Governance

Cybersecurity

Why is this important?

The global rise in cyberattacks and the professional nature of the hacks launched by cyber-criminal organisations are presenting enterprises with the challenge of developing, implementing and constantly reviewing security strategies. Operators of critical infrastructures need to implement a cybersecurity strategy that ensures comprehensive protection of their production facilities and critical IT systems.

The great majority of Alpiq power plants play an important role in the reliable supply of electricity in the respective countries. Unfortunately, the constantly evolving cyber threats pose a real risk for all energy suppliers. Protection against specific cyberattacks is therefore an important part of the security standards at both the group companies and the power plants in which Alpiq holds shares.

What are we doing?

Guidelines for management and the organisation of corporate security are developed within the company and are constantly optimised and adapted to new hazard scenarios. Business continuity management (BCM) ensures that all critical business processes can be continued or promptly restored in case of internal or external incidents. The cybersecurity of the power plants and critical IT systems is part of this BCM approach.

In case of significant cybersecurity incidents, Alpiq is able to deploy emergency and crisis teams. The company takes all necessary organisational measures to ensure that all incidents that could have a negative impact on the IT environment are dealt with in a timely manner.

Cybersecurity incidents are managed and documented according to precisely defined incident and response plans. Security monitoring takes place at various levels. For example, the implementation of business applications in the cloud is checked in terms of compliance with security architecture rules, and applications are subjected to active monitoring while they are running.

Established vulnerability management ensures that, once identified, vulnerabilities are remedied swiftly and do not return. Efficient vulnerability management also includes ongoing updates with the latest security software for all critical IT systems at both server and user level.

Crisis management plans contain a required number of scenarios. For example, for hydropower plants, risk management guidelines are used to assess the cybersecurity risks periodically and take appropriate measures.

How do we track the effectiveness of our approach?

To maintain a high level of expertise, Alpiq holds regular training and simulation exercises that are based on realistic scenarios. The simulation exercises allow Alpiq to review its processes by deploying its emergency and crisis teams and activating the relevant systems for dealing with cyberattacks in a real-life situation, for example, the failure of critical systems. Moreover, we adhere to the guidelines of the NIST Cybersecurity Framework, which provides a high-level taxonomy of cybersecurity outcomes and a methodology for assessing and managing those outcomes.

Milestones 2022

Last year, internal and external penetration tests were carried out on IT systems and power plant facilities in Switzerland and abroad by an external, specialized cyber security company. In addition, regular internal audits make it possible to determine the maturity level of our security posture. The maturity of the cybersecurity guidelines is also periodically assessed based on the Swiss minimum standards in all areas of cybersecurity. To improve the detection of security incidents and threats, we plan to centralize security monitoring in a Security Operations Centre (SOC).

Frameworks/guidelines 

- NIST Cybersecurity Framework 

- Alpiq guidelines for management and the organisation of corporate security

GRIs 

- GRI 3-3: Management of material topics

Sustainable Development Goals 

- SDG 9