From Compliance to Measurement: One Researcher's Case for the Next Phase of Grid Cyber

In 2006, Chee-Wooi Ten was a doctoral student in the U.S., visiting a local transmission utility to talk about something almost no one in the room believed was real: the cyber vulnerability of the U.S. power grid. He had spent the previous four years, from 2002 to 2006, as a power systems engineer at Siemens in Singapore. The IT staff he met with disagreed.

"We have the best defense system," they said. And: "I don't believe this is a problem."

"I had to live with it," Ten says now, "because I needed to finish my doctorate, and I couldn't let that discouragement stop me." His 2009 dissertation at University College Dublin was among the early academic treatments of cyber-physical risk in the grid, six years before the December 2015 Ukraine grid attack flipped the U.S. utility industry's posture from skepticism to acceptance.

Today Ten is a professor of electrical engineering at Michigan Technological University, where he directs the Cyber-Physical Systems Center. In a recent interview, he said that while the industry now accepts grid cyber as a real problem, the field has more work to do.

NERC CIP, the mandatory cyber security standards that govern North American bulk electric utilities, is " well respected," Ten said. It is also qualitative. The next step, he argues, is making grid cyber risk quantitative.

"The technical side can be hard to convince people on, but numbers are easy," he said. "At a doctor's visit, they take your vitals. Your blood pressure is high. That's a measure. We still need more of that kind of quantitative analysis for grid cyber."

"Selling fear doesn't help," Ten said. "We have to put ourselves in the shoes of the decision-maker. They have many things on their plate."

The AI buildout, he believes, makes this urgent. Meeting U.S. AI data center load requires more distributed energy: utility-scale batteries, behind-the-meter solar, EV charging, on-site generation at the data centers themselves. Every battery management system, smart inverter, and EV charger is a potential intrusion point. NERC CIP, written around the bulk electric system, was not designed for tens of millions of small, customer-owned, network-connected energy assets.

"You don't want someone breaking into your home energy management system and manipulating your battery," Ten said.

The lever he keeps returning to is insurance. Auto insurance prices premiums from decades of actuarial data, and that pricing disciplines driver behavior. Cyber insurance for utilities and distributed energy isn't there yet, because the underlying quantitative models don't exist at scale.

Ten sees intersections worth exploring between AI, energy demand, and insurance. Until grid cyber risk is legible to insurers and the capital behind them, he argues, defense investment will keep lagging the threat, and the distributed buildout AI is forcing will arrive without a pricing framework that matches its risk.

"Convincing people takes a lot of time," Ten said. "Making a good case is another thing."