Everyone’s Talking VPPs—No One’s Talking Trust

Julian Durand is GM Intertrust Secure Systems and Chief Security Officer at Intertrust Technologies.

getty

The next phase of the energy transition is already underway.

Energy retailers are moving beyond simply supplying electricity to actively orchestrating distributed energy resources—residential batteries, EVs and smart devices—into what are known as virtual power plants (VPPs). These systems promise to transform scattered assets into coordinated, dispatchable infrastructure capable of participating in wholesale markets.

A recent example is Rhythm Energy’s push into residential battery aggregation in Texas, leveraging a platform built at scale in Australia and integrating interoperability technologies designed to connect heterogeneous devices.

But beneath the surface of this momentum lies a hard truth:

VPPs will not scale—not technically, not economically—without a foundational trust layer.​

The Illusion Of Connectivity

Today’s VPP architectures are built on a fragile assumption: that connectivity equals control. In reality, most distributed energy assets are managed through inconsistent OEM APIs, connected via brittle cloud-to-cloud integrations and governed by unclear or misaligned economic incentives.

Some vendors charge excessive fees, while others provide APIs with little long-term reliability. This creates a systemic risk. If you cannot reliably and securely communicate with an asset, you do not control it—you are merely hoping it behaves.​

The Real Bottleneck: Trust, Not Technology

The core challenge facing VPPs is not battery technology, AI optimization or market design. It is trust at scale. To function as a true grid resource, a VPP must answer the following in real time: Is this device authentic? Is this command authorized? Can this action be verified and audited later? Will this behavior remain consistent across vendors and over time?

Today’s architectures struggle to answer these questions consistently. Traditional approaches—including VPNs, TLS sessions and perimeter security—were not designed for millions of intermittently connected, heterogeneous edge devices operating across organizational boundaries. They secure connections. They do not secure intent.​

Why This Breaks The VPP Business Model

This lack of trust has direct economic consequences. When access to devices is uncertain or fragmented, integration costs rise dramatically, value chains become contested and revenue is captured by intermediaries rather than operators or customers.

In practice, some OEM models extract so much value just for connectivity that downstream participants are left hoping to break even. This is not a scaling problem—it is a structural flaw. Without a shared trust model, every integration becomes a bespoke negotiation, both technically and commercially.

The Missing Layer: Trust At The Message Level

What VPPs require is not more connectivity but a standardized trust fabric. That means shifting security from the network to the message, from implicit trust to explicit authorization and from vendor-specific integration to interoperable trust. Here, trust is enforced in a way that works across manufacturers without rebuilding security models from scratch for each new relationship.

In practical terms, this requires cryptographic identity for every device and system, fine-grained policy-driven authorization for every command and end-to-end attestation of data and actions.

Efforts such as the Trusted Energy Interoperability Alliance are beginning to define how such a framework can operate across the energy ecosystem, enabling devices and systems to participate in a common trust model regardless of manufacturer or platform.

From Distributed Assets To Grid-Grade Infrastructure

If VPPs are to evolve from experimental programs into critical infrastructure, they must meet a higher bar. They must become deterministic, meaning predictable and reliable enough to be counted on by grid operators. They must be auditable, provable for regulators and wholesale markets. And they must be truly interoperable, vendor-agnostic and scalable across jurisdictions and device types. Orchestration software alone cannot deliver this. It requires trust embedded into every interaction.​

The energy sector is at an inflection point, moving from centralized generation to distributed orchestration, from static infrastructure to dynamic software-defined systems and from implicit trust to continuous verification. In this new paradigm, the question is no longer whether devices can connect. It is whether they can be trusted to act.

Anyone building or investing in VPP platforms should evaluate their architectures not just on integration breadth but on trust depth: the degree to which every command, every data point and every device interaction is authorized, attested and auditable. That foundation is what separates a compelling pilot from grid-grade infrastructure.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?