AI Powered Resilience for Tomorrow’s Electric Grid
The electric grid underpins modern society, powering everything from motorway control systems to refrigerated medicines. Yet this lifeline faces rising disruptions driven by extreme weather events and increasingly sophisticated cyber threats. As grids become smarter and more connected, operators are grappling with the dual challenge of maintaining reliability while defending against attacks that blend digital intrusion with physical manipulation.
Researchers at Sandia National Laboratories have stepped into this complex arena with a brain-inspired artificial intelligence designed to detect physical anomalies, cyberattacks and hybrid cyber-physical threats simultaneously. Remarkably, this advanced neural network can run on inexpensive single-board computers or existing devices already deployed across smart grid infrastructures. According to project leader and cybersecurity specialist Shamina Hossain-McKenzie, the aim is to give operators the speed and clarity they urgently need: “As more disturbances occur, whether from extreme weather or from cyberattacks, the most important thing is that operators maintain the function and reliability of the grid. Our technology will allow the operators to detect any issues faster so that they can mitigate them faster with AI.”
This new approach has emerged at a pivotal moment. Energy systems worldwide are undergoing rapid digitalisation, with distributed renewables, automated controls and intelligent devices woven into every layer of the grid. While these advancements support flexibility and resilience, they also widen the attack surface. Sandia’s AI-driven package seeks to close those gaps through smarter detection, collaboration between operators and broad compatibility with both new and legacy equipment.
Understanding Cyber-Physical Risk
The evolution of the electric grid has delivered enormous operational advantages but at a price: heightened exposure to cyber-physical manipulation. These attacks use digital pathways such as communications networks to influence or disrupt physical systems. In practice, adversaries might alter the behaviour of sensors, smart inverters or protective devices in an attempt to cause instability or damage.
Key vulnerabilities include:
- Smart inverters controlling distributed energy resources
- Network switches enabling secure operator communications
- Legacy hardware lacking coordinated cyber-physical safeguards
Adrian Chavez, another cybersecurity expert on the project, notes the importance of compatibility across generations of equipment. Because the algorithm can operate on small, low-cost devices or embedded hardware already distributed throughout the grid, it can reinforce older systems as effectively as modern ones. That inclusivity was a critical design requirement. As Chavez explained: “To make the technology more accessible and feasible to deploy, we wanted to make sure our solution was scalable, portable and cost-efficient.”
The architecture operates at three levels: local, enclave and global. Locally, the AI monitors the behaviour of the device hosting it. Within an enclave, multiple devices exchange information, allowing operators to identify whether an anomaly is isolated or spreading. Globally, only high-level alerts and results are shared between grids owned by different organisations, ensuring sensitive data remains protected.
To achieve this secure multi-operator communication, Sandia collaborated with Texas A&M University, which specialises in grid protection frameworks and cyber-secure communications. Their contribution was vital in ensuring that operators can receive actionable alerts quickly without compromising proprietary infrastructure information.
How the Neural Network Works
Detecting cyber-physical threats is exceptionally challenging because the data comes from two domains with contrasting characteristics. Physical measurements such as voltage, frequency and current are captured around sixty times per second. Cyber data, on the other hand, arrives in bursts that are sporadic and varied. Fusing these two information streams into a cohesive picture requires a sophisticated analytical approach.
Sandia turned to an autoencoder neural network, a model adept at distinguishing between normal and abnormal behavioural patterns without needing an exhaustive dataset of labelled attack scenarios. Computer scientist Logan Blakely, who led development of the AI components, highlighted the complexity of the problem. Physical data offers a continuous, detailed view of system behaviour, while cyber data reflects intermittent communications traffic and routing events. According to Blakely, the breakthrough lay in applying data fusion techniques that extract the most meaningful correlations from both streams.
Once trained on large quantities of normal operating data, the autoencoder can classify whether incoming information represents stable behaviour or signals a potential threat. Examples include:
- Spikes in network traffic suggesting a denial-of-service attack
- Subtle deviations in physical readings accompanied by irregular cyber activity indicating false-data injection
- Purely physical disturbances such as voltage instability caused by weather or equipment failure
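As an added illustration of the approach described above (not Sandia's implementation or code from the project), this Python sketch fuses one second of 60 Hz voltage samples with irregular packet arrivals into a single feature vector, trains a small autoencoder on normal windows only, and scores new windows by reconstruction error. The feature choice, network size, 3x threshold rule and all sample data are assumptions constructed for the example.

```python
import math, random, statistics

def fuse(volts, pkt_times, t0):
    """Fuse 1 s of 60 Hz per-unit voltage with packet arrivals in [t0, t0+1)."""
    pkts = sum(1 for t in pkt_times if t0 <= t < t0 + 1)
    return [statistics.fmean(volts), max(volts) - min(volts), float(pkts)]

def constructed_window(rng, v=1.0, pkts=20):
    """Constructed sample data: noisy voltage plus irregular packet times."""
    volts = [rng.gauss(v, 0.002) for _ in range(60)]
    times = [rng.random() for _ in range(max(0, int(rng.gauss(pkts, 3))))]
    return fuse(volts, times, 0.0)

class Autoencoder:
    """3-2-3 tanh autoencoder trained with plain SGD on normal windows only."""
    def __init__(self, n=3, hidden=2, seed=1):
        r = random.Random(seed)
        self.w1 = [[r.uniform(-.5, .5) for _ in range(n)] for _ in range(hidden)]
        self.w2 = [[r.uniform(-.5, .5) for _ in range(hidden)] for _ in range(n)]
        self.b1, self.b2 = [0.0] * hidden, [0.0] * n

    def _norm(self, w):  # z-score with statistics learned from normal data
        return [(v - m) / s for v, m, s in zip(w, self.mu, self.sd)]
    def _forward(self, x):
        h = [math.tanh(sum(w * v for w, v in zip(r, x)) + b) for r, b in zip(self.w1, self.b1)]
        return h, [sum(w * v for w, v in zip(r, h)) + b for r, b in zip(self.w2, self.b2)]
    def score(self, window):  # reconstruction error; high means abnormal
        x = self._norm(window)
        return sum((a - b) ** 2 for a, b in zip(self._forward(x)[1], x))

    def fit(self, windows, epochs=100, lr=0.02):
        cols = list(zip(*windows))
        self.mu = [statistics.fmean(c) for c in cols]
        self.sd = [statistics.pstdev(c) or 1.0 for c in cols]
        for x in [self._norm(w) for w in windows] * epochs:
            h, y = self._forward(x)
            dy = [a - b for a, b in zip(y, x)]  # gradient of 0.5 * squared error
            dh = [(1 - hj * hj) * sum(d * r[j] for d, r in zip(dy, self.w2)) for j, hj in enumerate(h)]
            for i, d in enumerate(dy):  # decoder update
                self.b2[i] -= lr * d
                self.w2[i] = [w - lr * d * hj for w, hj in zip(self.w2[i], h)]
            for j, d in enumerate(dh):  # encoder update
                self.b1[j] -= lr * d
                self.w1[j] = [w - lr * d * xk for w, xk in zip(self.w1[j], x)]
        self.threshold = 3 * max(self.score(w) for w in windows)  # assumed rule: 3x worst normal error
        return self

rng = random.Random(7)
model = Autoencoder().fit([constructed_window(rng) for _ in range(150)])
```

Windows built with `constructed_window(rng, pkts=900)` (a traffic spike) or `constructed_window(rng, v=0.95)` (a voltage sag) score far above `model.threshold`, because the bounded tanh bottleneck cannot reproduce values it never saw in training.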
Hossain-McKenzie described the system as effectively plug-and-play once installed. Because it is not constrained by narrow, pre-labelled datasets, the neural network can evolve alongside the systems it monitors and adapt to new forms of disruption.
Trialling the Technology
Before any AI solution can be trusted in real-world grid environments, it must withstand rigorous testing. The Sandia team evaluated their autoencoder across three complementary testbeds.
The first took place within an emulation environment that combined detailed models of power system physics with simulations of communication networks. By subjecting the AI to a diverse mix of cyberattacks, physical faults and hybrid disruptions, researchers assessed how it responded under controlled but realistic conditions. Texas A&M University provided key technical support in designing and validating these tests.
The second testing phase involved hardware-in-the-loop simulations. Here, the neural network was embedded on single-board computer prototypes connected to a software environment that generated attack scenarios. This approach allowed researchers to compare the performance of hardware implementations with virtual ones. According to Chavez, real hardware can operate hundreds or even thousands of times faster, demonstrating the feasibility of deploying the autoencoder at the edge of the grid where response time is critical.
The third stage brought the AI into operational field conditions through collaboration with Sierra Nevada Corporation. Sandia integrated its autoencoder algorithms into Binary Armor, Sierra Nevada’s existing cybersecurity device used within industrial and military systems. This work offered an opportunity to demonstrate compatibility with commercial-grade hardware and provided a proof-of-concept for wide deployment.
Live field testing is underway at the Public Service Company of New Mexico’s Prosperity solar farm under a Cooperative Research and Development Agreement. These tests began last summer and expose the AI to genuine operational data, fluctuating weather conditions and the intricate realities of grid interactions. As Chavez put it: “There’s nothing like going to an actual field site. Having the ability to see realistic traffic is a really great way to get a ground-truth of how this technology performs in the real world.”
The team also engaged early with PNM operators to determine what kind of AI support would deliver the greatest practical value. Those discussions underscored the need for rapid, automated communication between cyber-defenders and system operators, shaping the design of the final architecture.
Continuing Innovation
Sandia’s research builds on the award‑winning Proactive Intrusion Detection and Mitigation System, a project that focused on securing smart inverters against cyber intrusion. The new autoencoder AI greatly expands that scope, delivering broader situational awareness and earlier detection of coupled cyber-physical anomalies.
A patent has been filed for the autoencoder technology, and the team is now searching for corporate partners to help bring it into wider use. Hossain-McKenzie noted that the core design could be adapted to protect other critical infrastructure sectors including water distribution networks, natural gas pipelines, manufacturing facilities and hyperscale data centres.
Blakely sees enormous long-term potential in the methodology: “Whether or not our technology succeeds in the market, every utility around the world is going to need a solution to this problem. This is a fascinating area to do research in because one way or another, everyone is going to have to solve the problem of cyber-physical data fusion.”
Funding for the project comes from Sandia’s Laboratory Directed Research and Development programme, which supports advanced scientific and engineering initiatives with national strategic importance.
Strengthening the Path Ahead
This research signals a significant shift in how grid operators can defend against evolving threats. As extreme weather and malicious cyber activity continue to test the resilience of critical infrastructure, intelligent detection systems capable of interpreting complex, combined data streams will become indispensable.
The work undertaken by Sandia and its collaborators reflects a forward-thinking response to challenges that cut across energy systems worldwide.







