Information security

EU21

Due to its role in the electricity industry, Terna holds and conserves large quantities of business-sensitive information in its database, including data on the users of transmission and dispatching services, in particular electricity producers and traders. Such information includes, for example, data on plant specifications, with the related production capacity and injection plans presented to the Electricity Exchange.

Considering its significant commercial value, during its life cycle this information is subject to adequate classification and management actions, in order to establish protection strategies capable of ensuring it does not become accessible to unauthorized third parties or subject to illegal breaches. An identical approach is also adopted for:

  • the data collected from industry companies for compiling industry statistics, a task performed by Terna within the framework of the National Statistical System;
  • the data made available to the industry Authority for monitoring the Electricity Market (as provided for in Resolution no. 115/08 of the AEEG).

Additionally, by virtue of a growing commitment to “Information & Communication Technology” (ICT) infrastructure and systems in support of operations on the electricity system, the Terna Group has for some time maintained high standards of operational continuity and effective processes and solutions for cyber-security.

To respond to constantly evolving security needs, and to the legal requirements on processing of personal data obtained from operators and other partners, Terna uses a risk-analysis process to determine threats to information and ICT assets, together with a significant expansion programme of technical and organizational protection instruments. In order to make the approach systematic, Terna has adopted its own Information Security Governance model, based on the major international standards, built around a structured framework of policies (with related roles, responsibilities and methods of implementation), and on specific security processes.

The year 2012 saw a further stage of quantitative and qualitative growth in the range of cyber-threats against the ICT networks and systems of companies and organizations, recorded in detail by many international institutional or technical-scientific bodies. Also in terms of critical infrastructure, Terna paid great attention to this evolving scenario, made all the more relevant by its business areas’ need to expand interconnections and digital exchanges with external partners and stakeholders, above all via the Internet. Therefore, in the face of increased ICT risk, Terna strengthened its mechanisms for ICT system security, focusing in particular on fine-tuning tools and processes for controlling and monitoring.

Among the most significant initiatives and projects in 2012 we can note:

  • perfecting the advanced corporate platform for vulnerability management, which makes Terna autonomous in performing systematic ICT vulnerability analysis activities. The platform – which has reached a high degree of “coverage” of the Group's ICT assets (workstations, server farms, networks, etc.) – is now also capable of providing, together with detailed vulnerability elements, indications regarding the associated risk, thus taking account of the real “exploitability” of such risks by attackers. This facilitates the work of the ICT structures responsible for “remediation” actions;
  • a further stage of extension of the real-time monitoring services provided by the Security Operations Center (SOC), allowing more effective control of the physical and logical security of electrical plants and systems and computer networks; the positive result being both a reduction in adverse event detection times, and improved rapid response procedures, with the common purpose of minimizing impacts on the Group's resources;
  • confirmation of the ISO/IEC 27001:2005 certification of the TIMM service (Testo Integrato per il Monitoraggio del Mercato Elettrico - Integrated Rules for Electricity Market Monitoring) achieved during 2011. A year on, this confirmation represents an important test, an acknowledgement that Terna continues to correctly apply the security principles and practices valid at the international level, not only in the area of TIMM certification, but also more generally - owing to the nature of many controls implemented – for the entire management of the Group's ICT services and infrastructures;
  • the review of oversight of the Privacy rules, to update them in view of both the Group's new organizational framework and the changes introduced on the subject by Parliament between the end of 2011 and the beginning of 2012.

PR8

In the field of personal data protection, as in previous years, no complaints were received regarding breaches of privacy or illicit use by unauthorized users of personal data entrusted to Terna, either via the specific mailbox for such notifications (privacy@terna.it) or via any other reporting or survey channel.