From Cryptic Packets to Crystal-Clear Stories: How JPEmbedded deployed ML and LLM for Smart Grids cybersecurity

Introduction: The Invisible Threat to Critical Infrastructure

In an era where power grids have become the crown jewels of cyber adversaries, the energy sector now tops the charts as the most besieged critical infrastructure worldwide. According to reports from CERT Poland and other national cybersecurity centers, no other industry suffers a higher volume of sophisticated attacks. This threat is no longer creeping; it is surging at breakneck speed, fueled by the lightning-fast digital transformation of energy systems, the rise of decentralized grids, and the explosive growth of distributed energy resources (DERs): solar plants, wind farms, battery storage, and millions of electric vehicle charging stations weaving themselves into the fabric of the network. In this hyper-connected landscape, a single compromised device can trigger a domino effect, plunging entire regions into darkness and disrupting one of society’s most vital lifelines.

Regrettably, legacy Operational Technology (OT) security solutions, often repurposed from general industrial environments, are like bringing a knife to a gunfight. They were never designed to decipher the rich alphabet of proprietary and legacy communication protocols that pulse through substations and power plants. As a result, even the most advanced traditional defenses remain completely blind to stealthy, surgically precise attacks: malicious commands cunningly disguised within perfectly legitimate, standards-compliant protocol frames (think of an attacker quietly slipping a “trip the breaker” order into what looks, to the untrained eye, like routine traffic).

To address this critical vulnerability head-on, JPEmbedded is proud to present the first working demonstration (Minimum Viable Product) of its innovative Programmable Communication Platform purpose-built for tomorrow’s Intelligent Smart Energy networks (ISE). The platform seamlessly integrates two powerful pillars:

  • a robust Communication Module that delivers future-proof, secure, and highly adaptable connectivity while fully embracing the IEC 62351 cybersecurity standard;
  • a state-of-the-art Analytical Module powered by tailored artificial intelligence and machine-learning engines that continuously monitor network traffic, instantly spotting anomalies and zero-day threats in real time.

The Demo: Packet Deep-Dive and LLM Contextualization

At Enlit 2025 in Bilbao, JPEmbedded proudly unveiled the first public demonstration of its Intelligent Security Platform (ISP) – a powerful, interactive showcase of how cutting-edge Artificial Intelligence, fused with decades of deep OT protocol expertise, can unmask the stealthiest cyber threats that traditional solutions simply cannot see. Visitors experienced the full end-to-end journey in real time: from raw, cryptic network packets captured on the wire, through sophisticated AI-driven anomaly detection, all the way to crystal-clear, fully contextualised incident reports automatically generated by integrated Large Language Models (LLMs). What was once a hidden, highly technical process is now presented as an intuitive, actionable narrative – turning complex cyberattacks into stories that every operator, engineer, and manager can instantly understand and act upon.

Step 1: Initialization and Protocol Specialization

The demo begins with a protocol selection, immediately highlighting the platform’s core differentiator: its sole dedication to the energy sector. The user can select the specific communication protocol they wish to analyze, choosing from GOOSE (IEC 61850), IEC 60870-5-104, and DNP3.

Next, the user selects one of three predefined, realistic threat scenarios. These scenarios are not generic; they were developed in collaboration with cybersecurity experts (pentesters) and accurately reflect known attack methods specific to the energy industry, such as simulating False Data Injection or an attempt at internal sabotage. This step instantly proves that the JPEmbedded Platform speaks the language of the operator’s network.

Step 2: Real-Time AI Analysis and Deep Packet Inspection (DPI)

The platform’s core innovation is showcased when the analysis is started. The JPEmbedded Analytical Module does not rely on traditional L3/L4 packet inspection, which for GOOSE would have nothing to work with: GOOSE frames are published directly over Ethernet, with no IP or TCP/UDP header for a conventional inspector to match on. Instead, it performs Deep Packet Inspection (DPI) dedicated to energy protocols.

This means the system unpacks, interprets, and analyzes the content of the frame. Within a GOOSE message, for instance, it verifies not only the source address but also the data values being transmitted (such as a trip signal), the state and sequence numbers that accompany them, and whether that command makes sense within the current operational context. This content-level analysis is one of the most significant innovations of the project: it catches the injection of harmful values inside a frame that is otherwise well-formed and standards-compliant, which a syntax-only check would wave through.
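The content-level checks described above, as an added example that is not JPEmbedded’s code: a minimal GOOSE encoder/decoder (Ethernet header with optional 802.1Q tag, APPID/length, BER-encoded goosePdu) feeding a stateful inspector that checks the publisher’s source MAC against an allowlist, the stNum/sqNum continuity rules of IEC 61850-8-1, the simulation flag, and whether a trip value is plausible in context. The control-block name, the two-entry dataset (trip and pickup booleans), the MAC allowlist and the rule “a trip is only plausible after protection pickup” are constructed assumptions for this illustration, not the platform’s actual models or rules.

```python
"""Added example (not JPEmbedded's code): content-level GOOSE inspection on constructed frames."""
import struct
from typing import Any

GOOSE_ETHERTYPE, VLAN_TAG = 0x88B8, 0x8100
FIELDS = {0x80: "gocbRef", 0x81: "timeAllowedtoLive", 0x82: "datSet", 0x83: "goID", 0x84: "t",
          0x85: "stNum", 0x86: "sqNum", 0x87: "simulation", 0x88: "confRev", 0x89: "ndsCom",
          0x8A: "numDatSetEntries", 0xAB: "allData"}
INT_TAGS, BOOL_TAGS = (0x81, 0x85, 0x86, 0x88, 0x8A), (0x87, 0x89)

# --- minimal BER: definite length, short and long form --------------------------------
def ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(v: int) -> bytes:  # two's-complement INTEGER content octets
    return v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True)

def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:  # long form: the next (first & 0x7F) octets hold the length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

# --- constructed publisher: dataset = [trip BOOLEAN, pickup BOOLEAN] -------------------
def build_goose(src_mac: bytes, gocb: str, st: int, sq: int, trip: bool, pickup: bool,
                simulation: bool = False, appid: int = 0x0001) -> bytes:
    flag = lambda x: tlv(0x83, b"\x01" if x else b"\x00")
    pdu = (tlv(0x80, gocb.encode()) + tlv(0x81, ber_int(2000)) + tlv(0x82, b"PROT1LD0/LLN0$TripDS")
           + tlv(0x83, b"PROT1_GOOSE") + tlv(0x84, bytes(8)) + tlv(0x85, ber_int(st))
           + tlv(0x86, ber_int(sq)) + tlv(0x87, b"\x01" if simulation else b"\x00")
           + tlv(0x88, ber_int(1)) + tlv(0x89, b"\x00") + tlv(0x8A, ber_int(2))
           + tlv(0xAB, flag(trip) + flag(pickup)))
    apdu = tlv(0x61, pdu)  # goosePdu is [APPLICATION 1], constructed
    hdr = struct.pack("!HHHH", appid, 8 + len(apdu), 0, 0)  # APPID, length, reserved1, reserved2
    return bytes.fromhex("010ccd010001") + src_mac + struct.pack("!H", GOOSE_ETHERTYPE) + hdr + apdu

# --- decoder: Ethernet (+ optional 802.1Q) -> GOOSE header -> goosePdu fields ----------
def parse_goose(frame: bytes) -> dict[str, Any]:
    pos, ethertype = 12, struct.unpack_from("!H", frame, 12)[0]
    if ethertype == VLAN_TAG:
        pos, ethertype = 16, struct.unpack_from("!H", frame, 16)[0]
    if ethertype != GOOSE_ETHERTYPE:
        raise ValueError("not a GOOSE frame")
    appid = struct.unpack_from("!H", frame, pos + 2)[0]
    tag, pdu, _ = read_tlv(frame, pos + 10)  # skip ethertype, APPID, length, two reserved words
    if tag != 0x61:
        raise ValueError("goosePdu tag missing")
    g: dict[str, Any] = {"src_mac": frame[6:12].hex(":"), "appid": appid}
    p = 0
    while p < len(pdu):
        tag, val, p = read_tlv(pdu, p)
        name = FIELDS.get(tag, f"tag_{tag:02x}")
        if tag in INT_TAGS:
            g[name] = int.from_bytes(val, "big", signed=True)
        elif tag in BOOL_TAGS:
            g[name] = val != b"\x00"
        elif tag == 0xAB:  # allData: decode BOOLEAN / INTEGER / UNSIGNED members, keep others as hex
            g[name], q = [], 0
            while q < len(val):
                t, v, q = read_tlv(val, q)
                g[name].append(v != b"\x00" if t == 0x83 else
                               int.from_bytes(v, "big", signed=(t == 0x85)) if t in (0x85, 0x86) else v.hex())
        else:
            g[name] = val.hex() if tag == 0x84 else val.decode("ascii", "replace")
    return g

# --- stateful content checks: who publishes, sequence continuity, command context -----
class GooseInspector:
    def __init__(self, publishers: dict[str, str]):
        self.publishers = publishers                 # gocbRef -> allow-listed source MAC (constructed)
        self.last: dict[str, tuple[int, int]] = {}   # gocbRef -> last accepted (stNum, sqNum)

    def inspect(self, frame: bytes) -> list[str]:
        g, findings = parse_goose(frame), []
        gocb, st, sq = g["gocbRef"], g["stNum"], g["sqNum"]
        expected = self.publishers.get(gocb)
        spoofed = expected is None or g["src_mac"] != expected
        if spoofed:
            findings.append(f"publisher mismatch: {g['src_mac']} sent {gocb}, expected {expected}")
        if g["simulation"]:
            findings.append("simulation flag set on production traffic")
        if gocb in self.last:  # IEC 61850-8-1: stNum increments on a state change and sqNum restarts at 0
            lst, lsq = self.last[gocb]
            if (st, sq) <= (lst, lsq):
                findings.append(f"replayed/out-of-order frame stNum={st} sqNum={sq} (last {lst}/{lsq})")
            elif st > lst and sq != 0:
                findings.append(f"stNum advanced to {st} without sqNum reset")
        if not spoofed and (st, sq) > self.last.get(gocb, (-1, -1)):
            self.last[gocb] = (st, sq)   # never let a spoofed frame move the accepted sequence forward
        trip, pickup = g["allData"][:2]  # constructed context rule: a trip is only plausible after pickup
        if trip and not pickup:
            findings.append("trip asserted while protection pickup is clear (out of operational context)")
        return findings

GOCB, LEGIT, ROGUE = "PROT1LD0/LLN0$GO$TripGcb", bytes.fromhex("001122334455"), bytes.fromhex("deadbeef0001")

def run_demo() -> list[list[str]]:
    """Constructed traffic: steady-state retransmissions, an injected trip, a replay, a genuine trip."""
    insp = GooseInspector({GOCB: "00:11:22:33:44:55"})
    frames = [build_goose(LEGIT, GOCB, 7, 3, trip=False, pickup=False),
              build_goose(LEGIT, GOCB, 7, 4, trip=False, pickup=False),
              build_goose(ROGUE, GOCB, 8, 0, trip=True, pickup=False),   # well-formed, wrong source, no pickup
              build_goose(LEGIT, GOCB, 7, 2, trip=False, pickup=False),  # older frame replayed
              build_goose(LEGIT, GOCB, 8, 0, trip=True, pickup=True)]    # legitimate trip after pickup
    return [insp.inspect(f) for f in frames]

if __name__ == "__main__":
    for i, f in enumerate(run_demo(), 1):
        print(f"frame {i}: {f or 'clean'}")
```

The injected frame in `run_demo` passes every syntactic check (valid Ethertype, lengths, tags, and a sequence that continues correctly), which is exactly why a field-level decoder and per-control-block state are needed to flag it. Real deployments would replace the constructed allowlist and context rule with the learned models the page describes and would add timing checks against timeAllowedtoLive.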

Powering this process are two specialised neural networks and advanced hybrid models (such as combinations of LSTM and CNN). These models were trained on unique datasets derived from real communication traffic in energy networks, ensuring a high detection rate and minimising false positives, a common weakness of solutions trained on generic industrial data. The system classifies traffic, separating normal behavioural patterns from anomalies and malicious incidents.

To make the decisions of the deep-learning classifiers easier to grasp, the platform complements raw probability scores with visual diagnostics based on Principal Component Analysis (PCA). By projecting the high-dimensional feature representations extracted from the neural network onto a 2D or 3D space, PCA exposes the structure of the analysed traffic at a glance: legitimate protocol exchanges cluster tightly together, while malicious injections appear as outliers, often forming their own distinct islands away from the benign cloud. This visualisation serves several purposes: it lets operators see why a given packet was flagged, accelerates model validation and fine-tuning during deployment, builds trust through transparency, and gives forensic teams an intuitive starting point for investigating incidents. One caveat for practitioners: PCA is a linear projection of the learned features, so the picture is a diagnostic aid rather than the detector itself; the classifier’s verdict, not the plot, is what triggers an alert. In short, what might otherwise remain an inscrutable “black-box” verdict becomes an interpretable map of the network’s cyber health.

Step 3: Incident Contextualization by LLM – From Data to Actionable Intelligence

The most groundbreaking aspect of the demo is the interpretation of the identified anomaly using a Large Language Model (LLM).

When the ML/DL system classifies a sample as a threat, a translation step follows. The LLM receives the following data:

  • information about the identified anomaly (the decoded protocol fields and the classifier’s verdict);
  • a system prompt describing the protocol in question, the role the LLM is to play, and the expected output format;
  • a user prompt with the instruction describing the task (anomaly analysis).

Note that the LLM does not decide whether the traffic is malicious; that verdict comes from the classifiers, and the model’s job is to explain it. Because string fields decoded from the wire (control-block references, dataset names) are attacker-controlled, they belong in the prompt as data to be described, not as instructions to be followed.

The LLM functions as a “digital security analyst.” Instead of presenting the operator with a technical log of a packet error, it generates a comprehensive, ready-to-act incident analysis. This report includes an executive summary of the detected attack, a detailed analysis of the log files, and recommended immediate remedies as well as long-term fixes. An example of the LLM’s output reads like this:

This combination of technical depth (DPI/ML) and analytical readability (LLM) drastically reduces the Mean Time To Respond (MTTR) for the operator, transforming a complex technical alert into actionable business intelligence.

Towards a Self-Learning Grid

Beyond delivering robust cybersecurity, the JPEmbedded Platform dramatically reduces the risk of cascading failures while boosting the overall resilience and reliability of the power grid. It grants operators an unprecedented level of real-time visibility and proactive protection, decisively shifting OT security from a firefighting mindset to genuine threat anticipation. At the same time, standardised and secure data access paves the way for streamlined processes, smarter decision-making, and tangible cost savings.

Looking ahead, our vision is a living, ever-evolving defence that grows stronger with every new challenge it encounters. A cornerstone of this future is Federated Learning (FL), an approach well suited to the distributed nature of modern energy networks. Instead of centralising sensitive operational data (which is often impossible due to privacy, regulatory, and bandwidth constraints), edge devices and gateways deployed across different Distribution System Operators (DSOs) train and refine AI models locally. They then securely exchange only the refined model updates, never the raw data itself (model updates can still leak information about the local training data, so in practice the exchange is combined with secure aggregation or similar protections). This way, every node learns the latest threat patterns, from stealthy protocol-level attacks to emerging anomaly signatures, while collectively sharpening the global detection capability. The result is a self-improving digital immune system: threats discovered in one corner of the grid strengthen defences everywhere else, forging a collective, adaptive security shield that keeps pace with attackers without compromising operational privacy or sovereignty.

Ready to strengthen your power system’s defenses? Contact us to see the demo in action.

The demo is part of a broader research and development initiative funded under the European Funds for a Modern Economy (FENG) program.

About JPEmbedded
JPEmbedded, headquartered in Kraków, Poland, delivers advanced communication and cybersecurity solutions for power systems and industrial networks. The company’s portfolio includes IEC 61850, DNP3, ICCP/TASE.2, and IEC 60870-5-10x protocol stacks; IEC 62351–compliant cybersecurity; secure communication gateways; and custom embedded software for smart grids and industrial automation. Since 2006, JPEmbedded has helped power and automation manufacturers improve interoperability, reliability, and security in critical infrastructure worldwide.
