Cyber Security in the Electric System
AIIC - Associazione Italiana esperti in Infrastrutture Critiche (Italian Association of Critical Infrastructure Experts)
Workshop: CRITICAL INFRASTRUCTURE PROTECTION: Where to look & Where to invest
Rome, 30 March 2017 – Università Roma Tre
Yuri Rassega, Head of Cyber Security (CISO)
Enel Group - Global ICT
Enel challenges in facing Cyber Security: a quickly evolving scenario in the world has determined a wider exposure to security risks
• Market liberalization of energy production and sale, with subsequent competitive scenario change, Web Portals, Social Networks, etc…
• Globalization of the production and sale of energy
• Interconnection of the power distribution and production control networks with public networks
• Protection of Critical Infrastructure and Operation Technology for resilient Energy Systems. CERT creation is recommended.
• Forthcoming of the new intelligent electrical networks (smart grids)
• IoT world, both industrial and consumer: sensors, appliances, cars, buildings
• Technological environments complexity with different needs. IT: priority on Confidentiality. OT: priority on Availability
The habitat of a multinational: continuously evolving technologies and regulations
Definition and engineering of Cyber Security processes: 'risk based' approach and 'by design' implementation
Diagram labels, technologies and assets: Cloud Computing, Big Data, Internet of Things, Social Network, Production facilities, Distribution plants, Smart Grid, Mobile and BYOD, Access Point, Transmission Systems, Datacenter
Diagram labels, regulations: NERC, NIS, Acuerdo 788, GDPR
The change of paradigm
For the power plants and energy sector the medieval castle paradigm (the good guys in, the bad guys out) is no longer efficient.
Electric systems are completely interconnected and able to provide added-value services to customers and improve QoS/reliability of the electric system (balance of the grid, optimization of energy flows, etc.).
Towards Smart Grid/City
The mutation of the Energy "paradigm": from few big power plants to distributed generation…
Security Incidents: most significant cases
• DDoS: 150,000 compromised IoT devices
• Worm: Stuxnet, first important attack targeted at an Industrial Control System (SCADA)
• Worm: Vermont electric grid, worm infection (under investigation)
• Data Breach: 9 Mln IDs compromised
• Data Breach: 1 Bln accounts compromised
• Data Breach: over 40 Mln credit cards affected
• APT: 3 Mln$ stolen through spear phishing
• Trojan: cut off power to 275 thousand homes for several hours in Ukraine
• Botnet Worm: infected 900,000 end-user routers for several hours
• DDoS: 10 Mln compromised IoT devices
• Data Breach: 83 Mln accounts compromised
• Ransomware: 15 Mln$ remediation cost
Timeline: 2010, 2011, 2012, 2013, 2014, 2015, 2016. Markers: 1st OT (industrial) attack; 1st IoT attack; 1st attack with electric disruption; 3 years
Laws and Regulations represent a key driver for Cyber Security
NIS Directive 2016 (2009/140/CE): NIS Regulation (Network and Information Security) released in 2016 that defines the requirements to guarantee a high security level for networks and data inside the European Union
• Improve the cooperation between Nations inside the EU
• Risk management and incident notification
GDPR Regulation EU 679 2016: new General Data Protection Regulation (GDPR), that updates the dlgs 196/03 about data privacy
• Protect the confidentiality of personal data
• Guarantee data security from non-authorized or malicious access
NERC CIP v5: Standards for the Protection of Critical Infrastructure released by North American Electric Reliability Corp
• Improve the reliability and security of the bulk power system
• Protection of Critical Cyber Assets
Different existing and emerging Regulations and Laws in force in 42 Countries Worldwide (e.g. Acuerdo 788 in Colombia, Ley 8/2011 in Spain)
• Critical Infrastructure Protection, Data protection and Privacy, Incident Notification and more
Digitalization has been stated by Enel CEO as a new strategic pillar during Capital Markets Day…
Our vision: Customers are a crucial source of competitive advantage; digital is key to increasing generated value
Customer
Digital Basics: Digitalization of customer relationships and back-office processes
• > 62 mln customers
• Omni-channel interaction
• All Operations and back-office processes
Big Data: Extraction of value from customer data
• Data science for: tailored commercial propositions and service levels; leveraging automatic decision making (where appropriate)
IoT: Development of high-value services
• New IoT platform-based products/services (e.g. e-mobility, e-home…)
Our Vision: Digitalization, connectivity and predictive analytics to increase asset productivity
Assets
Digital Basics: Asset digitalization
• Valorization of available data and adoption of digital technologies for efficient asset management
IoT: Asset connectivity
• Connection of digitalized assets through IoT technologies for further automation
Big Data: Use of data in a predictive logic
• Advanced data analytics to improve productivity, availability, etc.
Enabling organization and development of digital culture and workplace are key for succeeding in the transformation
People
Development of a digital organization
• New Digital Enabler unit and Digital Manager positions to foster digital fertilization within the company
Development of a digital workplace
• Workplace digitalization to improve productivity, facilitate collaboration and increase service level
Development of digital competences and culture
• Internal digital skills assessment
• Initiatives favoring the diffusion of digital capabilities and culture, leveraging existing internal skills
…we are also implementing a coherent strategy to manage the associated, unfortunately inevitable, cyber security risk, because this is today everywhere. We need to protect our information, industrial assets and emergent technologies.
Our sustainability plan outlines our strong focus on this area where we believe we are today the front runners…
Francesco Starace – Capital Markets Day – 22 November 2016
… and Cyber Security is a key lever
Framework Highlights
• Single strategy approach based on business risk management
• Business Lines involved in key processes: risk assessment, response and recovery criteria definition and prioritization of actions
• Integrated assessment and management of information systems (IT), industrial systems (OT) and Internet of Things (IoT)
• «Cyber-security by design» to define and spread secure system development standards
Cybersecurity related targets/commitments
• 100% of internet web applications protected through advanced cybersecurity solutions
• Set-up of Enel's CERT
• Acknowledgement by the CERTs of the current main countries of presence (individual level)
• 15 cyber security knowledge sharing events on average by 2020
We are building our Cyber Security shield on seven main pillars
• Security by design
• Global CERT
• IT/OT/IoT integration
• Innovative Tools & Technologies
• Organization, Business Lines Involvement
• Risk Based Strategy
• Awareness improvement
Diagram labels: Cyber security; People; Customer; Platform; Cloud; Asset
IT, OT and IoT technologies need a holistic management strategy paying attention to the specific needs
IT priority: Confidentiality, Integrity, Availability (top objective: Confidentiality)
OT priority: Availability, Integrity, Confidentiality (top objective: Availability)
IoT: Consumer & Industrial (Industry 4.0)
IT and OT integration brings benefits, but it increases the cyber risk too.
The right management model has to deal with shared issues while guaranteeing different objectives.
Enel has recently reorganized the entire Cyber Security
Cyber Security Response Managers within Solution Centers and Cyber Security Risk Managers within Business Lines will also report to the Head of Cyber Security (CISO) to coordinate activities, plans, countermeasures and emergency responses
- CYBER SECURITY ORGANIZATION -
Cyber Security Committee (ENEL Group Top Management Team)
Chief Information Officer
Chief Information Security Officer, with four units:
• Cyber Security Strategy, Assurance and Reporting: Governance, Assurance, Awareness
• Cyber Security Risk Monitoring and Respond: Detection, Response, Identity Mgmt, CERT
• Information Systems Cyber Security Engineering: Security by Design IT
• Operational Technology Cyber Security Engineering: Security by Design OT
Risk Managers: integration with Business Lines (Business Areas)
Response Managers: integration with developers (Solution development Areas)
The new model is based on a Risk-based approach and on the principle of Security by Design
Cyber Security unit has been designed to effectively support the activities, considering the specific business and technology context
Cyber Security Strategy, Assurance and Reporting (Governance, Assurance, Awareness)
• Definition of Group's Cyber security strategy;
• Ownership of the issuing of documentation, policies, procedures, guidelines and processes, overseeing regulatory compliance;
• Management of Group's Cyber security Assurance Processes;
• Management of Cyber security Education, Training & Awareness.
Cyber Security Risk Monitoring and Respond (Detection, Response, Identity Mgmt, CERT)
• Supervision and scouting of Cyber security solutions and services for monitoring and response;
• Management of Group's CERT, carrying out related investigations, coordinating the decision process, ensuring the communication with stakeholders;
• Management of CSOC and coordination with Network Operation Centers;
• Supervision of Identity Management & Access Control process.
Information Systems Cyber Security Engineering (Security by Design IT) and Operational Technology Cyber Security Engineering (Security by Design OT)
• Representation of the Security by design protection model, working in close contact with relevant Business Process Owners and GICT Solution Centers, also assessing compliance of new technologies, assets and systems proposed by other Global ICT units;
• Setting of prescriptions in order to establish, according to the Cyber security program and plan, a continuous improvement of the resilience to cyber-threats in every stage of the lifecycle of the IT and OT solutions in all Group's industries, and of emerging technology assets such as IoT devices;
• Definition and updating of technical documentation, procedures, instructions, development and configuration guidelines and processes.
Risk Managers
At least one Cyber Security Risk Manager is appointed in each Business Line
• The Cyber Security Risk Manager ensures the integration of Cyber Security within Business Lines. At organizational level, in addition to his own unit, he also reports to the CISO.
• He participates in the definition of the cyber security strategy, focusing on the business drivers of his own area.
• This actor has a key relevance in the actualization of the Risk-Based Approach in the decision processes of his own area, both in the set-up phase of the Cyber Security Response process and in the continuous improvement of protection processes and tools against threat landscape evolution. His mission is the identification of Business Risks connected to Cyber Risks:
  • He is the first actor in the definition of Business process Risk Assessment, ensuring and managing the business impact analysis considering the protection level of IT or OT systems.
  • He prioritizes intervention areas, planning Cyber Security Activities considering business risks, Risk Acceptance level and business costs.
BUSINESS LINES
5 Global Business Lines: Generation; Trading and upstream Gas; Infrastructure and Network; Renewables; Holding
9 Country Business Lines: Market Brazil; Market Chile; Market Colombia; Market Perù; Market Argentina; Market Iberia; Market Italy; Market Romania; Market Russia
Response Managers
At least one Cyber Security Response Manager is appointed in each IT/OT Solution Center, Platform and Infrastructure Management Unit
• The Cyber Security Response Manager ensures the integration between Cyber Security and the Units responsible for the development and management of applications and automation systems (IT, OT and IoT). At organizational level, in addition to his own unit, he also reports to the CISO.
• This actor has a key relevance in guaranteeing Cyber Security in applications and systems already in operation or to be realized.
• In particular, the Cyber Security Response Manager has to ensure:
  • The correct implementation of Security measures in compliance with the Guidelines and Technical Prescriptions of Cyber Security
  • The support in Cyber Security Response Processes
  • The definition, planning and implementation of Remediation initiatives arising from Assurance activities (penetration test, vulnerability assessment, ethical hacking)
  • The participation in the Design activities of the Cyber Security Engineering units in the definition of new Security Standards
SOLUTION CENTERS (IT/OT Solution Centers, Platforms and Infrastructure Management Units)
7 Global Solution Centers (diagram labels): ICT Sol. Center I&N (Infrastructure and Networks); ICT Sol. Center Thermal Gener., Renew. and Trading; ICT Digital Enabler; ICT Sol. Center AFC, HR and Procurement; ICT Infrastructure and Technological Services; Holding; Web; IoT; App; Mobile
5 Country Solution Centers: ICT Latam; ICT Iberia; ICT Italy; ICT Romania; ICT Russia
A Cyber Security Framework has been established to address and manage Cyber Security adopting a Risk-Based Approach
Objectives
• Define a risk-based cyber security strategy, fostering the new Group Pillar of Digitalization in terms of cyber security initiatives for the entire Enel Group;
• Drive a "cyber security by design" protection model of business processes for applications and infrastructure, integrating cyber security features starting from the very initial phases of their lifecycle, and optimizing overall cashout;
• Enable a reliable functioning of processes, infrastructure and applications to face cyber threats and risks, boosting defense in coherence with the defined risk tolerance level and in line with the continuous evolution of threats.
Key Aspects
• Strong Top Management commitment through the CIO, to address and support the cyber security strategy;
• Global steering of cyber security, guided by the CISO and supported by Business Areas, to prioritize cyber security activities and make decisions about cyber security expenditures, taking into account both Business drivers and IT/OT/IoT systems specific considerations;
• Focus on cyber security in Business Areas to identify, assess and respond to cyber security risks and to deploy the cyber security strategy in terms of Business initiatives and IT/OT initiatives.
100% Coverage of NIST Cyber Security Framework
New Framework defines Cyber Security Processes, appointing Roles and Responsibilities within relevant ENEL Units
NIST Framework and Business Processes Taxonomy Coverage
Enel Cyber Security Framework processes:
• Cyber Security Awareness and Training
• Cyber Security Strategy, Monitoring and Reporting
• Cyber Security Risk Assessment
• Computer Emergency Response and Management
• Identity Access Management and Control
• Cyber Security Design and Engineering
• Cyber Security Risk Treatment
• Cyber Security Assurance and Monitoring
Each process is mapped in the diagram to one or more NIST Cyber Security Framework functions (IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER).
NIST Cyber Security Framework functions:
• IDENTIFY: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
• PROTECT: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
• DETECT: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
• RESPOND: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
• RECOVER: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
Cyber Security Framework: detailed process definition
1. Strategy, compliance, monitoring and reporting
2. Risk Assessment
3. Solution engineering and standards
4. Cyber Risk verification and monitoring of remediation activities
5. Cyber risk treatment
6. Management of system authorizations and control
7. Computer Emergency Response Team (CERT)
8. Awareness and training courses
So…
KEEP CALM AND LET'S MANAGE CYBER RISKS