Cyber Security in Enel 4° Conferenza Nazionale Cyber Security Energia Roma, 15 novembre 2017 Yuri Rassega Head of Cyber Security - Group CISO Global ICT

Enel figures

•  62 Mln Customers
•  426 TWh energy distributed
•  2.1 Mln Km lines
•  44 Mln Smart Meters
•  Over 30 Countries
•  82.7 GW Installed Capacity, of which 37 GW from Renewables
•  62000 human resources
•  15.2 bln € EBITDA
•  #1 in Italy, Spain, Chile, Peru
•  #2 in Argentina, Colombia

Just to help you realize the actual magnitude of these figures: with 2.1 Mln Km of lines you could connect the Earth to the Moon 5 times!

Enel today (1)

[Figure: 2016 Group ordinary EBITDA of 15.2 €bn, ∼75% regulated / quasi-regulated, broken down by area (Italy, Iberia, Latin America, Europe, North & Central America) and by business (Networks, Renewables, Thermal generation, Retail), with the countries of presence (2)]

1.  As of 2016. Breakdown excludes -0.1 €bn from holding and services
2.  Presence with operating assets

Digitalization Strategy Key levers for navigating the digital future

Driving efficiency and best in class services

People

Asset

Cyber security

Platform

Cloud

Customer

Key levers of digitalization

•  Efficiency through full digitalization of back office processes and systems

•  Enrich products and services

•  Deepen customer relationship and information processing

•  Enhance infrastructure performance

[Chart: 2017-19 digitalization capex, 4.7 €bn, split across Customer, People and Asset; segment labels 80%, 15%, 5%]

The Utility is changing its role: digitalization to capture opportunities along the value chain

Platform paradigm to support the orchestration of the new Utility Model

Back-office automation and data-driven decision making

Smart grid and smart pipes to improve network resiliency, safety and efficiency

Customer interactions governed by analysis of customer journeys

Field workforce with full mobile access and real-time expertise

Awareness to enable energy balancing

Data-driven asset strategies including predictive outages

Distributed energy sources enabled by big data-driven alignment of supply and demand

Distributed energy sources and marketplaces enabled by platform

Distributed generation

E-mobility

Smart-home Efficiency products

Public Lighting

Efficiency solutions

New Business enabled

IoT Solutions

Efficiency

Infrastructure Micro-Grids

Data

New Commercial Offers Partnerships Platform Systems Innovation Projects


NEW CUSTOMER JOURNEY

ATTRACT NEW CUSTOMERS

NEW PRODUCTS & SERVICES

50B objects by 2020

+40% y/y e-home growth (2)

1.  Data refers to Italy; 2. Data refers to USA - Source: A.T. Kearney, Consumer barometer by Google, Digital, Social & Mobile 2015 by We Are Social

Customers: to serve our customers better and faster

e-Mobility

E-Home

B2B

RE-ENGAGE EXISTING CUSTOMERS

IoT/Big Data

IoT on materials, vehicles, warehouses, …

Automation of warehouse management

Grid sensors / Smart Grid Monitoring of grid Assets protection

IoT sensors, robots, drones, AR/VR

Risk based maintenance Prioritize maintenance

O&M

Logistics

Network

SAFETY ON WORK

PERFORMANCE OPTIMIZATION

O&M PREDICTIVE MAINTENANCE

NEW SERVICES

Benefits

Assets Exploiting the benefits of IoT and Big Data technologies

Wearable, smart cameras, geo-location, geo-fencing

Emergency management Safety and security

People

Platforms Creating value through collaboration

Cost efficiency thanks to internal global scale

Time-to-market thanks to configuration versus customization and self-provisioning logic

Innovation thanks to Open internal and external ecosystem

“An IT platform is an open, global and company-wide standard environment, supporting and driving current and new businesses:

Consumer Industrial

Energy Management System

Platform solutions are global and have been already defined

Commodity New Services Energy management services

Engagement Platform

Business logic

IoT Platform

Cloud

Salesforce

Communication

Devices

MPLS / MVNO / 4G / PLC /

AWS IoT

IoT IoT

Industry specific (EMS, , …)

New Business

HANA IS-U

HANA R/3

Smart meter

Enel Global ICT

Digital is changing the role of ICT

Technology / Business

From ICT as key business Enabler: Technology enabling business requirements…

…to ICT as key business Driver: Digital Technologies driving transformation and innovation

Adopting an Agile model to adapt to different Application domains…

•  New business opportunities

•  Enabling new services / microservices / tailored offering

•  Standard or tailor-made applications

•  Processing core transactions and master data

•  New channels or competitive capabilities

•  Enhancing Cx/Ux

Apps of record (ERP, Billing, Asset, …)

Apps of engagement (Sales, Workforce Mgmt, Service Portal, …)

Apps of innovation (e-Home, e-mobility, EMS …)

Apps of insight (BI, cognitive …)

•  Unlocking the business value of digital assets by opening to ecosystem 1

•  Enabling sophisticated / predictive analyses and automatized decision making

Efficiency Differentiation Disruption

…different Multi-Modal approaches

Workforce

Approach

Outsource Insource

Apps of record

(ERP, Billing, Asset, …)

Apps of innovation

(Smart Home, E-mobility, …)

Apps of engagement

(Sales, Workforce Mgmt, Service Portal, …)

Apps of insight (Adv. analytics, BI, …)

Waterfall Agile

Value

Water-Agile-Fall

Enel Cyber Security challenge

Cyber Security in a Global Energy Company

Cyber threat risk perception is increasing in the insurance sector

•  Cyber security is rising in the top 10 Global Business Risks on the Allianz Risk Barometer

•  More than 53% of Cyber Attacks are conducted on Country Critical Infrastructure like Electricity, Water and Oil and Gas. 75% on Industrial companies

•  Most of those infrastructures were designed for Resilience but never designed with Cyber Security in mind

For the Power plants and energy sector the medieval castle paradigm (the good guys in, the bad guys out) is no longer efficient

Electric systems completely interconnected and able to provide value-added services to customers and improve QoS/reliability of the electric system (balance of the grid, optimization of energy flow etc.)

Towards Smart Grid/City

The mutation of the Energy “paradigm”: from a few big power plants and a grid with clear boundaries to distributed generation…

The change of paradigm

Security Incidents: most significant cases (timeline 2010-2017)

Stuxnet First important attack targeted to Industrial Control System (SCADA) 38K infected machines (22K resided in Iran)

Worm

Data Breach

9$Mln of IDs compromised

Data Breach

1 Bln accounts compromised

Data Breach

Data Breach that affected over 40Mln credit cards

3$Mln stolen through spear phishing

APT

Cut off power to hundreds of thousands of homes for several hours in Ukraine

Trojan

Infected 900K end users routers for several hours

Botnet

10 Mln of compromised IoT devices

DDoS Data Breach

83 Mln accounts compromised

Ransomware

15$Mln remediation cost

Ransomware

200k encrypted devices in 150 countries

WANNACRY

Ransomware

PETYA

20k encrypted devices (hit Chernobyl)

Malware toolkit

Attack on Ukraine’s power grid that deprived part of Kiev of power for an hour

Data Breach

145M users potentially impacted

3 YEARS

EXPONENTIAL GROWTH

3 WEEKS

1ST IOT ATTACK

1ST OT (INDUSTRIAL) ATTACK

1ST ATTACK WITH ELECTRIC DISRUPTION

BIGGEST THREAT TO INDUSTRIAL CONTROL SYSTEMS SINCE STUXNET

Hackers: what are they like?

Today:

Nowadays, an attacker doesn’t need to be a skillful hacker. He can easily buy hacking capabilities ‘as a Service’ on the dark web.

Cyber Threats have no borders

Attack Map in real time

Cyber Security in Enel


2.8 Mln incoming e-mails, because of spam or malware

More than 113 hostile attacks from cyberactivists were detected and managed

750.000 malevolent outcome events managed by IPS

+150 attacks to Company Web Sites

In 2017, every day, the protection systems of Enel Group blocked on average:

800-900 viruses

More than 500 fake internet domains detected and reported to the authorities

About 400 security tests (“Ethical Hacking”) carried out on our own systems

Furthermore, in 2017:

A Cyber-day in Enel…

Laws and Regulations represent a key driver for Cyber Security

NIS Directive 2016 2009/140/CE

NIS Regulation (Network and Information Security), released in 2016, which defines the requirements to guarantee a high security level for network and data inside the European Union

•  Improve the cooperation between Nations inside the EU
•  Risk management and incident notification

GDPR Regulation EU 679 2016

New General Data Protection Regulation (GDPR), which updates D.Lgs. 196/03 on data privacy.

•  Protect the personal data confidentiality
•  Guarantee data security from non-authorized or malicious access

NERC CIP v5

Standards for the Protection of Critical Infrastructure released by North American Electric Reliability Corp

•  Improve the reliability and security of the bulk power system
•  Protection of Critical Cyber Assets

Different existing and emerging Regulations and Laws in force in 42 Countries Worldwide (e.g. Acuerdo 788 in Colombia, Ley 8/2011 in Spain)

•  Critical Infrastructure Protection, Data protection and Privacy, Incident Notification and more

All processes are managed using computers

IT

OT

Credits: ENISA https://www.enisa.europa.eu/publications/challenges-of-security-certification-in-emerging-ict-environments

Simplified infrastructure of the Energy Sector

IT, OT and IoT technologies need a holistic management strategy paying attention to the specific needs

IT Priority (top objective: Confidentiality): Confidentiality, Integrity, Availability

OT Priority (top objective: Availability = Safe Operation): Availability, Integrity, Confidentiality

IT and OT integration brings benefits, but it increases the cyber risk too. The right management model has to deal with shared issues while guaranteeing different objectives.

IT, OT, IoT Consumer & Industrial (Industry 4.0)

We are building our Cyber Security shield on seven main pillars

•  Security by design
•  Global CERT
•  IT/OT/IoT integration
•  Innovative Tools & Technologies
•  Organization, Business Lines Involvement
•  Risk Based Strategy
•  Awareness improvement

Enel Cyber Security Risk Management Framework

Cyber Security Framework Processes

1.  Cyber Security Strategy: Definition of cyber security objectives and priorities, reporting and monitoring of the cyber security on-going initiatives.

2.  Cyber Security Design and Implementation: Guarantee the adoption of cyber security principles

3.  Cyber Security Risk Assessment: Identification, analysis and evaluation of cyber security risks within Enel Group

4.  Cyber Security Risk Treatment: Definition and implementation of the most appropriate risk treatment options to face the cyber security risks

5.  Cyber Security Assurance: Analyse, verify and test the effectiveness of the implemented risk response measures.

6.  Cyber Emergency Readiness: Monitoring, tracking and reporting risk exposures

7.  Identity Mgmt and Access Control: Management of the full lifecycle of digital identities and performing security controls on access privileges

8.  Cyber Security Awareness and Training: Driving and running Enel Group-wide Cyber Security Awareness and Training initiatives

NIST Area: IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER

ENEL Cyber Security Framework structure: Processes and Roles Overview

Processes: Cyber Security Strategy; Cyber Security Design & Implementation; Cyber Security Risk Assessment; Cyber Security Risk Treatment; Cyber Security Assurance; Cyber Emergency Readiness; Identity Mgmt and Access Control; Cyber Security Awareness and Training

Main Actors involved

•  Cyber Security Units •  Cyber Security Risk Managers •  Risks and Security Committee

•  Cyber Security Units •  Cyber Security Response Manager •  Project Manager

•  Cyber Security Units •  Cyber Security Response Manager •  Responsible of the Treatment (*)

•  Cyber Security Units •  Cyber Security Risk Manager •  Cyber Risks Operating Committee

•  Cyber Security Units

•  Cyber Security Units (and CERT)

•  Cyber Security Units

•  Cyber Security Units

(*) The Responsible of the Treatment is the unit who will have to carry out the treatment action, according to applicable cyber security policies, procedures, guidelines and technical prescriptions

NIST Area: IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER

Focus on Cyber Security organization

Chief Information Security Officer

Governance

Assurance

Detection Response

Identity Mgmt

Security by Design IT

Security by Design OT

Units of Cyber Security

Operational Technology Cyber Security Engineering

CERT

Awareness

Cyber Security Strategy, Assurance and Reporting

Business Lines

IT/OT Solutions Platforms and Infrastructure Management Units

Information Systems Cyber Security Engineering

Cyber Security Risk Monitoring and Respond

Risk Managers, Response Managers

Chief Information Officer

Business Areas

Solution development Areas

Cyber Security Risk Committee (ENEL Group Top Management Team)

Integration with Business Lines

Integration with developers

Enel CERT Implementation Project The Enel project involves different internal stakeholders and manages the activities of Enel CERT worldwide with an inclusive approach

External Stakeholders

Internal Stakeholders

Other CERTs

ENISA

FIRST TF-CSIRT

Enel countries with a CERT representative today

Enel CERT Implementation

Project

National CERTs

Carnegie Mellon

Spain

Romania

Colombia

Peru

Brazil

Chile

Italy

Argentina

>50

>20 Organizational Units involved (Global/ Country)

>20

Enel colleagues involved in the project

Interviews performed

>45 Hours of interviews

Internal Stakeholders

Enel CERT provides 3 main processes

Enel CERT provides processes to the Constituency in order to Prevent and Respond to Cyber Incidents and Threats

[Diagram labels: Preparedness and Prevention; Recovery]

1.  Cyber Incident Response: Key process to Prevent, Detect and Respond to Cyber Incidents. Key aspects:

•  14 services from Service Activation to Recovery & Lessons Learned
•  Inclusive of all multi disciplinary Enel roles and capabilities
•  Full integration with existing Enel policies (i.e. Emergency and Crisis Policy)

2.  Cyber Threat Surveillance: Process to harvest privileged information related to cyber threats and attacking actors from multiple open, closed and commercial sources. Key aspects:

•  Create actionable information, relevant for Enel context
•  Early detection of cyber threats with potential impact to Enel Constituency

3.  CERT Information Sharing: Trusted communication process among all involved Internal Stakeholders and related External Counterparts. Key aspects:

•  CERT Communication Workflow and Information Dissemination
•  Confidentiality management (Traffic Light Protocol)

Internal Stakeholders

External Counterparties

International Organizations

Gov. Agencies

Other CERTs

Other Private Companies

Legal

HRO

Security

Local Security

Law Enforcement Agencies

National CERTs

Global ICT

Risk Manager

Enel CERT

Response Manager

Employees

CERT Information Sharing

Employees Communication Media

Cascade & Communication Events

Enel Alert

Focus On (Newsletter)

Intranet / Internet

Enel Radio / TV / Magazine

Techbar

Yammer

FIRST TF-CSIRT

Communication Media

The information sharing is enabled by Communication Strategy

The future: new threats and cooperation opportunities

How Enel sets its bases for the future: Enel takes an active part in many institutional groups devoted to defining technical and normative standards to which all producers will be bound to adhere

•  Technical commissions: Enel contributes to many boards in order to define the guidelines for many critical infrastructures at national and international levels, including the National Observatory for Cyber Security, Business Continuity and Resiliency on the Electrical Grids

•  Government and research authorities: Enel collaborates constantly with several bodies e.g. ISA, ISO, NERC, NIST, EPRI and ENISA

•  EE-ISAC (European Energy Information Sharing & Analysis Center): Enel participated in the DENSEK project and is one of the founding members of EE-ISAC.

•  IEC (International Electrical Commission): Cyber security standard definition for Electrical Systems. Smart Grid Security relies on several documents of the IEC 62351 standard family, under the responsibility of WG15 (Data and Communication Security), which is one of the several working groups in which Enel is active.

So…

KEEP CALM AND LET’S MANAGE CYBER RISKS

YR