
Iberdrola, committed to cybersecurity

At Iberdrola, as a leading company in innovation, transformation and digitalization, we attach strategic importance to cybersecurity, which is essential to evolve and provide increasingly secure services and operations in all the geographies in which we operate and in an increasingly complex ecosystem and threat landscape.

Our main objectives are:

  • Protect our critical infrastructures.
  • Guarantee the reliability and quality of the energy supply.
  • Protect the data of our customers and other stakeholders.
  • Ensure the integrity and confidentiality of financial and business information.
  • Protect the Iberdrola Group's brand and reputation.

This strategic importance is supported by the commitment and involvement of the Group's Senior Management, which is aware of the importance of leading the digital transformation in the energy sector, a transformation in which proper management of cybersecurity risks is essential.

This commitment is expressly manifested through the Security Policy and the Cybersecurity Risk Guidelines, which are reviewed, updated and approved annually by the Board of Directors. The Security Policy, framed within the Policies related to the sustainable value chain, promotes a solid culture of cybersecurity and contributes to strengthening our capabilities for protection, detection, prevention, defense and response to possible attacks or incidents.

The Cybersecurity Risk Guidelines, framed in the Iberdrola Group's General Risk Control and Management Bases, complement the principles and criteria established in the Security Policy on cybersecurity, develop a global framework for the control and management of cybersecurity risks of cyber assets (IT, OT and critical infrastructures) of all Group companies, set risk appetite and limits, the responsibilities and priorities that must be considered for their management and establish the basic guidelines for the configuration of appropriate controls on the matter and their periodic monitoring, with a global vision for the Group companies.

Iberdrola's Cybersecurity strategy

Mission

To enable secure operations, innovation, and digitization in an increasingly complex ecosystem and threat landscape by embedding Cybersecurity within the Company's strategic and operating decisions and daily activities.

Scope

  • People: employees, customers, providers, third parties and stakeholders.
  • Processes and cybersecurity by design concept.
  • All technologies (IT, OT, IoT) supporting digitalization.
  • Business goals and priorities.
  • Global, all locations where Iberdrola operates.

Strategic Pillars

Governance

A Governance model, which establishes updated standards, frameworks and criteria for protection adapted to the environment and its evolution, as well as coordination and decision-making bodies for the integration of cybersecurity into decision-making processes:

Cybersecurity committees

Global and local, chaired by the corresponding CISOs and in which all businesses and areas are represented, where cybersecurity standards, frameworks and models are shared, discussed and approved.

A committee made up of the Group's CEO, the global CEOs of the businesses and the CEOs of all the subholdings.

It meets quarterly to learn, decide and promote specific cybersecurity initiatives and plans in their respective areas of responsibility linked to the Group's strategic plans.

Governance model

An organizational structure

It has cybersecurity managers (CISOs), global and local (Group, subholdings), and within each business and corporate area (BISOs), with clearly established roles and functions.

A model of objectives

They are linked to remuneration that incorporates specific cybersecurity objectives not only in the global and local Cybersecurity teams but also in all businesses and corporate areas (1L), and at all levels, including senior management and the CEOs of the Group's companies.

Objectives model

Cybersecurity Culture

A Cybersecurity Culture Program and multiyear awareness-raising programs aimed at all levels, areas and functions of the organisation to foster a proactive and responsible attitude towards cybersecurity risks and to provide the required awareness, knowledge and training, supported by different activities and materials for all levels in the organization according to local culture and practices:

Comprehensive strategy
  • Cybersecurity training sessions for all Boards of Directors.
  • Cybersecurity awareness sessions for all managers.
  • On-line training on cyber security and data protection for all employees, according to cybersecurity profiles (basic, medium, advanced) and their roles and functions.
  • Cyber exercises (role-plays) to test and train in the Incident Response framework.
  • Business-specific and technical training.
  • Monthly simulated phishing campaigns targeting all employees and defined contractors, and reinforcement phishing campaigns targeting clickers.
  • Cybersecurity Community, to foster a culture of knowledge sharing, collaboration and professional development, cultivate innovation, and improve performance, by connecting experts and contacts across the Company, exchanging ideas and creating synergies to raise the level of cybersecurity culture across the whole Iberdrola Group.
  • Cyber security tips, materials, newsletters, etc.

Since 2021, a specific Cybersecurity Training Hours ESG indicator, with defined targets extended to 2030, is linked to the Board's remuneration.

In addition, a "Zero Tolerance" plan, based on identified behaviours perpetrated by our employees and supported by "4 golden rules", has been developed and deployed with the aim of investigating cases individually and applying disciplinary measures when deemed necessary.

Cybersecurity responsibility

Proactive Risk Management

Comprehensive and proactive risk management plans, prioritizing critical cyberinfrastructure and essential services and IT/ OT cyber assets.

Iberdrola approaches Cybersecurity Risk Management as a repeatable, continuously improving process which includes the on-going assessment of cybersecurity risks according to defined methodologies and an Enhanced Cybersecurity Risk Assessment Model based on a set of common criteria, taxonomies, catalogues, controls and a risk map reporting process across the Group, while ensuring regulatory compliance.

Third Party Cybersecurity Risks

Iberdrola depends on third parties for the provision of services and the execution of operations. These dependencies have the potential to create cybersecurity risks to the company that shall be properly understood and mitigated. 

A global Third Party Cybersecurity Model establishes a standard and homogeneous process for assessing risk levels and controlling the degree of compliance with third-party requirements, across the whole relationship life cycle:

Third-party cybersecurity model

Cyber resilience

Cyber resilience capabilities based on state-of-the-art technology resources and global and local cybersecurity threat intelligence and incident response teams, to minimize the impact on business goals and ensure the continuity of essential services:

Cybersecurity Vulnerability and Threats Assessments

The Global Vulnerability Management Rule and Program ensure prompt identification of, and a timely and systematic response to, any vulnerabilities affecting assets that could have a relevant impact on Iberdrola's processes, based on business risk criteria. Common criteria and guidelines for vulnerability discovery and management are defined across the Group, as is the governance model, including roles and responsibilities, for proper coordination of vulnerability detection and management within the Group.

Iberdrola Vulnerability Management has a global scope, including any IT/OT and IoT assets, as well as any cloud-based systems, applications or services, even if they are hosted in a physical infrastructure that is partially or completely owned by a third party.

The vulnerability management process is made up of five stages:

  • Identification.
  • Assessment and Prioritization.
  • Response.
  • Re-assessment.
  • Improvement.

IT and Businesses' Vulnerability Management Programs and Plans ensure the implementation of processes for discovering and managing vulnerabilities affecting the infrastructure and assets they manage. For each of the management phases, the rule establishes criteria, guidelines, and minimum requirements to be considered in these Vulnerability Programs.

Since 2021, a specific Cybersecurity Assessments ESG indicator and goals (extended to 2030) is linked to the Board's remuneration.

Incident and Crisis Management

Iberdrola has Local Incident Response Plans linked to the Business Continuity Plans and Crisis Management Team in each country.

A Global Cyber Incident Response Plan and a Crisis Management Model ensure a group-wide coordination mechanism in case of a global incident or crisis and establish common criteria and standards for the processes into which the incident response plans are divided:

Crisis Committees have been defined in each country and at the global level.

A Global Cyber Fusion Center aims to improve the globalization of cybersecurity detection and response capabilities across the businesses and countries that compose the Iberdrola Group, merging the IT and OT worlds.

The Iberdrola Group's Cyber Security Incident Response Team (I-CSIRT) operates 24x7 and acts as a single point of contact for Global IT and Cybersecurity, to ensure proper detection and management of cybersecurity threats, vulnerabilities and incidents. This team coordinates threat detection and incident management globally and is supported by local I-CSIRT teams in the countries where the Iberdrola Group is present. I-CSIRT teams, with global and local representatives from Cybersecurity, ensure overall threat detection and event correlation, and coordinate specific investigations with the relevant IT and/or OT areas across the Group (Iberdrola Spain, Scottish Power, Avangrid, Neoenergia and Iberdrola Mexico).

The I-CSIRT uses a central system to monitor, detect and manage any cybersecurity incidents or events of non-compliance in all countries, in addition to specific monitoring systems in the OT environment.
 SEE INFOGRAPHIC: Iberdrola's cybersecurity map [PDF]

The I-CSIRT is an accredited member of FIRST.org and CSIRT.es.

  • The CSIRT includes services such as event monitoring, vulnerability management (discovery, prioritization and remediation), requests and certificate management, eCrime, threat hunting and IRT/IRF, secure device configuration assessment and software development tests.
  • A Cyber Threat Intelligence and Response Service provides global capabilities for early detection of events that could result in a risk situation for the Company's cyberinfrastructure.

Incident Response Testing

Several simulation exercises a year with different scopes (technical / non-technical, business-level, country/subholding-level) are planned and conducted regularly, as part of the training and awareness activities, but also to test existing response plans, identify lessons learned and areas for improvement, and enable continuous improvement. This includes the periodic execution of a Global Roleplay Exercise in which a major incident and/or crisis globally affecting the Group is simulated.

Additionally, Iberdrola regularly participates in simulation exercises organized locally by government agencies.

Event/ Incident notification

Iberdrola employees have clear procedures to follow if they detect any events or incidents (malware, phishing, information and personal data breaches, stolen devices, etc.) or if they notice something suspicious on their workstations, email, mobile devices, etc.

For any general security issues there is a Cybersecurity mailbox as well as a phone number for employees to call 24x7. For cybersecurity-related issues, such as suspicious e-mails or strange equipment behavior, the IT helpdesk operates 24x7 and has documented incident management and escalation procedures.

Continuous Cyber Control and Surveillance

Robust mechanisms for the risk oversight of very high and high risk cyber infrastructures ensure compliance with internal cybersecurity rules and applicable external regulations. Results are regularly reported to the Audit and Risk Supervision Committees and the Boards of Directors, both of the Holding Company and of each of the Group's subholdings.

Collaboration

Permanent and close collaboration, both internally between businesses and cybersecurity managers, and externally with regulators, government agencies, suppliers, companies and think tanks. Iberdrola collaborates with national intelligence agencies and specialized law enforcement groups in the exchange of real-time threat and incident information and intelligence, integrates information and intelligence received from national security agencies, and leverages other external information sources (e.g. external cybersecurity ratings, cyberattacks affecting peer companies or third parties, etc.) to anticipate potential threats and attacks against the company's IT/OT cyber assets.

Cybersecurity Indicators

A Global Dashboard with key cybersecurity and privacy metrics and indicators provides relevant global cybersecurity information.

The dashboard is in continuous evolution and tuning, incorporating additional sources, metrics and new information views addressing key decision-making stakeholders.

ESG Cybersecurity indicators

Since 2021, two cybersecurity-specific indicators and goals (extended to 2030) are included in the Iberdrola Group and subholdings ESG indicators [PDF] that are linked to the Board's remuneration:

Indicators

Trust certified by Cybersecurity standards – Iberdrola's certifications

Iberdrola demonstrates its commitment to cybersecurity, and to building trust both internally and externally, by formalizing compliance with international cybersecurity standards and extending this scope in the following years: