SECURITY
Regulatory Compliance & Governance
- PEA is classified as a Critical National Infrastructure (CNI) entity under Thailand’s Electronic Transactions Commission
- Adheres to:
  - Cybersecurity Act B.E. 2562 (2019)
  - Notification on Information Security Standards (2012)
  - Code of Practice for CII Organizations (2021)
- Established key internal governance documents:
  - Information Security Regulation (2017)
  - Information Security Policy (2018, revised 2019)
  - Asset Usage Guidelines (2020)
  - Technical and procedural guidelines under the ISMS framework
- Developed an Information Security Management System (ISMS) aligned with ISO/IEC 27001, covering critical infrastructure, notably data center systems
- Key components include:
  - Risk assessment methodology
  - Defined stakeholder responsibilities
  - Integration of organizational context in planning
- ISMS scope expanded (2021–2022) to:
  - HQ and 12 regional offices
  - ERP Phase 2 (Bill Printing and Payment Management – BPM)


Cybersecurity Tools & Operational Readiness
- Deployed monitoring and threat response technologies:
  - Log Collection System (traffic data storage)
  - Security Information and Event Management (SIEM)
  - IT Service Management (ITSM) controls
- Established a 24/7 Security Operations Center (SOC) covering both IT and OT domains, equipped with real-time alert capabilities
Capacity Building & Awareness Programs
- Developed cybersecurity training aligned with global standards:
  - LMS-based awareness training for all employees across 12 regions
  - SDLC training for system developers
  - NIST-based training for technical task forces (SCADA, AMR, GIS)
  - ISMS Task Force Training
  - Onboarding module on Information System Security (e-learning)
- Awareness initiatives via:
  - Infographics, 2D animations, screen-lock prompts
  - Internal communication channels (e.g., @PEAFriends, PEA newsletters)
2022 Training Outcomes
- Participation: 25,042 out of 28,112 employees (89.08%)
- Passed assessments: 24,248 employees (96.83% of participants)
- No significant incidents in 2022; SOC enabled early threat detection
- Phishing simulation (Cyber Drill) tested staff responsiveness via email scenarios
- ERP and BCP drills conducted using tabletop exercises with SCADA collaboration


Performance Monitoring & Certification
- Achieved ISO/IEC 27001:2013 certification for critical systems (HQ, 12 regions, BPM)
- Planned certification expansion to:
  - ERP (Back Office)
  - IS-U (Front Office Utilities System)
  - Outage Management System (OMS)
- Integrated Key Performance Indicators (KPIs) into ISMS
- Underwent annual internal audits (IA) and external audits by an accredited certification body (CB)
- Participated in National Cybersecurity Capacity Building Program (Phase 1)
- Collaborated on the National Incident Response Plan with other CII organizations
Preventive Measures & Continuous Improvement
- Implemented:
  - Threat detection tools and software patching protocols
  - Enhanced incident response procedures
  - Transition from reactive to proactive SOC operations
  - Reinforced policy compliance through awareness training
