Cyberattacks on electric power utilities are on the rise. From 2020 to 2022, weekly attacks more than doubled. An attack that exploits a vulnerability in intelligent electronic devices (IEDs) like power distribution units, relay, and circuit breakers can turn off the lights in a neighborhood or entire city. On the surface, it seems simple enough to remediate vulnerabilities as soon as they’re reported—for example, by upgrading firmware. Fact is, detecting and remediating vulnerabilities in operational technology (OT) poses a supersized challenge for utilities.

Take CPFL Energia, a Brazilian utility with 10.3 million customers. CPFL wanted to boost the security posture at its 600+ distribution substations, where high-voltage electricity is transformed to lower voltage for distribution to homes and businesses. The roadblock? You can’t secure what you can’t see, and CPFL’s operations team was in the dark about exactly what IEDs were deployed in substations. Just setting foot in a substation in Brazil requires a lengthy approval process, so some substations hadn’t been visited for months. OT visibility became urgent In 2021, when national grid operator ONS required utilities to conduct a cybersecurity vulnerability assessment.

Operations and IT teams join forces

The utility’s operations team knew it didn’t have cybersecurity know-how to assess and mitigate risk. The IT team had the cybersecurity know-how but didn’t understand the finer points of substation operations, like which industrial protocols could be blocked to shrink the attack surface. So, operations and IT decided to team up, pooling their strengths. The IT team saw the OT security project as an opportunity to meet another longstanding goal—upgrading the aging switches at substations to take advantage of advances like power over ethernet (PoE) and management automation.

OT visibility and switching in one box, with Cisco industrial switches

CPFL accomplished both goals—vulnerability assessment and network modernization—with one solution, Cisco industrial switches. Included on the switches is Cisco Cyber Vision, a software which automatically identifies all industrial and IT assets connected to the network, including detailed characteristics and communication activities. The two-in-one solution is much simpler and less costly than CPFL’s other alternatives: buying separate visibility appliance for each substation or else replicating network traffic to a control center with a centralized visibility appliance. Cisco’s industrial switches meet utilities’ stringent requirements, including the ability to withstand harsh environments, IEC 61850 certification to operate in high-voltage environments, and support for industrial protocols like DNP3 and Modbus TCP/IP.

Immediate payoff: 20 malware infections discovered

Today every transmission and distribution substation has been upgraded to Cisco Catalyst IE3400 Rugged Series switches with built-in Cyber Vision. With a glance at the Cyber Vision console, CPFL’s operations team can view a detailed inventory of all connected IEDs and workstations, including their software vulnerabilities.

“Right away Cyber Vision identified more than 20 cases of malware in the OT network, as well as many unneeded communication activities and protocols we could shut down to reduce the attack surface,” said Emerson Cardoso, CPFL’s chief information security officer. “We now have visibility into our critical grid network, the first step toward mitigating vulnerabilities and improving our security posture.”

Real-time alerts: the ones that count

CPFL’s security analysts now receive real-time alerts about critical events because CPFL integrated Cyber Vision with its security information and event management (SIEM) system. To avoid alert fatigue and make sure critical events are addressed quickly, the IT and OT teams worked together to define 20 types of security events that generate alerts. “Cyber Vision helped us overcome the challenge of integrating OT into our security operations center (SOC),” explains Cardoso. “Our security analysts now have visibility across both IT and OT to act on the alerts, manage risks, and enforce security policies throughout our networks.”

While deploying the new Cisco industrial switches, CPFL also deployed Cisco Secure Firewalls to filter industrial network traffic between substations and control centers. This gave IT the ability to contain malicious activities and avoid threats to spread to the entire infrastructure in the case a breach occurs.

Award-winning project benefiting operations, IT, and customers

With its new Cisco industrial switches, Cyber Vision, and Cisco firewalls, CPFL solved multiple challenges that utilities have struggled with for years. Operations teams gained visibility into grid assets and complied with a new regulation for vulnerability assessment and risk management. IT modernized substation networks and can monitor and contain threats to transmission and distribution operations.

The Brazilian cybersecurity community has taken note, recognizing CPFL and Emerson Cardoso as National Security Leaders of 2023. The award calls out CPFL’s comprehensive approach to cybersecurity and effective collaboration between OT and IT. In Cardoso’s words, “Having robust cybersecurity protections not only helps mitigate risks and protect our employees, it also ensures we can better serve our customers.”

Read the full case study here.

Learn more


Fabien Maisl

Senior Marketing Manager, IoT Security

Cisco Internet of Things (IoT)