, cloud components and control systems. An AI-powered monitoring and assistance system detects anomalies early and generates preventive and reactive action recommendations

Develop

Cloud-based value-added services for real-time load management and flexibility control of distributed resources are developed as proof-of-concept and assessed for regulatory compliance

Demonstrate & Transfer

Architecture and services are evaluated in simulation, lab and real field test environments at operational grid operators for practicability, scalability and transferability across grid contexts