The cyber risk scenario is increasingly complex. In addition to the traditional threats that affect every ICT project, there has been a sharp rise in the number of threats relating to the digital transformation process under way at highly innovative companies and to the growing interconnection between the various operators.
The entry into force of new European regulations, above all the General Data Protection Regulation (GDPR) and the Network & Information Security (NIS) directive, means companies are having to rethink some of their information and cyber security processes in order to ensure full compliance.
For some time, Terna has used an Information Security Governance Model, based on policies and procedures combined with an Information Risk Management (“IRM”) operating programme. Both are coordinated by the Group's CISO (Chief Information Security Officer).
The Model takes into account all the risk factors (organisational, technical and technological, physical, environmental, cyber, etc.) to which the Group's ICT ecosystem is exposed, including compliance with data protection legislation and efforts to combat cyber-crime. Its aim is to counter their impact: disruption to computer networks or services critical to the operation of the electricity system and/or resulting in potential damage to the National Transmission Grid (NTG); loss of confidentiality; and the theft or alteration of sensitive, strategic and confidential data held by Terna relating to the electricity market and/or third parties.
Finally, via the operational safeguards put in place by the Security and Service department’s cyber security unit, Terna promptly identifies and contains security incidents, thereby minimising information loss and facilitating restoration of the services involved.
Cyber security training
An extensive awareness-raising campaign on cyber security issues, aimed at senior managers, middle managers and roles with particular responsibilities, as well as newly recruited staff, has been completed. Terna also took part in a special competition (of the red team versus blue team type) under the patronage of ENTSO-E and SANS, in which over 100 European TSOs and DSOs took part. Terna performed well, finishing among the top five.
Strengthening of the Information Security Framework
The Information Security Framework and, above all, the set of countermeasures that Terna puts in place to combat cyber risk were updated in line with the latest version of the NIST standard, adopting additional security measures relating to critical areas such as GDPR, IoT and SCADA/ICS systems. During 2018, Terna began the process of assessing and testing solutions for transferring cyber risk to third parties, entering into insurance policies to cover the risks posed by ransomware, phishing and the theft of personal data for which Terna is the data owner or manager. The process was completed once the Company had obtained cover, and the policy will be extended to cover additional risks in the three-year period 2019-2021.
Consolidation of the capabilities of the Cyber Security Operations & Data Protection Centre
The process of strengthening and refining corrective actions and new initiatives designed to prevent cyber risk continued within the Security and Service department. Terna’s Computer Emergency Readiness Team (CERT) redesigned its Real Time Security Monitoring, Incident Handling, Threat Intelligence and Security Content Engineering & Threat Hunting processes on a 24h/365d basis. Information sharing with public bodies, other essential service providers and the CERT’s Threat Intelligence partners was further developed as regards tailored intelligence. The Cyber Security Engineering centre was used to set up important working groups aimed at reducing the cyber risk associated with the Industrial Automation and Control Systems (IACS) that support Terna’s core business. These new departments complement and integrate with the Cyber Security Assessment department, which carried out periodic assessments of the vulnerabilities in Terna’s IT systems and checks on the related recovery plans.
Consolidation of GDPR compliance
An audit of GDPR compliance was completed, with the adoption and initial implementation of the numerous initiatives needed to ensure full compliance and the rollout of a data protection model across the Group. This included training and internal communication initiatives, including specific workshops for senior management and online courses and short training modules for all staff, with the aim of creating a Group-wide privacy and data protection culture.
Identity and Access Management (IAM)
The Identity and Access Management (IAM) process governing access authorisations to critical IT resources has been strengthened. This involved implementing the first monitoring use case (identity governance) in order to extend visibility (and governance) to the applications supporting Terna’s operational activities and financial reporting.
Monitoring and cyber defence capabilities
During the year, the extension and update of security monitoring services for the systems and networks of the platforms incorporated within the Information Security and Event Management (ISEM) system continued. With regard to the detection of cyber threats, a technological solution based on machine learning and artificial intelligence using non-formal logic was adopted. There was also continuous analysis and threat hunting using Indicators of Compromise (IOC) reports, especially those issued by public bodies (e.g. the Italian Computer Emergency Response Team, the National Anti-Cyber Crime Centre for the Protection of Critical Infrastructure, etc.), and an advanced anti-malware solution entered operation on all workstations, involving monitoring, analysis and continuous recording of all executable and non-executable file activities, regardless of whether they are already known to be malware. Work on the protection of SCADA systems using a whitelisting solution and on the logical segregation of networks is continuing.