Energy that transforms

Integrated Report 2021

Strategic Framework

Cybersecurity

At Celsia, we have a strategy that integrates information security, personal-data protection and cybersecurity.

GRI (103-1) Aligned with our Corporate Objectives, at Celsia we permanently seek to guarantee the reliable, safe delivery of the electrical energy service. To achieve this, we have a strategy that integrates information security, personal-data protection and cybersecurity.

GRI (103-2) To manage this issue, at Celsia we have different elements that structure the management framework. Within this, we highlight the following practices, processes, bodies and procedures.

We execute our Strategy through a Management Model that we have built on good practices in the sector, such as:

  • The ISO 27000 series of standards, the NIST Cybersecurity Framework, the IEC 62443 framework and the NERC CIP standards.
  • The Accountability Guide issued by the Superintendency of Industry and Commerce.
  • The Cybersecurity Guide issued by the National Operation Council for the Colombian electricity sector through Agreement 1502.

We have a Governance Model for Cybersecurity Management, made up of an interdisciplinary Cybersecurity Committee and coordinated by the Cybersecurity Leader, who ensures compliance with the policies and guidelines on information security, the processing of personal data and cybersecurity.

We have a Security Operations Center, a Cybersecurity Committee and a Technology-Risk Committee.

From the Security Operations Center we monitor, 24x7x365, the databases that contain personal data, the critical cyber assets and the ICT infrastructure.

Through ethical hacking and with the support of cybersecurity tools, we conduct permanent vulnerability management, which is reported by the Security Operations Center. Its results and scope, together with the associated corrective actions, are reviewed monthly.

We participated in several inter-institutional forums led from Colombia, such as:

  • The Cybersecurity Committee of the National Operation Council.
  • The Critical Infrastructure Committee, led by the Joint Cyber Command of the Ministry of Defense.
  • The ICONTEC AMI Table for inter-operability and cybersecurity.
  • The Mining – Energy Planning Unit.
  • The Grupo Argos Risk Committee.

We monitored information security through:

  • The Disaster Recovery Plans of the Commercial System, the Measurement Management Center and the Advanced Distribution Management System.
  • Key projects and automatic inventory of critical cyber assets, identification of their vulnerabilities, threats and risk level.
  • Access control to Intelligent Electronic Devices (IEDs).
  • Perimeter security for the protection of critical cyber assets.
  • Social-engineering campaigns to identify the position of employees regarding cyber risk.
  • Cybersecurity Plans for the wind, photovoltaic and hydraulic plants in Central America.

DJSI (1.8.1) GRI (102-20, 102-19) The Board of Directors and the Steering Committee are actively involved in defining the Cybersecurity Strategy and in its monitoring and review. In accordance with the Code of Good Governance, the Board of Directors has defined an Audit, Finance and Risk Committee, in which members of the Board of Directors, of Audit and of the Steering Committee participate.


One of the functions of this Committee is to review and evaluate risk management and propose the improvements it deems necessary, so that it promotes the configuration of a risk profile in accordance with the Company's Strategic Objectives. It meets quarterly or when necessary. The people primarily responsible for supervising the Cybersecurity Strategy on the Board of Directors are María Fernanda Mejía, David Yanovich and Alejandro Piedrahíta.


Within this framework, and taking into account that cybersecurity is one of the main risks that Celsia faces, the Committee supervises the management carried out by the Administration to implement the Cybersecurity Strategy, which is formulated by the Cybersecurity Leader. On the Steering Committee, the person in charge of presenting the cybersecurity program and its progress is the Technology Leader.


To strengthen the knowledge of the members of the Board of Directors and the Steering Committee, they took the Universidad de los Andes certified course Cybersecurity for Executives, in which leaders of the teams that manage the issue also participated.

GRI (103-3)

We applied the concept of cybersecurity by design, accompanying different Company projects, for example:

  • The Advanced Vision Operations Center (NOVA, in Spanish): the monitoring and supervision center for the entire electrical network and the new businesses.
  • AMI: Advanced Metering Infrastructure (smart meters).
  • Digital Network: digitalization of our network to incorporate benefits such as real-time monitoring and faster identification of and attention to interruptions.

We carried out ethical hacking at the Alto Tuluá, Cucuana, Río Piedras, San Andrés de Cuerquia and Hidromontañitas hydroelectric plants; at the Merielectrica thermal plant; at the ESFERA project; at Internet Hogar; at the Recrew, Palmira, Candelaria, Cerrito and Carmelo substations; and at Enerbit.

We mitigated the risks of a cyberattack on critical cyber assets by implementing the Cybersecurity Guide of the National Operation Council, through the following controls:

  • Automatic inventory of critical cyber assets; identification of their vulnerabilities, threats and risk level.
  • Access control to Intelligent Electronic Devices (IEDs).
  • Preparation for the certification of the Incident-Response Process of the Security Operations Center in ISO 27000 and FIRST membership.
  • Implementation of firewalls in hydroelectric plants.
  • Documentation of the records required to demonstrate the implementation of the National Operation Council’s Cybersecurity Guide.
  • Implementation of cybersecurity controls in critical substations in Tolima.
  • Execution of social-engineering campaigns to identify the position of employees regarding cyber risk.
  • Automation for the automatic detection and containment of attacks.
  • Testing of the Cybersecurity Incident-Response Plans at the Merielectrica facilities and physical security at NOVA.
  • Testing of the recovery plans for the ESFERA Commercial Information System software, Alto Anchicayá and Telecommunications, among others.

In Central America, the inventory of cyber assets, social-engineering campaigns and ethical hacking were carried out at Chiriquí, the Prudencia Solar Plant and the Guanacaste Wind Plant.

Contributions

GRI (418-1) DJSI (1.8.4) Our own Indicator: (Cybersecurity Breaches and Incidents). In the last four years, we have maintained zero (0) breaches in information security or other cybersecurity incidents related to our clients.

DJSI (1.8.5) GRI (103-2) SASB (IF-EU-550a.1.) In the last four years, we have maintained zero incidents on the IT infrastructure for which we have had to pay fines or through which we have suffered a loss of income.

New Challenges

GRI (103-2)

These are our challenges in the short, medium and long term:

(0 to 2 years)

Move from the DEFINED maturity level to MANAGED and complete the implementation of the National Operation Council's Cybersecurity Guide to mitigate the risk of a cyberattack on critical cyber assets through the implementation of the following controls:

  • Carry out an automatic inventory of critical cyber assets, and the identification of their vulnerabilities, threats and risk level.
  • Control access to Intelligent Electronic Devices (IEDs).
  • Implement the good practices of ISO 27000 for the Security Operations Center processes and obtain FIRST membership.
  • Implement the playbooks required to improve the timeliness of the response to cyberattacks.
  • Document the records required to demonstrate the implementation of the National Operation Council’s Cybersecurity Guide.
  • Implement cybersecurity controls in the Tolima substations.
  • Develop social-engineering campaigns to identify the position of employees regarding cyber risk.

(3 to 5 years)

Maintain the MANAGED level of maturity through the following activities, in addition to the previously mentioned controls which already exist:

  • Strengthen the Analytical, Intelligence and Automation capabilities of the Security Operations Center.
  • Mitigate the risk of a cyberattack for non-critical cyber assets through the implementation of perimeter security, automatic inventory, identification of vulnerabilities, threats and risk level.

(6 or more years)

Mitigate the risk of a cyberattack with a MANAGED level of cybersecurity maturity, maintaining good practices in cybersecurity such as ISO 27000, NIST, NERC CIP, IEC 62443 and FIRST membership for the Security Operations Center, in compliance with the cybersecurity agreements of the National Operation Council.

Glossary


Cyberattack:  Attempt to expose, alter, destabilize, destroy or gain unauthorized access to a computer asset.

Cybersecurity by Design:  This introduces agile security controls that can adapt to changing digital environments; it is based on an understanding of the landscape of threats, people, scalability and speed.

Ethical Hacking:  Tests carried out on networks by people with computer and security knowledge in order to find vulnerabilities, report them and take corrective actions.

Information Security / Cybersecurity:  Protection of the computer infrastructure and everything related to it, especially information.

Intelligent Electronic Devices (IEDs):  Electronic regulation and control equipment embedded in electrical systems and used in switches, transformers and other apparatus.

Level of Maturity:  An evolutionary plateau towards the achievement of a mature process. Each level of maturity provides a layer in the foundation for continuous process improvement. Under this framework:

  • The DEFINED maturity level is reached when a policy and procedures are published in the quality system and employees and interested parties know them.
  • The MANAGED maturity level is when – in addition to having the characteristics of the DEFINED maturity level – there are also monitoring indicators and continuous-improvement plans.

Social-Engineering Campaigns:  Campaigns that seek to sensitize employees against the manipulations used to unduly gain access to information.