Cybersecurity in the Energy Sector | Anguita Osorio Abogados
Regulatory framework, OT/IT challenges and compliance in critical electrical infrastructure in Chile
Energy Sector Cybersecurity: Governance for Critical Infrastructure
The electrical sector faces Chile's most complex supervisory matrix, with SEC, CNE, CEN and the new ANCI. We analyze the strategic challenges to protect critical infrastructure (OT/IT) and ensure regulatory compliance in an environment of multiple regulators and systemic risks.
The Multi-Regulator Framework of the Electrical Sector
Energy sector companies operate in a highly complex regulatory ecosystem. Law 21.663 overlaps with the powers of sectoral regulators, creating a supervisory matrix with four key actors:
| Regulator | Oversight Scope | Primary Focus |
|---|---|---|
| ANCI | National cybersecurity and incident notification. | Law 21.663 compliance. |
| SEC | Installation security and supply continuity. | Service quality and safety. |
| CNE | Energy policy and sectoral technical standards. | Technical standards design. |
| CEN | System operational coordination and secure communications. | Operational stability and security. |
An incident at a power plant can simultaneously be a security failure (SEC), an operational disruption (CEN) and a cybersecurity incident (ANCI), triggering reports and oversight through multiple channels.
Critical Infrastructure by Legal Definition
The electrical sector is classified as an **Essential Service**. It is presumed that large generators, trunk transmission companies and main distributors will be qualified as **Operators of Vital Importance (OIV)** under the process initiated by ANCI Resolution No. 024/2025, subjecting them to the highest requirements of Law 21.663.
**Current status:** The first OIV qualification process is underway with 90-day deadlines for resolution.
The Strategic Challenge of OT/IT Convergence
Digitalization has dissolved the barrier between **Information Technologies (IT)** and **Operational Technologies (OT)**, which control physical processes (SCADA, ICS). This convergence is a central point of risk and regulatory scrutiny.
Risk Vectors in Critical Infrastructure:
- **IT to OT threat propagation:** An attack on the corporate network can impact control systems, with potential to cause physical damage and massive disruptions.
- **OT supply chain attacks:** Compromise of industrial equipment suppliers (PLC, RTU).
- **Industrial protocol exploitation:** Vulnerabilities in protocols such as Modbus, DNP3 or IEC 61850.
Regulation demands an integrated security vision. Lack of adequate segmentation between IT and OT networks is considered a serious deficiency that may give rise to corporate liability.
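To make the segmentation point concrete, the following is an added example (not code from the original page or from the firm): a small audit of constructed firewall flow records that flags traffic crossing from the corporate IT zone into the OT control network, and in particular direct use of the industrial protocols named above (Modbus/TCP on port 502, DNP3 on port 20000, IEC 61850 MMS on port 102) from any host other than an allowed DMZ jump host. The address ranges, the jump-host address and the log format are assumptions chosen for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed address plan (not from the page): corporate IT zone, OT control zone and
# the single DMZ jump host that is allowed to reach OT on industrial protocol ports.
IT_NET = ipaddress.ip_network("10.10.0.0/16")
OT_NET = ipaddress.ip_network("10.200.0.0/16")
ALLOWED_OT_SOURCES = {ipaddress.ip_address("10.50.0.10")}

# Well-known TCP ports of the industrial protocols mentioned in the text.
INDUSTRIAL_PORTS = {
    502: "Modbus/TCP",
    20000: "DNP3",
    102: "IEC 61850 MMS (ISO-TSAP)",
}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    dst: str
    port: int
    rule: str
    severity: str


def zone(ip: ipaddress.IPv4Address) -> str:
    """Map an address to the network zone it belongs to under the assumed plan."""
    if ip in OT_NET:
        return "OT"
    if ip in IT_NET:
        return "IT"
    return "OTHER"


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed flow record: '<ts> <src> <dst> <dport> <proto> <ALLOW|DENY>'."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, dport, proto, action = parts
    try:
        return {
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "port": int(dport),
            "proto": proto.lower(),
            "action": action.upper(),
        }
    except ValueError:
        return None


def evaluate(rec: dict) -> Optional[Finding]:
    """Apply the segmentation policy to one flow record and return a finding if it breaks it."""
    src, dst, port = rec["src"], rec["dst"], rec["port"]
    # Only flows entering the OT zone from outside it are of interest here.
    if zone(dst) != "OT" or zone(src) == "OT":
        return None
    # The brokered path through the DMZ jump host is the intended way into OT.
    if src in ALLOWED_OT_SOURCES:
        return None
    proto_name = INDUSTRIAL_PORTS.get(port)
    if proto_name is not None:
        # A host outside OT speaking an industrial protocol straight into the control network.
        if rec["action"] == "ALLOW":
            rule = f"direct {proto_name} access from {zone(src)} permitted"
            return Finding(rec["ts"], str(src), str(dst), port, rule, "high")
        rule = f"{proto_name} attempt from {zone(src)} blocked at boundary"
        return Finding(rec["ts"], str(src), str(dst), port, rule, "medium")
    if rec["action"] == "ALLOW":
        rule = f"non-industrial {zone(src)}-to-OT traffic permitted"
        return Finding(rec["ts"], str(src), str(dst), port, rule, "medium")
    return None


def audit(log_text: str) -> list:
    """Run the policy over a whole log; unparseable or comment lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        rec = parse_line(line)
        if rec is None:
            continue
        finding = evaluate(rec)
        if finding is not None:
            findings.append(finding)
    return findings


def summarize(findings: list) -> dict:
    """Count findings per severity, e.g. {'high': 1, 'medium': 2}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample flow log for the example (not real traffic).
SAMPLE_LOG = """\
# ts src dst dport proto action
2025-06-01T10:00:01Z 10.10.4.21 10.200.1.5 502 tcp ALLOW
2025-06-01T10:00:05Z 10.50.0.10 10.200.1.5 502 tcp ALLOW
2025-06-01T10:01:10Z 10.10.7.8 10.200.1.9 20000 tcp DENY
2025-06-01T10:02:00Z 10.10.7.8 10.200.1.9 3389 tcp ALLOW
2025-06-01T10:03:00Z 10.10.2.2 10.10.3.3 445 tcp ALLOW
2025-06-01T10:04:00Z 10.200.1.5 10.200.1.6 102 tcp ALLOW
malformed line here
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"[{f.severity}] {f.timestamp} {f.src} -> {f.dst}:{f.port}  {f.rule}")
    print(summarize(audit(SAMPLE_LOG)))
```

Run against the constructed log, the audit reports one high-severity finding (an IT workstation reaching a controller over Modbus/TCP, which the firewall permitted), a blocked DNP3 attempt and a permitted RDP session from IT into OT; the jump-host flow and the intra-zone flows produce nothing. The same structure carries over to real firewall or NetFlow exports by replacing `parse_line` and the assumed address plan.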
Alignment with International Standards: NERC-CIP
The **NERC-CIP** standards are the global reference for electrical cybersecurity. CEN already requires compliance with them. Law 21.663 and future technical standards will align with their principles.
Companies must integrate these technical controls into a **corporate governance** framework. NERC-CIP compliance becomes the technical evidence to demonstrate due diligence before ANCI and SEC.
Critical Obligations and the Double Reporting Challenge
The main operational complexity for the sector is managing incident notification to multiple authorities with different focuses and deadlines:
- **0-3 hours (ANCI):** Notification to the National CSIRT for a cybersecurity incident.
- **Immediate / Variable (CEN):** Report to the Electrical CSIRT for operational unavailability.
- **Variable (SEC):** Report if it affects supply continuity or security.
Uncoordinated management of these reports increases the risk of inconsistencies and legal exposure.
Strategic Action Lines for the Energy Sector
To manage this scenario, sector companies should focus on the following analysis areas:
Design of an Integrated Regulatory Framework
Creating a compliance framework that unifies obligations before SEC, CNE, CEN and ANCI to respond to all regulators coherently and efficiently.
Risk Governance Analysis in OT/IT Environments
Reviewing the Board's responsibilities in supervising OT/IT convergence risks, aligning technical management with legal compliance strategy.
Multi-Agency Crisis Management Strategies
Developing incident management protocols that coordinate communication flows to all involved regulators.
Frequently asked questions
What regulates cybersecurity in Chile's energy sector?
Law 21.663 sets the general framework for critical infrastructure, complemented by SEC technical regulations and instructions from the National Electrical Coordinator. Generation, transmission and distribution companies are commonly qualified by ANCI as Essential Services or Operators of Vital Importance.
What obligations does an electricity company qualified as OIV have?
An IT security management system, an operational-continuity plan aligned with the Coordinator, reporting of cyber incidents to ANCI within short deadlines, appointment of a Cybersecurity Delegate and periodic audits. OT/IT requirements stack on top of sectoral SEC regulation.
How does Law 21.663 interact with SEC regulation and the Coordinator?
SEC retains technical competence over electrical facilities, including cybersecurity guidelines for industrial control systems. ANCI overlays transversal general obligations. The Coordinator applies operational protocols. Companies must comply with all three levels simultaneously.
What technical standards typically apply to electrical critical infrastructure?
NERC-CIP (international reference), ISA/IEC 62443 for industrial systems and NIST guides are the most commonly used reference frameworks. ANCI can issue binding technical guidelines and the Coordinator requires compliance with specific protocols in interconnected-system operations.
What happens during a cyber incident at an electrical facility?
Immediate activation of the continuity plan, reporting to ANCI under Law 21.663, notification to the Electrical Coordinator, communication to SEC if it affects public service and, where applicable, to the Data Protection Agency. If the incident compromises personal safety, the criminal and sectoral sanctioning regime is also triggered.