Demand-Response Technology
The two-edged sword
In previous posts, we've examined various actors in the clean energy ecosystem, from vendors to small-scale generators to prosumers. Today, we'll focus on a critical component of the clean energy transition: demand-response technology.
What is demand-response technology?
Demand-response technology dynamically adjusts consumption. Where traditional grid management tools adjust supply to meet demand, demand-response (DR) technology adjusts demand to match available supply.
DR is increasingly crucial as the grid integrates more renewable energy sources, which tend to produce power intermittently. DR systems can reduce consumption across the grid to maintain stability when, for example, the sun isn’t shining or the wind isn’t blowing. And, when renewable generation is abundant, DR can increase consumption—charging electric vehicles, running industrial processes, or storing energy in batteries.
The rise of demand-response
Several factors have accelerated the adoption of demand-response technologies:
Renewable integration challenges: As renewables grow to dominate our energy mix, the need to balance their intermittency becomes more pressing.
Digitalization of the grid: Smart meters, IoT devices, and advanced control systems have made real-time demand management technically feasible.
Economic incentives: Utilities are increasingly offering financial benefits to consumers who allow their demand to be managed, ranging from residential time-of-use rates to industrial interruptible load programs.
Grid constraints: Building new transmission infrastructure is expensive and slow. Demand-response offers a way to maximize existing infrastructure capacity.
Today, demand-response comes in many forms:
Direct load control: Utilities remotely adjust consumers' devices during peak periods, such as cycling air conditioners or water heaters.
Price-responsive demand: Consumers adjust their usage in response to real-time pricing signals.
Automated demand management: Smart building systems, EV chargers, and industrial equipment that automatically respond to grid conditions without human intervention.
Virtual power plants: Aggregated networks of distributed energy resources (including demand-response capabilities) that can be controlled as a single entity.
The scale is significant: In the United States alone, demand-response programs can reduce peak demand by 30 to 60 gigawatts, equivalent to the capacity of dozens of power plants.1
The cybersecurity blind spot
Despite its growing importance to grid reliability, demand-response technology presents unique security challenges that are often overlooked.
First, demand-response systems fundamentally depend on digital communications. They require real-time data exchange between grid operators, aggregators, and end devices. This communication usually happens over the internet or cellular networks, creating potential points of failure or compromise. (And DR OEMS may have limited incentive—or access to expertise—to adequately analyze their products for vulnerabilities. See our prior post on vendors).
Second, the entities managing these systems have varying levels of cybersecurity expertise. While utilities may have robust security programs, third-party demand-response aggregators—often tech startups—might prioritize functionality over security. End consumers typically have even less security awareness or capability.
Meanwhile, the technology stack is increasingly complex. Modern demand-response systems include:
Control systems that send signals to adjust energy consumption
Communication networks that transmit these signals
End-point devices that execute the commands (smart thermostats, EV chargers, industrial equipment)
Data analytics platforms that predict demand patterns and optimize responses
Integration layers connecting to utility systems and energy markets
Each component represents a potential vulnerability:
Control systems may have insecure APIs or authentication mechanisms
Communication networks could be disrupted or intercepted
End-point devices often sit on consumer networks with weak security practices
Analytics platforms might leak sensitive data about energy usage patterns
Integration points with legacy grid systems create potential entry vectors
The distributed nature of these systems makes securing them particularly challenging. Unlike a traditional power plant with physical security perimeters and dedicated networks, demand-response endpoints are scattered across thousands or millions of locations, many of which are outside the direct control of energy professionals.
The two-way reliance
This leads us to perhaps the most troubling aspect of demand-response technology: it creates a two-way reliance between the internet and the grid. Consider the case of the condo and the cars from our previous post:
Say you live in a condo and want to support electrical charging for each spot in the condo's lot. The grid won't be able to charge all the cars in the lot simultaneously. Fortunately, not everyone’s car will be in equal need of a charge simultaneously—the condo can probably dole out the available energy based on need (a car that's mostly charged can stand to charge more slowly, for example).
These technologies—a car that needs electricity and a condo’s battery that may or may not be able to provide it—need to communicate their state to one another. They do so over the internet.
[…]
In this case, an internet outage would stop batteries from charging even if the grid stays on. But it's worse: because the batteries aren't charged, the condo will demand more power from the grid, which could tax available capacity! If every condo relies on a battery to smooth grid demand, and every battery array is smart, an internet outage of only a few blocks could create enough unexpected demand to cause a blackout!
This thought experiment2 illustrates that internet and grid stability can have unexpected feedback loops. And, if we accept the premise that (1) the clean energy transition will require more grid use at point-of-consumption for things like cars and even factories, and (2) we cannot cost-effectively retrofit the grid to meet those consumption needs, smart devices may be impossible to avoid. Which, in turn, means these feedback loops may be impossible to avoid.
This is a paradigm shift in grid security. Pre-internet grid operations used private, purpose-built networks rather than the public internet. (To borrow a term from cybersecurity, the grid was “air-gapped”). With demand-response, this separation disappears. The grid now depends on the internet to balance supply and demand, while the internet depends on the grid for power.
This situation creates cascading risk scenarios that cross traditional infrastructure boundaries:
An internet outage could prevent demand-response systems from functioning properly
This failure could cause unexpected spikes in electricity demand
These spikes could overload parts of the grid
Grid instability could cause more widespread power outages
Power outages could further disrupt internet infrastructure
The cycle continues, potentially amplifying the original disruption
The more our grid depends on demand-response for stability, the more significant this risk becomes.
Stakes and impacts
What could go wrong? Several scenarios merit consideration:
Coordinated attacks: An attacker who compromises multiple demand-response systems could trigger synchronized load changes, potentially destabilizing the grid. During periods of already high stress, such as heat waves, even small disruptions can trigger cascading failures.
Ransom scenarios: Critical demand-response systems could be held hostage, with attackers threatening to trigger disruptive load changes unless a ransom is paid.
Market manipulation: Demand-response technology increasingly participates in energy markets. Manipulated signals could create artificial scarcity or surplus, affecting prices.
Intelligence gathering: Data from demand-response systems reveals detailed information about energy consumption patterns, potentially exposing sensitive information about industrial operations or critical infrastructure.
Privacy violations: At the residential level, demand-response data can reveal intimate details about occupants' daily lives—when they're home, what appliances they use, and even their personal habits.
The physical consequences of these scenarios could range from localized outages to widespread blackouts, depending on the scale and timing of the disruption. The economic impacts could include direct costs from outages, market distortions, and erosion of consumer trust in clean energy technologies.
Intervention points
Addressing these vulnerabilities requires action across multiple domains:
Technical solutions
Resilient architecture: Design demand-response systems with graceful degradation modes that maintain basic functionality during communication outages.
Local intelligence: Implement more sophisticated edge computing that allows demand-response systems to make intelligent decisions even when disconnected from central control.
Out-of-band communications: Develop backup communication channels that don't rely on the public internet (e.g., dedicated radio networks).
Robust authentication: Implement strong identity verification for all demand-response commands, potentially using hardware security modules.
Anomaly detection: Deploy systems that can identify unusual patterns in demand-response signals that might indicate compromise.
Policy approaches
Critical infrastructure designation: Formally recognize large-scale demand-response systems as critical infrastructure, subject to appropriate security standards.
Security requirements in interconnection standards: Require security assessments before allowing demand-response systems to connect to the grid.
Grid-appropriate security standards: Develop security standards that address the unique characteristics of demand-response systems, rather than applying generic IT security frameworks.
Liability frameworks: Establish clear responsibility for security incidents involving demand-response systems.
Market solutions
Security as a service: Develop specialized security services for demand-response operators, particularly smaller players who lack in-house expertise.
Insurance products: Develop insurance mechanisms that can help mitigate the financial impact of security incidents while creating incentives for enhanced security.
Security certification: Establish certification programs for demand-response technology that validate security capabilities.
Educational initiatives
Consumer awareness: Provide clear guidance for consumers about the security implications of participating in demand-response programs.
Workforce development: Invest in training programs that combine expertise in energy systems, cybersecurity, and communications networks.
Cross-domain collaboration: Foster deeper cooperation between cybersecurity experts and power system engineers, who have historically operated in separate spheres.
More research needed
Several critical knowledge gaps require investigation before we can implement effective solutions at scale:
Resilience modeling
We need better models to understand how demand-response failures propagate through both energy and communication networks. Key questions include:
How many compromised demand-response nodes would create meaningful grid instability?
Which grid topologies are most vulnerable to demand-response manipulation?
How do cascading effects move between the power grid and communication networks?
What threshold of demand-response penetration creates systemic risk?
This modeling needs to account for geographic specificity, temporal patterns, and the unique characteristics of different types of loads.
Security architecture design
We need to develop reference architectures for secure demand-response that balance security with the operational requirements of the grid:
What separation of concerns between systems could minimize cascading risks?
How can we implement zero-trust principles in systems that require real-time responsiveness?
What backup mechanisms would provide sufficient resilience during communications failures?
How can we design interfaces between demand-response systems and legacy grid infrastructure to minimize risk?
Human factors research
The human dimension of demand-response security deserves particular attention:
How do operators respond to potential security incidents in demand-response systems?
What security behaviors can we reasonably expect from consumers who participate in demand-response programs?
How should security information be communicated to non-technical stakeholders?
What organizational structures best support security in organizations that manage demand-response?
Incentive alignment
Perhaps most crucially, we need to understand how to align economic incentives with security outcomes:
Who should bear the costs of securing demand-response systems?
How can rate structures and market designs encourage appropriate security investments?
What regulatory mechanisms most effectively drive security improvements?
How can we quantify the systemic risk of insecure demand-response to inform policy decisions?
The path forward
The challenge of securing demand-response technology exemplifies the broader security challenges of the clean energy transition. We are fundamentally changing the architecture of our energy system—from centralized to distributed, from analog to digital, from supply-following-demand to demand-adapting-to-supply. This transition offers numerous benefits, including more efficient resource utilization, lower carbon emissions, and potentially more resilient energy systems. But it also introduces new interdependencies and vulnerabilities that cross traditional boundaries between sectors, regulatory domains, and technical disciplines.
Successfully addressing these challenges requires collaboration across these boundaries. It demands a systems thinking approach that considers not just individual components but their interactions. And it requires us to move beyond seeing cybersecurity as simply a technical problem, recognizing it as a socio-technical challenge that touches on economics, human behavior, and institutional design.
By addressing these research gaps and implementing thoughtful interventions, we can build demand-response systems that help enable the clean energy transition while maintaining the security and reliability of our critical infrastructure. After all, a smarter grid should not mean a more vulnerable one. The true challenge is creating demand-response capabilities that are not just clean and flexible, but secure by design.
Feedback?
This post represents our current understanding of the demand-response security landscape, but we know there's much more to learn. Are you working on these issues? Do you see risks or opportunities we've missed? Please contact Nick Merrill (ffff@berkeley.edu) or leave a comment below.
This work emerged in collaboration with researchers at the Center for Long-Term Cybersecurity at UC Berkeley and the Institute for Security in Technology. Support for this work comes from Open Philanthropy.
Before you blow up my inbox: I’m referring to existing virtual-power-plant (VPP) capacity, most of which is demand-response. DOE’s 2024 Pathways to Commercial Liftoff: VPPs puts today’s VPP capacity at 30-60 GW (p 19).
In response to some feedback I received earlier, this thought experiment is intended to be a credible possibility, not an inevitable outcome. Ideally, edge fail-safe design would mitigate this scenario. The question is: How rigorously are we verifying fail-safes against both grid outages and network outages?