To explore how this works in practice, we spoke with two of the minds behind our security strategy: Dr. Alei Salem (A), Head of IT Security, and Lukas Mauer (L), Product Manager of our "Ready for gridX" initiative. Together, they share how we approach trust, risk and responsibility in today’s complex secure energy systems landscape.

1. Why is security such a critical topic in today’s energy and digital infrastructure landscape, especially when integrating devices from many different manufacturers?

A: Cybersecurity in the energy sector isn’t just about keeping the lights on – it’s about protecting the backbone of modern society. Every industry, from healthcare to manufacturing to transportation, depends on a stable and secure energy system. Without power, everything grinds to a halt. As I’ve said in a previous blog of ours, we’d be thrown back into the caveman era. In such an interconnected landscape, even a single weak point can have widespread consequences. That’s why at gridX, we treat energy management system cybersecurity as a core responsibility, ensuring that every device and connection in our ecosystem is secure by design and continuously monitored to prevent and contain threats.

L: You also have to understand that flexibility and optimizing decentralized energy resources (DERs) will be core aspects of energy grids in the future. As this is something that influences all of us in our private and professional lives, it’s logical that we make this part of the energy transition secure. This starts at every DER we connect to platforms like XENON, forming the building blocks of truly secure energy systems.

External oversight: Working with trusted institutions

2. A big topic nowadays is having faith and trust in technology that is not manufactured domestically. What kind of security or fail-safes are there when it comes to imported tech, especially within the European Union?

L:  In the European Union – and specifically in Germany – multiple governmental bodies are involved in ensuring that imported technology used in critical infrastructure meets strict security standards. While gridX itself does not import hardware directly, we (and all tech companies in general) rely on these government bodies to enforce baseline security requirements, which we then complement with our own internal vetting and system design principles to ensure safe and secure integration.

3. Why is it important that security doesn’t rely solely on the device manufacturer or on gridX alone?

A: Generally speaking, the more eyes you have on something, the more it will be vetted for potential security threats and vulnerabilities, especially if the involved parties look at things from different angles and possess different skillsets. In this particular case, device manufacturers can focus on the security of their hardware and firmware, whilst gridX focuses on the security of the communication between devices and gridBoxes, how data is transferred and stored in the cloud, and how it is relayed to the users. Together, both parties deliver a well-vetted, secure product to the consumer. Long story short: it’s a team effort.

Internal safeguards: The checks from our side

4. Can you walk us through the steps gridX takes when integrating a new device into our EMS ecosystem? What kinds of checks or evaluations happen behind the scenes?

L: There are obviously some steps here that are confidential, but when integrating a new device into our ecosystem, our process begins with controlled testing in a secure environment where we evaluate how the device communicates and behaves under different conditions. While we don’t publicly share all the details of our internal processes, every integration is guided by a clear goal: to ensure that the device can be safely and seamlessly connected to our platform without introducing risks to the wider system.

5. What are some typical vulnerabilities that your team looks for, and how do you mitigate them?

A: Whether found in the code we write ourselves or in third-party dependencies, we pay particular attention to any vulnerabilities that might leak (personal) data about end users (e.g., vertical or horizontal privilege escalation), or those that might disrupt our around-the-clock service. That said, you never know – you might come across a small vulnerability that, at first, seems irrelevant, but in combination might have devastating consequences. So, any vulnerability we come across, we strive to address as soon as possible.

6. What kind of safety net does gridX put in place in case a vetted device later proves to have security flaws?

L: Fortunately, we haven’t yet encountered this situation, but we’re fully prepared if it ever happens. We strive for strong partnerships with supported manufacturers. We regularly exchange with them and employ quick release procedures in case we register an unwanted behavior.

System segregation: Designing for resilience

7. Even with strong vetting, no system is ever 100% immune to attack. How does gridX ensure that a compromised device doesn’t jeopardize the entire system?

A: We built the ecosystem to prioritize compartmentalization. That means, if one system is compromised, it would not have a cascading effect on the other systems. For example, if an attacker manages to compromise one gridBox, they will remain confined to that system and will not be able to pivot to and compromise other ones.

8. Can you explain what a “zero trust” architecture means in practice for gridX and how it helps protect customers?

A: As opposed to “trust but verify”, “zero trust” means that you should always expect attacks whether internal or external, and have the necessary security controls to detect such attacks, contain and correct them, and recover from them in a timely manner. That is exactly what we focus on at gridX. In addition to limiting access and privilege on a need-to-know basis, we verify our policies by monitoring our systems around the clock and continuously widening our monitoring scope to include different parts of our ecosystem. We also have security experts looking at the generated logs and events, and very capable engineers that assist with dealing with any events the security team deems as incidents to be dealt with immediately. Equally important, we learn from our mistakes and continue to improve and optimize our processes and policies.

9. What does system segregation look like in gridX’s platform, and how does it contribute to security?

A: XENON is built to enforce complete mediation of requests (e.g., to system details). That means we process all requests made by users and make sure that users can retrieve and modify data that belongs to them and nothing beyond that.

Security at its core: It takes a village

10. You’ve mentioned that “it takes all of us” to make security work. What role do partners and customers play in maintaining a secure energy infrastructure?

A: There is this famous saying: “A system is as secure as its weakest link.” It means that security is a shared responsibility. While gridX takes the lead on securing our platform, partners and customers also play an essential role. For example, when our employees who interact with partners are trained in security best practices, they can both recognize risks early and pass on that awareness to others. This creates a ripple effect: better-informed users and partners are more likely to report issues promptly and handle devices securely. Even if we’re not directly responsible for educating every external stakeholder, empowering our own people makes the entire ecosystem more resilient.

11. What would you say to customers who are concerned about the trustworthiness of imported technology in their energy systems?

A: It’s completely reasonable to have concerns about any technology being integrated into critical infrastructure, regardless of where it comes from. That’s why we focus less on where a device is manufactured and more on how it’s vetted, secured and integrated. Through a combination of regulatory oversight, technical evaluation and continuous monitoring, we ensure that only devices meeting our strict standards are allowed into our ecosystem. What matters most is not geography, but transparency, collaboration and the strength of the controls in place.

L: Origin alone doesn’t determine a device’s trustworthiness. It’s the security processes, technical safeguards and long-term collaboration behind it that matter most. We apply strict technical controls, monitor behavior and ensure that only devices meeting our integration standards are allowed into the system. While we can’t speak for the internal policies of every OEM, we focus on securing the parts we do control and we do that thoroughly.

12. In one sentence, what gives you the most confidence in gridX’s ability to keep our systems and our customers safe?

A: We genuinely care about customers and their data, and we will never settle for a mediocre or below par security in the product(s) we deliver to them.

L: We incorporate security into the features we build as an integral part; for example, our recent plug-and-play commissioning technology was built on the latest security standards.