Cyber Security in Enel
4th National Conference on Energy Cyber Security, Rome, 15 November 2017
Yuri Rassega
Head of Cyber Security - Group CISO Global ICT
62 Mln Customers
426 TWh energy distributed
2.1 Mln Km lines
44 Mln Smart Meters
Over 30 Countries
82.7 GW Installed Capacity
62000 human resources
15.2 bln € EBITDA
of which 37 GW from Renewables
#1 in Italy, Spain, Chile, Peru
#2 in Argentina, Colombia
Just to help you realize the actual magnitude of these figures: with 2.1 Mln Km of lines you could connect the Earth to the Moon 5 times!
Enel today (1)
[Figure: 2016 Group ordinary EBITDA of 15.2 €bn, ∼75% regulated / quasi-regulated, broken down by area (Italy, Iberia, Latin America, Europe, North & Central America) and by business (Networks, Renewables, Thermal generation, Retail), with a map of the countries of presence (2). Area values shown on the chart: 6.6 €bn (43%), 3.6 €bn (24%), 3.6 €bn (23%), 0.8 €bn (5%), 0.8 €bn (5%).]
1. As of 2016. Breakdown excludes -0.1 €bn from holding and services
2. Presence with operating assets
Digitalization Strategy
Key levers for navigating the digital future
Driving efficiency and best in class services
People
Asset
Cyber security
Platform
Cloud
Customer
2017-19 digitalization capex Key levers of digitalization
• Efficiency through full digitalization of back office processes and systems
• Enrich products and services
• Deepen customer relationship and information processing
• Enhance infrastructure performance
[Chart: 4.7 €bn of digitalization capex, with shares of 80%, 15% and 5%; legend: Customer, People, Asset]
The Utility is changing its role
The digitalization to capture opportunities along the value chain
Platform paradigm to support the orchestration of the new Utility Model
Back-office automation and data-driven decision making
Smart grid and smart pipes to improve network resiliency, safety and efficiency
Customer interactions governed by analysis of customer journeys
Field workforce with full mobile access and real-time expertise
Awareness to enable energy balancing
Data-driven asset strategies including predictive outages
Distributed energy sources enabled by big data-driven alignment of supply and demand
Distributed energy sources and marketplaces enabled by platform
Distributed generation
E-mobility
Smart-home Efficiency products
Public Lighting
Efficiency solutions
New Business enabled
IoT Solutions
Efficiency
Infrastructure Micro-Grids
Data
New Commercial Offers Partnerships Platform Systems Innovation Projects
20
NEW CUSTOMER JOURNEY
ATTRACT NEW CUSTOMERS
NEW PRODUCTS & SERVICES
50B objects by 2020
+40% y/y e-home growth (2)
1. Data refers to Italy; 2. Data refers to USA - Source: A.T. Kearney, Consumer barometer by Google, Digital, Social & Mobile 2015 by We Are Social
Customers
To serve our customers better and faster
e-Mobility
E-Home
B2B
RE-ENGAGE EXISTING CUSTOMERS
IoT/Big Data
IoT on materials, vehicles, warehouses, …
Automation of warehouse management
Grid sensors / Smart Grid Monitoring of grid Assets protection
IoT sensors, robots, drones, AR/VR
Risk based maintenance Prioritize maintenance
O&M
Logistics
Network
SAFETY ON WORK
PERFORMANCE OPTIMIZATION
O&M PREDICTIVE MAINTENANCE
NEW SERVICES
Benefits
Assets
Exploiting the benefits of IoT and Big Data technologies
Wearable, smart cameras, geo-location, geo-fencing
Emergency management Safety and security
People
Platforms
Creating value through collaboration
Cost efficiency thanks to internal global scale
Time-to-market thanks to configuration versus customization and self-provisioning logic
-
+
Innovation thanks to Open internal and external ecosystem
+ “An IT platform is an open, global and company-wide
standard environment, supporting and driving
current and new businesses:
Consumer Industrial
Energy Management System
Platform solutions are global and have been already defined
Commodity New Services Energy management services
Engagement Platform
Business logic
IoT Platform
Cloud
Salesforce
Communication
Devices
MPLS / MVNO / 4G / PLC /
AWS IoT
IoT IoT
Industry specific (EMS, , …)
New Business
HANA IS-U
HANA R/3
Smart meter
Digital is changing the role of ICT
Technology Business
…to ICT key business Driver
Digital Technologies driving
transformation and innovation
From ICT as key business Enabler…
Technology enabling business requirements
Adopting an Agile model to adapt to different Application domains…
• New business opportunities
• Enabling new services / microservices / tailored offering
• Standard or tailor-made applications
• Processing core transactions and master data
• New channels or competitive capabilities
• Enhancing Cx/Ux
Apps of record
Apps of engagement
Apps of innovation
Apps of insight
(ERP, Billing, Asset, …) (e-Home, e-mobility, EMS …)
(Sales, Workforce Mgmt, Service Portal, …)
(BI, cognitive …)
• Unlocking the business value of digital assets by opening to ecosystem 1
• Enabling sophisticated / predictive analyses and automatized decision making
Efficiency Differentiation Disruption
…different Multi-Modal approaches
Workforce
Approach
Outsource Insource
Apps of record
(ERP, Billing, Asset, …)
Apps of innovation
(Smart Home, E-mobility, …)
Apps of engagement
(Sales, Workforce Mgmt, Service Portal, …)
Apps of insight (Adv. analytics, BI, …)
Waterfall Agile
Value
Water-Agile-Fall
Cyber Security in a Global Energy Company
Cyber threats risk perception is increasing in insurance sector
• Cyber security is rising in the top 10 Global Business Risks on the Allianz Risk Barometer
• More than 53% of Cyber Attacks are conducted on Country Critical Infrastructure like Electricity, Water and Oil and Gas. 75% on Industrial companies
• Most of those infrastructures were designed for Resilience but never designed with Cyber Security in mind
For power plants and the energy sector, the medieval castle paradigm (the good guys in, the bad guys out) is no longer efficient
Electric systems completely interconnected and able to provide value-added services to customers and improve QoS/reliability of the electric system (balance of the grid, optimization of energy flow etc.)
Towards Smart Grid/City
The mutation of the Energy “paradigm” from a few big power plants and a grid with clear boundaries to distributed generation…
The change of paradigm
Security Incidents: most significant cases
[Timeline figure, 2010 to 2017; entries and callouts listed in the order they appear on the slide]
Stuxnet
First important attack targeted to Industrial Control System (SCADA), 38K infected machines (22K resided in Iran)
Worm
Data Breach
9$Mln of IDs compromised
Data Breach
1Bln of accounts compromised
Data Breach
Data Breach that affected over 40Mln credit cards
3$Mln stolen through spear phishing
APT
Cut off power to hundreds of thousands of homes for several hours in Ukraine
Trojan
Infected 900K end users routers for several hours
Botnet
10 Mln of compromised IoT devices
DDoS
Data Breach
83 Mln accounts compromised
Ransomware
15$Mln remediation cost
Ransomware
200k of encrypted devices in 150 countries
WANNACRY
Ransomware
PETYA
20k of encrypted devices (hit Chernobyl)
Malware toolkit
Attack on Ukraine’s power grid that deprived part of Kiev of power for an hour
Data Breach
145M users potentially impacted
3 YEARS
EXPONENTIAL GROWTH
3 WEEKS
1ST IOT ATTACK
1ST OT (INDUSTRIAL) ATTACK
1ST ATTACK WITH ELECTRIC DISRUPTION
BIGGEST THREAT TO INDUSTRIAL CONTROL SYSTEMS SINCE STUXNET
Nowadays, an attacker doesn’t need to be a skillful hacker. He can easily buy hacking capabilities ‘as a Service’ on the dark web.
37
A Cyber-day in Enel…
In 2017, every day, the protection systems of Enel Group blocked on average:
• 2.8 Mln incoming e-mails, because of spam or malware
• 750,000 malevolent outcome events managed by IPS
• +150 attacks to Company Web Sites
• 800-900 viruses
Furthermore, in 2017:
• More than 113 hostile attacks from cyberactivists were detected and managed
• More than 500 fake internet domains detected and reported to the authorities
• About 400 security tests (“Ethical Hacking”) on our own systems carried out
Laws and Regulations represent a key driver for Cyber Security
GDPR Regulation EU 679 2016
New General Data Protection Regulation (GDPR), which updates D.Lgs. 196/03 on data privacy.
• Protect the personal data confidentiality
• Guarantee data security from non authorized or malicious access
NIS Directive 2016 2009/140/CE
NIS Regulation (Network and Information Security) released in 2016 that defines the requirements to guarantee a high security level for network and data inside the European Union
• Improve the cooperation between Nations inside the EU
• Risk management and incident notification
NERC CIP v5
Standards for the Protection of Critical Infrastructure released by North American Electric Reliability Corp
• Improve the reliability and security of the bulk power system
• Protection of Critical Cyber Assets
Other Regulations and Laws
Different existing and emerging Regulations and Laws in force in 42 Countries Worldwide (e.g. Acuerdo 788 in Colombia, Ley 8/2011 in Spain)
• Critical Infrastructure Protection, Data Protection and Privacy, Incident Notification and more
All processes are managed using computers
IT
OT
Credits: ENISA https://www.enisa.europa.eu/publications/challenges-of-security-certification-in-emerging-ict-environments
Simplified infrastructure of the Energy Sector
IT, OT and IoT technologies need a holistic management strategy that pays attention to their specific needs
Confidentiality
Integrity
Availability
IT Priority OT Priority
Top objective: Confidentiality Top objective: Availability (=Safe Operation)
IT and OT integration brings benefits, but it increases the cyber risk too. The right management model has to deal with shared issues while guaranteeing different objectives.
IT OT
IoT Consumer & Industrial (Industry 4.0)
Availability
Integrity
Confidentiality
Security by design
Global CERT
IT/OT/IoT integration Innovative Tools & Technologies
Organization, Business Lines Involvement
Risk Based Strategy
Awareness improvement
We are building our Cyber Security shield on seven main pillars
Enel Cyber Security Risk Management Framework
Cyber Security Framework Processes
[Diagram: the eight processes below, mapped to the NIST areas Identify, Protect, Detect, Respond, Recover]
1. Cyber Security Strategy
Definition of cyber security objectives and priorities, reporting and monitoring of the cyber security on-going initiatives.
2. Cyber Security Design and Implementation
Guarantee the adoption of cyber security principles
3. Cyber Security Risk Assessment
Identification, analysis and evaluation of cyber security risks within Enel Group
4. Cyber Security Risk Treatment
Definition and implementation of the most appropriate risk treatment options to face the cyber security risks
5. Cyber Security Assurance
Analyse, verify and test the effectiveness of the implemented risk response measures.
6. Cyber Emergency Readiness
Monitoring, tracking and reporting risks exposures
7. Identity Mgmt and Access Control
Management of the full lifecycle of digital identities and performing security controls on access privileges
8. Cyber Security Awareness and Training
Driving and running Enel Group-wide Cyber Security Awareness and Training initiatives
NIST Area: IDENTIFY PROTECT DETECT RESPOND RECOVER
ENEL Cyber Security Framework structure: Processes and Roles Overview
[Diagram: the eight Cyber Security Framework processes (Strategy, Design & Implementation, Risk Assessment, Risk Treatment, Assurance, Cyber Emergency Readiness, Identity Mgmt and Access Control, Awareness and Training) mapped to the NIST areas Identify, Protect, Detect, Respond, Recover, each with its main actors; actor groups listed in the order they appear on the slide]
Main Actors involved
• Cyber Security Units • Cyber Security Risk Managers • Risks and Security Committee
• Cyber Security Units • Cyber Security Response Manager • Project Manager
• Cyber Security Units • Cyber Security Response Manager • Responsible of the Treatment (*)
• Cyber Security Units • Cyber Security Risk Manager • Cyber Risks Operating Committee
• Cyber Security Units
• Cyber Security Units (and CERT)
• Cyber Security Units
• Cyber Security Units
(*) The Responsible of the Treatment is the unit who will have to carry out the treatment action, according to applicable cyber security policies, procedures, guidelines and technical prescriptions
Focus on Cyber Security organization
[Organization chart; labels listed in the order they appear on the slide]
Chief Information Security Officer
Governance
Assurance
Detection Response
Identity Mgmt
Security by Design IT
Security by Design OT
Units of Cyber Security
Operational Technology Cyber Security Engineering
CERT
Awareness
Cyber Security Strategy, Assurance and Reporting
Business Lines
IT/OT Solutions Platforms and Infrastructure Management Units
Information Systems Cyber Security Engineering
Cyber Security Risk Monitoring and Respond
Risk Managers
Response Managers
Chief Information Officer
Business Areas
Solution development Areas
Cyber Security Risk Committee (ENEL Group Top Management Team)
Integration with Business Lines
Integration with developers
Enel CERT Implementation Project
The Enel project involves different internal stakeholders and manages the activities of Enel CERT worldwide with an inclusive approach
External Stakeholders
Internal Stakeholders
Other CERTs
ENISA
FIRST TF-CSIRT
Enel Countries with a CERT representative today
Enel CERT Implementation Project
National CERTs
Carnegie Mellon
Spain
Romania
Colombia
Perù
Brasil
Chile
Italy
Argentina
>50
>20 Organizational Units involved (Global/ Country)
>20
Enel colleagues involved in the project
Interviews performed
>45 Hours of interviews
Internal Stakeholders
Enel CERT provides processes to the Constituency in order to Prevent and Respond to Cyber Incidents and Threats
Enel CERT provides 3 main processes
[Diagram labels: Preparedness and Prevention, Recovery]
1. Cyber Incident Response
Key process to Prevent, Detect and Respond to Cyber Incidents. Key aspects:
• 14 services from Service Activation to Recovery & Lessons Learned
• Inclusive of all multi disciplinary Enel roles and capabilities
• Full integration with existing Enel policies (i.e. Emergency and Crisis Policy)
2. Cyber Threat Surveillance
Process to harvest privileged information related to cyber threats and attacking actors from multiple open, closed and commercial sources. Key aspects:
• Create actionable information, relevant for Enel context
• Early detection of cyber threats with potential impact to Enel Constituency
3. CERT Information Sharing
Trusted communication process among all involved Internal Stakeholders and related External Counterparts. Key aspects:
• CERT Communication Workflow and Information Dissemination
• Confidentiality management (Traffic Light Protocol)
Internal Stakeholders
External Counterparties
Internat. Organiz.
Gov. Agencies
Other CERTs
Other Private Companies
Legal
HRO
Security
Local Security
Law Enforcement Agencies
National CERTs
Global ICT
Risk Manager
Enel CERT
Response Manager
Employees
CERT Information Sharing
Employees Communication Media
Cascade & Communication Events
Enel Alert
Focus On (Newsletter)
Intranet / Internet
Enel Radio / TV / Magazine
Techbar
Yammer
FIRST TF-CSIRT
Communication
Media
The information sharing is enabled by Communication Strategy
The future: new threats and cooperation opportunities
How Enel sets its bases for the future
Enel takes an active part in many institutional groups devoted to defining technical and normative standards to which all producers will be bound to adhere
Technical commissions: Enel contributes to many boards in order to define the guidelines for many critical infrastructures at national and international levels, including the National Observatory for Cyber Security, Business Continuity and Resiliency on the Electrical Grids
Government and research authorities: Enel collaborates constantly with several bodies, e.g. ISA, ISO, NERC, NIST, EPRI and ENISA
EE-ISAC (European Energy Information Sharing & Analysis Center): Enel participated in the DENSEK project and is one of the founding members of EE-ISAC.
IEC (International Electrical Commission): Cyber security standard definition for Electrical Systems. Smart Grid Security relies on several documents of the IEC 62351 standard family, which are the responsibility of WG15 (Data and Communication Security), one of the several working groups in which Enel is active.