Digitization opens up new opportunities but brings with it various security challenges. The ability to cope with cyber attacks is particularly important in the electricity sector, where service continuity is of fundamental importance: a large-scale blackout could have an impact on individuals, businesses, institutions and essential services. Enel has adopted a systemic and holistic model that enables increased resilience and the ability to respond to possible attacks for all assets.
A dedicated cyber security unit was established in September 2016, reporting directly to the Chief Information Officer (CIO); its manager holds the role of Group Chief Information Security Officer (CISO). With support from the different Business Lines, the CISO is responsible for designing the cyber security strategy, directing and monitoring initiatives and coordinating the related investment activities for the entire Group. The Cyber Security Risk and Response Managers support the cyber security unit, guaranteeing the constant involvement of the Business Lines in the key risk assessment processes, defining response criteria in the event of an attack and the actions to be taken. The CISO and the Cyber Security Risk Managers have set up the “Cyber Risk Operating Committee”, in order to evaluate IT risks and minimize their threat within the Group. The “Cyber Security Risks Committee” was also set up in 2018, chaired by Enel’s Chief Executive Officer, with the aim of addressing and approving the IT security strategy, as well as periodically checking the progress of its implementation. The cyber security strategy and initiatives are also the subject of periodic reporting to the Group’s Control and Risks Committee.
Enel set up the “Cyber Security Framework” in 2017; it accurately directs principles, organization and operational processes for global analysis, prevention and management of cyber attacks.
The model is based on a systemic vision that integrates the traditional Information Technology (IT) sector with Operational Technology (OT), which is linked to the industrial world, and with the Internet of Things (IoT). In order to protect complex, multinational assets, the framework identifies a single risk management strategy. This requires decisions and activities to be based on business priorities (risk-based approach) and security measures to be an integral part of application processes and services, setting “upstream” and not “downstream” security standards (cyber security by design). The involvement of the Business Lines, the implementation of regulatory and legal guidelines, the use of the best available technologies and increasing people’s awareness of the subject are all key in the execution of these processes. In this context, the new Cyber Security Risk Management methodology was also set in 2017, applicable to all IT, OT and IoT environments; it outlines all the steps necessary to perform a risk analysis and define a related mitigation plan, in line with the pre-set IT security targets.
For this purpose, Enel has set up a Cyber Emergency Readiness Team (CERT), in order to:
prevent, detect and respond to cyber security incidents;
collect and manage privileged information regarding threats, actors and carriers;
ensure exchanges of information and collaborations in a secure environment and between identified actors.
The team is already active in the international cyber security community, in which the actors recognize each other in line with official agreements. In 2018, agreements came into effect with 8 national CERTs (Romania, Italy, Chile, Argentina, Peru, Colombia, Brazil and Spain). In November 2018, the new Enel CERT Global Control Room was inaugurated in Turin, in a protected and dedicated setting.
The Control Room adheres to the best global practices and enables the processing of confidential data in a physically and logically protected environment, with computer security procedures and controlled access, using the most advanced technologies.
The Enel CERT is also part of Trusted Introducer, which includes over 300 CERTs in more than 60 countries, and in September it joined FIRST (Forum of Incident Response and Security Teams), the largest and most wide-ranging community in the sector, with over 400 members in more than 80 countries.
Cyber security incident
The CERT collects more than 1 billion events from over 3,500 data sources every day, correlates them, generates about 30,000 event alerts and in the end creates about a hundred cyber incidents.
The incidents are classified according to a specific evaluation matrix (the Enel Cyber Impact Matrix), on a scale from 0 to 4, which takes into account their impact on company assets and the computer security tools in place. Most of the episodes identified do not have a significant impact on the Group’s systems and are generally blocked automatically or semi-automatically, or managed by the company defenses (level 0/1).
Those classified at level 2/3/4 have a potential impact on the Group and are managed by involving the interested parties.
During 2018, CERT responded to 39 computer security incidents with impact level “2” and 1 incident with impact level “3”. In all the detected cases, all the procedures were activated and no damage was caused to the company assets. There were no computer security incidents with impact level “4”.
If a cyber security incident posed a potential data breach, the necessary actions would be taken immediately in line with the Enel Group Policy on “Personal data management”. If, on the other hand, it produced a crisis situation that could affect business continuity, ownership, reputation and profitability of the Enel Group, the necessary actions would be taken immediately, in line with the policy on “Management of critical events”.
Each day in 2018, the CERT enabled Enel to block: more than 2.3 million incoming e-mails (malicious or spam); more than 300 viruses; more than 740,000 outgoing risk connections; more than 340 attacks on Group portals.
Enel detects over 1,000 Internet domains for the illegal use of the brand and over 100 hostile interventions each year using threat intelligence services.
In 2018, approximately 500 systematic verification activities (“Ethical Hacking”) were carried out on the protection level achieved by IT and industrial systems and applications.
In line with the Open Power approach, Enel promotes collaborations with private organizations, institutions, academies and universities to share best practices and operational models, develop potential channels for sharing information, and contribute to the creation of new standards, regulations and directives. Active participation in the standardization groups continued, specifically in the context of the International Electrotechnical Commission TC57/WG15, “Data and Communication Security”. During the annual World Economic Forum in Davos, Enel was presented as a Case Study of the “Cyber Resilience in the Electricity Ecosystem: Principles and Guidance for Boards” report, produced in collaboration with the Boston Consulting Group. The document aims to provide the Boards of Directors with a series of general principles for organizational cyber-governance and additional strategies that will enable increased IT resilience on a Group level. As part of the activities carried out by the National Observatory for Cyber Security, Resilience and Business Continuity of Electricity Networks, Enel actively contributed to the drafting of the document “Principles, Guidelines and Good Practices for Management of Cyber Security, Resilience and Business Continuity of Electric Operators”.
Finally, there have also been many collaborations with institutional partners, and participation in relevant national and international conferences, in order to maintain an active role in the industry’s international community to share Enel’s cyber security model.
Training and awareness
Enel periodically organizes training and information campaigns on IT security. 15 training and information events were held in 2018. The awareness campaign on cyber security for hackers, which was launched in 2017 and aimed at all Enel Group people, continued.
In December, the online course “Cyber Security by Design” was made available to all those involved in the development and management of IT applications.
Information on computer security issues is shared via the company intranet in a timely manner and all the relevant policies, organizational and technical documents are available.