Lack of Cybersecurity Laws Puts Mexico’s Energy Sector at Risk

Mexico’s energy sector faces significant cybersecurity challenges due to the absence of a unified legislation and clear regulatory guidelines. The lack of legal certainty, combined with the elimination of regulatory bodies such as the National Hydrocarbons Commission (CNH) and the Energy Regulatory Commission (CRE), has made it increasingly difficult to protect critical infrastructure from cyber threats, said industry experts during the II Cybersecurity Congress of Critical Infrastructures and Essential Services of Mexico (CIBER2CMX). 

Enrique Poceros, Chief Technology Officer, Roue, emphasized the urgency of updating Mexico’s National Cybersecurity Strategy, which was published in 2017 but it is currently outdated. During his participation at the round table, Cybersecurity in Construction: Legislative Diagnosis in Mexico and Latin America, Poceros pointed out that while various regulations exist for industries that produce energy, water, gas, and oil, there is no unified framework to standardize incident response and operational security. This regulatory fragmentation complicates decision-making in the event of cyber incidents affecting essential industrial systems.

Poceros explained the need for a sector-specific approach to cybersecurity regulation, especially for energy, hydrocarbons, and manufacturing. While it may not be feasible to create a separate law for each sector, cybersecurity regulations should identify and prioritize critical infrastructure within existing regulatory frameworks, emphasized Poceros. These measures would help to ensure a coordinated response to cyber threats and facilitate the enforcement of security breaches. 

During his participation, Poceros highlighted examples from other Latin American countries, such as Chile’s Framework Law and Colombia’s Decree 338, which establish cybersecurity guidelines aimed at  specific sectors. These regulatory frameworks provide clear security requirements and response strategies to protect essential services, including electricity, gas pipelines, and refineries.

Luis Espejel, Senior Manager of OT Cybersecurity, Sempra Infrastructure, echoed Poceros’ concerns, stressing that regulation alone is not enough. He underscored the importance of cultural change in how cybersecurity laws are implemented, noting that in Mexico, existing regulations often lack enforcement mechanisms that hold entities accountable. According to Espejel, regulations serve as fundamental guidelines, but their effectiveness depends on proper enforcement and adherence by all industry stakeholders.

Beyond legislation, Poceros called for greater regional and international collaboration to address cyber threats, emphasizing the need for immediate reporting and coordinated responses to incidents. He also underscored the role of education in raising awareness among government officials and industry leaders about the risks associated with cyber-physical and technological systems.

As cyber threats continue to evolve, the protection of Mexico’s critical infrastructure remains a pressing issue. Experts agree that without updated regulations, clearer responsibilities for both public and private entities, and a cultural shift in cybersecurity practices, the country’s industrial sectors will remain vulnerable to digital threats that could disrupt essential services.

Mexico’s Latent Cyber Risk

Recently, MBN reported that Mexico is one of the most vulnerable countries to cyber threats and attacks. According to recent estimates by ConsejoSI, damages from cyberattacks could increase fiftyfold in the coming year, pressing the urgent need for proactive and effective cybersecurity measures.

Nevertheless, Mexico has a significant opportunity to enhance its standards and align with international best practices, since it is projected that global cybersecurity spending is projected to surpass US$1 trillion by 2025. Investing in skilled professionals and advanced prevention technologies is essential to mitigate the financial and operational impact of potentially devastating cyberattacks, reported MBN.