The purpose of this article is to present the practical implications of the new Cybersecurity Framework Law in the energy sector. Particularly relevant are the provisions that will affect the institutional governance of the sector and the imposition of new obligations on its actors.
I.- The need for sectorial regulation in the matter of cybersecurity
The imperative need to regulate cybersecurity in the electricity sector arises in response to the growing vulnerability to cyber-attacks. The interconnection between information technologies and operational systems in the electricity infrastructure requires specific regulation to avoid significant risks, such as the interruption of electricity supply, the disclosure of sensitive information and the potential loss of operational control in system facilities.
In the event that any of these risks materialize, the consequences are enormous. According to IBM Security’s 2023 Cost of a Data Breach Report, the cost of losses due to the unavailability of services in the electricity sector in 2023 amounted to US$4,780,000, or approximately $4,351,090,599 Chilean pesos.
However, the consequences are not purely economic: the threat to the stability of critical services has a direct impact on the general population. The energy sector plays an essential role in the delivery of critical services, from lighting to the operation of key infrastructure. Therefore, strengthening cybersecurity measures is imperative in order to preserve the functionality of a society that relies on the continuity and security of the energy supply.
II.- Current regulatory context in the electricity sector in the field of cybersecurity
In the current regulatory scenario of the electricity sector, cybersecurity has become crucially important. In July 2020, the National Electric Coordinator (hereinafter, “CEN”) introduced the “Information Security Standard” (“Estándar de Ciberseguridad de la Información”) (hereinafter, the “Cybersecurity Standard”), establishing international standard requirements to safeguard the integrity of electricity systems. In 2021, in response to the growing importance of cybersecurity, the Cybersecurity and Critical Infrastructure Unit (“Unidad de Ciberseguridad e Infraestructura Crítica”) was created at the CEN, headed by a CIP Officer and a Security Officer. In August 2022, another significant step was taken with the formulation of a “Comprehensive Information Security, Cybersecurity and Critical Infrastructure Policy” (“Política Integral de Seguridad de la Información, Ciberseguridad e Infraestructura Crítica”) by the CEN (hereinafter, the “CEN Cybersecurity Policy”).
In addition, the National Energy Commission (hereinafter, “CNE”) is currently processing the “Technical Standard on Cybersecurity and Information Security” (“Norma Técnica de Ciberseguridad y Seguridad de la Información”) (hereinafter, the “Technical Standard”), whose drafting is included in the CNE’s Annual Regulatory Plan for 2024.
III.- The Bill
On December 12, 2023, the National Congress approved the bill that “Establishes a Framework Law on Cybersecurity and Critical Information Infrastructure” (hereinafter, the “Bill”). It seeks to create a new institutional framework and to establish principles and regulations to coordinate and regulate cybersecurity initiatives, both in state agencies and in their interaction with private actors, as well as to establish the requirements to prevent, contain, respond to and resolve the different cybersecurity incidents and cyber-attacks that may occur.
IV.- Scope and Application of the Current Regulatory Framework
The Bill will be applicable to institutions that provide services considered “essential” and to those designated as “operators of vital importance”. It defines essential services as those provided by State Administration Bodies, the CEN, those provided under a public service concession and those provided by private institutions that perform various activities, among which are the generation, transmission or distribution of electricity.
The qualification of essential service providers as operators of vital importance will be made by means of a reasoned resolution of the National Cybersecurity Agency (hereinafter, the “ANCI”), based on the following criteria: (i) dependence on computer networks; and (ii) the significant impact on public safety, on the continuous provision of essential services, or on the execution of state functions or services that the provider must deliver or guarantee.
In terms of sector regulations, the requirements established in the Cybersecurity Standard are binding on the CEN and the Coordinated Companies, applying specifically to facilities or assets that fall within the impact qualification categories defined in the Cybersecurity Standard.
As for the CEN’s Cybersecurity Policy, it covers the entire CEN organization, all data and information assets and all critical infrastructure of CEN.
V.- Practical Implication of the Bill in Energy Matters
The Bill contains a series of provisions that will affect the institutional governance of the electricity sector in matters of cybersecurity, as well as the obligations to which the different entities will be subject. The following is a brief description of the most important aspects of the Bill and its implications on energy matters, as well as its relationship with regulations already in force.
V.1. Institutional matters:
The Bill contemplates the creation of cybersecurity institutions and establishes guidelines for their interaction with sectoral agencies. Some relevant aspects of the participation of sectoral bodies are:
- Qualification of operators of vital importance: According to the Bill, the ANCI will require a well-founded report from the public agencies with competence in energy matters so that they pronounce themselves on those public and private institutions that should be qualified as operators of vital importance.
- Regulatory coordination: When the ANCI must issue regulations that impact energy areas, it will previously send the relevant information to the respective entities, requesting a report. Likewise, when an authority with energy competence must issue general administrative acts with an impact on ANCI’s areas of competence, it must send the information to ANCI and request a report.
- CSIRT of State Administration agencies: The National CSIRT will collaborate or provide technical advice to CSIRTs belonging to State Administration agencies in the implementation of policies and actions related to cybersecurity.
V.2. Regarding obligations for providers of essential services and operators of vital importance:
The Bill establishes a series of general requirements to be complied with by the obligated parties. These are briefly detailed below and are related to already existing obligations in the sector:
V.2.i. General duties for providers of essential services and operators of vital importance:
- Reporting obligation: The Bill establishes that all providers of essential services and operators of vital importance will have the obligation to report to the National CSIRT cyber-attacks and cybersecurity incidents that may have significant effects, in accordance with the criteria set forth in the Bill, within a maximum of 3 hours.
In this respect, the Cybersecurity Standard establishes that all Reportable Cybersecurity Incidents must be notified, through the CIP Manager, to the CEN and the Superintendency of Electricity and Fuels (“Superintendencia de Electricidad y Combustibles”) (hereinafter, the “SEC”) within an even more demanding period of 1 hour from detection.
As for the CEN, the CEN Cybersecurity Policy establishes the obligation of personnel to notify the Security Officer of any activity or situation that, to their knowledge, may be affecting the security of information assets or resources.
The Technical Standard is expected to regulate incident reporting requirements at the electric utility and electric sector CSIRT level.
- Measures to prevent, report and resolve cybersecurity incidents: The Bill requires that the obligated institutions comply with the protocols and standards established by the ANCI, as well as with the cybersecurity standards required by the sectorial regulation, in order to prevent risks and to contain and mitigate the impact of incidents.
Although the precise content of these obligations is not fully determined in the Bill, in the energy area the Cybersecurity Standard adopted the Critical Infrastructure Protection (“CIP”) standards of the North American Electric Reliability Corporation (“NERC”), known as NERC CIP, which are enforceable for the sector. In particular, the required standards are CIP-002, CIP-003, CIP-004, CIP-005, CIP-006, CIP-007, CIP-008, CIP-009, CIP-010, CIP-011, CIP-012, CIP-013 and CIP-014.
Specifically regarding the CEN, the CEN Cybersecurity Policy is also based on the Cybersecurity Standard, but additionally includes as complementary references the ISO/IEC 27000 family of standards, NIST and ISO 22301.
V.2.ii. Specific duties for operators of vital importance
The Bill establishes a series of specific obligations to be fulfilled by operators of vital importance. These are briefly detailed below and are related to already existing obligations in the sector:
- Obligation to implement a continuous information security system: The Cybersecurity Standard requires the CIP-003 standard. This is intended to specify consistent and sustainable security management controls to protect SEN cyber systems against events that may lead to their malfunction or instability.
- Obligation to keep records: The Bill establishes as a duty for the operators of vital importance to keep a record of the actions carried out that are part of the information security management system, in accordance with the Bill’s regulations.
The above is aligned with the provisions of the Cybersecurity Standard, which requires the Responsible Entities to maintain records of evidence and control measures for a period of at least 3 years, a period that may be extended as required by the SEC in case of an ongoing audit investigation.
- Obligation to develop and implement business continuity and cybersecurity plans: These plans must be certified in accordance with the Bill and will be subject to periodic reviews by the regulated entities, with a minimum frequency of 2 years.
In electrical matters, the Cybersecurity Standard requires the CIP-009 standard for recovery plans. This establishes specific requirements for recovery plans in support of the continued stability, operability and reliability of the SEN.
In accordance with the CEN Cybersecurity Policy, the CEN will be responsible for monitoring the action plans of the Coordinated Companies in information security matters, in accordance with the requirements of the Cybersecurity Standard.
- Monitoring and reporting obligation: The Bill requires operators of vital importance to conduct periodic reviews of their systems to detect cyber threats and to report the information to the National CSIRT, as required by the regulation.
The Cybersecurity Standard establishes that the Responsible Entities must monitor and report to the SEC the level of compliance with the control measures of each requirement on an annual basis, within the first quarter of each year and in the format defined by the SEC.
- Obligation to adopt impact and propagation mitigation measures: The Cybersecurity Standard imposes the requirements of the CIP-008 standard. The purpose of this standard is to mitigate risks to the safe and reliable operation of the SEN that are a consequence of a cybersecurity incident, by specifying incident response requirements.
- Obligation to comply with the cybersecurity certifications of the Bill and those determined by the ANCI by regulation: The Cybersecurity Standard complements the above, establishing that the SEC may instruct compliance and/or certification audits by certified third parties in order to verify compliance with the standard.
- Obligation to provide information to potentially affected parties: The Bill requires informing potentially affected parties about incidents or cyber-attacks that could seriously compromise their data or computer networks and systems in certain cases.
- Obligation to have continuous training, qualification and education programs: The same requirement is contained in the Cybersecurity Standard, which requires the CIP-002 standard for the electricity sector. In general terms, the requirements of this standard relate to training in cybersecurity policies, physical access control, electronic access control and a visitor control program, among others.
- Obligation to appoint a cybersecurity delegate: The CIP-003 standard, required by the Cybersecurity Standard, requires each Responsible Entity to identify a CIP Officer by name, and to document in writing any changes thereto within 30 calendar days of the change.
V.2.iii. Infringements and penalties
The Bill establishes a series of penalties in case of infringement of the provisions of the future law. The Bill classifies them as minor (“leves”), serious (“graves”) and very serious (“gravísimas”), in addition to establishing specific infringements for operators of vital importance.
The sectorial authority will be competent to audit, hear and sanction infringements, as well as to enforce sanctions, in accordance with its own cybersecurity regulations, provided their effects are at least equivalent to those of the regulations issued by the ANCI. The ANCI will likewise be able to supervise, hear and sanction infringements, as well as to execute sanctions, in accordance with the Bill.