Blog post

05 Dec 2024

Cyber resilience in the Swiss energy industry: Why clear processes and responsibilities are key to ICT security

In Switzerland, the energy industry plays a central role in society and the economy. Any power outage, whether caused by technical problems or by a cyber attack, can have far-reaching consequences. Power grids are becoming increasingly intelligent and complex, and with that the calls for cyber resilience are growing louder. But how can energy suppliers improve their ICT resilience in a targeted way?


This is where structured approaches come into play: clear responsibilities, defined processes, comprehensive guidelines and a strong information security management system (ISMS).


The ISMS also helps to ensure compliance with many of the legal requirements of the Swiss Federal Office of Energy (SFOE).


Responsibilities and organization: the RASCI model as a success factor

Imagine a small hydroelectric power plant in a mountain valley. The technical infrastructure is complex and the dependency on IT systems is high. To ensure that everyone knows what to do in the event of a security incident, responsibilities must be clearly assigned. This is where the RASCI model comes into play, a tool that helps to precisely define roles and responsibilities.


The model answers the key questions for every task: Who carries out the work (Responsible)? Who bears overall responsibility and signs off (Accountable)? Who provides support (Supportive)? Who is consulted before decisions are made (Consulted)? And who must be informed about developments (Informed)?


For an energy supplier, this means specifically:


  • The IT manager is responsible (R) for the operational implementation of cyber security,
  • the CISO (Chief Information Security Officer) is accountable (A) for the security strategy and, through an adequate information security management system, ensures that the basic requirements for information security are met, reviewing them regularly for appropriateness,
  • the technical team supports the work and is consulted (S/C) when questions arise,
  • and the executive management is always kept informed (I).

This type of structure allows all relevant people to act directly and in a coordinated manner. In an emergency, there are no misunderstandings or delays that could worsen an incident.


Process management: The House of Processes


Cyber resilience thrives on good processes. One way to visualize these is the House of Processes. This model shows how processes can be divided into strategic, management, core and support processes to cover all levels of a company.


An energy supply company (ESC) in Switzerland must not only ensure the security of its ICT systems, but also protect the operation of the power supply. Let's take the example of an ESC that, in addition to producing electricity with its power plants, also coordinates the transmission and distribution of electricity. The processes that come into play here are crucial to the stability of the entire energy supply.


  • Strategic processes set long-term goals and provide direction, for example, on what cyber resilience should look like in the next decade.
  • Management processes include regular reviews of security standards.
  • The core processes in electricity transmission and distribution are at the heart of the value chain; a cyber attack affecting these processes could lead to widespread power outages.
  • The support processes help to keep the infrastructure up to date and prepared for threats.

This structure helps make the company resilient both internally and externally. The electricity market is volatile, and every process must be designed to withstand disruption, whether it comes from the market or from an attacker.


House of Policy: Guidelines as the foundation of resilience


Every company needs rules and guidelines to work safely and efficiently on a daily basis – and this is especially true in cyber security. This is where the House of Policy comes into play: It serves as a guideline for employees, and a fixed set of guidelines provides clear recommendations for action.


Let's think of a typical situation: a new employee in the technical team has questions about how to handle sensitive data. Clear instructions immediately tell them which standards they must follow in order to comply with the company's binding requirements.


The House of Policy helps to clearly present these instructions and requirements:


  • The policy and directives set the general direction and describe WHY something must be done,
  • guidelines define WHAT is to be done in which security domains,
  • work instructions provide specific guidance and describe HOW something must be done,
  • and processes describe how matters are handled on a day-to-day basis and provide detailed procedures.

For an energy company, this means that every employee – from technicians to senior management – receives clear guidelines on how to act in terms of cyber security. In an industry where even a small mistake can have serious consequences, such guidelines are a must.


ISMS: the backbone of cyber security


An information security management system (ISMS) is the core of sustainable cyber security. It structures the development, operation and continuous improvement of security measures. 


The ISMS works according to the PDCA cycle (Plan-Do-Check-Act), which ensures continuous improvement. It also ensures that all parties involved – from the management level to the executing specialists – know their roles and responsibilities and receive regular training.


The eight phases for implementing an ISMS developed by ALSEC and the VSE guide companies through the entire security process: from identifying and assessing risks to defining protective measures and monitoring and reviewing. It is particularly important for the energy industry to go through these phases continuously in order to be prepared for new threats.


An example from our practice: phase 2, "Initialization"


The second phase of ISMS implementation, initialization, lays the foundation for all further security measures. In this phase, organizations create the necessary basis for building a robust security structure. This includes defining policies, strategies and resources for information security.


For example, an electricity grid operator defines the framework and scope for its cyber security. It carries out a detailed as-is analysis to evaluate its current security situation and identify potential vulnerabilities. It then sets up a security organization and defines clear responsibilities, both for regular operations and for emergencies. Finally, KPIs (key performance indicators) and audit procedures are introduced so that the security measures can be continuously monitored and improved.


Conclusion: The resilience of energy companies is a national concern


For the Swiss energy industry, ICT resilience is much more than just a technical issue. It is about securing the basis of energy supply and thus of society and the economy. Comprehensive, well-structured cyber security management helps energy suppliers to respond appropriately to threats and to reliably ensure the energy supply.


With the models and structures we have highlighted here, from the RASCI model to the House of Processes and the House of Policy to the ISMS, companies create a stable basis for the future. Switzerland and its citizens can thus rely on a secure and resilient energy infrastructure that continues to function reliably even in times of crisis. And companies in the energy sector can be confident of meeting the new legal requirements of the SFOE (BFE).

Get our latest whitepaper

Whitepaper only available in German.

Back to analog für Business Continuity

Particularly in the industrial environments of critical infrastructures, high-availability operation, ideally without any interruption of the production processes, is absolutely essential. In this area, Business Continuity Management (BCM) plays an especially large role in the context of security. If a cyber attack occurs and paralyses infrastructure, replacement systems of the same type (hardware) with compatible software (firmware, operating system) must be immediately available so that backups can be restored and systems rebuilt. Until that has happened, fallback processes must also take effect as quickly as possible.