At Celsia, we take cybersecurity seriously, which is why we work to mitigate the risk of attacks on operations.
GRI (3-3) Aligned with our Corporate Strategy, we work to prevent the leakage and alteration of, and unauthorized access to, personal data, and to prevent the unavailability of critical cyber assets, through a strategy that covers information security, personal-data protection and cybersecurity, so as to guarantee the delivery of electric-power service in a safe, reliable manner.
Our Management
GRI (3-3) (2-23) (2-24) (2-25) (2-29) At Celsia, the Management Framework is structured by a set of elements, of which we highlight the following practices, processes, bodies and procedures:
- We execute our Strategy through a management model built on good practices in the sector, such as:
- The ISO 27000 series, the NIST Cybersecurity Framework, IEC 62443 and the NERC CIP standards;
- The Accountability Guide, issued by the Superintendency of Industry and Commerce; and
- The Cybersecurity Guide, issued by the National Operation Council for the Colombian electricity sector through Agreement 1502.
- We have a Governance Model for Cybersecurity Management, made up of an interdisciplinary Cybersecurity Committee and coordinated by the Cybersecurity Leader, who ensures compliance with the policies and guidelines on information security, personal-data processing and cybersecurity.
- We have a Security Operations Center, a Cybersecurity Committee and a Technology-Risk Committee.
- From the Security Operations Center we monitor, 24x7x365, the databases that contain personal data, the critical cyber assets and the Information and Communication Technologies (ICT) infrastructure.
- Through ethical hacking and with the support of cybersecurity tools, we carry out continuous vulnerability management; findings are reported by the Security Operations Center, and their results, scope and associated corrective actions are reviewed monthly.
- We participate in different inter-institutional forums in Colombia, such as:
- The Cybersecurity Committee of the National Operation Council;
- The Cybersecurity Committee of the Regional Energy Integration Commission (CIER, in Spanish);
- The Computer Security Incident Response Team (CSIRT);
- Smart Colombia;
- The Critical Infrastructure Committee of the ICT Ministry;
- The Colombian Institute of Technical Standards (ICONTEC, in Spanish) AMI working table on interoperability and cybersecurity;
- The Mining and Energy Planning Unit (UPME, in Spanish);
- The Grupo Argos Risk Committee; and
- The ICONTEC standardization working tables for the NTC 6079 standard.
- We manage the risk of a cyberattack through:
- A Disaster-Recovery Plan for the Commercial System, the Measurement Management Center and the Advanced Distribution Management System;
- Key projects, together with an automatic inventory of critical cyber assets and the identification of their vulnerabilities, threats and risk level;
- Access control for intelligent electronic devices (IEDs);
- Perimeter security for the protection of critical cyber assets;
- Social-engineering campaigns to assess employees' stance toward cyber risk; and
- Cybersecurity plans for the wind, photovoltaic and hydraulic plants in Central America.
Cybersecurity Governance
Principal Results in 2022
GRI (3-3)
We applied the concept of Cybersecurity by Design, accompanying different company projects, for example:
- Digital Network: The digitalization of our network to incorporate benefits such as real-time monitoring and faster identification of, and response to, interruptions.
- Advanced Distribution Management System (ADMS) Phase II: The integration of the ADMS with corporate and business systems.
- Advanced Metering Infrastructure (AMI): Smart meters.
We conducted ethical hacking of the Salvajina, Alto Anchicayá, Bajo Anchicayá and Hidroprado plants, the Comayagua solar plant, the Comuneros 250 kV, Juanchito 230 kV, Valledupar, Cartago 230/115 kV, Sahagún, Termoyumbo 115 kV and Lanceros 115 kV substations, Internet Tolima and EnerBit.
We carried out an automatic inventory of critical cyber assets, identifying their vulnerabilities, threats and risk levels.
We implemented access control for Intelligent Electronic Devices (IEDs).
We documented the records required by Agreement 1502 of the National Operation Council.
We ran social-engineering campaigns to identify the position of employees in the face of cyber risk.
We prepared a cyber-crisis playbook and ran a simulation for managers.
We documented the Recovery Plans for technology, generation, transmission and distribution cyber assets.
We tested the recovery plans for Sphere and the Measurement Management Center (CGM, in Spanish).
In Central America, we extended Security Operations Center (SOC) monitoring to the cyber assets of the Comayagua plant.
We developed the methodology to quantify cyber risks.
We implemented the Cybersecurity Dashboard (Balanced Scorecard).
We incorporated cyber-intelligence capabilities into the SOC.
We prepared the application for Forum of Incident Response and Security Teams (FIRST) membership.
GRI (418-1) DJSI (1.8.4) (2-27) SASB IF-EU-550a.1. Our Own Indicator (Cybersecurity Gaps and Incidents). Over the last four years, we have kept this indicator at zero (0) incidents on the IT infrastructure, and consequently we have paid no fines and lost no income.
GRI (3-3) Short-, Medium- and Long-Term Objectives:
Short Term(0 to 2 years)
- Move from the Defined to the Managed Maturity Level.
- Close the gaps reported by Audit for the implementation of the National Operations Council (CNO, in Spanish) Cybersecurity Guide.
- Calibrate cybersecurity controls in the SOC.
- Implement ISO 27000 good practices in the Measurement Management Center (CGM, in Spanish) processes.
- Apply for Forum of Incident Response and Security Teams (FIRST) membership.
- Carry out a cyber-crisis drill with the Steering Committee and primary groups by business.
- Advance the risk management of Tolima's cyber assets through automatic inventory and the identification of vulnerabilities, threats and risk level.
- Develop social-engineering campaigns to assess employees' stance toward cyber risk.
- Strengthen the analytical, intelligence and automation capabilities of the Security Operations Center (SOC).
- Continue with cyber-intelligence training.
- Acquire security orchestration, automation, and response (SOAR) capabilities in the SOC.
- Close gender-equity gaps.
Medium Term(3 to 5 years)
- Maintain the Managed Maturity Level.
- Acquire deception-technology capabilities to learn attackers' tactics, techniques and procedures.
Long Term(6 or more years)
- Maintain a Managed level of cybersecurity maturity, following good practices such as ISO 27000, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the North American Electric Reliability Corporation (NERC) CIP standards, IEC 62443 and IEC 62351, and FIRST membership for the SOC, in compliance with the Cybersecurity Agreements of the National Operations Council (CNO, in Spanish).
Information Security / Cybersecurity: The protection of the computer infrastructure and everything related to it, especially information.
Cyberattack: An attempt to expose, alter, destabilize, destroy or gain unauthorized access to a computer asset.
Ethical Hacking: Authorized tests carried out on networks and systems by people with computing and security knowledge to find vulnerabilities, report them and enable corrective measures.
Social-Engineering Campaigns: They seek to make employees aware of the manipulations used to gain access to information improperly.
Intelligent Electronic Devices (IEDs): Microprocessor-based control and protection equipment embedded in electrical systems and used in switchgear, transformers and other apparatus.
Cybersecurity by Design: This introduces agile security controls that can adapt to changing digital environments; it is based on an understanding of the threat landscape, people, scalability, and speed.
Maturity Level: An evolutionary plateau toward the achievement of a mature process; each maturity level provides a layer of the foundation for continuous process improvement. Under this framework:
- Defined Maturity Level: A policy and procedures are published in the Quality System, and employees and interested parties know them.
- Managed Maturity Level: In addition to the characteristics of the Defined Maturity Level, there are indicators with monitoring and continuous-improvement plans.