Annual Report 2020

Cyber-security

GRI 103: Management approach (103-1, 103-2, 103-3)

Relevance

The global rise in cyber-attacks and the professional nature of the hacks launched by cyber-criminal organisations are presenting enterprises with the challenge of developing, implementing and constantly reviewing security strategies. Operators of critical infrastructures need to implement a cyber-security strategy that ensures comprehensive protection for their production facilities and critical IT systems. The great majority of Alpiq power plants play an important role in the reliable supply of electricity in the respective countries. Unfortunately, the constantly evolving cyber threats pose a real risk for all energy suppliers. Protection against specific cyber-attacks is therefore an important part of the security standards of our power plants.

Management approach and assessment

Guidelines for management and the organisation of corporate security are developed within the company. Business continuity management (BCM) ensures that all critical business processes can be continued or promptly restored in case of internal or external incidents. The cyber-security of the power plants and critical IT systems is part of this BCM approach.

In case of significant cyber-security incidents, Alpiq is able to deploy emergency and crisis teams. The company takes all necessary organisational measures to ensure that all incidents that could have a negative impact on the IT environment are dealt with in a timely manner. Cyber-security incidents are managed and documented according to precisely defined incident and response plans. Security monitoring takes place at various levels. For example, the implementation of business applications in the cloud is checked in terms of compliance with security architecture rules, and applications are subjected to active monitoring while they are running. Established vulnerability management ensures that, once identified, vulnerabilities are remedied swiftly and do not return. Efficient vulnerability management also includes ongoing updates with the latest security software for all critical IT systems at both server and user level.

Crisis management plans contain a minimum number of scenarios. For example, for hydropower plants, risk management guidelines are used to assess the cyber-security risks each year and take appropriate measures.

To maintain a high level of expertise, Alpiq holds regular training and simulation exercises that are based on realistic scenarios. The simulation exercises allow Alpiq to review its processes by deploying its emergency and crisis teams and activating the relevant systems for dealing with cyber-attacks in a real-life situation, for example in penetration tests or when critical systems fail. Regular internal audits make it possible to determine the level of security maturity.

The maturity of the cyber-security guidelines is also periodically assessed based on the Swiss minimum standards in all areas of cyber-security.

As a member of the energy sector, Alpiq is informed of the latest threats to the energy industry by the National Cyber Security Centre of Switzerland. Alpiq implements the recommendations and is involved in various working groups.