With the rise of the Internet, Taipower has also caught up with this trend. To guard against potential network security threats, Taipower has implemented firewalls, proxy servers, DMZs (Demilitarized Zones), IDS, IPS (Intrusion Prevention System), antivirus software, and a WAF (Web Application Firewall).
Taipower’s application security is improved by using not only white-box testing in the software development process but also black-box testing before applications go live. In addition to Defense-in-Breadth, Taipower also uses Defense-in-Depth as part of the company’s security architecture to keep the network safer.
With the rapid development and popularization of information and communication technology and the Internet, cybersecurity has become a critical issue related to public safety and national security. Therefore, the Government promulgated the “Information Security Management Essentials of the Executive Yuan and its Organs” on September 15, 1999, and the “Management specification of Information Security of the Executive Yuan and its Organs” on November 16, 1999. These marked the starting point from which the government led its organizations to establish a general awareness of security and to carry out security protection mechanisms together.
On November 14, 2001, Taipower issued the “Information and Communication Security Promotes System” and the “Directions for Operations of Information and Communication Security” as the regulations to follow when developing and applying information technology. Furthermore, Taipower established a task force that implements information and communication security plans and assists major departments in obtaining the ISO 27001/BS7799 security certification. Moreover, all departments have established corresponding task forces. Since 2004, related departments have obtained the security certification, and they remain devoted to keeping the certification valid.
In order to strengthen the security and resilience of critical infrastructure, U.S. President Obama issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity, in 2013. After that, the generally accepted term “Information and Communication Security” was replaced with “Cybersecurity”.
Many years ago, Taipower set up the SOC to effectively prevent hackers’ attacks and intrusions. The G-ISAC (Government Information Sharing and Analysis Center) was officially launched in November 2009.
Starting from information exchange on the G-ISAC platform, early warnings and solutions for cybersecurity are developed. The N-ISAC (National Information Sharing and Analysis Center) has officially operated since January 2018 to effectively manage and deliver interdisciplinary security information and to achieve the goal of horizontal collaboration on the joint defense of cybersecurity. Taipower is a member of both.
Cybersecurity covers a wide range of topics, including IT and OT. OT concerns the power generation, transmission, and distribution facilities, which are kept operating normally by automation and computerization. Because Taipower is an essential part of National Critical Infrastructure, the principle of physical isolation between IT and OT operations must be strictly followed in order to guarantee a stable electricity supply.
Taipower’s cybersecurity activities include establishing and maintaining appropriate protection facilities, scheduled disaster recovery and incident response drills, and regular audits. With the development of information and communication technology and changes in Taiwan’s regulatory requirements, such as applications of the smart grid and smart meters, the promulgation of the “Personal Information Protection Act” on December 30, 2015, and the promulgation of the “Cybersecurity Management Act” on December 21, 2011, the relevant cybersecurity practices are adjusted accordingly.
Recently, the Ministry of Economic Affairs issued the “Regulations of Cybersecurity Management of specific non-public organizations under the Ministry of Economic Affairs”. Under these regulations, the participants in National Critical Infrastructure are required to submit a “Cybersecurity Maintenance Plan” every year and its execution results in the following year. Taipower’s “Cybersecurity Maintenance Plan” is being drawn up right now. The Ministry of Economic Affairs plans to select providers of National Critical Infrastructure for yearly on-site audits, which examine the execution results of each provider’s “Cybersecurity Maintenance Plan”.
On February 10, 2020, Taipower issued the “Cyber Security Maintenance Plan” after several cross-section discussions and meetings. Its content not only estimates in detail the risk to the company’s core business but also plans the cyber security event reporting mechanism and how to manage the performance of its execution process. For cyber security in the OT area, Taipower will follow the regulations issued by the Ministry of Economic Affairs, which will become the baseline for the ICT system cyber security rules at Taipower. In accordance with these rules, Taipower continues to focus on the cyber security defense of power line system infrastructure and smart grid development.
It is estimated that in 2020 the local smart grid distribution centers maintained by the power supply department and the new power generator equipment in power plants will have their cyber security level raised as their role becomes more important. Taipower plans to fulfill the cyber security regulatory requirements that follow, for example by applying an ISMS within 2 years after the cyber security level is assigned and acquiring ISO 27001 validation within 3 years. So far, the power substation department (Taichung) and the department of telecommunications passed ISO 27001 validation in 2019.
All of Taipower’s protection practices aim to make sure that the information and communication facilities can operate safely and that personal privacy is better protected. The most important thing is that the customers are satisfied with the services of Taipower and give positive feedback.