Multi-Domain Moving Target Defense for Resilient Security in Power Cyber-Physical Systems: A Review

1. Introduction

1.1. Limitations of Static and Perimeter-Based Cyber Defenses in Power CPS

The convergence of digital technologies with physical grid operations has given rise to Power Cyber-Physical Systems (Power CPS), enabling real-time monitoring, control, and optimization of power generation, transmission, and consumption [1,2,3]. These systems integrate sensors, actuators, communication networks, control algorithms, and market mechanisms to manage increasingly complex and decentralized energy infrastructures, including distributed energy resources (DERs) [4,5,6], microgrids [7,8,9], and virtual power plants (VPPs) [10].

However, this digital transformation has significantly expanded the attack surface of power systems. Traditional perimeter-based defenses—such as firewalls, static access controls, and fixed network segmentation—were designed under the assumption that once the boundary is secured, internal operations are safe [11]. This assumption no longer holds in Power CPS for several reasons [12,13,14]:

• Interconnectedness: Power CPS are increasingly connected to external networks, cloud services, and third-party platforms, making perimeter boundaries fluid and porous.
• Insider Threats: Compromised insiders or supply chain attacks can bypass perimeter defenses.
• Advanced Persistent Threats: Attackers often penetrate static defenses and maintain long-term stealthy presence.
• Static Configurations: Fixed system configurations provide attackers with stable targets to study, exploit, and compromise over time.

Examples of real-world cyber-physical incidents—such as the 2015 Ukraine grid attack, the Stuxnet worm, and more recent ransomware attacks on critical infrastructure—demonstrate the insufficiency of static defenses. These events reveal the need for dynamic, adaptive security mechanisms that continuously evolve to counter evolving threats [15].

1.2. Concept and Relevance of Moving Target Defense

Moving Target Defense (MTD) is an emerging security paradigm that seeks to increase system unpredictability by continuously changing the system’s attack surface [16,17]. By dynamically reconfiguring aspects of the system—such as network topology, control paths, authentication keys, or even market mechanisms—MTD makes it more difficult for attackers to:

• Gather accurate system knowledge.
• Maintain persistent footholds.
• Launch successful, repeatable attacks.

The key principle of MTD is to shift the security advantage from static defenders to dynamic defenders, forcing attackers to adapt faster than they can reliably exploit. MTD has shown promise in network security, cloud computing, and military systems, but its application to Power CPS remains underexplored [18,19,20].

In the context of Power CPS, MTD strategies can extend beyond the cyber layer to include [21,22,23]:

• Physical Layer Variations: Changing grid topology or switching operational modes (e.g., islanded vs. grid-connected).
• Market Mechanism Dynamics: Introducing variability in market rules, pricing algorithms, or bidding processes to thwart economic manipulation.
• Human-Operator Engagement: Involving operators in orchestrating and validating MTD strategies to ensure safety and operational feasibility.

This multi-domain perspective on MTD represents a promising shift toward proactive, adaptive security in Power CPS, complementing traditional static defenses and AI-driven detection mechanisms [24,25].

1.3. Contributions and Structure of This Review

This review aims to provide the first comprehensive exploration of multi-domain MTD strategies for adaptive Power CPS security. Its key contributions are as follows:

• Identification of Static Configuration Vulnerabilities: Analyzing how fixed system parameters in cyber, physical, and market layers create exploitable attack surfaces.
• Systematic Classification of MTD Techniques: Categorizing MTD strategies across multiple domains and evaluating their applicability to Power CPS.
• Design Trade-Off Analysis: Discussing the operational costs, security benefits, and coordination challenges of deploying MTD.
• Human-in-the-Loop and AI-Augmented MTD Orchestration: Proposing frameworks for integrating human oversight and AI-driven decision support in MTD management.
• Validation Platforms and Deployment Considerations: Reviewing simulation tools, resilience metrics, and practical challenges in operationalizing MTD.
• Future Research Agenda: Highlighting open research questions, regulatory considerations, and cross-sector collaboration needs.

The remainder of this review is structured as follows. Section 2 examines the threat surfaces and defense challenges in Power CPS, highlighting the limitations of static configurations. Section 3 introduces the principles and classification of multi-domain MTD. Section 4 and Section 5 detail MTD strategies for the cyber, physical, and market layers, respectively. Section 6 discusses human-in-the-loop and AI-augmented MTD coordination. Section 7 reviews validation platforms, resilience metrics, and deployment challenges. Section 8 outlines future research directions and collaboration opportunities. Finally, Section 9 concludes the review with key insights and a call to action for advancing dynamic, adaptive defense paradigms in Power CPS.

2. Threat Surfaces and Defense Challenges in Power CPS

Power CPS are inherently complex, multi-layered infrastructures where cyber, physical, market, and human elements interact to manage energy production, distribution, and consumption [26,27,28]. While this integration enhances operational efficiency and flexibility, it also amplifies system vulnerabilities, especially when system configurations remain static over time. This section analyzes the key threat surfaces across different domains and explains why static configurations create long-term security risks.

2.1. Static Configuration Vulnerabilities in Cyber, Physical, and Market Layers

2.1.1. Cyber Layer Vulnerabilities

The cyber layer includes communication networks, software platforms, and control interfaces that enable real-time monitoring and management of power systems [29,30]. Static configurations in this layer include:

• Fixed IP Addresses and Network Topologies: These provide stable targets for attackers to map and exploit through scanning and reconnaissance.
• Unchanging Authentication Credentials or Keys: Static passwords or cryptographic keys are susceptible to brute-force attacks, credential theft, and reuse attacks.
• Predefined Control Paths and Protocol Configurations: Predictable control command paths and protocol settings make it easier for attackers to craft protocol-specific exploits or man-in-the-middle attacks [31].

Such static elements allow attackers to study the system over time, identify weak points, and develop tailored exploits that maximize impact while minimizing detection.

2.1.2. Physical Layer Vulnerabilities

The physical layer consists of power generation units, substations, DERs, and grid control devices such as Phasor Measurement Units (PMUs) and Remote Terminal Units (RTUs) [32,33,34,35]. Static configurations here include:

• Fixed Grid Topologies: Long-standing transmission and distribution network structures that, once mapped, reveal critical dependencies and single points of failure [36].
• Static Control Modes: Fixed operational settings for DERs, energy storage systems, or microgrid controllers, making them predictable targets for control manipulation [37,38].
• Unchanging Load Profiles or Dispatch Patterns: Repetitive scheduling patterns that adversaries can exploit to time their attacks for maximum disruption [39].

These static physical configurations expose the system to targeted manipulation, such as cascading outages, DER misoperation, or incorrect state estimation.

2.1.3. Market Layer Vulnerabilities

Modern power systems operate within market frameworks where bidding, pricing, and settlement processes are automated and data-driven [40,41]. Static vulnerabilities include:

• Fixed Market Rules and Pricing Algorithms: These can be reverse-engineered by attackers to manipulate price signals or create artificial congestion.
• Predictable Bidding Patterns: Attackers can mimic or disrupt legitimate market participants by exploiting consistent bidding behaviors [42].
• Unchanging Demand Response Schedules: Static schedules make it easier for adversaries to predict and exploit load control events.

Such vulnerabilities enable economic attacks, including market manipulation, financial fraud, and artificial scarcity creation.

2.2. Cross-Layer Attack Propagation and Systemic Risk Amplification

One of the defining characteristics of Power CPS is the interdependence between layers. Cyber, physical, and market layers are tightly coupled, meaning that vulnerabilities in one layer can propagate and amplify risk across others [43,44].

Examples of Cross-Layer Attacks

• Cyber-Physical Attacks: An attacker exploits a cyber vulnerability to inject false data into grid control systems, causing physical instability or equipment damage.
• Cyber-Market Manipulation: Compromised market data streams lead to incorrect pricing, which in turn drives grid imbalances and operational risks [45].
• Physical-Cyber Reconnaissance: Physical monitoring of substations or DER installations provides attackers with insights to craft cyber exploits targeting those assets [46].

Systemic Risk Amplification

Cross-layer attacks can escalate localized vulnerabilities into system-wide failures by:

• Triggering cascading outages across interconnected grids.
• Exploiting market dynamics to amplify financial impact.
• Overwhelming operators with misleading or conflicting information.

This highlights the need for defense strategies that span all layers and adapt dynamically to evolving cross-layer threats [47].

2.3. Gaps in Existing Defense Mechanisms

Despite advancements in intrusion detection systems (IDS), machine learning-based anomaly detection, and perimeter security technologies, existing defenses face several limitations:

• Static Defense Posture: Most security measures are configured once and remain unchanged, making them vulnerable to long-term reconnaissance and exploitation [48].
• Siloed Defense Layers: Cyber, physical, and market defenses are often developed and managed in isolation, missing cross-layer attack correlations.
• Reactive Detection Focus: Existing systems prioritize detecting known attack signatures or anomalies after they occur, rather than proactively disrupting attacker reconnaissance and planning [49].
• Operator Overload: Static rule-based systems generate high volumes of alerts, many of which are false positives, overwhelming human operators.

These limitations underscore the need for proactive, dynamic, and coordinated defense approaches that continuously change the system’s attack surface, making it harder for attackers to maintain a stable foothold or execute successful attacks [50,51,52]. A summary of threat surfaces and defense gaps is listed in Table 1.

In summary, the static nature of most Power CPS configurations creates predictable, long-term vulnerabilities that adversaries can exploit. To counter these risks, the next section introduces the principles of MTD as a proactive, multi-domain defense paradigm for disrupting attacker strategies and enhancing system resilience.

3. Principles of Moving Target Defense for Power CPS

Building on the threat analysis presented in the previous section, this section introduces the conceptual foundations, classification, and multi-domain applicability of MTD as a strategy to counter static system vulnerabilities and disrupt adversarial planning in Power CPS [53,54,55]. By continuously altering system configurations and parameters across cyber, physical, market, and human layers, MTD aims to increase system unpredictability, limit attacker reconnaissance effectiveness, and shift the advantage to defenders [56].

3.1. Conceptual Foundations and Classification of MTD Techniques

3.1.1. Definition and Core Philosophy of Moving Target Defense

MTD represents a proactive cybersecurity strategy designed to continuously or periodically alter the characteristics and configurations of a system's attack surface [57]. Unlike traditional static defense measures that offer attackers stable targets for persistent reconnaissance, MTD dynamically shifts the operational environment, significantly elevating attacker uncertainty and complicating their efforts to develop reliable attack models. By continually changing critical system parameters and configurations, MTD dramatically reduces the vulnerability exploitation window, compelling adversaries to continuously restart reconnaissance and adapt their strategies. While not removing vulnerabilities entirely, MTD effectively disrupts the adversary’s ability to predict, analyze, and successfully exploit system weaknesses [58,59,60].

3.1.2. Core Objectives and Strategic Benefits of MTD

The fundamental objectives underpinning MTD are rooted in undermining attacker strategies by continually invalidating their knowledge and assumptions about system operations [61,62]. First, MTD aims to disrupt adversary planning efforts, preventing them from constructing accurate and lasting models of system behaviors and configurations. Secondly, it seeks to substantially reduce exploit longevity; even if an attacker succeeds in compromising an asset, frequent configuration changes ensure such footholds are temporary, minimizing long-term damage. Finally, MTD strategies intentionally force attackers into a continuous state of adaptation, thereby significantly increasing their operational costs and risks [63]. This continuous adaptation not only exhausts attacker resources but also raises the probability of detection, as adversaries must frequently probe the system anew.

3.1.3. Systematic Classification and Application Domains of MTD

MTD techniques can be comprehensively classified based on the specific aspects or parameters of a system that are dynamically altered [64,65]. Each type of MTD addresses unique vulnerabilities and comes with distinct operational considerations:

• Spatial MTD: This category focuses on dynamically adjusting the spatial configurations of the system, including network topologies or physical resource allocations. In the context of Power CPS, spatial MTD strategies might involve dynamically rerouting network traffic, periodically changing grid interconnection patterns, or reconfiguring the operational boundaries of microgrids. Such alterations complicate attackers’ spatial reasoning, hindering targeted exploitation of specific components or locations [66].
• Temporal MTD: Temporal MTD methods periodically vary operational parameters and configurations over time, such as regularly rotating cryptographic keys, authentication credentials, or even control logic modes. By introducing unpredictability into the timing and duration of operational states, temporal MTD substantially narrows attackers’ opportunities to exploit any specific operational mode, reducing the likelihood of sustained system compromise [67,68].
• Behavioral MTD: Behavioral approaches aim to introduce controlled randomness or unpredictability into system responses and actions, such as varying control signal outputs, operational setpoints, or market transaction parameters. Behavioral variability disrupts attackers’ attempts to accurately predict system responses, undermining their ability to design effective manipulation or deception-based attacks [69].
• Information MTD: This approach focuses on altering the visibility, accuracy, or representation of system data accessible to potential adversaries. Information MTD could involve deceptive data streams, dynamic obfuscation of monitoring outputs, or the strategic dissemination of misleading information during reconnaissance phases [70]. These techniques significantly impede attackers’ ability to confidently assess system status and vulnerabilities, compelling them to expend substantial resources distinguishing genuine system states from deceptive signals [71,72].

3.1.4. Trade-Offs and Considerations in MTD Implementation

Despite the substantial defensive advantages, implementing MTD strategies involves careful consideration of several critical trade-offs. Each MTD domain introduces distinct challenges related to complexity, operational overhead, and potential impacts on system stability and performance [73,74,75]. For instance, spatial reconfigurations can inadvertently affect grid stability or communication reliability if not properly synchronized with operational constraints. Similarly, frequent temporal adjustments could result in increased system latency or operational disruptions if transitions between states are not managed effectively. Behavioral and informational MTD techniques, while highly effective at deception, risk confusion among legitimate operators and may introduce unforeseen complications in routine operational decision-making [76,77,78].

Therefore, the successful deployment of MTD in Power CPS requires a balanced and integrated approach that carefully assesses defense effectiveness against operational feasibility. It demands comprehensive cross-layer coordination, robust real-time management tools, and significant investment in operator training and adaptive decision support systems to achieve optimal security gains without compromising system reliability or regulatory compliance [79].

3.2. Multi-Domain MTD: Cyber, Physical, Market, and Human Layer Dynamics

3.2.1. Cyber Layer MTD

Moving Target Defense strategies within the cyber domain primarily aim at dynamically altering network configurations, communication protocols, and authentication mechanisms, thus directly confronting the reconnaissance efforts that cyber attackers typically rely on [80,81,82]. Techniques such as IP address randomization periodically shift the network identities of critical components, rendering attackers’ mapping efforts obsolete. Similarly, dynamic routing techniques continuously vary data transmission paths, effectively mitigating persistent surveillance or man-in-the-middle interception attempts. Furthermore, MTD includes strategies like protocol parameter variation, which introduce unpredictability into communication settings, impeding protocol-specific exploitation and significantly increasing the complexity for attackers to reliably execute known attack patterns [83]. Complementing these, the regular rotation of cryptographic keys and authentication credentials significantly diminishes the risk of credential reuse, credential stuffing, or brute-force attacks, forcing adversaries into perpetual cycles of re-acquisition and recalibration of their attacks [84,85].

3.2.2. Physical Layer MTD

In the physical realm of Power CPS, MTD addresses vulnerabilities tied to static configurations of grid infrastructures and control settings [86]. The core method, grid topology reconfiguration, involves dynamically activating or deactivating transmission lines, switching transformer connections, or temporarily modifying substation connectivity. These changes obscure critical interdependencies and pathways that attackers might exploit, while also limiting the potential spread of disruptions through strategic segmentation [87,88]. Further, physical MTD encompasses dynamic control mode switching, alternating control settings of DERs—such as transitioning between voltage control, frequency regulation, and reactive power management modes—to prevent attackers from accurately predicting operational behaviors [89]. Additionally, virtual islanding strategies periodically segment parts of the grid into self-sufficient microgrids [90,91]. Such controlled segmentation localizes potential disruptions, providing intrinsic resilience by containing failures and limiting cascading effects across interconnected networks [92].

3.2.3. Market Layer MTD

Beyond technical infrastructure, energy markets represent another crucial attack surface susceptible to manipulation. Attackers aiming for economic exploitation depend heavily on predictable market dynamics, such as fixed pricing algorithms or static demand response schedules [93,94]. To counteract this, Market Layer MTD employs strategies like dynamic rotation of market rules and pricing algorithms, introducing controlled unpredictability in bidding processes and market clearing outcomes. This unpredictability effectively reduces adversaries' abilities to reverse-engineer and exploit market mechanisms [95]. Further extending this unpredictability, randomized demand response signaling varies the timing, duration, and magnitude of demand-side interventions, significantly complicating adversarial planning aimed at load manipulation. Additionally, strategic adjustments in market clearing intervals and timing serve to further complicate attackers' synchronization with market operations, thereby safeguarding economic stability and fairness [96,97].

3.2.4. Human Layer MTD

Recognizing the critical role of human operators, Human Layer MTD emphasizes orchestrating dynamic defenses through human oversight and interactive control mechanisms [98,99,100]. Operators empowered by real-time situational awareness can engage in manual triggering of defense actions, proactively initiating MTD measures in response to emergent threats or anomalies. Furthermore, structured but adaptive playbooks offer operators predefined yet randomized defensive scenarios, enhancing their ability to rapidly and effectively respond without predictable patterns [101]. To ensure operators remain adept at managing dynamic scenarios, MTD emphasizes continuous training and simulation exercises, fostering familiarity and competence with rapidly changing operational landscapes. This human-centered approach ensures that MTD deployments remain operationally safe, context-aware, and adaptable to unexpected circumstances [102].

3.3. Design Trade-Offs: Security Gains vs. Operational Overhead

3.3.1. Security Benefits of Implementing MTD

Deploying Moving Target Defense across cyber, physical, market, and human layers significantly enhances the security posture of Power CPS [103,104,105]. Foremost, MTD strategies substantially increase attacker uncertainty, disrupting their reliance on stable, predictable system configurations. By introducing continual variations, adversaries are forced to operate under conditions of incomplete and frequently obsolete information, dramatically lowering the probability of successful exploitation [106,107]. Another critical advantage is the pronounced reduction in the exploit window, limiting the duration for which any discovered vulnerability remains actionable. Frequent changes rapidly invalidate attacker reconnaissance data and disrupt persistent footholds, thus significantly shortening attackers' opportunities to cause sustained harm [108]. Additionally, the continuous adaptive nature of MTD strategies results in considerably higher attacker costs, both in terms of operational complexity and resource allocation, effectively deterring prolonged or large-scale attack campaigns by increasing the probability of detection and failure [109,110,111,112,113,114,115,116,117,118,119,120].

3.3.2. Operational Challenges Associated with MTD

Despite these substantial security benefits, deploying dynamic MTD mechanisms across multiple domains inherently introduces operational challenges [121,122,123]. One primary concern is the potential risk to system stability, particularly prevalent in the physical domain, where frequent grid reconfigurations or control-mode switching could inadvertently destabilize operational processes or create unforeseen vulnerabilities. Another significant challenge is the increased complexity arising from maintaining, monitoring, and managing dynamically changing configurations [124]. Such complexity demands advanced, real-time situational awareness tools and rigorous operator training to ensure that these dynamic defenses remain transparent, manageable, and operationally sound [125]. Furthermore, the necessity for cross-domain coordination introduces additional overhead, requiring precise synchronization among cyber, physical, market, and human layers. This complexity demands sophisticated orchestration frameworks and robust inter-domain communication to maintain cohesive defensive operations without disrupting routine activities [126,127,128].

3.3.3. Strategically Balancing Defense Effectiveness and Operational Integrity

Successful implementation of Multi-Domain MTD requires carefully balancing enhanced security with the maintenance of operational reliability and compliance [129]. Strategic design considerations must ensure that dynamic configuration changes neither compromise system reliability nor violate regulatory standards and compliance frameworks. Critical to achieving this balance is ensuring transparency and controllability of defense actions by human operators. Operators must have clear insights into the rationale, expected outcomes, and potential impacts of any proposed dynamic adjustment, supported by advanced, explainable decision-support systems [130]. Furthermore, to mitigate operational disruptions, real-time system performance must be continuously monitored, validated, and managed, enabling operators to rapidly identify and rectify any unintended consequences of defensive actions. By thoughtfully addressing these trade-offs, Multi-Domain MTD can be deployed safely and effectively, significantly enhancing overall system resilience against sophisticated cyber-physical adversaries [131,132,133].

A summary of MTD principles and their associated trade-offs is presented in Table 2.

4. MTD Strategies for Cyber Layer Protection

The cyber layer forms the digital backbone of Power CPS, encompassing communication networks, data protocols, control platforms, and digital interfaces that enable real-time grid monitoring and management [134,135]. This layer is highly exposed to cyber intrusions, persistent reconnaissance, and protocol-specific exploits, especially when system configurations remain static.

This section introduces cyber-specific MTD strategies designed to continuously alter the digital attack surface, thereby increasing attacker uncertainty and reducing exploitation success rates.

4.1. Dynamic Network Reconfiguration and IP Randomization

4.1.1. Conceptual Rationale and Importance

Dynamic network reconfiguration and IP randomization represent widely recognized and extensively implemented MTD techniques within network security [136]. In traditional Power CPS, critical infrastructure assets—including substations, DER controllers, and supervisory control and data acquisition (SCADA) systems—often utilize static network addresses and fixed network configurations [137,138,139]. These static attributes provide attackers with stable, easily discoverable targets for systematic reconnaissance and persistent surveillance [140].

By periodically randomizing IP addresses and dynamically altering network topologies, defenders proactively disrupt the attackers' operational models [141,142,143]. These methods effectively invalidate existing attacker reconnaissance, abruptly terminate persistent connections from compromised devices, and compel attackers into repeated cycles of re-scanning and reconnaissance. Consequently, attackers face substantially elevated operational costs, decreased efficiency, and increased detection likelihood [144,145,146].

4.1.2. Technical Implementation and Methodologies

Several well-established methodologies enable the realization of these dynamic strategies:

• IP Hopping: Periodically assigning new IP addresses to networked devices at randomized intervals, preventing attackers from reliably tracking device locations over time and disrupting persistent targeted attacks [147].
• Network Address Translation (NAT) Randomization: Continuously modifying external-to-internal IP mappings while ensuring internal network consistency. This approach complicates attacker attempts at accurately identifying and targeting critical assets through external scanning [148].
• Topology Obfuscation: Altering logical network architectures, such as shifting among mesh, ring, star, or hybrid topologies. Regularly changing network structures prevents attackers from forming durable models of the system's communication pathways and dependencies, significantly complicating network-based attacks [149,150].

4.1.3. Operational Considerations and Practical Challenges

Despite their defensive advantages, these dynamic techniques pose several critical operational considerations. Effective network reconfiguration necessitates precise synchronization to maintain session continuity and avoid operational disruptions [151,152,153]. Without careful management, poorly timed IP or topology changes could result in increased latency, packet loss, or interruptions in critical control communications. Furthermore, compatibility with legacy infrastructure presents another considerable challenge; older SCADA and control devices might lack the requisite capabilities to handle dynamic address resolution protocols or frequent reconfiguration commands, requiring either substantial upgrades or the introduction of hybrid solutions that balance legacy and modern components seamlessly [154,155,156].

4.2. Rotating Authentication and Key Management Protocols

4.2.1. Conceptual Rationale and Security Justification

Static cryptographic keys and unchanging authentication credentials constitute prevalent targets for attackers employing brute-force attacks, dictionary attacks, credential stuffing, or sophisticated cryptographic exploits [157,158,159]. Regular rotation of keys and credentials fundamentally mitigates these risks by continuously limiting the temporal validity of compromised credentials, drastically reducing attacker opportunities for prolonged exploitation [160]. Furthermore, frequent credential rotations compel attackers to persistently expend significant effort reacquiring valid credentials, thereby heightening their resource expenditures and exposure to detection [161,162,163].

4.2.2. Advanced Technical Implementation Strategies

Several robust techniques underpin effective key management practices in dynamic environments:

• Time-Based Key Rotation: Implementing scheduled and predictable rotations of cryptographic keys to ensure that any compromised credentials swiftly become obsolete, minimizing exploitation windows [164].
• Event-Driven Key Changes: Triggering immediate and proactive key updates in response to identified anomalies, potential security breaches, or significant policy modifications, thereby containing emergent threats swiftly [165].
• Distributed Key Management: Utilizing blockchain-based or federated key distribution systems to enhance resilience against centralized attacks, eliminate single points of compromise, and ensure secure and decentralized credential management across geographically dispersed grid assets [166,167].

4.2.3. Operational Considerations and Management Challenges

Efficient management of dynamic key rotations involves meticulous planning and significant operational oversight. The secure and timely distribution of keys poses logistical and technical overhead, necessitating sophisticated key management infrastructure to avoid disruptions in critical services [168,169]. Additionally, seamless transitions during key updates are critical to maintaining continuous operations, demanding rigorous adherence to industry standards such as IEC 62351, which specifies requirements for secure communications in power systems. Failure to comply with such standards can introduce vulnerabilities and undermine the entire authentication infrastructure [170].

4.3. Control Path Diversity and Switching Strategies

4.3.1. Conceptual Rationale and Necessity

Typical control communications within Power CPS follow predictable, predefined network paths, presenting attackers with stable targets for interception, man-in-the-middle attacks, or injection-based sabotage [171]. Implementing diversity and dynamic switching strategies in control communication paths disrupts attackers' assumptions and complicates their planning by continuously altering the routes through which critical control commands travel [172].

4.3.2. Innovative Techniques and Implementation Approaches

The realization of control path diversity encompasses multiple advanced approaches:

• Multi-Channel Control Communication: Employing parallel and redundant communication channels (e.g., fiber optics, LTE, satellite) for the transmission of critical control signals, ensuring resilience against single-channel failures or targeted disruptions [173].
• Random Path Selection: Dynamically and probabilistically selecting communication routes based on real-time network conditions, threat intelligence, or randomized policies, thereby continuously invalidating attackers' surveillance and path interception efforts [174].
• Protocol Switching: Alternating among secure communication protocol variants (such as IEC 60870-5-104 and DNP3 Secure Authentication) to prevent attackers from reliably exploiting known protocol-specific vulnerabilities, forcing adversaries to continuously adapt their attack methodologies [175].

4.3.3. Operational Considerations and Deployment Challenges

Managing control path diversity introduces operational complexities and performance considerations. Ensuring continuous availability and reliability of alternative communication paths requires significant investments in infrastructure redundancy and robust real-time orchestration tools [176]. Variability in latency and performance across different communication channels demands meticulous management to maintain system responsiveness. Furthermore, implementing protocol switching strategies requires sophisticated orchestration capabilities and extensive operator training to avoid disruptions arising from protocol mismatches or interoperability issues [177,178].

4.4. Adaptive Service Virtualization and Obfuscation

4.4.1. Conceptual Rationale and Security Advantages

Attackers routinely rely on port scanning and service fingerprinting techniques to systematically map network services, identify vulnerabilities, and target exploitation efforts [179,180]. Adaptive service virtualization and obfuscation methodologies actively mislead adversaries by dynamically altering visible service characteristics and responses, thus introducing considerable uncertainty into attackers' reconnaissance activities [181].

4.4.2. Implementation Strategies and Tactical Techniques

Adaptive obfuscation approaches include several sophisticated methods:

• Moving Target Honeypots: Deploying dynamically configurable decoy systems designed to imitate real assets and attract attackers' attention, effectively diverting adversarial efforts away from genuine critical infrastructure [182].
• Service Masking: Regularly altering identifiable characteristics of network services—such as banners, port assignments, and signature identifiers—to prevent accurate fingerprinting and complicate attackers' attempts to associate services with known vulnerabilities.
• Protocol Behavior Variability: Introducing subtle and controlled randomness into protocol-level interactions and responses to thwart automated exploitation scripts and confuse attackers attempting protocol-specific reconnaissance or exploitation [183].

4.4.3. Operational Risks and Strategic Management Considerations

These obfuscation strategies, while powerful, also carry the potential for operational interference. Introducing dynamic and deceptive service characteristics may inadvertently disrupt legitimate network diagnostics or asset management tools that rely on stable service identities [184,185,186]. Additionally, running honeypots and maintaining adaptive obfuscation introduces non-negligible computational and network resource overhead. Thus, careful orchestration and clear separation of genuine and deceptive assets are critical, necessitating advanced management frameworks capable of reliably differentiating legitimate operator requests from adversarial probes [187,188].

A summary of cyber layer MTD strategies is presented in Table 3.

In summary, cyber-layer MTD strategies offer powerful tools to disrupt attacker planning and execution, but they must be carefully integrated into operational workflows to maintain system reliability. The next section extends this discussion to physical and market layer MTD strategies, which further broaden the defensive posture of Power CPS.

5. MTD Strategies for Physical and Market Layer Protection

While cyber-layer MTD strategies primarily address digital attack surfaces, physical and market layers present equally critical, yet often overlooked, opportunities for dynamic defense [189]. Static physical configurations—such as fixed grid topologies and operational modes—and predictable market mechanisms provide adversaries with stable targets for physical disruption or economic manipulation [190,191]. This section explores how MTD principles can be extended to these layers, enhancing overall system resilience through topology reconfiguration, market dynamics variation, and adaptive operational strategies.

5.1. Reconfigurable Grid Topologies and Virtual Islanding

5.1.1. Conceptual Rationale and Strategic Significance

Static grid topologies inherently expose Power CPS to predictable vulnerabilities, including single points of failure and cascading outages [192,193]. Attackers often exploit well-known, static grid configurations to propagate failures deliberately, maximizing damage and disruption. MTD strategies mitigate these risks by introducing deliberate and controlled variability into grid topology. Through periodic reconfiguration, attackers lose their static reference points, complicating their attempts to map critical paths and operational dependencies, thus significantly reducing the likelihood of successful targeted disruptions [194,195].

Additionally, dynamic topological adjustments enable operators to strategically isolate impacted regions via temporary segmentation—referred to as virtual islanding. By containing faults and localizing impacts within controlled segments, cascading effects are effectively curtailed, enhancing overall grid resilience and operational continuity even amidst adversarial disruptions.

5.1.2. Advanced Techniques and Implementation Approaches

• Dynamic Tie-Line Management: This involves real-time activation or deactivation of interconnection lines based on ongoing threat assessments or system operational conditions. By strategically controlling these connections, operators can dynamically alter the grid's electrical connectivity, preventing attackers from reliably predicting network states and significantly mitigating cascading failure propagation [196].
• Virtual Islanding of Microgrids: Temporarily transitioning microgrids between connected and autonomous islanded states allows localized management of disturbances. By enabling autonomous operation, islanded segments maintain critical functions independently, reducing the potential for widespread disruption and aiding in rapid post-event recovery [197].
• Reconfigurable Protection Schemes: Adaptively adjusting protective relay settings and system control policies to match dynamically changing grid topologies. This technique ensures consistent, reliable, and context-sensitive protection across varying operational configurations, safeguarding against erroneous relay actions or protection failures resulting from rapid topological changes [198].

5.1.3. Operational Considerations and Practical Challenges

Frequent topological reconfigurations introduce significant operational challenges, notably risks to system stability, voltage regulation, and frequency control. Ensuring smooth transitions between different configurations necessitates advanced monitoring and rapid-response control systems [199]. Additionally, the coordination complexity escalates, demanding high levels of operator training and situational awareness tools capable of real-time decision support. Regulatory and market constraints may further complicate dynamic reconfiguration strategies, as certain actions—such as islanding—could conflict with existing reliability standards, contractual obligations, and market participation rules, thereby necessitating careful alignment and compliance measures [200].

5.2. Dynamic Market Mechanism Variations to Thwart Economic Attacks

5.2.1. Conceptual Rationale and Economic Security Implications

Energy markets, encompassing day-ahead, real-time, and ancillary service operations, typically employ fixed algorithmic rules and predictable clearing mechanisms [201,202]. Attackers leveraging static market dynamics can execute economically disruptive attacks, such as market manipulation or strategic bidding interference. Introducing controlled variability into market mechanisms—through MTD techniques—actively disrupts attacker modeling and planning, significantly reducing the predictability and thus the vulnerability of economic operations.

By varying market operations dynamically, adversaries lose stable benchmarks for synchronization and manipulation, increasing the operational complexity and uncertainty for potential attackers, and thus safeguarding the integrity and fairness of market transactions [203,204].

5.2.2. Technical Approaches and Implementation Techniques

• Variable Market Clearing Intervals: Strategically varying the timing and frequency of market clearing processes disrupts attackers' synchronization, complicating the precise timing required for manipulative bidding or price influencing schemes, and thereby preserving market integrity.
• Rotating Pricing Algorithms: Regularly alternating between distinct locational marginal pricing (LMP) methodologies or congestion management strategies prevents adversaries from effectively reverse-engineering and exploiting predictable pricing structures. Such rotations significantly impair attackers' strategic planning capabilities and reduce economic attack feasibility [205].
• Randomized Demand Response Signals: Introducing controlled randomization into the timing, duration, and magnitude of demand response (DR) events significantly hinders attackers attempting to exploit predictable load-shifting patterns. This unpredictability safeguards the reliability of demand response mechanisms, ensuring their effectiveness in maintaining grid stability.

5.2.3. Operational Considerations and Stakeholder Implications

Although dynamic market variability offers substantial defensive advantages, it must be balanced against the imperative to maintain market transparency, efficiency, and participant confidence [206]. Excessive variability can potentially be perceived as arbitrary or unfair by legitimate market participants, thus potentially undermining trust and market participation. Regulatory compliance also presents significant considerations, as market rules and operational transparency are typically mandated by regulators. Additionally, the introduction of variability inevitably involves trade-offs in economic efficiency, necessitating careful analysis and design to balance market resilience with economic optimality [207].

5.3. Adaptive Resource Dispatch and Control Mode Switching

5.3.1. Conceptual Rationale and Operational Necessity

Traditional, static resource dispatch schedules and DER control settings offer attackers predictable operational patterns, providing opportunities for precise timing attacks aimed at disrupting or destabilizing power system operations. Adaptive resource dispatch and dynamic DER control mode switching directly counter these threats by continuously altering operational baselines, thereby complicating attacker efforts to accurately model and predict grid behavior [208,209].

Dynamic operational adjustments not only impede adversarial exploitation efforts but also enhance overall operational flexibility, empowering operators to rapidly respond to evolving threats or emergent operational conditions with adaptive dispatch and control mode adjustments [210].

5.3.2. Advanced Implementation Techniques

• Dynamic DER Mode Switching: Alternating DER operational modes—such as voltage regulation, frequency support, and power factor correction—in response to real-time grid conditions and threat intelligence. This variability significantly complicates adversarial targeting, while simultaneously optimizing grid performance under fluctuating conditions.
• Adaptive Dispatch Scheduling: Introducing controlled yet systematic variability into power generation dispatch orders and ramping sequences to prevent attackers from exploiting fixed or repetitive scheduling patterns. This approach enhances operational security without significantly compromising dispatch efficiency.
• Real-Time Re-Optimization: Continuously updating Optimal Power Flow (OPF) solutions based on real-time situational assessments, threat intelligence, and changing operational objectives. This approach maintains optimized and secure grid operation in dynamically evolving threat landscapes, ensuring robustness against targeted disruptions.

5.3.3. Operational Challenges and Practical Implementation Issues

Implementing adaptive resource dispatch and control mode switching introduces notable operational challenges, including increased computational complexity and coordination overhead. Real-time re-optimization and frequent mode changes require substantial computational resources and sophisticated coordination mechanisms to maintain operational reliability and performance consistency [211]. Improper synchronization or overly aggressive mode transitions could inadvertently cause operational instability or control oscillations. Consequently, successful deployment of these adaptive strategies mandates robust, real-time visualization and decision-support tools, extensive operator training, and clearly defined procedural guidelines, ensuring operators effectively manage and safely execute dynamic operational actions [212].

A summary of MTD strategies in the physical and market layers is presented in Table 4.

In summary, physical and market layer MTD strategies extend the defense perimeter beyond cyber infrastructure, enabling cross-layer resilience that addresses both operational and economic threat surfaces. The next section will introduce human-in-the-loop and AI-augmented orchestration frameworks to coordinate these multi-domain MTD strategies effectively.

6. Human-in-the-Loop and AI-Augmented MTD Coordination

While MTD introduces dynamic adaptability to Power CPS, effective coordination of MTD strategies presents significant operational challenges. Uncoordinated or overly aggressive MTD actions risk service disruption, system instability, or operator disorientation. To balance defense effectiveness with operational reliability, Power CPS require human-in-the-loop (HITL) orchestration frameworks, supported by AI-driven monitoring and decision support tools. This section discusses the roles of human operators, AI-based orchestration, and explainable interfaces in managing safe and adaptive MTD deployments [213].

6.1. Operator-Centered MTD Orchestration Platforms

6.1.1. Significance of Human Oversight

While automated MTD mechanisms offer rapid response capabilities and adaptability, the role of human operators remains critically indispensable. Humans possess unique capabilities in evaluating nuanced contextual information, exercising judgment in ambiguous situations, and ensuring that automated defense measures align with broader operational safety and regulatory requirements. Specifically, human operators play a crucial role in verifying the practical feasibility and safety of proposed MTD actions, particularly when automated systems lack comprehensive situational context or risk introducing unintended operational disruptions. Furthermore, operators are vital for managing complex, cross-domain coordination across cyber, physical, market, and human layers, ensuring holistic synchronization and coherent strategy implementation. In emergency or unexpected scenarios, operators can decisively override automated recommendations, safeguarding system integrity and reliability [214,215].

6.1.2. Key Functional Capabilities of Operator-Centric Platforms

• Situational Awareness Dashboards:
  Advanced visualization platforms present operators with real-time, intuitive displays of current system conditions, active MTD strategies, operational risks, and evolving threat landscapes. These dashboards significantly enhance operators' capability to rapidly comprehend complex dynamics, enabling swift and informed decision-making.
• MTD Playbook Management:
  Interactive tools allow operators to select, tailor, and deploy pre-validated dynamic defense strategies quickly and effectively. These playbooks support structured yet adaptable defense execution, empowering operators to respond proactively while ensuring consistency and reliability in operational processes.
• Risk-Benefit Analysis Tools:
  Decision-support modules systematically evaluate the operational implications and defensive effectiveness of potential MTD actions, providing transparent, data-driven recommendations. These tools enable operators to explicitly weigh operational risks against anticipated security benefits, thereby facilitating informed and strategic decision-making.
• Collaboration and Communication Platforms:
  Integrated platforms foster seamless coordination and effective communication among diverse teams spanning cyber-security, operational control, and market management domains. These collaborative tools enhance shared situational understanding, streamlining the coordinated implementation of complex, multi-layered MTD actions.

6.2. AI-Driven Attack Surface Monitoring and Adaptive Strategy Selection

6.2.1. Real-Time Attack Surface Monitoring

Advanced artificial intelligence (AI) techniques significantly enhance system resilience by continuously assessing and adapting to evolving threat landscapes. Real-time AI-driven monitoring tools provide comprehensive visibility of current attack surfaces, meticulously tracking network configurations, service exposure, communication pathways, and system configurations. By proactively identifying static and vulnerable elements within the network that may benefit from immediate reconfiguration, AI-based monitoring substantially mitigates potential attack vectors, providing operators with actionable intelligence drawn from real-time threat indicators [216].

6.2.2. Adaptive Selection of MTD Strategies

Employing sophisticated AI methodologies, such as reinforcement learning (RL) and multi-objective optimization algorithms, MTD platforms dynamically determine the most effective defense actions under varying operational contexts. These AI algorithms rigorously balance the inherent trade-offs between security enhancement and operational continuity, considering real-time constraints, system stability, and resource availability. Additionally, AI systems continuously refine their strategic recommendations through iterative learning from observed outcomes and operator feedback, ensuring sustained adaptability and effectiveness [217].

6.2.3. Human-in-the-Loop Validation for Strategic Decision-Making

Given the critical nature of operational decisions, AI recommendations must maintain transparency and interpretability to secure operator trust and validation. Platforms incorporating explainable AI methodologies enable operators to fully comprehend the rationale behind suggested actions, simulate and visualize potential operational impacts, and explicitly review and adjust recommended strategies prior to deployment. This human-centric validation mechanism ensures that dynamic defense actions align with safety standards, regulatory compliance, and practical feasibility [218].

6.3. Explainable MTD Recommendations for Operator Trust and Validation

6.3.1. Necessity of Explainable AI (XAI) in Critical Environments

In safety-critical systems such as Power CPS, operators are typically hesitant to adopt recommendations from opaque, "black-box" AI systems. Consequently, ensuring the interpretability and transparency of AI-driven decisions is paramount. XAI methods foster operator trust by clearly elucidating the reasoning behind specific MTD recommendations, explicitly highlighting operational implications, security benefits, and potential risks [219].

6.3.2. Innovative Techniques for Providing Explainability

• Feature Attribution Analysis: Clearly identifying and visualizing specific system parameters, configurations, or threat indicators that significantly influenced the AI’s recommendation. Operators thus clearly understand the decision-making factors and can quickly assess recommendation validity.
• Counterfactual Scenario Analysis: Demonstrating hypothetical alternative outcomes if different defense actions had been selected or avoided. This analysis provides operators with comparative insights, enabling them to clearly grasp the necessity and potential consequences of chosen strategies.
• Visual Impact Simulations: Graphically illustrating projected system states before and after implementing recommended MTD actions. Visual simulations facilitate intuitive understanding of potential operational impacts and enable effective risk assessment by operators.
• Interactive What-If Tools: Allowing operators to dynamically explore alternative MTD actions and their implications in a controlled, virtual environment. Such interactive exploration empowers operators to systematically evaluate and confidently validate recommended actions, significantly enhancing operational trust and decision-making effectiveness [220].

6.4. Feedback Loops for Continuous MTD Refinement

6.4.1. Integration of Operator Feedback

Sustaining the efficacy and relevance of MTD mechanisms requires iterative and continuous refinement. Real-time operator feedback, drawn from actual operational experiences, provides invaluable insights into the practical effectiveness, operational safety, and unforeseen challenges associated with specific MTD implementations. Operators actively contribute by highlighting unexpected outcomes, identifying unintended operational disruptions, and suggesting improvements derived from direct field experience [221].

6.4.2. Adaptive AI Learning from Feedback

Leveraging advanced adaptive learning frameworks, AI systems incorporate operator feedback to continuously refine underlying attack surface models, strategy selection algorithms, and recommendation logic. This continuous learning paradigm ensures ongoing enhancement of defensive effectiveness, operational resilience, and human-AI collaboration quality. Adaptive AI mechanisms thus become increasingly attuned to practical operational considerations, significantly improving their strategic relevance, decision accuracy, and operator acceptance over time [222].

Through the integration of continuous feedback loops, explainable interfaces, and robust human oversight, human-in-the-loop and AI-augmented MTD orchestration frameworks provide a comprehensive and adaptive defensive posture, ensuring optimal balance between dynamic security measures and operational stability within Power CPS environments.

A summary of human-in-the-loop and AI-augmented MTD coordination approaches is presented in Table 5.

In summary, human-in-the-loop and AI-augmented orchestration frameworks are critical for safe, effective, and trustworthy MTD deployment in Power CPS. These frameworks enable dynamic defense without compromising operational stability or human control.

7. Validation Platforms, Metrics, and Real-World Deployment Challenges

While MTD offers promising strategies for dynamic and adaptive defense, realizing these capabilities in operational Power CPS requires rigorous validation and careful consideration of deployment challenges. This section outlines the requirements for validation platforms, proposes resilience metrics, and discusses practical barriers to real-world adoption, including scalability, interoperability, and human factors [223,224].

7.1. Digital Twin and Co-Simulation-Based MTD Validation

7.1.1. Strategic Role of Digital Twins in MTD Evaluation

Digital twins, representing precise, real-time virtual counterparts of physical power systems, offer an indispensable validation environment for MTD strategies. By replicating complex system dynamics accurately, digital twins provide operators and researchers a secure, controllable, and highly realistic testbed. Crucially, these digital replicas facilitate rigorous experimentation involving attack-defense scenarios without endangering operational stability of actual physical infrastructures. Moreover, advanced digital twins enable comprehensive, multi-layer modeling, effectively capturing intricate interdependencies among cyber, physical, market, and human dimensions of Power CPS. Through detailed, scenario-driven experimentation, operators can validate the efficacy and feasibility of proposed MTD strategies under realistic and diverse operational conditions, significantly enhancing confidence before practical deployment [225].

7.1.2. Multi-Domain Co-Simulation Frameworks

Effective validation of MTD necessitates integrated co-simulation platforms that harmonize disparate modeling domains, including power system simulators, network emulators, market operation models, and human-interaction simulators. Such co-simulation environments enable operators to assess cross-layer impacts and interactions in real time, effectively evaluating MTD strategies through comprehensive end-to-end resilience tests. Real-time operator-in-the-loop simulations further allow for nuanced validation, considering human decision-making behaviors and operational responses to dynamic defensive measures [226].

7.1.3. Representative Validation Scenarios

• Topology Reconfiguration Stress Tests: Evaluating the stability implications and grid performance under frequent and dynamic switching of grid topology and virtual islanding configurations, highlighting critical thresholds for operational reliability and safety.
• Market Manipulation Defense Simulations: Testing robustness of randomized market mechanisms against sophisticated economic attacks and manipulative behaviors, providing insights into trade-offs between economic efficiency and defensive variability.
• Human-AI Collaboration Exercises: Examining operator acceptance, decision effectiveness, and operational efficiency in scenarios involving explainable AI recommendations, ensuring seamless integration of human judgment and AI-driven defense strategies.

7.1.4. Challenges to Realism in Simulation

Despite their significant utility, digital twin and co-simulation approaches face critical limitations. Achieving sufficient model fidelity remains challenging, as overly simplified simulations might inadequately reflect the intricate complexities of operational environments. Additionally, robust calibration and validation of digital twins demand high-quality, real-world data, which are often scarce or restricted due to privacy and security considerations. Scalability is another significant concern, as comprehensive simulations involving extensive grid systems require considerable computational resources, often necessitating dedicated high-performance computing infrastructures [227].

7.2. Resilience and Effectiveness Metrics for MTD Strategies

Beyond Traditional Security Metrics

Traditional cybersecurity metrics—such as detection accuracy or false-positive rates—fail to adequately capture the systemic and dynamic nature of MTD strategies. A more sophisticated and comprehensive set of resilience metrics is imperative to assess the broader impacts of MTD on Power CPS security and operational continuity. Metrics must extend beyond mere detection efficacy, encompassing attacker disruption effectiveness, system adaptability, operational resilience, and human factors such as operator trust and usability [228].

Proposed Advanced Metrics

• Security Effectiveness: Evaluating attacker time-to-compromise, required attacker resources, and degree of disruption to adversarial planning and operational effectiveness, providing a nuanced measure of defensive success.
• Operational Impact: Quantifying service continuity and stability under dynamic defense conditions, including performance degradation indices, latency impacts, and overall operational resilience during defense activations.
• Adaptability and Flexibility: Tracking the frequency and effectiveness of successful defense adaptations to evolving threats, as well as measuring system learning rates and responsiveness to new operational contexts.
• Human Factors: Gauging operator acceptance, decision confidence levels, cognitive workload, and usability metrics, ensuring that dynamic defense implementations remain practically manageable and operationally accepted.

A summary of the proposed metrics is presented in Table 6.

7.3. Scalability, Performance, and Usability Considerations for Deployment

7.3.1. Addressing Scalability Challenges

Successful real-world MTD deployment demands robust scalability, capable of accommodating large, heterogeneous power grids with extensive numbers of nodes, diverse generation resources, and complex interconnections. Effective scalability requires advanced computational resources and sophisticated algorithms to manage real-time monitoring, strategy selection, and cross-domain coordination without compromising system responsiveness or stability [229].

7.3.2. Ensuring Real-Time Performance

Critical infrastructures necessitate MTD strategies that can promptly respond to emerging threats without introducing detrimental delays or operational interruptions. Balancing real-time constraints with computationally intensive decision-making processes demands optimized algorithms and infrastructure that prioritize operational responsiveness alongside defense efficacy.

7.3.3. Prioritizing Usability and Human Factors

Human operators play a pivotal role in dynamic defense management, necessitating interfaces designed for clarity, intuitive use, and minimized cognitive load. Continuous operator education, reinforced through realistic training simulators, remains essential for maintaining operator preparedness and competence. Ensuring organizational alignment, including buy-in from operations teams, IT departments, market operators, and regulatory bodies, is crucial for successful practical adoption and sustained effectiveness of MTD strategies [230].

7.4. Regulatory and Standardization Barriers

7.4.1. Alignment with Industry Standards

Effective deployment of dynamic defense strategies must align with prevailing industry standards, such as the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) and International Electrotechnical Commission (IEC) 62351. Compliance with these standards ensures interoperability, operational transparency, and trustworthiness of MTD deployments within the broader regulatory and operational landscape [231].

7.4.2. Certification and Validation Pathways

Currently, formal certification frameworks specifically tailored for dynamic and adaptive defense mechanisms in critical infrastructures remain underdeveloped, leading to regulatory uncertainty and increased hesitancy among utility stakeholders. The absence of clear certification processes may heighten regulatory risks, deterring utilities from adopting potentially disruptive or unproven MTD approaches due to concerns about non-compliance or operational penalties [232].

7.4.3. Recommendations for Policy Evolution and Industry Collaboration

Overcoming these regulatory barriers necessitates proactive engagement with regulatory bodies from early stages of MTD strategy development. Collaborative efforts must define acceptable practices, develop standardized validation methodologies, and establish clear metrics for assessing MTD performance and reliability. Demonstrating tangible operational benefits through pilot projects and controlled field trials will provide robust, evidence-based arguments supporting the adoption and integration of MTD strategies. Moreover, active participation with industry standards organizations to formalize and disseminate comprehensive guidelines and best practices will further facilitate regulatory acceptance and widespread industry adoption [233].

A summary of validation and deployment considerations is presented in Table 7.

In summary, while MTD offers promising avenues for enhancing Power CPS security, rigorous validation and thoughtful deployment planning are essential to ensure safe, effective, and scalable adoption. The final section will outline future research priorities and cross-sector collaboration opportunities to accelerate the transition of MTD from concept to practice.

8. Future Research Directions and Cross-Sector Collaboration

While MTD offers a transformative shift toward proactive, adaptive security for Power CPS, significant research and collaboration gaps remain. Addressing these gaps will require coordinated efforts across academia, industry, government, and standards bodies. This section outlines key research priorities, cross-sector collaboration pathways, and recommendations for operationalizing MTD at scale.

8.1. Theoretical and Practical Gaps in Multi-Domain MTD

8.1. Need for Unified Multi-Domain MTD Frameworks

Current MTD research remains largely fragmented, with most studies focusing on single domains—particularly the cyber layer—while neglecting the critical interdependencies that exist across physical, market, and human dimensions within Power CPS. This siloed approach limits the systemic effectiveness of MTD. Future research must therefore prioritize the development of holistic, cross-layer MTD frameworks capable of:

• Capturing and modeling interconnected dependencies among infrastructure layers.
• Balancing the often conflicting objectives of cybersecurity, grid reliability, and economic efficiency.
• Incorporating human-in-the-loop coordination to ensure the practical feasibility and operator acceptance of dynamic strategies.

Such integrated frameworks would provide a foundational architecture for designing, analyzing, and deploying MTD at system scale while maintaining operational resilience and regulatory compliance.

8.2. Formal Modeling of MTD Effectiveness and Trade-Offs

There is a pressing need for formal, quantitative models that can capture and evaluate the effectiveness of various MTD strategies under realistic constraints. These models should aim to:

• Characterize the evolution of attack surfaces as a function of deployed MTD techniques.
• Quantify security-performance trade-offs, evaluating how changes in configuration improve security while affecting system latency, cost, or service quality.
• Simulate adversarial adaptation dynamics, enabling defenders to anticipate how intelligent attackers may respond and evolve in the presence of moving targets.

Such rigorous modeling will support data-driven strategy design and provide the analytical backbone for comparative performance evaluations.

8.3. Standardization and Benchmarking of Resilience Metrics

At present, the absence of standardized metrics to evaluate the impact of MTD strategies remains a significant bottleneck. Research must focus on the development and consensus-building of resilience indicators, including:

• Core MTD effectiveness metrics, such as attacker resource cost, disruption potential, and exploit longevity.
• Benchmarking frameworks that enable comparative evaluations of different MTD architectures under standardized test scenarios.
• Performance baselines for various grid configurations and threat models to support reproducibility and cross-institutional comparison.

Establishing a standardized metric suite will be critical for guiding research, validating prototypes, and achieving regulatory recognition.

8.2. Integration with Regulatory and Market Frameworks

8.2.1. Challenges to Regulatory Acceptance

A significant obstacle to MTD deployment lies in its limited alignment with existing regulatory frameworks. Current standards, such as NERC CIP and IEC 62351, emphasize static controls and deterministic compliance measures. The lack of regulatory precedent for adaptive, dynamic defenses creates uncertainty and risk aversion among utility stakeholders, who may fear penalties for deviating from compliance norms—even if such deviations are motivated by improved security.

8.2.2. Policy Recommendations for Enabling MTD Adoption

• Collaborative Policy Development: Early engagement with regulators, utilities, and researchers is essential to co-develop MTD-specific guidelines that clarify acceptable practices, define boundaries, and integrate dynamic security into regulatory frameworks.
• Operational Demonstrations and Pilots: Field trials and sandbox demonstrations provide empirical evidence of MTD’s operational benefits and feasibility. These pilots can serve as reference models to inform policy and encourage incremental regulatory inclusion.
• Regulatory Sandbox Environments: Regulatory sandboxes allow utilities to test and refine MTD strategies in controlled, consequence-free settings, enabling iterative learning and reducing the risk of penalties while innovation occurs.

Together, these approaches offer a path toward regulatory transformation that both respects existing compliance structures and enables future-ready adaptive defense mechanisms.

8.3. Roadmap for Cross-Sector Implementation and Standardization

8.3.1. Multi-Stakeholder Collaboration Models

Realizing the full potential of MTD requires coordinated action across academia, industry, government, and standardization bodies. Key mechanisms include:

• Industry-Academic Consortia: Joint research centers that focus on applied MTD development, supported by utility testbeds and academic expertise.
• Public-Private Partnerships: Government-backed initiatives that fund operational MTD pilots and foster cross-sector knowledge transfer.
• Standards Development Organizations: Bodies such as IEEE, IEC, and NERC must be actively engaged to formalize MTD best practices, develop interoperable protocols, and define certification criteria.

8.3.2. Knowledge-Sharing Platforms and Open Innovation

• Threat Intelligence Sharing: Establishing secure, cross-sector platforms for disseminating information about emerging attack patterns, MTD case studies, and deployment lessons learned.
• Open-Source MTD Toolkits: Supporting community-driven development of reusable MTD components—such as simulation frameworks, playbooks, and orchestration engines—to lower adoption barriers and accelerate innovation.

8.3.3. International Cooperation and Grid Resilience Alignment

With energy systems increasingly operating across national and regional boundaries, MTD standardization must be globally coordinated. Key opportunities include:

• Alignment of Global Standards: Harmonizing MTD definitions, metrics, and compliance requirements across jurisdictions to support multinational grid operations.
• Cross-Border Resilience Programs: Joint development of transnational defense strategies for interconnected grids vulnerable to spillover effects from cross-border cyber or physical attacks.

8.4. Emerging Research Opportunities

8.4.1. AI-Driven MTD Strategy Optimization

Future research should prioritize the development of autonomous, intelligent agents capable of dynamically co-evolving MTD strategies in real time. These AI-driven systems must be able to integrate live threat intelligence feeds and system telemetry, enabling continuous situational awareness. Moreover, they should possess the ability to learn iteratively from both operator feedback and observed system responses, thereby refining their strategy selection over time. Optimization should consider multiple competing objectives—such as security effectiveness, operational cost, and system latency—to ensure that defense actions remain balanced and adaptive. Such real-time, context-aware AI agents will be crucial for maintaining robust and responsive defense postures in the face of evolving and sophisticated threats [234].

8.4.2. Behavioral MTD and Human Deception Engineering

While conventional MTD strategies primarily focus on introducing technical unpredictability, emerging research suggests promising directions in behavioral deception, targeting the human cognition of adversaries. This includes the strategic dissemination of misinformation to distort attacker reconnaissance and impair situational awareness. In parallel, deploying dynamic honeynets—configured as moving targets—can lure and analyze attacker behavior in real time, enhancing intelligence gathering while misleading adversaries. Additionally, psychological decoys can be used to manipulate attacker expectations about system topology or operational states. These techniques shift MTD from purely technical disruption to influencing the attacker’s decision-making processes, opening a novel and underexplored front in cyber-physical defense [235].

8.4.3. Federated MTD for Distributed Grids

As energy infrastructures become increasingly decentralized—with the rise of microgrids, DERs, and VPPs—there is a growing need for federated MTD frameworks. Such approaches involve distributed entities collaboratively learning and implementing defense strategies without sharing raw or sensitive data, preserving privacy while enhancing collective resilience. Federated learning architectures can enable these decentralized agents to co-train robust models against emerging threats [235–237]. Moreover, hierarchical coordination mechanisms will be essential to ensure consistency and synchronization of MTD actions across multi-layered control architectures, allowing local autonomy while maintaining global coherence in distributed grid environments.

8.4.4. Digital Twin-Enhanced Operator Training and Simulation

To ensure operators are well-prepared to manage increasingly dynamic and AI-augmented defense strategies, future research should focus on building immersive training and simulation platforms powered by high-fidelity digital twins. These environments can simulate realistic attack-defense scenarios across cyber, physical, and market layers, enabling operators to practice cross-domain coordination and real-time decision-making in a risk-free setting. Integration with AI systems will allow operators to refine their trust calibration and response behaviors under uncertainty, while enabling researchers to continuously assess and improve human-AI interaction dynamics. Ultimately, such platforms will serve as critical tools for capacity building, skill retention, and operational readiness in the face of adaptive threats [238].

A summary of future research and collaboration priorities is presented in Table 8.

In summary, realizing the full potential of MTD for Power CPS requires multi-disciplinary research, regulatory engagement, cross-sector collaboration, and international standardization efforts. The concluding section will synthesize these insights and call for a unified effort to operationalize proactive, dynamic, and adaptive grid security.

9. Conclusion

In response to the growing complexity and interdependence of Power CPS, this review has positioned MTD as a transformative paradigm that shifts security from static and reactive to dynamic and proactive. By systematically analyzing threat surfaces across cyber, physical, market, and human layers, we identified how fixed system configurations enable long-term attacker reconnaissance and exploitation. We proposed a multi-domain classification of MTD strategies—ranging from IP randomization and grid reconfiguration to adaptive market mechanisms—and emphasized the critical role of human-in-the-loop and AI-augmented orchestration in ensuring safe, explainable, and effective deployment. Moreover, we underscored the importance of digital twin-based validation, resilience metrics, and scalable deployment architecture to bridge the gap between theoretical innovation and operational feasibility.

Looking forward, the successful operationalization of MTD will depend on coordinated efforts across research, industry, regulation, and international collaboration. Future work must prioritize the development of unified, cross-layer MTD frameworks, formal modeling of dynamic defense trade-offs, and standardization of evaluation metrics. Regulatory adaptation—through sandbox environments, pilot demonstrations, and updated compliance models—will be essential for industry uptake. Meanwhile, emerging research frontiers such as AI-driven defense adaptation, behavioral deception engineering, federated MTD for distributed grids, and immersive digital twin training offer exciting opportunities to further enhance resilience. Ultimately, advancing MTD from concept to practice will be foundational for securing next-generation energy systems against persistent and adaptive threats in an increasingly uncertain cyber-physical landscape.