We are pulling together climate related resources.

Smart-Grid Network Visualization, Intrusion Detection, and Network Healing

Stage: Development

Developing the next-generation secure and smart electric grid is an ongoing challenge as advanced persistent threats (APTs) continue to exploit existing vulnerabilities in legacy supervisory control and data acquisition (SCADA) infrastructure; meanwhile, traditional intrusion detection systems (IDSs) lack consistent performance because of the continuously evolving attack surface of SCADA systems, which include synchrophasors, phasor measurement units (PMUs), and phasor data concentrators (PDCs). To counter and understand APTs, researchers at NREL have developed a system that combines a Hybrid Intrusion Detector for Energy Systems (HIDES) with a Self-Healing and Attack-Resilient PMU Network (SHARP-Net). The system can be monitored by an intuitive user interface, through which data processed and generated by the system can be quickly understood with a real-time visualization of large-scale environments including linked physical hardware with emulated devices.

Researchers at NREL have developed next-generation tools for smart-grid intrusion detection, network self-healing, and network visualization. The system includes the following components:

  • Hybrid Intrusion Detector for Energy Systems (HIDES) integrates a network-based intrusion detection system (IDS), state-of-the art machine learning, and a model-based IDS to detect unknown, coordinated, and stealthy cyberattacks targeting SCADA networks. HIDES uses synchrophasor measurements and cyber logs to learn patterns of different scenarios based on spatiotemporal behaviors of power systems.
  • Self-Healing and Attack-Resilient Phasor Measurement Unit (PMU) Network (SHARP-Net) combines a state-of-the-art IDS, such as HIDES, with an intrusion mitigation system (IMS) and an alert management system (AMS). SHARP-Net detects anomalies during cyberattacks on phasor data concentrators (PDCs), based on the rules defined in the IDS, with generated alerts published to the IMS through the AMS. The IMS automatically (1) reconfigures the synchrophasor network to isolate the compromised PDCs, (2) configures replacement PDCs to prevent the future propagation of attacks, and (3) reconnects the replacement PDCs to make the grid attack-resilient.
  • A network visualization/emulation environment includes physical hardware and virtual devices communicating with each other as part of the same system. The visualization platform is also capable of streaming, collecting, storing, and transporting data within the emulated environment. The platform enables high-fidelity visual analysis of events to be performed in real time as well as the use of historical data for forensic analysis.

NREL’s system may include containerized virtualization technologies for system components, such as PDCs. The system architecture enabled by virtual components in containers ensures system availability and endurance while preserving serial connections to hardware.

To learn more about Smart-Grid Network Visualization, Intrusion Detection, and Network Healing, please contact Erin Beaumont at:


ROI 19-128

Applications and Industries

  • Cybersecurity solution for energy delivery systems
  • Smart-grid SCADA system design and component manufacturing
  • Smart-grid SCADA interface software-as-a-service providers
  • Grid operators


NREL’s system facilitates

  • the data handling of hybrid alerts/events,
  • the orchestration and/or deployment of virtualized systems and software-defined networks,
  • the orchestration and/or deployment of HIDES modules/software, and
  • the orchestration and/or deployment of SHARP-Net modules/software.

HIDES (SWR 19-65) and SHARP-Net (SWR 19-64) are available as software for licensing. Please contact Jean Schulte at Jean.Schulte@nrel.gov for information about SWR 19-64 and 19-65.