The threat of a cyber-attack is one of the greatest risks a business faces today. From financial loss to reputational damage, the dangers are huge, but when hackers target an energy company, the stakes are even higher. A large-scale energy black-out has ramifications for the whole of society, impacting individuals, businesses and vital institutions, and triggering potentially devastating spill-over effects.
by Carlo Bozzoli, Head of Global Digital Solutions, Enel
We operate in over 30 countries, and on a daily basis our team of analysts block over two million risky emails, stop an average of 300 attacks on our web portals, and prevent 300 viruses from infecting our systems, while also barring 740,000 connections to risky websites.
To this can be added the detection of 13 hostile initiatives each month by our cyber intelligence system, and the identification every year of over 600 Internet domains that use our brand illegally.
As Francesco Starace, CEO of the Enel Group, repeatedly highlights: “We are present throughout the world with a complex, organized structure of people and machines that are constantly exchanging sensitive data, and this is the reason we have created a team of experts who work to provide the highest level of protection from cyber-attacks.”
A cyber-attack is a malicious and deliberate attempt by an individual or organization to breach information systems, leading to the loss, theft or corruption of data. Such attacks can lead to substantial financial costs, disruption to trading and the loss of business, while there could be further expenditure associated with repairing affected networks and devices. Add in service failure and data breaches, and cyber-attacks can also have a damaging effect on a business’s reputation, eroding customer trust.
There are legal consequences too, with data protection and privacy laws requiring companies to manage the security of all the personal information they hold on staff or customers. If this data is compromised, and the company has failed to deploy appropriate security measures, fines and regulatory sanctions can be considerable. Attacks can even pose a threat to the environment.
Enel’s Cyber Security Framework is a company-wide strategy of risk management. It takes a risk-based approach, ensuring that decisions and activities are based on business priorities, and that security measures are an integral part of applications, processes and services, establishing standards of security before rather than after situations arise.
While the framework also establishes the need to use top-market cyber security technologies, we are aware that in a continuously evolving and constantly connected world, IT security doesn’t just depend on new tech, but also on an awareness of digital risks. This is why we have adopted a cyber risk management model based on a ‘systemic’ vision that integrates traditional IT with new Operational Technology and the Internet of Things.
This is “cyber security by design,” an approach that allows those managing new projects to focus on cyber security topics from the very start of a system’s design, increasing the Group’s resilience to cyber attacks.
Enel has also created its own Cyber Emergency Readiness Team (CERT), an international pool of analysts and country “focal points”, working at both a national and international level, who continuously monitor the status of our systems and coordinate all activities to anticipate and respond to a cyber incident or attack.
Of course, all companies, even more so in the case of the energy sector, are part of a much wider, complex and interconnected ecosystem, where organizations exchange information and use common critical services, components and systems. Regulations and laws supplying common guidelines must keep pace with the evolving menace of continuous cyber risks, making cooperation around cyber issues between stakeholders paramount.
Defending the assets of the global electricity industry from IT attacks was one of the key themes at the last World Economic Forum in Davos. Our work in this area was praised in the report ‘Cyber Resilience in the Electricity Ecosystem: Principles and Guidance for Boards’, produced in collaboration with the Boston Consulting Group.
We were also part of the Forum’s working group on new guidelines for board members that are designed to provide organizational cyber governance that will help to advance ecosystem-wide cyber resilience.
It acts as a center of study and research, supporting the fight against cyber crime, with guidelines for the public and private sectors to promote cyber security, resilience, business continuity and vigilance for the security of electrical critical infrastructures.
Enel cyber security experts are also working on international standards to support more comprehensive monitoring of power systems, to make them more dependable and resilient, and have been active in pushing manufacturers and vendors to align their products and components to new cyber security standards.
We continue to work with academia too, identifying talented students interested in advancing cyber security, as well as scouting the latest start-ups working in this area. And among our many international collaborations is our work with the cyber security task force for the energy sector of the Conseil de Cooperation Economique, which provides information and recommendations on cyber security for the European Commission.
Together, this systemic and holistic model of cyber security is helping us increase the resilience of all our assets. But even more importantly, it is part of a vision that supports the new requirements of the energy industrial sector.