05 Apr 2023

Swiss Energy Companies establish Security Standards

Swiss Companies push Security Standards

In Switzerland, the Federal Office of Energy is in the process of establishing mandatory basic protection. Companies with a certain number of customers or a certain energy output are subject to a law that requires them to meet a defined level of basic protection.
The remarkable thing about the Swiss energy industry is that the companies themselves have recognised that, as operators of critical infrastructure, they are not as far along in OT security as they should be. As early as 10 years ago, efforts were made to establish a self-imposed obligation. Over the years, the industry has developed its own basic OT protection, which is regarded as the industry recommendation in the energy sector.

Mandatory Basic Protection from the Industry

The security standard officially published and adopted in 2018 is an industry recommendation that many energy companies follow. It was a first important step and a nationally respected form of basic protection, which must first of all be adhered to and, of course, expanded in mutual dialogue.
An ISMS (Information Security Management System: the establishment of procedures and rules within an organisation designed to permanently define, manage, control, maintain and continuously improve information security) that complies with the ISO 27001 set of rules must also be in place.

NIST Cyber Security Framework

In Switzerland, the requirements follow the NIST Cyber Security Framework. This is a minimum standard that is compatible with other measures.
It applies to all critical infrastructures. The BWL (Federal Office for National Economic Supply) is also working with the individual critical sectors and has drawn up sector-specific ICT minimum standards. The fundamental responsibility for self-protection lies with the respective companies and organisations.

ICT Minimum Standard and ISO 27001

This ICT minimum standard is an expression of the state's responsibility to protect its citizens, the economy, institutions and public administration.
Critical infrastructure operators are recommended to implement the ICT minimum standard, which is based on the NIST Cyber Security Framework.
The framework also includes a NIST comparison table in which one can look up which ISO 27001 controls would already be fulfilled if, for example, certification under that standard were sought.
