Cybersecurity - Integrated Report 2019

At Celsia, we have a security strategy that covers:

Information security.
Cybersecurity.
Personal data protection.

Thus, we mitigate the risk of a cyber attack on operations; we avoid the leak, adulteration of and unauthorized access to personal data, and guarantee entries, preventing the unavailability of cyber assets.

Our Management

We implement our strategy through a Management Model that we have built, based on good practices in the sector.

ISO 27.000; the National Institute of Standards and Technology (NIST), 62443 and the North American Electric Reliability Corporation (NERC).
The Responsibility Guide issued by the Superintendency of Industry and Commerce of Colombia in May 2015, in accordance with Law 1581 of 2012 Protection of Personal Data.
The Cybersecurity Guide issued by the National Operation Council (NOC) for the Colombian electricity sector with Agreement 1241.

Cybersecurity Governance

Learn about the Information Security Policy

(C-CI1) We have a Governance Model to manage cybersecurity, composed by an interdisciplinary cybersecurity committee and coordinated by the Cybersecurity Leader, who ensures compliance of the policy and information security guidelines, the treatment of personal data and cybersecurity.

We also participate in different inter-institutional spaces:

Cybersecurity Committee of the National Operation Council (NOC).
Critical Infrastructure Committee, led by the Joint Cyber Command (CCOC) of the Ministry of Defense.
ICONTEC Advanced Measurement Infrastructure (AMI) Committee.
Energy Mining Planning Unit (UPME).
Grupo Argos Risk Committee.

All these initiatives are led from Colombia.

Management Framework

(C-CI2)

We have a Security Operations Center (SOC) and a Technology Risk Committee.

We monitor databases that contain personal and security data through ethical hacking 24 hours a day, seven days a week, 365 days a year.

We carry out permanent vulnerability management, which is reported by the SOC, and their results and scope are reviewed monthly through associated corrective actions.

Procedures

(C-CI3)

Key Projects

Automatic inventory and identification of vulnerabilities of critical cyber-assets.
Access control to Intelligent Electronic Devices (IED).
Intrusion Detection System for substations and plants.
Implementation of the SOC.

Principal Results

We approve the Cybersecurity Policy and Guidelines.

We intervene in projects manages from our Operations Center, applying the concept of Cybersecurity by Design.

NOVA. Modernizing the Operating Systems to monitor, supervise and control all the electrical networks and new businesses.
AMI. Modernization of the Advanced-Measurement infrastructure.
ESFERA. Modernization of the Commercial-Information System.
GEMA. Strategic-Management Project for Asset Management.
E-Commerce. Web portal for the Celsia store.
Contractors: Service to verify compliance of affiliations, payments to Social Security and Occupational Health and Safety requirements of our contractors and their employees.
Wind plants.
SCADA. Supervision, Control and Data Acquisition.
Solar roofs and farms.
Office 365. Collaborative office tools available in the Microsoft cloud.

We implemented the control of access to IEDs for the 34.5 kV Tuluá; San Marcos; Alférez II (115 kV); Pance; Guacar; Dovio; Tabor; Paraíso; and Bolívar substations; as well as in the Alto Anchicayá, Amaime and Calima (Valle del Cauca), Cucuana (Tolima), Río Piedras (Antioquia) and Salvajina (Cauca) hydroelectric plants.

We implemented the Intrusion Detection System for the Alto Anchicayá and Amaime hydroelectric plants, and in the Candelaria, Yumbo, Pance and Recreo substations.

We carry out social engineering campaigns focused on the Commercial, Transmission and Distribution, Generation and Technology Areas, and on the Company’s Steering Committee.

We approve the implementation of our Security Operations Center (SOC) with our own resources (tools, processes and people).

We carry out ethical hacking at the Alto Anchicayá and Amaime hydroelectric plants, and at the Salado substation in Tolima.

We carry out a cybersecurity diagnosis in Panama for the Prudencia and Gualaca hydroelectric power plants.

We assess the vulnerabilities to the systems that the Company manages to track its assets and manage its Stakeholders, such as Meteoro, Konecta, LuZia, Web Tolima, Tienda Celsia, Ultra Digital and Meter Data Management (MDM).

New Challenges

Short Term
0 to 2 years
Medium Term
3 to 5 years
Long Term
6 years or more

Mitigate the risks of a cyber attack:

Automatic inventory and identification of vulnerabilities of the critical cyber-assets.
Access control to IED.
Intrusion Detection System for substations and generation plants.
Implementation of the SOC.
Implementation of firewalls in the hydroelectric power plants.

Implement 57 documentary records required to demonstrate the implementation of the Cybersecurity Guidelines, in compliance with Agreement 1241, from the National Operation Council (CNO, in Spanish).

Carry out a gap analysis of compliance with the Cybersecurity Policy and Guidelines in the hydroelectric, photovoltaic and wind-power plants in Central America.

Implement cybersecurity controls in the Tolima substations.

Continue the five-year plan that includes compliance with Agreement 1241 from the National Operation Council (CNO) and move from the “defined” level or maturity to the “managed” level, in accordance with the categories of the Agreement, and execute the following projects:

Automatic inventory and identification of vulnerabilities of the critical cyber-assets.
Access control to IED.
Intrusion Detection System for substations and generation plants.
Implementation of the SOC.
Implementation of firewalls in the hydroelectric power plants.

Maintain and update the 57 documentary records required by Agreement 1241, from the National Operation Council (CNO), to demonstrate the implementation of the Cybersecurity Guidelines.

Include cybersecurity as a service within Celsia’s commercial offer.

Glossary

Ethical Hacking
Tests carried out on networks by people with computer and security knowledge to find vulnerabilities, then report them and take corrective measures.

Intelligent Electronic Devices (IEDs)
Electronic regulation equipment embedded in electrical systems and used in switches, transformers, etc.

Cybersecurity by Design
Introduces agile security controls that can adapt to changing digital environments; it is based on an understanding of the threat landscape, people, scalability, and speed.

Level of Maturity
An evolutionary plateau towards the achievement of a mature software process. Each level of maturity provides a layer in the base for continuous process improvement.