In a context in which managing continually growing cyber risks has become a global priority, cyber security is for Enel an essential element of its digital strategy.
The Company, like other key players in the electricity sector, uses digitalized systems to manage its own generation plants, distribution network and relationship with customers; business-critical systems, smart grids and smart meters are increasingly digitalized and integrated into the hi-tech panorama. In addition, the use of the Internet of Things is spreading, leading to a growing dissemination of devices in smart and interconnected environments and systems. Traditional IT is evolving towards mobile computing and cloud computing.
The cyber security strategy is aligned with that of the Enel Group and is based on a precise assessment of the possible risks and on the definition of the related cyber security initiatives at the global level. It is defined through an iterative process which envisages the involvement of the various business areas, gradually consolidating aspects such as the forecast scenario for IT security and the objectives and strategic initiatives for security. The cyber security strategy is approved by top management and then broken down into operating plans for the implementation of the planned initiatives. The activities are implemented with a security by design approach, which addresses security aspects right from the first stages of the design of applications, systems and processes.
Cyber security in figures
Spending on cyber security during 2016 was over 10 million euro.
Dedicated people: 66 people (51 men and 15 women) in December 2016 (58 in 2015).
In 2016 the Enel Group’s protection systems each day blocked around:
- 600 thousand incoming emails containing malware or spam;
- 800 viruses;
- 700 thousand incoming malware connection attempts.
During 2016, on average 150 cyber security incidents of varying degrees of severity were handled every day; over 400 suspect domains which use the Group’s brand illegally were identified and notified, as were around 80 hostile actions by hackers. In addition, 300 systematic checks (“Ethical Hacking”) of the protection level achieved by IT systems and applications were undertaken.
In January 2016, the assessment of the Group’s cyber security was completed. The assessment, which was conducted in conformity with key international standards (NIST, NERC, etc.), covered IT systems, industrial control systems, the organization, processes and the practices adopted. On the basis of the results of this work, the necessary organizational and design actions were identified.
The new organizational model
In September 2016, the Enel Group redefined its organizational structure for the management of cyber security. A specific Cyber Security unit was created, reporting directly to the Chief Information Officer (CIO), whose head holds the role of Chief Information Security Officer (CISO) of the Enel Group. This has also made the decision-making chain more streamlined and flexible, in a context in which the speed of response to events is essential. The unit is structured to manage the governance and assurance of cyber security; the definition and supervision of IT security architectures and systems in a range of contexts (Information Technology, Industrial Control Systems and emerging technologies, Internet of Things, etc.); solutions and services for the prevention of, protection against and response to any IT attacks; and the definition and supervision of identity management and access control systems. The new organizational structure envisages the involvement of the Business Lines in the activities connected to cyber security through the figures of the Risk Managers and Response Managers.
Main actions and projects
In 2016 Enel started the project to define the new Cyber Security Framework, which describes the processes for the management of cyber security in the Enel Group in line with Risk Based and Security by Design approaches.
2016 was also characterized by the launch of new and important projects for IT security:
- the introduction of the new Identity Access Management system (CompAC), which enables access security policies to be enforced by verifying that each role assignment is compatible with the rules dictated by the principle of segregation of duties;
- the creation of Enel’s Cyber Emergency Readiness Team (CERT), which is based in Italy and with contact points in the main countries where Enel is present with its assets and infrastructure. During 2017 the project will lead to the official accreditation of the CERT in the various Group countries. The existence of the CERT allows supervision and monitoring of cyber security events on IT systems and on industrial control systems and allows centralized coordination of the management of cyber security incidents, as well as guaranteeing constant updating on the risks for IT security and close collaboration with national and international organizations which deal with cyber security and with other CERTs;
- the development and installation of a new generation of probes (Advanced Deep Packet Inspection Probes) aimed at improving the capacity to record cyber security events;
- the protection of web applications (Web Application Protection through Advanced Cyber Security Solutions), through advanced services which allow the protection of information exchanged with visitors to websites, improving performance in terms of response time and mitigating the effects of any attacks aimed at interrupting the service (DDoS attacks).
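As an added illustration of the kind of check the Identity Access Management item above describes (this is example code, not Enel's CompAC implementation, and says nothing about how CompAC works internally): before a role is granted, the entitlements the user would then hold together are compared against a list of conflicting pairs, and the assignment is refused if it would introduce a segregation-of-duties conflict. The role names, entitlements and conflict rules below are constructed for the example.

```python
"""Segregation-of-duties (SoD) compatibility check for role assignments.

Example code added to illustrate the check described in the text; not the
CompAC system's code. All roles, entitlements and rules are constructed.
"""

# Constructed example: each role grants a set of fine-grained entitlements.
ROLE_ENTITLEMENTS = {
    "vendor_admin": {"vendor.create", "vendor.edit"},
    "payment_clerk": {"payment.create"},
    "payment_approver": {"payment.approve"},
    "scada_change_requester": {"scada.config.change"},
    "scada_change_approver": {"scada.change.approve"},
    "helpdesk": {"user.reset_password"},
}

# Constructed SoD rules: pairs of entitlements one person must never hold together,
# each mapped to a short description used in the decision returned to the caller.
SOD_RULES = {
    frozenset({"vendor.create", "payment.approve"}): "create vendor and approve payments",
    frozenset({"payment.create", "payment.approve"}): "create and approve the same payment",
    frozenset({"scada.config.change", "scada.change.approve"}): "request and approve ICS changes",
}


def entitlements_for(roles):
    """Union of the entitlements granted by the given roles; unknown roles are rejected."""
    unknown = sorted(set(roles) - ROLE_ENTITLEMENTS.keys())
    if unknown:
        raise ValueError(f"unknown role(s): {unknown}")
    granted = set()
    for role in roles:
        granted |= ROLE_ENTITLEMENTS[role]
    return granted


def sod_violations(entitlements):
    """Sorted descriptions of every SoD rule the entitlement set violates."""
    return sorted(desc for pair, desc in SOD_RULES.items() if pair <= entitlements)


def can_assign(current_roles, new_role):
    """Decide whether adding new_role to a user's current roles stays SoD-compatible.

    Returns (allowed, new_conflicts). new_conflicts lists only the rules the
    proposed assignment would newly violate, so a pre-existing conflict does
    not block unrelated roles; audit_assignments() reports those separately.
    """
    before = set(sod_violations(entitlements_for(current_roles)))
    after = sod_violations(entitlements_for(list(current_roles) + [new_role]))
    new_conflicts = [v for v in after if v not in before]
    return (not new_conflicts, new_conflicts)


def audit_assignments(assignments):
    """Review existing user -> roles assignments; returns only users with violations."""
    report = {}
    for user, roles in assignments.items():
        violations = sod_violations(entitlements_for(roles))
        if violations:
            report[user] = violations
    return report


if __name__ == "__main__":
    # Constructed sample assignments for a stand-alone run.
    current = {
        "alice": ["vendor_admin", "payment_approver"],   # already in conflict
        "bob": ["payment_clerk"],
        "carol": ["scada_change_requester", "helpdesk"],
    }
    print("audit:", audit_assignments(current))
    for user, role in [("bob", "payment_approver"), ("carol", "scada_change_approver"), ("bob", "helpdesk")]:
        allowed, why = can_assign(current[user], role)
        print(f"{user} + {role}: {'allowed' if allowed else 'refused'} {why}")
```

Two design points carry over to a real deployment: the rules are expressed on entitlements rather than role names, so renaming or re-bundling roles cannot silently bypass a rule, and the pre-assignment check is paired with a periodic audit of existing assignments, because role changes made outside the workflow are exactly the ones the check never saw.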
Information and awareness-raising
During the year the ICT Security Awareness program continued, a permanent and continuous initiative at Group level which aims to create and constantly promote a cyber security culture, thus improving behavior in response to IT threats and attacks which seek to exploit the habits and expectations of users. The program envisages both campaigns on general themes and specific initiatives linked to specific risks.
The global Cyber Risks campaign (November 2015-December 2016) involved all the people who work in Enel and was divided into four themed modules: risks deriving from the ease of connection, security of data and information, use of secure technologies also outside of the workplace, and security in the use of mobile devices.
In 2016 the active participation in standardization groups continued, in particular in the International Electrotechnical Commission TC57/WG15 “Data and Communication Security” on the theme of the security by design approach to cyber security.
In addition, the support of the National Observatory on Cyber Security, Resiliency and Business Continuity of Electrical Systems continued, a group of experts (of which Enel is a founding member) which represents a reference point for research initiatives in the field of critical electricity infrastructure.
In September 2016 Enel organized an international Hackathon, called Hackathon Cyber Security; a contest between the proposals of seven emerging companies to combat IT attacks in four areas: industrial control systems (Supervisory Control And Data Acquisition - SCADA), Internet of Things (IoT), data protection, and protection of mobile devices. The winning company of the Hackathon was involved in field testing of the proposed solution.
Collaboration was started with companies producing innovative IT security solutions, thus making it possible to influence their development with the goal of maximizing the benefit that can be obtained from their use in the Group’s industrial context.
Finally, Enel supported the Cyber Security for infrastructure of the Energy & Transport (CSET 2016) observatory which was held in Genoa in June 2016.
| Objective | Target |
| --- | --- |
| Investments in digitalization (assets, customers, people) | 4.7 billion euro in the 2017-2019 period – digitalizing assets, operations and Group processes and enhancing connectivity |
| Coverage of web applications exposed to the Internet with advanced cyber security application solutions | 100% of web applications protected through advanced cyber security solutions by 2019 |
| Establishment of Enel CERT* and accreditation with national CERTs | Accreditation in 8** countries by 2018 |
| Dissemination of the culture of IT security and change in people’s conduct in order to reduce risks | 15 cyber security knowledge sharing events provided in the year |
| Activities to reduce CO2 emissions | -17.2 million pages printed in the 2015-2019 period; development of Telepresence and video communication systems; launch of actions to reduce hours of non-use of PCs, laptops, and monitors in Italy |
* Computer Emergency Readiness Team.
** Italy, Spain, Romania, Argentina, Brazil, Peru, Colombia, Chile.