Iowa engineers, researchers build cybersecurity tools to protect nation’s power grid

This story first appeared in Engineers Week 2025, an annual special section that showcases a variety of local engineering topics to celebrate all that engineers contribute to our world.

Utility engineers and crews have extensive experience in securing the nation’s power grid — some 120,000 miles of transmission lines operated by 500 companies and cooperatives — against natural disaster. Researchers and engineers in Iowa are working to ensure the system is safe from intentional sabotage by hackers.

“Never trust, always verify,” is the guiding principle, according to Manimaran Govindarasu, professor in electrical and computer engineering at Iowa State University.

Computer technology has made the delivery of electricity from where it’s generated to where it’s needed more efficient and resilient in recent decades. But it’s also made them a prime target for hackers intent on disrupting the nation’s power supply.

“The threats to cybersecurity keep getting greater, and this project is a tool to combat that,” said Terry Fett. “It’s a tool for reassuring ourselves that we can continue to operate the grid.”

Fett is director of engineering and operations for Cedar Rapids-based Central Iowa Power Co-op (CIPCO), owned by 13-member rural electric cooperatives serving more than 300,000 customers across 58 Iowa counties. CIPCO is collaborating with ISU on a project to apply “zero-trust” principles to its operating software — and in turn, to the hardware it runs.

  Buy Photo

Begun in August, ISU’s $500,00 three-year project is one of 16 programs funded through $45 million from the federal Department of Energy’s Office of Cybersecurity, Energy Security and Emergency Response. CIPCO and ISU are longtime collaborators.

“They have a renewable infrastructure, and they are a distribution utility,” Govindarasu said. “It’s a distribution network that is closer to the communities and the businesses. That’s where a lot of the renewable power is happening.”

“We’ve collaborated with ISU on quite a few projects,” Fett said. “We really appreciate the technical exchange between ISU and the industry.”

Zero trust requires all users, whether in or outside an organization’s network, to be authenticated, authorized, and continuously validated before getting access to applications and data.

“It’s focused on how devices talk to reach other and the language they use to talk to each other and making sure there’s nothing nefarious going on,” said Paul Hofman, CIPCO’s vice president for information technology.

That means authenticating every command or request from every user to every generating plant, substation and switch.

  Buy Photo

“It’s really focused on the protocol, the network communications,” said Brandon Anderman, CIPCO’s network operating technology systems engineer. “It’s the software involved with the operations technology and securing that traffic.”

The grid and the computer network supporting it have become more complex with the growth of renewable energy. Instead of a fairly centralized collection of generating plants powered by coal, gas or nuclear fuels, consumers today also draw from a disbursed network of wind farms and solar arrays.

“The powerplant we used to think of, they’re all well-guarded by the utilities and secure, for the most part,” Govindarasu said. “You see wind farms all over in Iowa. It’s not all owned by utilities; some of them are communities, some people have rooftop solar connected to the grid, and you have co-ops. The number of access points they can exploit has exponentially grown. How do we reduce that exposure?”

CIPCO owns or manages power generated by six wind farms, seven solar installations, three coal-fired plants, a gas-fueled plant, dams on the Missouri River in Montana and the Dakotas, and even gas generated at the Linn County Solid Waste Agency’s landfill near Marion.

  Buy Photo

“The impact of a compromised operation on that network would be widespread,” Fett said. “The goal of the project is to ensure a more secure operational network so we can maintain control of our network.”

The COVID-era shift to working from home further complicates security issues.

“Every access point to your network is protected through a firewall and so on,” Govindarasu said. “It’s called perimeter defense. (People working from home) have to connect to their businesses and industries, and the perimeter defense doesn’t work there. You have to address the challenges of additional perimeter defense. That’s what led to zero-trust.”

CIPCO staff meets every other week with the ISU team supervised by Govindarasu. The project also includes researchers at Arizona State University collaborating on the construction of a model grid to test against simulated attacks.

“We are building a test bed with ASU, utilizing input from CIPCO,” he said. “We mimic what is happening in the real world. We’ll detect attacks and implement those solutions to see how effective they are.”

The project also draws on real-world lessons from Ukraine, where the grid has faced attacks from Russian hackers since 2015.

“We’ve been able to mimic within our lab environment what actually happened,” Govindarasu said. “We modeled those processes within our environment, and we tested various countermeasures.”

  Buy Photo

ISU hosted utility officials from the Black Sea nations of Ukraine, Moldova, Georgia and Romania to share their results.

Govindarasu noted zero-trust operating systems are being adopted by tech firms such as Microsoft and Google and the Department of Defense. It’s a matter of confirming the approach will reliably, securely deliver power.

“It has to be tested and validated and verified for performance and the security features,” he said. “Everything has to be validated before it’s deployed.”

By summer 2027, the project should deliver software that operates as smoothly and quickly as current systems, with the added layer of zero-trust protection. Govindarasu said some of the software may be patented for sale to users, with others made available open-source.

“A goal is that they come up with software and other things that vendors could perhaps incorporate into their devices so that the technology can be commercialized,” Hofman said. “The threats to the grid increase every day. Projects like this to try and stay ahead of the bad guys are vital.”