Brazil’s new grid security rules fueling tech investments by power firms

Bnamericas Published: Tuesday, July 26, 2022

New network security protocols imposed on generation and transmission companies by Brazil's national grid operator ONS are fueling an already growing market for cybersecurity and data protection in the power sector.

“In the last three or four years, with the expansion of industry 4.0, companies in the electricity sector have been modernizing their structures, especially regarding automation. But there is still much to be done. And with the new ONS requirements, that demand has increased even more,” Mario Lopes, commercial and alliance director at cybersecurity solutions integrator Secureway, told BNamericas.

The new ONS security protocols were established in April 2020, giving companies 18 to 27 months to adapt. The requirements include rules for virtual private networks (VPN), one-time passwords (OTP) and software updates, among others.

ONS also determined that companies must establish a position to oversee cybersecurity, in addition to creating a specific industrial security policy. This policy must encompass rules for communication with customers and ONS.

“The proposal seeks to establish the cybersecurity controls to be implemented in the agents’ operation centers, in the infrastructure equipment [responsible] for exchanging data between ONS and agents, in addition to the operator’s [ONS] own control rooms,” ONS said.

Details can be seen here, in Portuguese.

“Internally, we are also working to adapt our portfolio so that it is more in line with these new requirements, in addition to specific staff training,” Lopes said.

Secureway is focused on IT project architecture, especially network infrastructure and information security, and develops projects for mission-critical sectors.

Its main technological partner is Fortinet, a leader in technological security solutions for the power sector. According to Lopes, half the firewalls sold in Latin America are from Fortinet. Among Fortinet’s reported Brazilian clients is Neoenergia. 

Other solutions in Secureway's portfolio include those from Kaspersky, Sophos, Trend Micro and Veritas.


The new ONS rules apply to around 740 companies and their operations centers, substations, as well as generating and transmitting units, according to estimates by TI Safe, another firm focused on cybersecurity for mission-critical infrastructure.

TI Safe claims to have doubled in size and staff in 2021 in part because it invested to respond to the demand coming from ONS’ requirements. As part of these investments, the company expanded its security operations center (ICS-SOC) in Rio de Janeiro. 

Although the expansion was planned previously, TI Safe sped it up as it sought to be better positioned to help companies adapt and implement the new security rules. 

TI Safe also developed a product tailored to the requirements dubbed ONS Ready.

Clients reported by TI Safe in the Brazilian power sector include Cemig, Copel, Chesf, CTG Brasil, Enel, Energisa, Eletrobras, Light, Norte Energia, and Taesa.

“For an attack on the information technology (IT) network to reach the automation network (AT), it is enough to have no security in the AT. This will happen soon in Brazil. Cyber criminals are getting more and more sophisticated,” TI Safe CEO Marcelo Branquinho said in a post on the company’s website.

The number of cyberattacks in Latin America grew 600% year-over-year in 2021, according to Fortinet, as they get more diversified and increasingly target industrial sectors.

“We're going to see more and more attacks on critical structures, like the case of the Colonial pipeline in the US,” Kaspersky Latin America director Claudio Martinelli told BNamericas in June, referring to a ransomware attack against the US company last year that forced it to shut down operations.

Early this month, Mexico’s state-owned electric power utility CFE and national oil company Pemex reported potential data breaches and activated security protocols for such cases. CFE later said no critical data had been leaked.

TI Safe's Branquinho said that most of the infrastructure in the electricity sector involves facilities built 30 years ago that are now being digitized. He said there is a lack of skilled labor in the electricity market to tackle the cybersecurity crisis and that few companies have contingency plans.

“A ransomware attack can jeopardize the entire operating network (OT), impacting industrial control systems and Scada [supervisory control and data acquisition systems].”

Developed in the 1960s, Scada is a standard technology platform used worldwide in critical infrastructure. Connected to an operation monitoring and control center, it controls and collects data from sensors and instruments in remote network locations.


If, on the one hand, artificial intelligence (AI), robotics, machine learning and the internet of things (IoT), among others, have led to advances in terms of automation, they also increased companies’ exposure to cyber threats and risks.

“We are witnessing a surge in cybersecurity incidents in the power sector, which can have a major impact on society, lead to regulatory fines and significantly damage the reputation of companies, due to possible partial or total outages of services,” consultancy PwC said in a 2021 report on the Brazilian power sector and its network security readiness.

PwC supported ONS in designing the new security guidelines, drawing on cybersecurity projects it developed for the sector, knowledge of applicable frameworks and global benchmarking.

The company also has an advanced center for cybersecurity operations, which provides services for IT and OT environments supported by threat and vulnerability management capabilities and incident response. 

The center maintains alliance strategies and exchanges intelligence with other PwC centers that monitor critical aspects of the electricity sector in Israel, Canada and the US, PwC said.

The company recommends that power companies implement a range of cybersecurity actions, including mapping critical assets, setting guidelines for mission-critical environments, and having access control, asset inventory, and programs for identification, analysis, treatment and mitigation of risks.
