CPFL Energia Secures Grid Operations

Mitigating the hurdles of OT security

Brazil’s second-largest power utility, CPFL Energia, has contributed to the nation’s urban development through power generation, distribution, and commercialization since 1912. Providing uninterrupted power supply to its 10.3 million customers is mission-critical for CPFL. Equally important is to maintain a robust security posture. Emerson Cardoso, Chief Information Security Officer at CPFL Energia, remarks, "Security at CPFL is non-negotiable. It is aligned with the company's strategy and supported by the board."

As the digitalization of CPFL’s power generation and distribution increased over time, it became a business imperative to secure its operational technology (OT) environment. "Our goal is to guarantee business and service continuity for our customers by proactively reducing risks for our IT and OT environments," says Cardoso.

CPFL has a geographically distributed presence. "We have four control centers, 466 distribution substations in the state of São Paulo, 154 in the state of Porto Alegre, in addition to 80 generation plants and 20 transmission substations spread across the southeast and south regions of Brazil," Cardoso explains.

Soon after joining CPFL, Cardoso recognized the stark differences in IT and OT security operations. He says, "When we detect vulnerability in a corporate-issued laptop, the IT team pushes software updates or quarantines the laptop. When we detect a similar vulnerability in OT assets, we cannot do that, or we risk shutting down power in an entire region."

Brazilian energy companies must comply with regulations from two government regulatory agencies: Agência Nacional de Energia Elétrica (ANEEL) and Operador Nacional do Sistema Elétrico (ONS). "Compliance is our biggest challenge," Cardoso remarks. "The regulations are always aimed at our operational environments, requiring an accurate inventory of devices at our substations."

Like many power grids, CPFL’s operational networks were deployed decades ago, and teams lacked visibility into what was connected in the substations. "Building a detailed inventory of connected devices in substations is another big challenge," says Cardoso. "We have hundreds of substations, some added through acquisitions. Every time I visited one to physically inspect devices and configurations, I had to get government approval that involved complex bureaucratic protocols."

Gaining visibility into OT assets and their security posture was crucial. CPFL also needed proactive security to mitigate vulnerabilities lurking in the OT networks as well as a plan to effectively contain and respond to cyber incidents. Cardoso explains, "The number of attacks on utility companies has increased in recent years. Improving operational resilience not only could ensure regulatory compliance but also could protect our OT environment for our customers, partners, employees, and the market."

Cardoso began looking for a solution to provide a granular view of CPFL’s substation sites, which are connected via low-bandwidth satellite links. "After evaluating multiple OT security vendors," he says, "we found Cisco’s solution to be the most suitable for securing distributed substations. Cisco’s OT visibility solution does not require sending massive volume of traffic over the WAN and is fully integrated with other security tools, making it simple to deploy an end-to-end solution."

Building a pragmatic OT security roadmap

With the Cisco team, Cardoso took a comprehensive approach to protect the CPFL infrastructure. "Our goal was to improve CPFL’s risk score numbers," says Cardoso. "As a first step, in each substation, we installed Cisco Catalyst IE3400 Rugged Series switches with Cisco Cyber Vision embedded in them."

"Cyber Vision automatically detects and profiles OT assets connected in our substations and identifies vulnerabilities and anomalies," says Cardoso. "Cyber Vision captures and decodes industrial application flows to build our asset inventory and inform us of our security posture. Since it’s embedded in the switch, there’s no need to source and install dedicated security appliances or to send industrial network flows to a central security platform using out-of-band networks."

An integral part of Cisco's security portfolio, Cyber Vision uses computing power offered by Cisco switches and routers to run deep packet inspection (DPI) of industrial traffic at the edge. Only the metadata (about 4% of all traffic processed) is sent to the Cyber Vision centers, which means CPFL could deploy Cyber Vision without adding capacity to the network connecting its substations together. Cardosa says, "Cisco Cyber Vision and Cisco industrial networking is the only solution on the market that allows power utilities to use their networks to drive cybersecurity compliance."

Cardosa adds, "When deploying the first set of Cyber Vision sensors, we noted a high volume of Server Message Block (SMB) traffic, which after further analysis pointed to infected devices in multiple substations, something we could immediately address."

A big challenge is that IT security tools do not decode OT protocols, making it difficult to manage security for OT assets. "Cyber Vision helped us overcome the challenge of integrating OT into our security operations center (SOC)," explains Cardoso. "Cyber Vision feeds our IT security tools and our security incident and event management (SIEM) platform with OT asset inventory and all OT security events. Our security analysts now have visibility across both IT and OT to act on the alerts, manage risks, and enforce security policies throughout our networks."

CPFL also implemented Cisco Secure Firewall to protect the OT environment from malicious IP traffic, restrict communications between sites, and avoid potential attacks to spread across the entire infrastructure. "We installed Cisco firewalls inside our MPLS network on the convergence point of presence (POPs) of our wireless radios to filter traffic from multiple substations," says Cardoso.

Benefiting from robust OT security

By deploying the Cisco industrial cybersecurity solution, CPFL was able to modernize and protect its grid network and reduce its attack surface. Cardoso remarks, "With Cyber Vision, we now have the visibility into our mission-critical OT networks as a first step to mitigate vulnerabilities and improve our security posture. Cyber Vision found more than 20 instances of malware in our substations and identified features and protocols that don’t need to be active."

Cisco Cyber Vision is also helping CPFL to drive OT security governance. It provides a risk score for each asset and an aggregated score per site or region. "Based on risk scores, we determine which assets need the most immediate attention so we can prioritize actions. With aggregated scores we can compare our regional sites and ensure we put resources where they are most needed," says Cardoso. "We carried out a study that shows proactively securing our environment helps us improve profitability and resilience. This is our ROI for adopting the Cisco industrial cybersecurity solution."

The Cisco solution gave CPFL not only the much-needed visibility for regulatory compliance but also an upgraded industrial network, with Cisco Catalyst IE3400 Rugged Series switches replacing CPFL’s outdated, unmanaged switches. Cardoso explains, "With Cisco’s security solution, while the IT team gained visibility into threats, the OT team gained insights into connected assets and operational issues. They can troubleshoot issues faster and improve operations resilience. Security is an enabler for us, not simply a cost."

Cardoso adds, "The Cisco industrial cybersecurity solution enables us to implement security governance in the OT environment and to have an incident response plan that we exercise periodically. And the greater visibility into our OT improved our threat response. All these outcomes made our services more resilient, reducing the risk of downtime while keeping us compliant with regulations."

In CPFL’s OT security journey, Cisco Cyber Vision and Cisco Secure Firewall along with threat intelligence from Talos have provided the initial foundation. To further mature its OT security practice, CPFL plans to implement Cisco Identity Services Engine (ISE) and Cisco XDR solutions. Cardoso says, "With ISE, we can implement micro-segmentation for better containment of threats in our industrial networks. With Cisco XDR, we can take more active defense measures. This will help us implement defense-in-depth security architecture, which is central to our OT security roadmap."

Cardoso concludes, "Our biggest challenge is remaining compliant while offering robust services with minimal downtime. We are confident Cisco is the ideal partner to help us reach this goal."