Cotesa

Transmitters and power generators must comply with cybersecurity standards by January 8

Energy transmission and generation companies have until January 8 to be adapted to the minimum cybersecurity controls for the Cyber Regulated Environment, established by the National Electric System Operator (ONS). The standards have been in effect since July 9, 2021, and the assets will also be inspected by Aneel.

With the measure, the agency requires that the agents' operations centers and facilities of the SIN operation network adopt the tools to prevent hacker invasions, as in January 2021, when more than 220 million Brazilian data from federal agencies, such as the Unified Health System (SUS), were leaked. Brazil, in fact, was the 1st country with more leaks of personal information in the world in 2021.

The adjustments in the operation centers must be implemented with a security consultancy, which will conduct an analysis of the internal environments, identify vulnerabilities, follow the concepts described by ONS in the standard, and train the operators and IT teams.

CEO of COTESA Engenharia, Adriano Vignoli warns that those who have not yet begun implementation will not be suitable in the correct timeframe, generating a possible agent exposure. "The entire adequacy process is studied and customized for each operation center and each asset, but there is especially a lack of equipment in the market, which ends up delaying the conclusion of the work," explains Vignoli.

The cybersecurity standards

Check out, below, the main standards required by ONS for the Cyber Regulated Environment (ARCiber).

1 - Technological architecture

Networks shall be segregated into security zones, according to their function, and ARCiber shall not be directly accessible via the internet even if protected by one or more firewalls. Access to ARCiber from networks external to the organization shall only be permitted for the performance of authorized activities and must be via Virtual Private Network (VPN), or similar technology, through a gateway or service that provides security controls. Anti-malware solutions must be implemented in ARCiber and kept up to date.

2 - Information Security Governance

At least one manager and one alternate should be appointed, responsible for ARCiber's cyber security and act as an external point of contact, with roles and responsibilities defined.

3 - Asset Inventory

All assets, software, and hardware connected to ARCiber must be inventoried at least every 24 months, with access restricted to people who need the information to perform their jobs.

4 - Vulnerability management

The security policy of the organization shall include the management of security patches for all technologies connected to ARCiber. New assets should also only be connected to ARCiber after all available patches have been applied.

5 - Access management

5 - ManagementAccess credentials must be individual and approved by the competent authority, with strict password creation and exchange policies.

6 - Monitoring and incident response

ARCiber assets must be configured to generate appropriate security logs to support investigations and reconstruction of potential security incidents. These logs must be stored for the period defined in the organization's cybersecurity policies.

Skip to content