At Celsia, we take cybersecurity seriously, which is why we work to mitigate the risk of attacks on operations.
GRI (3-3) Aligned with our Corporate Strategy, we prevent the leakage and adulteration of, and unauthorized access to, personal data. We also prevented the unavailability of critical cyber assets through a strategy that covers information security, personal data and cybersecurity, by guaranteeing the delivery of electric-power service in a safe, reliable manner.
GRI (3-3) (2-23) (2-24) (2-25) (2-29) At Celsia, we have elements that structure the Management Framework, of which we highlight the following practices, processes, instances and procedures:
- The ISO 27000, NIST Cybersecurity Framework, IEC 62443 and NERC CIP standards;
- The Responsibility Guide, issued by the Superintendency of Industry and Commerce; and
- The Cybersecurity Guide, issued by the National Operation Council for the Colombian Electricity Sector with Agreement 1502.
We have a Governance Model for Cybersecurity Management, made up of an interdisciplinary Cybersecurity Committee and coordinated by the Cybersecurity Leader, who ensures compliance with information security policies and guidelines, personal-data processing and cybersecurity.
- Cybersecurity Committee of the National Operation Council;
- Cybersecurity Committee of the Regional Integration Commission (CIER, in Spanish);
- Computer Security Incident Response Team (CSIRT);
- Smart Colombia;
- Critical Infrastructure Committee of the ICT Ministry;
- The Colombian Institute of Technical Standards (ICONTEC, in Spanish) AMI Table for interoperability and cybersecurity;
- Energy Mining-Planning Unit (UPME, in Spanish);
- The Grupo Argos Risk Committee; and
- The ICONTEC Standardization Work Tables for NTC 6079 standard.
- A Disaster-Recovery Plan for the Commercial System, Measurement Management Center and Advanced-Distribution Management System;
- Key projects and automatic inventory of critical cyber assets, identification of their vulnerabilities, threats and risk level;
- Control of access to intelligent electronic devices (IEDs);
- Perimeter security for the protection of critical cyber assets;
- Social-engineering campaigns to identify the position of employees regarding cyber risk; and
- Cybersecurity plans for wind, photovoltaic and hydraulic plants in Central America.
Principal Results in 2022
GRI (418-1) DJSI (1.8.4) (2-27) SASB IF-EU-550a.1. Our Own Indicator (Cybersecurity Gaps and Incidents). In the last four years, we have maintained an Indicator of zero (0) incidents on the IT Infrastructure, so we have not had to pay fines nor have we lost income.