GRI (3-3) At Celsia, we ensure the security and integrity of all our assets, which is why we invest heavily in cybersecurity in order to guarantee the continuity of the service.
GRI (3-3) In line with our corporate strategy, we strive to minimize the likelihood of cyber-attacks on our operations at Celsia. We also prevent the leakage, tampering and unauthorized access of personal data, while ensuring the uninterrupted availability of critical cyber assets, through a strategy that integrates information security, personal data protection and cybersecurity. In this way, we guarantee the safe and reliable delivery of electricity services.
Our Management
We execute our strategy through a management model built on good practices in the sector:
- The ISO/IEC 27000 family of standards, the NIST Cybersecurity Framework, IEC 62443 and NERC CIP.
- The Demonstrated Responsibility (accountability) Guide for processing personal data, issued by the Superintendence of Industry and Commerce.
- The Cybersecurity Guide issued by the National Operation Council for the Colombian electricity sector through Agreement 1502.
- The governance model for cybersecurity management: an interdisciplinary committee coordinated by the Cybersecurity Director, which ensures compliance with the policies and guidelines on information security, personal data processing and cybersecurity.
We have a Security Operations Center, a Cybersecurity Committee and a Technology Risk Committee.
From the Security Operations Center we monitor 7x24x365 the databases that contain personal information, as well as critical cyber assets and the ICT (TIC in the Spanish original) infrastructure.
Through ethical hacking and with the support of cybersecurity tools, we carry out continuous vulnerability management, which is reported by the Security Operations Center. Its results, scope and associated corrective actions are reviewed monthly.
We participate in different inter-institutional forums led from Colombia:
- The Cybersecurity Committee of the National Operation Council.
- The Cybersecurity Committee of the Regional Energy Integration Commission (CIER, for the Spanish original).
- The Computer Security Incident Response Team (CSIRT).
- The Forum of Incident Response and Security Teams (FIRST).
- Colombia Inteligente.
- The Critical Infrastructure Committee of the Ministry of Information and Communication Technologies (MinTIC, for the Spanish original).
- The Mining and Energy Planning Unit.
- The Grupo Argos Risk Committee.
- The ICONTEC standardization working groups for the NTC 6079 Standard.
We manage the risk of a cyber-attack by:
- Supporting projects by applying the principle of cybersecurity by design.
- 7x24x365 monitoring from the Security Operations Center.
- Cybersecurity plans for the wind, photovoltaic and hydroelectric plants in Central America.
- Key projects and an automatic inventory of critical cyber assets that identifies their vulnerabilities, threats and risk level.
- Access control to Intelligent Electronic Devices (IED).
- Perimeter security to protect critical cyber assets.
- Social engineering campaigns to identify employees' posture regarding cyber risk.
- An incident response plan for critical cyber assets.
- Disaster recovery plans for the business systems, the Metering Management Center and the Advanced Distribution Management System.
Cybersecurity governance
GRI (2-13) The Board of Directors and Steering Committee are actively involved in defining the cybersecurity strategy, its monitoring and review. In accordance with the Code of Good Governance, the Board of Directors has defined an Audit, Finance and Risk Committee, whose functions are to review and evaluate risk management and propose the improvements it considers necessary, seeking to promote the configuration of a risk profile that is aligned with the company’s strategic objectives.
This committee meets quarterly or when needed. The members of the Board of Directors who participate in the committee are Eduardo Pizano, José Manuel Restrepo and Andrés Escobar.
In this framework, and taking into account that cybersecurity is one of the main risks Celsia faces, the committee supervises management's efforts to implement the strategy formulated by the Cybersecurity Director. Before the Steering Committee, the person in charge of presenting the cybersecurity program and its progress is the Technology Director.
The members of the Board of Directors and the Steering Committee who sit on this committee have been certified in the Cybersecurity for Executives course at Universidad de Los Andes, in which several leaders of the teams that manage the topic also participated.
Main Results
GRI (3-3)
We apply the concept of cybersecurity by design and supported the Red Digital, ADMS phase II, AMI and Apolo projects.
We executed the ethical hacking program on 35 critical assets (substations and plants).
In 2023, two supply chain risk events were identified. They were detected and contained, and no reputational or economic impact materialized for the company.
We managed the automatic inventory of critical cyber assets, identifying their vulnerabilities, threats and risk levels.
We executed the project for managing the cyber assets of 59 substations in Tolima.
We managed the access control of critical cyber assets of substations and plants.
We had compliance with Agreement 1502 of the National Operation Council externally audited and closed the identified gaps.
1,970 employees took the E-learning course on cybersecurity in SSFF.
We executed social engineering campaigns to identify employees' posture regarding cyber risk.
We executed the cybercrisis drill for each primary business group and the Steering Committee.
We executed the recovery plans for technology, generation cyber assets, transmission and distribution cyber assets, and NOVA.
We quantify cyber risks.
We monitor internet-facing assets from the Security Operations Center (SOC).
We were the first Security Operations Center in the Colombian electricity sector to become a member of the Forum of Incident Response and Security Teams (FIRST).
Topic / Indicator | Own indicators | CSA S&P Indicator | SASB indicator | GRI indicator | TCFD | External assurance
---|---|---|---|---|---|---
Substantiated complaints concerning breaches of customer privacy and losses of customer data | – | – | – | 418-1 | – | 
Number of incidents of noncompliance with physical and/or cyber security standards or regulations | Cybersecurity violations or incidents | – | IF-EU-550a.1 | – | – | 
We are the first Security Operations Center in the Colombian electricity sector to be a member of the Forum of Incident Response and Security Teams (FIRST).
Information security/cybersecurity: Protecting computer infrastructure and, above all, the information it processes.
Cyber-attack: An attempt to expose, alter, destabilize, destroy or gain unauthorized access to a computer asset.
Ethical hacking: Authorized tests carried out on systems and networks by people with computer and security knowledge to find vulnerabilities, report them and drive corrective measures.
Social engineering campaigns: Campaigns to raise awareness among employees of the most frequent manipulation techniques used to obtain access to information improperly.
Intelligent Electronic Devices (IED): Microprocessor-based control and protection equipment embedded in electrical systems and used with circuit breakers, transformers and other equipment.
Maturity level: An evolutionary plateau on the way to a mature software process. Each maturity level adds a layer to the foundation for continuous process improvement. In this framework:
- The Defined maturity level indicates that a policy and procedures are published in the quality system and that employees and interested parties know them.
- The Managed maturity level indicates that, in addition to meeting the characteristics of the Defined level, there are indicators with monitoring and continuous improvement plans.
ADMS (Advanced Distribution Management System): The software platform used to monitor and control the distribution network.
Smart Meters (AMI): Advanced metering infrastructure, which gives the company a more accurate record of customer consumption and drives the development of new products and services that take full advantage of the information collected through these devices.
APOLO: Application for the integral management of the electrical protection of field equipment (relays and reclosers).