Cybersecurity
Management approach
GRI 103
(103-1, 103-2, 103-3)
Relevance
The global rise in cyberattacks, and the increasingly professional nature of the attacks launched by cyber-criminal organisations, present enterprises with the challenge of developing, implementing and continuously reviewing their security strategies. Operators of critical infrastructure need a cybersecurity strategy that provides comprehensive protection for their production facilities and critical IT systems. The great majority of Alpiq power plants play an important role in the reliable supply of electricity in their respective countries, and constantly evolving cyber threats pose a real risk to every energy supplier. Protection against targeted cyberattacks is therefore an integral part of the security standards at both the Group companies and the power plants in which Alpiq holds shares.
Management approach and assessment
Guidelines for the management and organisation of corporate security are developed within the company. Business continuity management (BCM) ensures that all critical business processes can be continued, or promptly restored, in the event of internal or external incidents. The cybersecurity of the power plants and of critical IT systems is part of this BCM approach.
In the event of a significant cybersecurity incident, Alpiq is able to deploy emergency and crisis teams. The company takes the necessary organisational measures to ensure that every incident that could have a negative impact on the IT environment is dealt with in a timely manner. Cybersecurity incidents are managed and documented according to precisely defined incident and response plans. Security monitoring takes place at several levels. For example, the deployment of business applications in the cloud is checked for compliance with the security architecture rules, and applications are actively monitored while they are running. An established vulnerability management process ensures that vulnerabilities, once identified, are remediated promptly and do not recur. Effective vulnerability management also means keeping all critical IT systems, at both server and end-user level, up to date with the latest security updates and security software.
Crisis management plans cover a defined minimum set of scenarios. For hydropower plants, for example, risk management guidelines are used to assess the cybersecurity risks each year and to take appropriate measures.
To maintain a high level of expertise, Alpiq holds regular training and simulation exercises based on realistic scenarios. The simulation exercises allow Alpiq to review its processes under real-life conditions by deploying its emergency and crisis teams and activating the systems relevant for dealing with a cyberattack, for example in response to a penetration test or the failure of critical systems. Regular internal audits make it possible to determine the maturity of the security organisation. Moreover, the business units D&C Technology (Business IT) and Intraday Trading are certified according to ISO 27001. This certification, which is reviewed annually, ensures that business processes are safeguarded by an established security organisation.
The maturity of the cybersecurity guidelines is also periodically assessed against the Swiss minimum standards for cybersecurity in all relevant areas.
As a member of the energy sector, Alpiq is informed of the latest threats to the energy industry by the National Cyber Security Centre (NCSC) of Switzerland. Alpiq implements the NCSC's recommendations and participates in various working groups.