
CNO 1960 Agreement: Practical Compliance Guide for the Colombian Electricity Sector

Jhon Jairo Mira Duque


How to prepare for new critical infrastructure cybersecurity requirements

On September 2, 2024, Air-e, the main energy marketer in the Colombian Caribbean, faced a ransomware-type cyberattack that compromised its critical systems. Thousands of users were left unable to pay their bills online. Most worrying: the attack managed to breach Kaspersky's advanced protection tools using a previously unidentified ransomware. [10]

This incident is not isolated. Colombia faced 36 billion attempted cyberattacks in 2024, ranking as the fourth most attacked country in Latin America. The energy sector represents 10% of these attacks, evidencing a critical vulnerability in the country's infrastructure.

In response to this growing threat, the National Operation Council (CNO) issued Agreement 1960 on April 3, 2025, which updates the cybersecurity requirements for all companies in the National Interconnected System (SIN). This article provides a practical and objective guide to understand what the new regulations require and how to prepare for compliance.

1. The Threat Landscape that Motivated the 1960 Agreement

1.1 Statistics on Cyberattacks in Colombia

The numbers are overwhelming:

  • 36 billion attempted cyber-attacks in 2024 (Fortinet, IBM X-Force).
  • 77,866 reports of cybercrime to the National Police (+23% vs. 2023)
  • 22,086 vulnerabilities identified in critical systems (ColCert)
  • 10% of attacks specifically target the energy sector

Colombia is currently the fourth most attacked country in Latin America, demonstrating the urgency of strengthening digital defenses, especially in critical infrastructures such as the electricity sector.

1.2 The Air-e Case: Anatomy of a Critical Infrastructure Attack

The Air-e attack illustrates the sophistication of today's threats:

  • Date: September 2, 2024
  • Victim: Air-e (main energy distributor in the Colombian Caribbean)
  • Attack Type: Previously unidentified ransomware
  • Impact: Disruption of critical services, inability to make online payments.
  • Sophistication: Managed to evade advanced Kaspersky tools.

This incident demonstrates that even with enterprise-grade cybersecurity solutions, threats evolve faster than traditional defenses.

1.3 International Precedents Justifying the Agreement

The 1960 Agreement responds to a global trend. Recital 7 of the CNO agreement is explicit: "The likelihood of high-impact cyber-attacks has increased. Cases such as the blackouts recorded in Ukraine in 2015, 2016, 2022 and 2024 produced by cyber-attacks, as well as attacks on electricity infrastructures in the United Kingdom, Ireland, the United States, Israel, India, among others have shown that cyber-attacks on these infrastructures are an active part of the current and future risk landscape."

Flagship cases:

  • Ukraine (2015-2024): The first blackout caused by cyberattack affected 225,000 people in December 2015. A year later, the Industroyer malware knocked out power to one-fifth of Kiev. Attacks continued in 2022 and 2024, demonstrating that these threats are persistent and evolving.
  • Stuxnet (2010): The first cyber-weapon designed for critical infrastructure destroyed approximately 1,000 nuclear centrifuges in Iran, proving that malware can cause actual physical destruction.
  • Colonial Pipeline, USA (2021): The largest attack on U.S. oil infrastructure disrupted the supply of 45% of the East Coast's fuel for six days, causing shortages and panic among the population.

Lesson for Colombia: These cases share a disturbing pattern: infrastructure considered secure was compromised, traditional defenses proved insufficient, and the impacts transcended the digital to cause real blackouts and economic losses. The 1960 Agreement translates these international lessons into concrete requirements for the National Interconnected System.

2. What is the CNO 1960 Agreement?

The 1960 Agreement is the most recent update of the Cybersecurity Guide for the Colombian electricity sector, issued by the National Operation Council on April 3, 2025.

2.1 Scope and Applicability

The agreement applies to all agents of the National Interconnected System (SIN):

  • System Operator (XM)
  • Power generators
  • Transmitters
  • Distributors

This includes both major and minor plants, with requirements differentiated according to the criticality of the assets.

2.2 Change of Focus: From Regulatory Compliance to Risk Management

One of the most significant innovations of the 1960 Agreement is the paradigm shift:

Previously (1502 Agreement): Regulatory compliance approach with standardized controls for all.

Now (1960 Agreement): Risk-based approach that allows each agent to tailor their controls according to their specific risk profile.

This change allows optimizing investments in cybersecurity, prioritizing resources towards the protection of those assets with the greatest potential impact on the operation of the SIN.

3. Structure and Controls of the 1960 Agreement

The 1960 Agreement establishes 58 mandatory controls organized into 10 main categories. Each control has specific deadlines for implementation and periodic review.

3.1 The 10 Categories of Controls

| # | Category | Focus and Scope |
|---|----------|-----------------|
| 1 | Identification of Critical Assets | Inventory and classification of cyber assets |
| 2 | Governance and Personnel Management | Personnel policies, responsibilities, risk assessment |
| 3 | Perimeter | Logical security, access lists, monitoring |
| 4 | Cyber Asset Security Management | Change control, anti-malware, vulnerability assessment |
| 5 | Recovery Planning | Operational resilience and business continuity |
| 6 | Incident Response | Detection, containment and response procedures |
| 7 | Physical Security | Physical protection of critical cyber assets |
| 8 | Supply Chain Management | Evaluation of suppliers and third parties |
| 9 | Risk Management | Comprehensive risk analysis and penetration testing |
| 10 | Compliance | Periodic audits and reporting |


3.2 Critical Implementation Timelines

The Agreement establishes different deadlines according to the criticality of each control:

Urgent Controls (6 months or less):

  • Verification of authorization records
  • Access lists to critical cyber assets.

Medium Term Controls (12 months):

  • Identification and updating of critical assets
  • Personnel risk assessment
  • Access management procedures
  • Recovery and resiliency plan

Long Term Controls (24 months):

  • Internal cybersecurity audits
  • Change control procedures
  • Validation of configuration changes

4. How to Prepare for Compliance

Compliance with the 1960 Agreement requires a structured and planned approach. The following is a practical implementation roadmap.

4.1 Phase 1: Initial Diagnosis (Months 1-2)

Objective: Assess the current state of cybersecurity and identify gaps.

Key Actions:

  • Conduct comprehensive inventory of critical assets and cyber assets.
  • Evaluate existing controls against the 58 requirements of the 1960 Agreement
  • Identify critical gaps requiring immediate attention
  • Estimate resources needed (budget, personnel, technology)

4.2 Phase 2: Strengthening Governance (Months 3-4)

Objective: Establish organizational structure and base policies.

Key actions:

  • Designate and notify the CNO of the cybersecurity officer (deadline: 6 months).
  • Update cybersecurity policies aligned with the 1960 Agreement.
  • Implement awareness program for all personnel
  • Establish access management and revocation procedures

4.3 Phase 3: Implementation of Technical Controls (Months 5-12)

Objective: Deploy priority technical controls.

Key Actions:

  • Implement 24/7 monitoring of critical systems.
  • Deploy threat detection tools (SIEM, EDR)
  • Establish vulnerability management and continuous patching
  • Set up backup and recovery of critical information
  • Perform penetration testing on critical assets

4.4 Phase 4: Risk Analysis and Optimization (Months 13-18)

Objective: Perform comprehensive risk analysis and adjust controls.

Key actions:

  • Execute internal and supplier risk analysis (deadline: April 2026).
  • Evaluate technological supply chain
  • Adjust controls according to specific risk profile
  • Document evidence of compliance for audits

5. Strategic Decisions: Build or Contract?

One of the most critical decisions SIN operators will face is how to implement the monitoring, detection and response capabilities required by the 1960 Agreement.

5.1 Option 1: In-house Security Operations Center (SOC)

Advantages:

  • Full control over infrastructure and processes
  • In-depth knowledge of in-house OT/SCADA systems
  • No dependence on third parties for operation

Disadvantages:

  • High initial investment: SIEM, EDR, SOAR platforms can cost between USD 200,000 and 500,000
  • Talent shortage: difficult to recruit and retain specialized OT analysts
  • Implementation time: 12-18 months for effective operation
  • Limited coverage: difficult to maintain 24/7/365 operation with internal resources

5.2 Option 2: SOC-as-a-Service

Advantages:

  • Rapid implementation: operational in 30-60 days
  • Predictable cost: monthly subscription model
  • Access to expertise: specialized and up-to-date threat analysts
  • Complete coverage: 24/7/365 monitoring guaranteed
  • Up-to-date technology: access to latest tools without additional investment

Disadvantages:

  • Vendor dependency for critical operation
  • Need to select vendor with OT/SCADA expertise
  • Long-term recurring cost

5.3 Option 3: Hybrid Model

Many organizations are opting for a hybrid model that combines:

  • Small internal team for business knowledge and coordination
  • External SOC for 24/7 monitoring, threat analysis and initial response
  • Specialized consultants for risk analysis, audits and penetration testing

This model allows for efficient compliance with the 1960 Agreement while progressively building internal capabilities.

6. Recommendations for Successful Implementation

Based on international best practices and the Colombian context, the following actions are recommended:

6.1 Start with a Rigorous Diagnosis

Do not assume the current level of cybersecurity. Conduct a professional diagnostic that evaluates:

  • Current compliance status vs. the 58 controls in the 1960 Agreement.
  • Existing cybersecurity process maturity
  • Available technical and staffing capabilities
  • Investment gap required

6.2 Prioritize by Actual Risk

The risk-based approach of the 1960 Agreement allows for prioritization. Focus first on:

  • Highest criticality assets: systems that, if they fail, impact SIN operation.
  • Closest time-bound controls: meet 6-12 month requirements first
  • Highest risk gaps: critical vulnerabilities identified in diagnosis

6.3 Invest in Staff Training

Human error remains the leading cause of security breaches. It is critical to:

  • Implement continuous awareness program for all staff.
  • Train technical teams in OT/SCADA security
  • Train leaders in security incident management
  • Certify the cybersecurity manager in relevant standards (CISSP, CISM, IEC 62443).

6.4 Establish Clear Governance

Cybersecurity is not just a technical issue. It requires:

  • Executive sponsorship: senior management must prioritize and approve resources.
  • Clear accountabilities: define who does what and with what authority
  • Documented policies: formalize procedures and formally approve them
  • Periodic reporting: inform the board of directors on cybersecurity status

6.5 Document Everything

The 1960 Agreement requires documentary evidence of compliance. From inception:

  • Keep records of all cybersecurity activities.
  • Document risk analysis decisions and compensating controls.
  • File evidence of audits, evaluations and tests.
  • Prepare periodic reports for the CNO

6.6 Consider Strategic Alliances

Given the scope of the 1960 Agreement, evaluate alliances with:

  • Specialized SOC providers that understand the operation of the electricity sector.
  • OT cybersecurity consultants with expertise in NERC CIP and IEC 62443
  • Other SIN operators to share best practices and lessons learned
  • Sector guilds and associations to keep up to date

7. Conclusion: A Challenge Transformed into an Opportunity

The CNO 1960 Agreement represents a fundamental change in how the Colombian electricity sector approaches cybersecurity. Far from being a regulatory burden, it should be understood as an opportunity to:

  • Modernize the technological infrastructure with international standards.
  • Reduce operational risk in the face of increasingly sophisticated threats.
  • Strengthen the resilience of the SIN, guaranteeing the national electricity supply.
  • Position itself competitively with world-class cybersecurity capabilities.

The Air-e case demonstrated that no organization is immune to cyber-attacks, no matter what tools it has in place. What makes the difference is:

  • A comprehensive approach that combines technology, processes and people.
  • Rapid detection and response capabilities
  • Dedicated continuous monitoring in OT/SCADA environments
  • Proven resilience and recovery plans

The timeline for meeting the 1960 Agreement may seem challenging, but with structured planning and the right partnerships, it is entirely achievable. Organizations that proactively address this challenge will not only be compliant, but will build a sustainable competitive advantage in an increasingly digital environment.

Cybersecurity is no longer optional for the Colombian electricity sector. It is the foundation on which the energy reliability of the future will be built.

InterNexa, part of the ISA Group, offers SOC-as-a-Service specialized in critical infrastructure, with more than 25 years of experience in the Colombian energy sector. For inquiries about cybersecurity solutions aligned to the 1960 Agreement, you can contact us through our website.





Jhon Jairo Mira Duque


Passionate about how data is captured and the stories it tells that drive business outcomes. I work as Market Manager at InterNexa Colombia, where I leverage strong relationships with clients, manufacturers, and industry suppliers, combined with sharp negotiation skills to deliver on business objectives.