by Eric Thibodeau, Hydro Quebec, Quebec, Canada
This column begins with a brief thought experiment: Picture yourself as a Professional Engineer working at a utility company who also serves as the vice-chair of a working group that recently issued an important revision of its standard. Imagine a manufacturer presenting his latest products at your workplace. This manufacturer states that this standard has been deprecated in favor of another. This would sure be an awkward moment. I suspect you feel annoyed. You are tempted to argue with the manufacturer about the standard status. This has happened to me about IEEE Std 1686 – Standard for Intelligent Electronic Devices (IEDs) Cybersecurity Capabilities.
IEEE 1686 is a standard that defines the functions and features to be provided in IEDs to accommodate cybersecurity programs, like required for compliance to NERC-CIP for example. It enumerates essential cybersecurity features such as access control, and event logging. Using the Table of Conformance (ToC) provided by the standard, manufacturers can easily communicate the cybersecurity features supported by their products, and utilities can quickly benchmark the product and assess whether it meets their needs. This ToC proves to be particularly valuable during Requests for Quotations (RFQs). The standard’s clarity and practicality make it a powerful tool during procurement process for IEDs.
Given these strengths, IEEE 1686 is not only alive and well – It should be thriving! However, as the opening example shows, it is sometimes overlooked by manufacturers and utilities.
Numerous cybersecurity standards and frameworks exist, many of which provide detailed guidance on implementing and utilising cybersecurity features. In contrast, IEEE 1686 remains at a higher level, which may feed the perception that it is outdated.
Nevertheless, IEEE 1686 serves as a complement to these other standards. While other standards focus on implementation details, IEEE 1686 can facilitate communication between manufacturers and users.
One of the most compelling validations of the standard came to me recently from a PSCC member reporting an interaction he had in the field. During a customer meeting focused on cybersecurity requirements for protection devices, he had to meet a seasoned cybersecurity expert who was evaluating risks associated with remote access. Feeling “grossly underqualified” for this discussion according to his words, this member asked its customer team whether they were familiar with IEEE 1686 – They were not. But after reviewing their in-house requirements and seeing how closely they aligned with the standard, he shared the document on-screen.
The response was immediate: “This is perfect,” one participant said. “Exactly what we need.” Before the meeting ended, the utility had purchased the standard from IEEE and expressed interest in using it to guide their evaluations. This kind of real-world impact is exactly what we aim for when developing standards. It shows that IEEE 1686 is not just theory—it is helping utilities make smarter, safer decisions.
None of this would be possible without the leadership and dedication of all the PSCC S1 Working Group members. This year, the S1 working group reviewing IEEE 1686 was recognized with the 2025 IEEE PES Award for Outstanding Standard of Guide. This is a tremendous honor for all of us that participated in this important milestone. I want to especially congratulate Marc Lacroix, who chaired the group during the development of the latest revision. Marc’s steady guidance was instrumental in shaping a standard that is both rigorous and usable.
With the unstoppable digitization of the power systems, the role of cybersecurity standards like IEEE 1686 will only grow. It allows utilities to evaluate IEDs with confidence, supports compliance, and fosters a culture of security. For those of us involved in its development, it is gratifying to see it making a difference in the field. And as we look ahead, I am excited to see how IEEE 1686 will continue to evolve and support the industry’s cybersecurity journey.
Biography:
Eric Thibodeau is an Automation Engineer at Hydro-Québec, in the Protection Expertise team. His prior experiences include being Product Manager for Protection products at Gentec, and Software Developer specialized in communication protocols at Eaton. He is involved in the activities of the IEEE Power System Communications and Cybersecurity Committee (PSCCC) and IEEE Power System Relaying and Control Committee (PSRCC). Formerly, he obtained its B.Ing. in Computer Engineering, as well as M.Sc.A. and Ph.D. degrees from Universite de Sherbrooke. While a graduate student, he was also a lecturer in this same institution about network protocols specification and design, network components and architecture as well as electronic power supply design. His main areas of expertise are TCP/IP networking, SCADA communication and cybersecurity, and digital protective relaying. He is a registered professional engineer in the Province of Quebec.
