Iberdrola, committed to cybersecurity

At Iberdrola, as a leading company in innovation, transformation and digitalization, we give cybersecurity strategic importance: it is essential to keep evolving and to provide increasingly secure services and operations in every geography in which we operate, within an increasingly complex ecosystem and threat landscape.
This commitment is set out in the Security Policy and the Security and Resilience Risk Guidelines and Limits, which are reviewed, updated and approved annually by the Board of Directors.
- The Security Policy, framed within the Policies related to the sustainable value chain, promotes a solid culture of cybersecurity and contributes to strengthening our capabilities for prevention, protection, detection, response and resilience.
- The Security Risk Guidelines, framed within the Iberdrola Group's General Risk Control and Management Bases, set out a global framework for the control and management of cybersecurity risks to the cyber assets of all Group companies. They set the risk appetite and limits, assign the responsibilities and priorities to be considered in managing those risks, and establish the basic guidelines for configuring appropriate controls and monitoring them periodically, with a Group-wide view.
Iberdrola's Cybersecurity strategy
Mission
To enable secure operations, innovation and digitization in an increasingly complex ecosystem and threat landscape by embedding cybersecurity within the Company's strategic and operating decisions and daily activities.
Scope
- People: employees, customers, providers, third parties and stakeholders.
- Processes, including the cybersecurity-by-design concept.
- A unified cybersecurity governance model across all technologies, enhancing operational efficiency and digitalization.
- Business goals and priorities.
- Global, all locations where Iberdrola operates.
Strategic Pillars
- Governance
- Collaboration
- Cybersecurity Culture
- Continuous Cyber Control and Surveillance
- Proactive Risk Management
- Cyber Resilience
Cybersecurity strategic pillars
Governance
A governance model based on the three lines approach. It establishes updated models, rules and protection criteria adapted to the environment and its evolution, together with coordination and decision-making bodies, to enable secure and resilient operations and value creation in the face of an evolving energy and geopolitical environment, an expanding attack surface, increasingly sophisticated cyber threats, supply-chain attacks and incipient, heterogeneous regulation.
Cybersecurity Culture
A Cybersecurity Culture Program with multiyear awareness-raising programs tailored to target audiences and supported by a cybersecurity skills framework. It aims to foster a proactive and responsible attitude towards cybersecurity risks and to provide the required awareness, knowledge and training, through activities and materials for all levels of the organization adapted to local culture and practices.
Combining different training actions and types:
- Face-to-face Cybersecurity training sessions for Board of Directors
- Cybersecurity awareness sessions for managers
- On-line training on cybersecurity and data protection for employees, according to cybersecurity profiles (basic, medium, advanced) and their roles and functions
- Cyber exercises (role-plays) to test and train in the Incident response framework
- Business and expert specific/ technical training
- Monthly simulated Phishing campaigns targeting all employees and defined contractors and reinforcement Phishing campaigns targeting clickers
- Cybersecurity Community, to foster a culture of knowledge sharing, collaboration and professional development, cultivate innovation and improve performance by connecting experts and users across the Company, exchanging ideas and creating synergies to raise the level of cybersecurity culture across the whole Iberdrola Group.
- Cybersecurity tips, materials, newsletters, etc.
A "Zero Tolerance" plan, based on identified risky behaviours by employees and supported by "4 golden rules", has also been developed and deployed: cases are investigated individually and disciplinary measures are applied when deemed necessary.
Continuous Cyber Control and Surveillance
Robust mechanisms for the risk oversight of very-high and high-risk cyber infrastructures to ensure compliance with internal cybersecurity rules and applicable external regulations. The results are regularly reported to the Audit and Risk Supervision Committees and the Boards of Directors, both of the Holding Company and of each of the Group's subholdings.
Proactive Risk Management
Comprehensive and proactive risk management plans, prioritizing critical cyberinfrastructure, essential services and IT/OT cyber assets.
Iberdrola approaches cybersecurity risk management as a repeatable, continuously improving process. It includes the ongoing assessment of cybersecurity risks according to defined methodologies and an Enhanced Cybersecurity Risk Assessment Model, based on a common set of criteria, taxonomies, catalogues and controls and a Group-wide risk map reporting process, while ensuring regulatory compliance.
Cyber resilience
Cyber resilience capabilities based on state-of-the-art technology and on global and local cybersecurity threat intelligence and incident response teams, to minimize the impact on business goals and ensure the continuity of essential services:
Cybersecurity Vulnerability and Threats Assessments
- The Global Vulnerability Management Rule and Program ensure the prompt identification of, and a timely and systematic response to, any vulnerability affecting assets whose exploitation could have a relevant impact on Iberdrola's processes, based on business risk criteria. Common criteria and guidelines for vulnerability discovery and management, as well as the governance model (including roles and responsibilities) for proper coordination of vulnerability detection and management within the Group, are defined Group-wide.
- Iberdrola's vulnerability management has a global scope, covering all IT, OT and IoT assets as well as any cloud-based system, application or service, even where it is hosted on physical infrastructure partially or completely owned by a third party.
- The vulnerability management process is made up of five stages:
  - Identification.
  - Assessment and Prioritization.
  - Response.
  - Re-assessment.
  - Improvement.
- IT and Business Vulnerability Management Programs and Plans ensure that processes for discovering and managing vulnerabilities affecting the infrastructure and assets they manage are implemented. For each management phase, the rule establishes the criteria, guidelines and minimum requirements these programs must consider.
- Since 2021, a specific Cybersecurity Assessments ESG indicator, with goals extended to 2030, has been linked to the Board's remuneration.
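The five stages above, and the business-risk criteria the Vulnerability Management Rule uses to prioritize findings, are easier to see in code. The following is an added example written for this page, not Iberdrola's own tooling: the criticality weights, exposure and exploitation multipliers, SLA days, asset names and findings are all assumed or constructed, and it covers only the assessment/prioritization and re-assessment stages.

```python
# Added example: risk-based vulnerability prioritization and re-assessment.
# Not Iberdrola's code. Weights, multipliers, SLA days, assets and findings
# are assumed or constructed for illustration.
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed SLA: days allowed to remediate each priority tier.
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}
# Assumed business-criticality weights (the page names "very high" and "high").
CRITICALITY_WEIGHT = {"very_high": 1.0, "high": 0.8, "medium": 0.5, "low": 0.2}


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: str        # key of CRITICALITY_WEIGHT
    domain: str             # "IT", "OT", "IoT" or "cloud"
    internet_exposed: bool


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: Asset
    cvss: float             # technical severity reported by the scanner
    exploited_in_wild: bool
    discovered: date


def risk_score(f: Finding) -> float:
    """Business-risk score: CVSS scaled by asset criticality, then raised for
    internet exposure, known exploitation and OT impact; capped at 10."""
    score = f.cvss * CRITICALITY_WEIGHT[f.asset.criticality]
    if f.asset.internet_exposed:
        score *= 1.3
    if f.exploited_in_wild:
        score *= 1.5
    if f.asset.domain == "OT":
        score *= 1.2        # availability/safety impact on operational assets
    return round(min(score, 10.0), 2)


def priority(score: float) -> str:
    if score >= 9.0:
        return "P1"
    if score >= 7.0:
        return "P2"
    if score >= 4.0:
        return "P3"
    return "P4"


def due_date(f: Finding) -> date:
    return f.discovered + timedelta(days=SLA_DAYS[priority(risk_score(f))])


def remediation_plan(findings):
    """Assessment and prioritization stage: rank findings by business risk,
    returning (id, score, priority, due date) tuples, highest risk first."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.finding_id, risk_score(f), priority(risk_score(f)), due_date(f))
            for f in ranked]


def reassess(findings, still_present, today):
    """Re-assessment stage: after the response, classify each finding as
    closed (no longer detected), open (within SLA) or overdue."""
    status = {}
    for f in findings:
        if f.finding_id not in still_present:
            status[f.finding_id] = "closed"
        elif today > due_date(f):
            status[f.finding_id] = "overdue"
        else:
            status[f.finding_id] = "open"
    return status


# Constructed sample inventory and scanner output (not real assets or CVEs).
SAMPLE_FINDINGS = [
    Finding("FND-001", Asset("scada-hmi-01", "very_high", "OT", False), 8.1, False, date(2024, 3, 1)),
    Finding("FND-002", Asset("customer-portal", "high", "IT", True), 7.5, True, date(2024, 3, 1)),
    Finding("FND-003", Asset("dev-wiki", "low", "IT", False), 9.8, False, date(2024, 3, 1)),
    Finding("FND-004", Asset("billing-db", "high", "cloud", False), 6.5, False, date(2024, 3, 1)),
]


def demo_reassessment():
    """Constructed rescan on 2024-03-20: the portal was patched, the rest remain."""
    return reassess(SAMPLE_FINDINGS, {"FND-001", "FND-003", "FND-004"}, date(2024, 3, 20))


if __name__ == "__main__":
    for row in remediation_plan(SAMPLE_FINDINGS):
        print(row)
    print(demo_reassessment())
```

Note how the low-criticality wiki with CVSS 9.8 ranks last while the OT HMI with CVSS 8.1 is P1: the scanner's severity alone would have ordered the work the other way round. The re-assessment step is what turns "remediated" into a verified state, and an overdue P1 on an OT asset is exactly the kind of item the rule expects to be escalated.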
Incident and Crisis Management
- Iberdrola has Local Incident Response Plans linked to the Business Continuity Plans and Crisis Management Team in each country.
- A Global Cyber Incident Response Plan and a Crisis Management Model ensure a Group-wide coordination mechanism in case of a global incident or crisis and establish common criteria and standards for the processes into which the incident response plans are divided.
- Crisis Committees have been defined in each country and at the global level.
- A Global Cyber Fusion Center aims to improve the globalization of cybersecurity detection and response capabilities across the businesses and countries that compose the Iberdrola Group, merging IT and OT worlds.
- The Iberdrola Group's Cyber Security Incident Response Team (I-CSIRT) operates 24x7 and acts as the single point of contact for Global IT and Cybersecurity, to ensure proper detection and management of cybersecurity threats, vulnerabilities and incidents. This team coordinates threat detection and incident management globally and is supported by local I-CSIRT teams in the countries where the Iberdrola Group is present. The I-CSIRT teams, with global and local representatives from Cybersecurity, ensure overall threat detection and event correlation and coordinate specific investigations with the relevant IT and/or OT areas across the Group (Iberdrola Spain, Scottish Power, Avangrid and Neoenergia).
- The I-CSIRT uses a central system to monitor, detect and manage any cybersecurity incident or event of non-compliance in all countries, in addition to specific monitoring systems in the OT environment.
SEE INFOGRAPHIC: Iberdrola's cybersecurity map [PDF]
- The I-CSIRT is an accredited member of FIRST.org teams and CSIRT.es.
- The I-CSIRT's services include event monitoring, vulnerability discovery, prioritization and remediation, request and certificate management, eCrime, threat hunting and IRT/IRF, secure device configuration assessment and software development testing.
- A Cyber Threat Intelligence and Response Service provides global capabilities for the early detection of events that could put the Company's cyberinfrastructure at risk.
Incident Response Testing
- Several simulation exercises a year, with different scopes (technical/non-technical, business-level, country/subholding-level), are planned and conducted regularly, as part of training and awareness activities and also to test existing response plans, identify lessons learned and areas for improvement, and enable continuous improvement. This includes the periodic execution of a Global Roleplay Exercise in which a major incident and/or crisis affecting the whole Group is simulated.
- Additionally, Iberdrola regularly participates in simulation exercises organized locally by government agencies.
Event/ Incident notification
- Iberdrola employees have clear procedures to follow if they detect any events or incidents (malware, phishing, information & personal data breaches, stolen devices, etc.) or if they notice something suspicious in their workstations, email, mobile devices, etc.
- For general security issues there is a Cybersecurity mailbox and a phone number that employees can call 24x7. For cybersecurity-related issues such as suspicious e-mails or strange equipment behaviour, the IT helpdesk operates 24x7 and has documented incident management and escalation procedures.
Continuity Plans and Resilience
- Cybersecurity Incident Response Plans aligned with Business Continuity Plans are defined, periodically tested, according to the criticality of processes and assets, and reviewed to ensure the continuity of priority services and critical cyber assets.
Collaboration
Permanent and close collaboration, both internally between businesses and cybersecurity managers and externally with regulators, government agencies, suppliers, companies and think tanks. Iberdrola collaborates with national intelligence agencies and specialized law enforcement groups in the exchange of real-time threat and incident information and intelligence. It integrates the information and intelligence received from national security agencies and leverages other external sources (e.g. external cybersecurity ratings, cyberattacks affecting peer companies or third parties) to anticipate potential threats and attacks against the Company's IT/OT cyber assets.
Cybersecurity Indicators
A Global Dashboard with key cybersecurity and privacy metrics and indicators provides relevant global cybersecurity information.
The dashboard is in continuous evolution and tuning, with additional sources, metrics and new information views being added for key decision-making stakeholders.
ESG Cybersecurity indicator
In 2024, a new cybersecurity-specific indicator and goals (extended to 2030) are included in the Iberdrola Group and subholding ESG indicators that are linked to the Board's remuneration, based on the:


Trust certified by cybersecurity standards – Iberdrola's certifications
Iberdrola demonstrates its commitment to cybersecurity, and builds trust both internally and externally, by formalizing its compliance with international cybersecurity standards and extending their scope in the coming years:
- A Group-wide Information Security Management System (ISMS) has been established across Global Cybersecurity, Corporate IT and Cybersecurity Spain, certified under ISO 27001 and to be extended to other organizations.
- Other certifications:
  - ISO 27001:
    - Iberdrola España – Customers
    - Iberdrola España – Networks
    - IEI – Customers
    - Scottish Power – Digital / Digital Smart Metering
  - ISO 22301:
    - Iberdrola SA – Cybersecurity (Global Fusion Center Operation)
    - Iberdrola SA – General Secretary (Shareholder General Meeting management process)
    - Scottish Power – Generation
  - ENS:
    - Iberdrola España – Customers

Certificates (Scottish Power / Iberdrola IEI / Iberdrola S.A. / España):
- Retail:
  - ISO 27001 – Digital Channels Contracting (DELTA, SIDAT, exposed apps and websites) [PDF]
  - ISO 27001 – Energy Management – CPD & IT systems [PDF]
  - ENS – Medium level – Digital Channel Contracting and Public Charging [PDF]
- ISO 27001 – Communications between the Distribution Operation Centers (COD) and the access points for field equipment. AENOR [PDF] / IQNet [PDF]
- ISO 27001 – Cybersecurity Management. AENOR [PDF] / IQNet [PDF]
- ISO 22301 – Global Fusion Center Operation [PDF]