Securing the Grid: A Call for Rigorous Modeling and Standardization
By: Lujo Bauer, Larry Pileggi and Vyas Sekar
Despite increasing concerns over cyber threats to electrical grids, the academic, operational, and policy communities remain divided on which threats are most pressing — and why.
Our CMU team recently showed that these disagreements are rooted in wide disparities and inconsistencies in how cyber threats against the grid are modeled and analyzed, leading to divergent threat assessments.
Why it matters: If you can’t identify the most likely threats to the grid, it’s nearly impossible to protect against them. We call on the research and policy communities to develop more comprehensive and accurate grid evaluation frameworks and datasets, and to update threat models and grid resiliency requirements to match cyber attackers’ realistic capabilities.
What we did: As part of our recent work, we surveyed 18 grid‑cybersecurity experts and dissected four representative threats: MadIoT (IoT‑based load attacks), False Data Injection Attacks (FDIA), Substation Circuit Breaker Takeovers (SCBT), and Power Plant Takeovers (PPT).
What we found: Experts displayed wide variation in both perceived likelihood and impact of the four threats across normal and emergency grid conditions — with averages slipping below 25% confidence on many estimates. This fragmented outlook mirrors conflicting results from prior studies. For instance, the original MadIoT analysis suggested a mere 2% spike in demand could trigger a blackout, but subsequent work reported no effect at 1% and only minimal impact at 10%.
Five inconsistencies in how grids are modeled and threats are analyzed underpin this discord, some causing threats to be overestimated and others causing threats to be severely underestimated.
- Many studies use unrealistic grid topologies that do not meet standard reliability criteria, such as N-1 contingency compliance or adequate reserve margins.
- Researchers often assume attackers possess implausibly high levels of access and control — such as manipulating every sensor or breaker in a region.
- Most analyses only consider steady-state grid conditions, failing to explore how threats unfold under stress or during emergency states.
- Simulations frequently omit essential operational processes, including reserve dispatch, droop control, and automatic load shedding.
- When such processes are modeled, they are sometimes implemented incorrectly — for instance, simulating droop response with unrealistic speed or magnitude.
A path forward: The first phase of our work identified the following needs for accurately assessing threats against the grid, outlined as targeted steps:
- Release realistic, validated grid models: Much existing work relies on synthetic or outdated topologies that do not reflect real-world grid resilience. The community must prioritize publishing standardized, N-1-compliant test systems with realistic load, generation, and reserve profiles to enable reproducibility and fair comparison across studies.
- Harmonize simulation practices: Discrepancies in how core processes — like droop control, reserve dispatch, and load shedding — are modeled often lead to conflicting results. The field needs shared guidelines and reference implementations to ensure accurate, comparable threat assessments. Assumptions about attacker capabilities must also be grounded in plausible scenarios.
- Model threats under emergency conditions: Most analyses focus on normal grid operations, but vulnerabilities often emerge during high-stress states. Researchers should routinely include emergency and degraded operating conditions — such as generator outages or reserve exhaustion — to uncover risks hidden under idealized scenarios.
- Treat the grid as a cyber-physical system: Many studies isolate cyber and physical components, missing critical interactions. Threats must be modeled end-to-end, from cyber compromise to physical impact, using integrated frameworks that reflect real control logic and operator response.
- Create community modeling standards: To institutionalize these improvements, the field should develop shared benchmarks and modeling standards through academic-industry collaboration. Workshops, working groups, or open-source consortia could help establish baselines for threat modeling, simulation fidelity, and reproducibility.
The bottom line: Our preliminary research has established the challenges in identifying the most likely threats to the grid. It shows that inconsistencies in threat assessments arise from ad hoc simulation and modeling methodologies, as well as dataset errors. This points to the need for standardized public toolkits and datasets and for recommendations on how to increase the accuracy of evaluations. These will enable us, as well as other researchers, to develop more rigorous foundations for securing tomorrow’s electric energy grid.