Frontline 24/7

"Corporate security stress test"

Indications on how to improve processes and organisation arising from the critical issues of the coronavirus emergency: Terna, a case study.

In a stress test, you either sink or swim. It could put your business on the ropes, or breathe new life into it. The coronavirus subjected Terna to a sudden and unexpected stress test. But now that Italy has flattened the curve, the balance sheet is looking rather comforting. Terna’s complex corporate security apparatus has not only borne the impact but has demonstrated its useful, even indispensable, ability to react in order to become stronger and more reactive. The instructions and experiences accumulated in this difficult period will be invaluable in facing the “normal” critical issues of such a complex company, one which is so involved across the country and exposed to so many risk factors.

Thermal cameras and staff social distancing signs at Terna’s head office in Rome (photo by Terna)

Game on. It was 31 January, almost a month before the first case of COVID-19 in Italy. An internal note sounded the first alarm bells for the convocation of the Operations Committee for the Italian Civil Protection Department, after the declaration of a national health emergency. And immediately, increased attention on the control of business-related travel flows from China. And then, constant monitoring of the situation. So much so that, in the hours preceding the launch of the Italian Government’s first Prime Ministerial Decree on COVID on 23 February, Terna had already convened and logistically organised the Crisis Committee, the body established by the company’s guidelines for “top-level communication on critical events”, which involves the first and second lines of command across key departments. The emergency machine is one which requires strategic vision (the CEO), clear guidance (the Head of Corporate Affairs) and effective coordination, both physical and virtual. The last of these is the bread and butter of the Corporate Protection team: Terna’s security.

All the required strategic functions and capabilities, as well as the tactical-operational ones put in place via the Security Operations Center (SOC), were convened every day, Saturday and Sunday included. And every day, there was constant sharing with key external institutions: the Italian MISE and Energy Authority, with sensitive information on the electricity system; the Prefectures, with over 250 notices on the coordination and mobility of employees, ready to intervene for any emergency (even attempted theft) on power lines and substations across Italy; the Civil Protection Department, with around 85 meetings held at the Operations Committee.

Coordination ran across the entire company, making information flows more fluid. Each of us was called upon to do our part. The response, it should be said, was really positive. Access control devices were strengthened and thermal imaging cameras were installed, with the procedures extended not only to Terna employees but also to its suppliers.

Meanwhile, the two security control rooms (the Security Operations Center or SOC and the CERT - Computer Emergency Readiness Team) provided support to ensure the physical and informational security of assets and personnel. The SOC never ceased watching over the grid systems (to prevent intrusions by malicious criminals, despite the mobility limits imposed by local decrees and ordinances), also with the support of colleagues and law enforcement authorities in daily control activities. Likewise the CERT, which is in constant liaison with its counterparts outside the company, has ensured - in coordination with and for the protection of ICT - the safe operation of about 4,000 employees working from home and of all the electricity transmission grid operator’s core systems, with the relevant effect on business continuity, but also with all the possible critical issues in terms of security and spread of risk.

Terna’s Security Operations Centre (photo by Terna)

New cyber challenges. It was no surprise, at this stage, to see an increase in intrusive attempts to access company systems, which have inevitably expanded their “doorways” to the outside world. Even the most aggressive attempts, such as DDoS cyberattacks aimed at flooding connection capabilities and internal data streams, did not come as a surprise. These attacks were handled well, thanks to joint operations with the ICT department to strengthen countermeasures and to the rapid response time to even the slightest problems. All this is thanks in no small part to practices that are proving more than useful for a future with greater use of “smartworking”.

Countermeasures. Maximum attention was paid, with reminders sent via internal communication to the entire population of the company, to avoiding the classic Internet pitfalls of phishing attempts, with the utmost attention to the origin of e-mails received and the now well-recognised warning signs of this phenomenon. But this is also an opportunity, for example, to choose web conference applications carefully, especially if they involve entities outside the company, treating session details (links and “meeting ID”) with the strictest confidence. Video or audio recordings of sessions should be avoided unless absolutely necessary, and in any case should require the full consent of everyone involved. The relevant audio notifications must be enabled to signal when new participants access the meeting. Take care not to display sensitive data when sharing your screen. And never enable remote control of your device (this includes not only your PC but also your mobile phone) except to qualified company technicians. Close attention was also focused on privacy issues, which Terna monitors via an ad hoc structure and which, in the current emergency, has demonstrated how to reconcile security and respect for privacy.

It’s relevant for today, and for Terna’s future. This extremely difficult experience has already provided not only incredible insight into the definition of a new concept of “crisis management”, but also suggestions for turning some of the emergency countermeasures applied in this period into permanent applications. One example: apps that ensure distancing and thermal cameras can be used to develop new, extremely effective intrusion detection systems. And why not use tablets with traditional thermal and optical cameras to set up new sophisticated authentication systems, for example via facial recognition? Crises very often teach - and reveal - the future.