Changes in technology and in the energy scenario, increasingly characterized by numerous small, interconnected and geographically distributed renewable plants with data stored in the cloud, represent opportunities for system improvement while at the same time entailing new risks. Cyber attacks have changed dramatically in recent years: their number has grown exponentially, as have their degree of sophistication and their impact, and it is increasingly difficult to identify their source in a timely manner. The multiplicity and complexity of the environments in which Enel operates (data, industry and people) and of the technological components (for example, business-critical systems such as SCADA [Supervisory Control and Data Acquisition], smart grids and electronic meters) that are increasingly integrated into the Group’s digital life have made it necessary to define a structured cyber security system. Hence a new cyber defense model has been adopted, based on a system vision that integrates IT (Information Technology, from the cloud to the data center and the cellular phone), OT (Operational Technology, everything related to the industrial sector, such as the remote control of plants) and the IoT (Internet of Things, the extension of communication and intelligence to the world of objects).
Every day Enel identifies and blocks many incoming emails (malicious or categorized as spam), viruses and attempted risky connections.
Reference regulatory framework
New laws and regulations direct companies towards adopting effective cyber security policies. The following are the main relevant documents:
- European Regulation no. 2016/679, known as the GDPR (General Data Protection Regulation), on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, also in response to the challenges posed by technological developments and new models of economic growth. The GDPR stems from precise requirements of legal certainty, harmonization and greater simplicity of the rules on the transfer of personal data. Since May 25, 2018, it has been directly applicable in all EU Member States;
- NIS (1) Directive 2016 2009/140/EC on the security of network and information systems. It is the first unequivocal set of rules on IT security at the EU level and is based on three key elements:
  - improve the cyber security capabilities of the individual member states;
  - increase the level of cooperation between member states;
  - establish the obligation for operators of essential services and digital service providers to manage risk and to report incidents of a certain scale;
- NERC CIP v5, standards for critical infrastructure protection prepared by the North American Electric Reliability Corporation.
There are also local regulations and standards in the various countries where Enel operates, such as Ley 8, 2011 in Spain and Acuerdo 788 in Colombia.
(1) NIS - Network and Information Security.
The new organizational and operational model
Since September 2016 there has been a dedicated Cyber Security unit that reports directly to the Chief Information Officer (CIO); its manager holds the role of Group Chief Information Security Officer (CISO).
During 2017, the organizational structure was further bolstered by the appointment of Cyber Security Risk and Response Managers, who guarantee the involvement of the Business Lines in activities related to IT security. This is a defining feature of the Enel model: it allows each individual Division to take part daily in the key processes of risk assessment, of defining the response criteria in case of attack, and of setting the priority of the actions to be taken. 2017 was also the year of the publication of the Cyber Security Framework, which allows IT security activities to be addressed and managed with a risk-based approach and according to the “secure by design” principle. The framework provides for the involvement of the business areas, the implementation of regulatory and legal standards, the use of the best available technologies, and increasing people’s awareness.
Definition of the cyber security strategy and risk management
In line with the provisions of the framework, the cyber security strategy is defined on the basis of the identification of the possible risks and through a shared iterative process carried out in synergy with the business areas, whereby aspects such as the Group’s expected IT scenario, the related objectives and the resulting initiatives are progressively refined. The strategy is approved by the Group Senior Management and subsequently expressed through specific implementation plans. The new Cyber Risk Management method was prepared and reinforced over the course of 2017. It applies both to IT and to the industrial environment (OT), including the IoT.
Protection of systems and networks
Security analysis activities were carried out in accordance with the plan defined by the Audit Function, in order to maximize the level of system coverage. In 2017, more than 350 penetration tests (“Ethical Hacking”) were carried out to evaluate the level of protection achieved by IT and industrial systems and applications.
Based on an agreement with a startup, a pilot project was also launched to install probes to monitor security in the industrial sector. The first probes were installed in Italy and the others will be progressively installed in South America and Spain over the course of 2018.
Finally, the activities to improve the protection of the Enel Group’s websites continued, using advanced technologies to secure visitor information, to protect sites against application-level hacking, to make sites faster and to mitigate attacks. At the end of 2017, 280 Enel websites were protected, and the Strategic Plan provides for coverage of all the relevant sites.
Cyber Emergency Readiness Team (CERT)
Given the continuous growth of cyber risks, in terms of both numbers and criticality, it has become increasingly important to prevent and deal with cyber security incidents in a coordinated manner, by sharing information and data on threats and vulnerabilities as soon as possible. For this purpose, Enel has equipped itself with a Cyber Emergency Readiness Team (CERT), which makes it possible to:
- prevent, detect and respond to cyber security incidents;
- collect and manage privileged information regarding threats, actors and attack vectors;
- ensure exchanges of information and collaboration in a secure environment and between identified actors.
The CERT is already active in the international cyber security community, whose members recognize one another under official agreements. In 2017, memoranda of understanding were signed with 6 national CERTs (2) (Romania, Italy, Chile, Argentina, Peru, Colombia). In Italy, Romania and Argentina, the formal accreditation process has already been completed.
(2) At the international level this acronym stands for “Computer Emergency Response Team”.
Training and awareness
IT security training and information programs have become one of the Group’s permanent initiatives. It is important to build culture, awareness and skills in order to minimize the risk of attacks that exploit the human factor.
2017 saw the launch of a global awareness campaign, “Hackers Love Data. Save It”, aimed at all the people working in the Company. It was provided in three languages (Italian, English and Spanish) and broadcast over multiple channels. At the same time, another training program was launched for specific professional groups working on OT and industrial control systems (ICS), in order to improve and refine the related skills.
In line with the Open Power approach, Enel promotes collaboration with private organizations, institutions, academies and universities in order to share best practices and operational models, develop potential channels for sharing information, and contribute to the creation of new standards, regulations and directives. In 2017, active participation in the standardization groups continued, for example in the context of the International Electrotechnical Commission TC57/WG15, “Data and Communication Security”, on the subject of the “secure by design” approach to IT security. The standard was issued in July 2017 after four years of joint work.
The National Observatory for the Cyber Security, Resilience and Business Continuity for Electrical Systems continued to provide its support. This group of experts (of which Enel is a founding member) is also a point of reference for research initiatives in the field of critical electrical infrastructures.
Close cooperation also continued with:
- academia, through the organization of lectures and meetings to identify talents interested in researching cyber security issues;
- international initiatives such as the Horizon 2020 Work Programme, and specialized working groups for drafting contributions in support of institutional bodies responsible for issuing standards and regulations.
The commitment to scouting startups and technological partnerships continued in collaboration with Holding Innovation and Sustainability and Global ICT Digital Transformation.
Two pilot projects based on Cisco technologies for industrial security and the IoT have been developed and are underway, as part of the Memorandum of Understanding with Cisco, which was established with the objectives of Co-Education, Co-Innovation and Threat Intelligence.
Finally, Enel’s cyber security experts participated in numerous major national and international conferences, in order to maintain an active role in the industry’s international community and to share Enel’s model of cyber security.