Cyber Security in the Electric System - AIIC

Page 1

Cyber Security in the Electric System

AIIC - Associazione Italiana esperti in Infrastrutture Critiche

Workshop: CRITICAL INFRASTRUCTURE PROTECTION: Where to look & Where to invest

Rome, 30 March 2017 – Università Roma Tre

Yuri Rassega, Head of Cyber Security (CISO)

Enel Group - Global ICT


Page 5

Enel challenges in facing Cyber Security

A quickly evolving scenario in the world has led to a wider exposure to security risks:

• Market liberalization of energy production and sale, with the subsequent change in the competitive scenario, Web Portals, Social Networks, etc.

• Globalization of the production and sale of energy

• Interconnection of the power distribution and production control networks with public networks

• Protection of Critical Infrastructure and Operational Technology for resilient Energy Systems. CERT creation is recommended.

• Advent of the new intelligent electrical networks (smart grids)

• IoT world, both industrial and consumer: sensors, appliances, cars, buildings

• Complexity of technological environments with different needs. IT: priority on Confidentiality. OT: priority on Availability

Page 6

The habitat of a multinational: continuously evolving technologies and regulations

Definition and engineering of Cyber Security processes: 'risk based' approach and 'by design' implementation

[Figure labels, technologies and environments: Cloud Computing, Big Data, Internet of Things, Social Network, Production facilities, Distribution plants, Smart Grid, Mobile and BYOD, Access Point, Transmission Systems, Datacenter]

[Figure labels, regulations: NERC, NIS, Acuerdo 788, GDPR]

Page 7

The change of paradigm

• For power plants and the energy sector, the medieval castle paradigm (the good guys in, the bad guys out) is no longer efficient

• Electric systems are completely interconnected and able to provide value-added services to customers and improve QoS/reliability of the electric system (balance of the grid, optimization of energy flow, etc.)

• Towards Smart Grid/City

• The mutation of the energy "paradigm": from a few big power plants to distributed generation…

Page 8

Security Incidents: most significant cases

[Figure: timeline of incidents, 2010 to 2016. Labels recovered from the slide, in extraction order:]

• 150.000 compromised IoT devices
• DDoS
• Stuxnet: first important attack targeted at Industrial Control Systems (SCADA)
• Worm
• Vermont electric grid - Worm infection (under investigation)
• Data Breach
• 9 Mln IDs compromised
• Data Breach
• 1 Bln accounts compromised
• Data Breach
• Data Breach that affected over 40 Mln credit cards
• 3 Mln$ stolen through spear phishing
• APT
• Cut off power to 275 thousand homes for several hours in Ukraine
• Trojan
• Infected 900.000 end users' routers for several hours
• Botnet Worm
• 10 Mln compromised IoT devices
• DDoS
• Data Breach
• 83 Mln accounts compromised
• Ransomware
• 15 Mln$ remediation cost

[Milestone labels: 1st OT (industrial) attack; 1st IoT attack; 1st attack with electric disruption; 3 years]

Page 9

Laws and Regulations represent a key driver for Cyber Security

NIS Regulation (Network and Information Security), released in 2016, which defines the requirements to guarantee a high security level for networks and data inside the European Union (NIS Directive 2016, 2009/140/CE)

• Improve the cooperation between Nations inside the EU

• Risk management and incident notification

New General Data Protection Regulation (GDPR), which updates dlgs 196/03 on data privacy (GDPR Regulation EU 679 2016)

• Protect the confidentiality of personal data

• Guarantee data security against unauthorized or malicious access

Standards for the Protection of Critical Infrastructure released by North American Electric Reliability Corp (NERC CIP v5)

• Improve the reliability and security of the bulk power system

• Protection of Critical Cyber Assets

Different existing and emerging Regulations and Laws in force in 42 Countries Worldwide (e.g. Acuerdo 788 in Colombia, Ley 8/2011 in Spain)

• Critical Infrastructure Protection, Data protection and Privacy, Incident Notification and more

Page 10

Digitalization was named by Enel's CEO as a new strategic pillar during Capital Markets Day…

Page 11

Our vision: Customers crucial source of competitive advantage, digital key to increase generated value

Digital Basics: Digitalization of customer relationships and Backoffice processes

• > 62 mln customers

• Omni-channel interaction

• All Operations and Backoffice processes

Big Data: Extraction of value from customer data

• Data science for:

  • Tailored commercial propositions and service levels

  • Leveraging automatic decision making (where appropriate)

IoT: Development of high-value services

• New IoT platform based products/services (e.g. e-mobility, e-home…)

Page 12

Our Vision: Digitalization, connectivity and predictive analytics to increase assets productivity

Digital Basics: Asset digitalization

• Valorization of available data and adoption of digital technologies for efficient asset management

IoT: Assets connectivity

• Connection of digitalized assets through IoT technologies for further automation

Big data: Use of data in a predictive logic

• Advanced data analytics to improve productivity, availability, etc.

Page 13

Enabling organization and development of digital culture and workplace are key for succeeding in the transformation

People: Development of a digital organization

• New Digital Enabler unit and Digital manager positions to foster digital fertilization within the company

People: Development of digital workplace

• Workplace digitalization to improve productivity, facilitate collaboration and increase service level

People: Development of Digital competences and culture

• Internal digital skills assessment

• Initiatives favoring the diffusion of digital capabilities and culture, leveraging existing internal skills

Page 14

…we are also implementing a coherent strategy to manage the associated, unfortunately inevitable, cyber security risk, because this is today everywhere. We need to protect our information, industrial assets and emergent technologies.

Our sustainability plan outlines our strong focus on this area where we believe we are today the front runners…

Francesco Starace – Capital Markets Day – 22 November 2016

… and Cyber Security is a key lever

Framework Highlights

• Single strategy approach based on business risk management

• Business Lines involved in key processes: risk assessment, response and recovery criteria definition and prioritization of actions

• Integrated information systems (IT), industrial systems (OT) and Internet of things (IoT) assessment and management

• «Cyber-security by design» to define and spread secure system development standards

Cybersecurity related targets/commitments

• 100% of internet web applications protected through advanced cybersecurity solutions

• Set-up of Enel's CERT

• Acknowledgement by CERTs of current main countries of presence individual level

• 15 cyber security knowledge sharing events on average by 2020

[Figure labels: Cyber security, People, Customer, Platform, Cloud, Asset]

Page 15

We are building our Cyber Security shield on seven main pillars

• Security by design

• Global CERT

• IT/OT/IoT integration

• Innovative Tools & Technologies

• Organization, Business Lines Involvement

• Risk Based Strategy

• Awareness improvement

Page 16

IT, OT and IoT technologies need a holistic management strategy paying attention to the specific needs

• IT Priority: Confidentiality, Integrity, Availability. Top objective: Confidentiality

• OT Priority: Availability, Integrity, Confidentiality. Top objective: Availability

• IoT: Consumer & Industrial (Industry 4.0)

IT and OT integration brings benefits, but it increases the cyber risk too.

The right management model has to deal with shared issues while guaranteeing different objectives.

Page 17

Enel has recently reorganized the entire Cyber Security

The new model is based on a Risk-based approach and on the principle of Security by Design

Cyber Security Response Managers within Solution Centers and Cyber Security Risk Managers within Business Lines will also report to the Head of Cyber Security (CISO) to coordinate activities, plans, countermeasures and emergency responses

[Figure: Cyber Security Organization chart. Labels recovered from the slide:]

• Cyber Security Committee (ENEL Group Top Management Team)

• Chief Information Officer

• Chief Information Security Officer

• Cyber Security Strategy, Assurance and Reporting: Governance, Assurance, Awareness

• Cyber Security Risk Monitoring and Respond: Detection, Response, Identity Mgmt, CERT

• Information Systems Cyber Security Engineering: Security by Design IT

• Operational Technology Cyber Security Engineering: Security by Design OT

• Risk Managers: integration with Business Lines (Business Areas)

• Response Managers: integration with developers (Solution development Areas)

Page 18

The Cyber Security unit has been designed to effectively support the activities, considering the specific business and the tech. context

Cyber Security Strategy, Assurance and Reporting (Governance, Assurance, Awareness)

• Definition of the Group's Cyber security strategy;

• Ownership of the issuing of documentation, policies, procedures, guidelines and processes, overseeing regulatory compliance;

• Management of the Group's Cyber security Assurance Processes

• Management of Cyber security Education, Training & Awareness

Cyber Security Risk Monitoring and Respond (Detection, Response, Identity Mgmt, CERT)

• Supervision and scouting of Cyber security solutions and services for monitoring and respond;

• Management of the Group's CERT, carrying out related investigations, coordinating the decision process, ensuring the communication with stakeholders;

• Management of CSOC and coordination with Network Operation Centers;

• Supervision of the Identity Management & Access Control process.

Information Systems Cyber Security Engineering (Security by Design IT) and Operational Technology Cyber Security Engineering (Security by Design OT)

• Representation of the Security by design protection model, working in close contact with relevant Business process Owners and GICT Solution Centers, also assessing compliance of new technologies, assets and systems proposed by other Global ICT units;

• Setting of prescriptions in order to establish, according to the Cyber security program and plan, a continuous improvement of the resilience to cyber-threats in every stage of the lifecycle of the IT and OT solutions in all of the group's industries, and of emerging technology assets such as IoT devices;

• Definition and updating of technical documentation, procedures and instructions, developing and configuring guidelines and processes;

Page 19

At least one Cyber Security Risk Manager is appointed in each Business Line

Risk Managers: Business Lines

• 5 Global Business Lines: Generation; Trading and upstream Gas; Infrastructure and Network; Renewables; Holding

• 9 Country Business Lines: Market Brazil, Market Chile, Market Colombia, Market Perù, Market Argentina, Market Iberia, Market Italy, Market Romania, Market Russia

• The Cyber Security Risk Manager ensures the integration of Cyber Security within Business Lines. At the organizational level, in addition to his own unit, he also reports to the CISO.

• He participates in the definition of the cyber security strategy, focusing on the business drivers of his own area

• This actor has a key role in putting the Risk-Based Approach into practice in the decision processes of his own area, both in the set-up phase of the Cyber Security Response process and in the continuous improvement of protection processes and tools against the evolution of the threat landscape. His mission is the identification of Business Risks connected to Cyber Risks:

  • He is the first actor in the definition of the Business processes Risk Assessment, ensuring and managing the business impact analysis considering the protection level of IT or OT systems.

  • He prioritizes intervention areas when planning Cyber Security Activities, considering business risks, Risk Acceptance level and planning business costs

Page 20

At least one Cyber Security Response Manager is appointed in each IT/OT Solution Center, Platform and Infrastructure Mgmt Unit

Response Managers: IT/OT Solution Centers, Platforms and Infrastructure Management Units

• 7 Global Solution Centers

• 5 Country Solution Centers: ICT Latam, ICT Iberia, ICT Italy, ICT Romania, ICT Russia

• Labels shown in the figure: ICT Sol. Center I&N; ICT Sol. Center Thermal Gener., Renew. and Trading; ICT Digital Enabler; ICT Sol. Center AFC, HR and Procurement; ICT Infrastructure and Technological Services; Infrastructure and Networks; Holding; Web; IoT; App; Mobile

• The Cyber Security Response Manager ensures the integration between Cyber Security and the Units responsible for the development and management of applications and automation systems (IT, OT and IoT). At the organizational level, in addition to his own unit, he also reports to the CISO.

• This actor has a key role in guaranteeing Cyber Security in applications and systems already in operation or still to be built

• In particular, the Cyber Security Response Manager has to ensure:

  • The correct implementation of Security measures in compliance with the Guidelines and Technical Prescriptions of Cyber Security

  • The support in Cyber Security Response Processes

  • The definition, planning and implementation of Remediation initiatives arising from Assurance activities (penetration test, vulnerability assessment, ethical hacking)

  • The participation in the Design activities of the Cyber Security Engineering units in the definition of new Security Standards

Page 21

A Cyber Security Framework has been established to address and manage Cyber Security adopting a Risk-Based Approach

Objectives

• Define a risk-based cyber security strategy, fostering the new Group Pillar of Digitalization in terms of cyber security initiatives for the entire Enel Group;

• Drive a "cyber security by design" protection model of business processes for applications and infrastructure, integrating cyber security features starting from the very initial phases of their lifecycle, and optimizing overall cashout;

• Enable a reliable functioning of processes, infrastructure and applications to face cyber threats and risks, boosting defense in coherence with the defined risk tolerance level and in line with the continuous evolution of threats.

Key Aspects

• Strong Top Management commitment, through the CIO, to address and support the cyber security strategy;

• Global steering of cyber security, guided by the CISO and supported by Business Areas, to prioritize cyber security activities and make decisions about cyber security expenditures taking into account both Business drivers and IT/OT/IoT systems specific considerations;

• Focus on cyber security in Business Areas to identify, assess and respond to cyber security risks and to deploy the cyber security strategy in terms of Business initiatives and IT/OT initiatives.

100% Coverage of NIST Cyber Security Framework

The new Framework defines Cyber Security Processes, appointing Roles and Responsibilities within relevant ENEL Units

Page 22

NIST Framework and Business Processes Taxonomy Coverage

NIST Cyber Security Framework

• IDENTIFY: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

• PROTECT: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services

• DETECT: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event

• RESPOND: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event

• RECOVER: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event

Enel Cyber Security Framework

[Figure: the processes, numbered 1 to 8, are each tagged with NIST functions (IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER). Process labels in extraction order:]

• Cyber Security Awareness and Training

• Cyber Security Strategy, Monitoring and Reporting

• Cyber Security Risk Assessment

• Computer Emergency Respond and Management

• Identity Access Management and Control

• Cyber Security Design and Engineering

• Cyber Security Risk Treatment

• Cyber Security Assurance and Monitoring

Page 23

Cyber Security Framework: Detailed process definition

1. Strategy, compliance, monitoring and reporting

2. Risk Assessment

3. Solution engineering and standards

4. Cyber risk verification and monitoring of remediation activities

5. Cyber risk treatment

6. Management of system access authorizations and control

7. Computer Emergency Respond Team (CERT)

8. Awareness and training courses

Page 24

So…

KEEP CALM AND LET'S MANAGE CYBER RISKS