TI Safe

Aneel determines the implementation of cyber security policy for all agents in the electricity sector

Resolution sets out guidelines and minimum parameters to be adopted, along with guidance on best practices

The hacker attacks on the Ministry of Health, which brought down ConectSus, and on the Federal Highway Police, among other agencies, were warning signs for mission-critical sectors in Brazil. Proof of this is that the National Electric Energy Agency (Aneel) accelerated the publication of the cyber security policy for the electric sector, that is, for all energy generators, distributors and transmitters in the country.

The National Electric Energy Council (CNPE) had already approved the guidelines for the cyber security policy, but these rules still depended on an Aneel regulation to come into effect. The new resolution brings the guidelines and minimum parameters to be adopted, as well as guidelines on best practices for the sector.

According to a document published on Aneel's website, each agent and entity must describe in its policy the management, assessment and treatment of cybersecurity risks, including rapid response procedures to contain incidents. In addition, employee awareness of cyber risks should be promoted through cyber exercises. Among the established requirements are:

• Obligation to inform Aneel of cases of cybersecurity crisis;
• Mandatory sharing of relevant cyber incidents between agents and between agents and Aneel;
• The company's obligation to choose and periodically apply a regulatory maturity assessment methodology;
• Segmentation of IT and operational technology (OT) networks;
• Rapid response procedures for incident containment;
• Implementation of cybersecurity risk management, assessment and treatment processes.

For Marcelo Branquinho, CEO of TI Safe, the implementation of the policy determined by Aneel is another important step towards regulating cyber protection for the energy sector, which is added to the Operational Routine on Cyber Security (RO.CB.BR.01), published by the National Electric System Operator (ONS). “We are increasingly connecting systems. IT and OT networks, initially separate, are now converging. IT has become accustomed to dealing with data security issues on a daily basis. However, automation also inherited this problem. Remotely assisted stations need to be protected from cyber attacks and this is the right time to adjust budgets with a focus on prevention,” says the executive.

In Marcelo's assessment, the latest attacks on Brazilian public bodies are not isolated cases. In 2021, the world witnessed ransomware incidents that not only made headlines in the world's leading newspapers, but also became a watershed in defense strategies, casting the CISO as a protagonist in problem solving. A study released by KPMG indicated that 41% of organizations worldwide reported an increase in the number of incidents. It also showed changes in the strategies of cyber criminals, who apply as much pressure as possible to obtain a ransom payment, even harassing employees as an additional extortion measure.

Learn more: Aneel Normative Resolution Draft