Technological development is an increasingly everyday factor; besides bringing with it numerous advantages, it also exposes companies to the risk of cyber attacks. In the so-called critical national infrastructure (CNI), electricity plays a central role, since it is necessary to power everything else. For this reason cyber security protects at the same time both the corporate know-how and the security of citizens, guaranteeing the continuity of the national electricity service. In the past the implementation of security measures entailed the slowdown of business processes. Today, however, cyber security is an enabling factor for the digitalization of networks and the development of innovative services for citizens.
The Enel cyber security context is multidisciplinary, interconnected with characteristics linked to geographical distribution, to the value chain, to the presence of corporate and industrial systems and to external factors.
Every day Enel blocks:
- around 300 thousand spam emails;
- over 1,000 viruses;
- 300 thousand attacks on pages of websites and systems.
The Enel Group is organized in such a way as to guarantee the correct identification of roles and the assignment of responsibilities for the security of information, as well as the establishment of organizational processes that can guarantee the standard application of security policies. Some of the main processes regard risk analysis and business intelligence, in order to monitor the threats to the development of the Enel Group’s activities, the handling of fraud, the classification and protection of processed information, the control over access to ICT systems as well as the security of ICT networks, infrastructure and ICT applications and the security of personal IT devices.
In order to intercept threats before they show up on systems, it is necessary to have available cyber intelligence processes adopted from the concepts and methods of traditional intelligence. Enel is aware that the means of attack are becoming increasingly sophisticated and that they are developing very quickly, so it operates on three fronts: preventing, recording and combating. The use of a correlation engine (SIEM, Security Information and Event Management engine), which analyzes and cross-checks over 600 thousand IT events every minute, is the cornerstone of the entire cyber security infrastructure in Enel.
The Enel Group was among the first utilities to have available security measures for its own assets and for some years has been promoting the development of the issue nationally and internationally.
In 2015 it took part in a workshop, created in collaboration with the Italian Prime Minister’s Office and La Sapienza University in Rome, with the aim of creating in Italy a reference standard for the protection of IT systems, looking at the experience of other countries. It also took active part in national and international workshops, including those of the International Electrotechnical Commission responsible for defining security standards for electric infrastructure (IEC TC57/WG15) and of the National Observatory for the Cyber Security, Resilience and Business Continuity of Electric Systems.
Enel takes part in the EE-ISAC consortium
In February 2016 Enel signed up as a Founding Member to the EE-ISAC (European Energy Information Sharing and Analysis Center) industrial consortium. It is a European initiative which aims to provide prevention and support tools in regard to risks arising from terrorism and security threats, in particular cyber threats that are made against energy infrastructure. The aim is to create a community of partners who share cases of IT attacks and develop together best operating practices.
In addition, in 2015 Enel launched a project to define a new Framework for the Management of Cyber Security. In particular the 3 main areas were:
- Cyber Security Assessment: execution of an Assessment in order to identify the current level of development of processes, the organization and the IT and operational technologies of the Group;
- definition of a Framework for the Management of Cyber Security, to develop a proactive approach of security by design. The new Framework is applicable to all technological systems (IT and OT) and to all geographical areas;
- Gap Analysis and Remediation Plan: on the basis of the results of the above activities, the main areas for improvement were identified as well as the related actions to be taken, some short-term and others medium/long-term.
This activity enabled full coverage of the areas envisaged by the Cyber Security Framework of the NIST (National Institute of Standards and Technology). These are guidelines urged by the US Presidency and which are a reference point for companies in the private sector at global level.
2015 saw the publication of: 4 Security Policies(5), 6 Security Standards and Guidelines(6) and the preparation of 5 market research and analysis documents to identify new technologies and solutions for cyber security, including “Web application protection - WAF and anti-DoS services” for the protection of cloud and on-premise services.
Enel uses sophisticated techniques to identify if there are vulnerabilities in the applications which may be used to put the corporate infrastructure or data at risk (ethical hacking and penetration testing) in order to test the robustness of its applications, in particular if they contain the personal data of customers or suppliers. The vulnerabilities identified are analyzed and eliminated through setting up appropriate remediation plans.
In 2015 there were 87 ethical hacks (in 2014 there were 45). This rising trend will continue in coming years given a more systematic analysis of the IT applications before they move into production and an extension to the industrial world (OT).
In addition, Enel uses specific techniques (“Digital Surveillance”) to “observe” what is happening online and to adopt a form of proactive security by acting on potential risks as they arise.
During the year over 250 suspect internet domains were identified, as well as over 100 illegal actions by cybernet activists (for example, Anonymous) including the illegal use of the Group’s brands.
Finally, Enel has equipped itself with a dashboard where the monthly trends in security measures are kept under observation and organized from different viewpoints: main risks, strategy, Sustainability, suppliers, NIST framework.
Awareness-raising and training
Attention, vigilance and awareness are the concepts underpinning the “Cyber Risks” campaign launched in 2015 and directed at all Enel’s employees. The awareness-raising campaign aims to create awareness of what the risks are and to provide basic notions to safeguard data, both in the company and outside.
In particular, the objectives of the campaign are: to create a cyber security culture, to change the conduct of colleagues in order to reduce risks, to develop technical skills in security, and to prevent the increase in attacks and threats.
On the Global ICT website there is a specific section dedicated to this issue in order to always have all the material relating to cyber security at hand.
(5) Policy no. 103 “Bring Your Own Device (BYOD) policy”, Policy no. 111 “Management of Logical Access to ICT Systems”, Policy no. 33 “Information Classification and Protection”, Policy no. 24 “Incident and Crisis Management”.
(6) Anti-Malware Software Standard on ICS/SCADA Windows platforms, CLOUD Security – IAAS, Tibco Platform: Security Guidelines, Security in Developing Mobile Apps, SAP Security Standard – v.2, Security for Workstations and Mobile Devices - Technical Report.