Information Technology

In 2012, significant benefits were obtained as a result of projects and innovations introduced by IT and attributable to an increase in the safety of the national grid, and to improvements in overall management.

1. Increase in the safety and efficiency of the National Electricity System (SEN)

Significant changes have taken place in the Defence systems, particularly in the South. The need had arisen as a result of the high level of photovoltaic energy generation that took place during 2011, leading to a reduction in load in the South, with a consequent increase of the flows on the 380 kV grid exported from Puglia. In order to limit the impact of grid incidents in the zone, and the economic effects associated with the control of emerging congestion, the local defence systems were reviewed. The "Telescatto Area Sud" perimeter was extended along the Adriatic coast, to the connections between the Adriatic backbone and the Tyrrhenian backbone, to the two new phase shift transformers in Foggia and Villanova.

In 2012, the new system of control and conduction was also launched, as regards the remote conduction functionalities, on certain Terna installations. This was the first phase in the overall commissioning of the system, which will be completed in 2013. It will bring many benefits in terms of simplifying the architecture for data acquisition and exchange with the 3,600 SEN installations, and therefore an improvement in the quality and reliability of the related flows. It will also lead to the rationalisation and optimisation of the functionalities available to users of the CR, CTI and CNC rooms.

2. Improvements to overall management

In 2012 the GAUDÌ platform was the object of a series of installation qualification measures, which require an increased use of automated procedures and elaborations designed to rationalise and speed up the updating/alignment with external systems, also to support the integration of all the external operators into the qualification process.

With reference to the market systems, 2012 saw the introduction of new procedures for the calculation of binding programmes, in line with the contents of the A25 annex to the Network Code. The technology platform and infrastructure supporting the supply of Dispatching resources has been further integrated with the Market Operator systems and the IT systems managing the transport capacity to and from foreign TSOs.

A series of software upgrades have also been implemented, to support the process for the allocation of the shipping service and allocation and contractual management of the interruptibility service.

The reinforcements to the ICT Governance projects have improved efficiency and effectiveness of operations, by introducing new tools to automate the technological upgrade of the Market area systems in order to safeguard the security of data and the overall infrastructure.

Information Security

2012 saw a further increase, in both quantity and quality, of cyber threats affecting the IT networks and systems of businesses and organisations, as specifically recorded by international institutional or technical-scientific bodies. For Terna, as for many large companies, this scenario deserves great attention, considering the growing need of its business areas to strengthen connections and digital exchanges with external stakeholders, particularly with the online community.

In this context, Terna, also because of its status as a critical infrastructure - one of the largest in Italy - has been required to update, Group-wide, all the measures in place to protect tangible and intangible information assets, by means of an articulated programme of controls and improvements to security of information, systems and networks.

The programme, based on the study and knowledge of risks (cyber risks in particular) and on techniques designed to reduce them to levels sustainable for the business objectives, entered a further phase of growth in 2012, with the development of the internal model for the governance of security and related processes, in terms of maturity, replicability and efficiency.

Terna's model is structured in such a way that it can adapt over time to various IT threats and cyber crimes, while simultaneously improving compliance with laws and regulations on data protection and computer crime (privacy laws, Legislative Decree 231/01 etc.).

The existence of a comprehensive and detailed internal information security policy complete with methods, procedures and working practices, provides multi-level actions to all Group companies in order to improve the security position and the ability to prevent and limit risks connected to cyber security and other negative, voluntary or involuntary factors that could impact the information assets.

The key initiatives, projects and lines of intervention characterising the 2012 programme, carried out with the contribution of the SOC and Group IT divisions, followed three main lines: reinforcing the defences of the network perimeter, the intrinsic security of each new IT application, and finally the scope and effectiveness of the process of maintaining security on operating systems.

The company network, now universally recognised as strategic and even essential for the success of business activities (by virtue of its dual role as a widely-used form of access to company information resources but also a form of protecting those resources) requires the constant reinforcement of defence strategies.

Apart from the work done to reduce the risk of external penetration of the Terna network, in 2012 activities were also implemented in order to improve the segmentation and defences of the internal perimeters. Within the critical infrastructure area, where a growing volume of IT resources are providing fundamental support for operational processes, the network's configuration is even more vital, as it is directly linked to the security and continuity of services. In the current context, another very important issue is the regulation of remote access to resources on the company network by authorised users - including technology suppliers in relation to contractual matters, software and equipment management - with a view to reducing intrusions and documenting activities on the Group's information systems in the specific case of interconnections with third party information networks.

With regard to the correct posture of an ICT system, in 2012 great investments were made in implementing the security plan, which by definition consists of a list of controls or countermeasures considered suitable for protecting the infrastructure components, applications and information, in line with information security and business requirements, by allocating specific responsibilities for implementation. In accordance with the now consolidated policy, in 2012 there was an increase - partly because of the work on the classification of the security of information and the IT systems used to process it (99% of company information is now digital, and cyber security is an essential part of protecting it) - in the number of new projects or major changes to IT systems and services with an associated, adequately developed security plan.

Terna, in line with the new opportunities offered by the market for cloud computing, evaluated the security of Software as a Service (SaaS), in order to address this paradigm shift appropriately, which transfers to a third party the responsibility for several IT functions supporting company processes, overturns the concept of security by transferring it to the third party, and places a focus on legal and contractual aspects, starting with the extensive Service Level Agreement (SLA).

With reference to verification and control, the maturity of internal resources and vulnerability management tools has allowed more complete, effective activities to be carried out. In the second half of 2012, thanks to the extension of the company scanning platform, the verification activities (also carried out entirely in-house), in terms of analysing the technological vulnerability of individual or group ICT assets or security audit sessions, increased in number and improved in quality. A risk level indicator was allocated to each vulnerability, to indicate the real extent to which it could be attacked, with evident advantages for the IT departments who are required to remedy these situations. This type of approach is obviously valid if it is able to set up a remediation cycle that increases the level of protection against the most common threats, with particular reference to those from cyberspace. This is why each action is always carried out with a high degree of reporting so that recovery plans can be suggested and recommended.

Finally, specific mention should be given to the value - also in terms of image - coming from the confirmation in July 2012 of the ISO/IEC 27001:2005 certification acquired by Terna in 2011, for the TIMM applications after a procedure approved by the Authority for Electricity and Gas. This confirmation, after a year of work, was an important test that confirms Terna's ability to continue to apply internationally-recognised safety principles and standards, particularly with regard to TIMM systems and processes, but with positive impacts on the management of all the company's IT services.

Managerial information technology and services to people

In the second half of 2012, the software development area of the ICT division completed the application upgrades needed to support company processes in the wake of the organisational restructuring.

The technological infrastructure has not undergone any material perimeter changes in the absence of any significant short to medium term projects agreed by Terna Holding. Work has continued on the technological renewal of the application servers and work stations, according to the renewal plan programmed for the end of life of the ICT assets.

At the end of 2012, the restructuring activities at the AOT plant in Cagliari were complemented by the design and completion of the technology infrastructure, also with a view to the transfer of the Cagliari CR and control room.

With reference to the security of ICT infrastructure, the server and client logics and protection modes were also optimised, with the McAfee anti-virus program, reducing the upgrade deficit on the Terna archive, with regard to the vulnerabilities recognised by McAfee worldwide.