Blog post

21 May 2024

Cyber Resilience in Switzerland: Important Steps towards Security

From July 1, 2024, new provisions of the Electricity Supply Ordinance (StromVV) will apply. Grid operators, producers and service providers will then have to fulfill a higher duty of proof and due diligence and achieve and demonstrate a binding level of protection against cyber threats. The ordinance is based on the Federal Council's National Strategy for Protection against Cyber Risks (2018) and the ICT minimum standard integrated into it.

In the Overview

  • National Cyber Risk Protection Strategy (NCS): Targeted measures to strengthen cyber security in Switzerland.
  • ICT minimum standard: Basis for improving cyber security for critical infrastructures.
  • Sector-specific minimum standards: Supplementary requirements developed in collaboration with industry associations.

How do you achieve the ICT minimum standard?

  1. Introduction: Establishing the basics in the company. Various aspects are covered here, including security principles, organization and responsibilities, policies, directives and guidelines, risk management, elements of a defense-in-depth strategy and specific topics such as industrial control systems (ICS).
  2. Implementation: Based on the American NIST Cyber Security Framework 1.1, the maturity of a company's cyber security is assessed in the 5 functional groups (so-called functions) IDENTIFY, PROTECT, DETECT, RESPOND and RECOVER and corresponding subgroups.
  3. Test: The third part is a self-assessment and evaluation tool. It provides a practical way to apply the standard by allowing organizations to assess or improve their own ICT security maturity, thus providing an overview of the overall maturity of cyber security within the organization.

What are the challenges in companies?

A company's ICT security strategy should aim to protect the ICT assets that are critical to its business processes. These include systems, data, devices, processes and people.

Challenge #1
Due to the rapid and strongly operationally focused digital growth of companies, there is currently no complete inventory of assets or documentation of critical processes.

Challenge #2
Security is often viewed functionally. However, the ICT security principles also require the necessary organizational rules, processes, metrics and structures to answer the following questions:
  • What is done?
  • How is it done?
  • Who is responsible for it?
  • How is it measured?
 
Challenge #3
Active and continuous risk management is a prerequisite for improving ICT resilience. The organizational unit responsible for the operation and maintenance of ICT systems must know and apply the organization's risk management methods. The ICT risk process includes:
  • Risk analysis: Identification of potential threats and vulnerabilities.
  • Risk assessment: Evaluation of the probability and impact of risks.
  • Risk management: Implementing measures to mitigate or eliminate risk.

Challenge #4
A multi-layered approach to a security strategy known internationally as "defense-in-depth" is designed to prevent an attacker from exploiting existing vulnerabilities in any of these assets. At the same time, potential attackers and their methods are monitored in order to develop suitable defensive measures.

Challenge #5
The StromVV specifies the applicable level of protection for the actors and thus defines the requirement level of the tasks to be implemented. The protection levels (A/B/C) and the associated criteria were developed together with the Association of Swiss Electricity Companies (VSE) and experts from the Swiss Federal Office of Energy (SFOE). The protection levels, in combination with the required minimum values (so-called maturity rating), determine the degree of fulfillment that must be implemented in accordance with the ICT minimum standard. 

Trust through Security

Our ICT assessment package provides a detailed analysis of your current OT environment in terms of cyber security. Together, we create a report and support you in identifying potential vulnerabilities and deficiencies, as well as providing clear options for action to improve your cyber resilience.

Why an ICT-Assessment with ALSEC?

  1. Compliance with legal requirements: Our assessment helps you as an energy supply company (EVU) to evaluate the regulatory requirements, to address them accordingly and to be able to report on them at any time.
  2. Transparency and insight: Find out the current status of your OT environment and identify potential risks and vulnerabilities.
  3. Strengthening resilience: We support you in securing your infrastructure to withstand even the most demanding threats.
  4. Cost-effective solutions: We work together to develop a solution that not only meets critical regulatory requirements, but also keeps your costs in mind.
  5. First-hand support: ALSEC's industry specialists were involved in the development of the "Handbook of Basic Protection for Operational Tech.

 "Thanks to our extensive networking with universities, associations and manufacturers and our many years of knowledge in this area, ALSEC is the ideal partner for carrying out ICT assessments."

Get started in a future-proof cyber world today and let us know if we can contact you without obligation.
https://alsec.ch/en/campaigns/ikt-ict

Get our latest Whitepaper

Whitepaper only available in German.

Back to analog for Business Continuity

In industrial environments of critical infrastructures in particular, operation with high availability, ideally without any interruption of production processes, is absolutely essential. Business Continuity Management (BCM) plays a particularly important role in the security context of this area. If a cyberattack occurs and paralyzes infrastructure, replacement systems of the same type (hardware) with compatible software (firmware, operating system) must be available immediately so that backups can be restored and systems recovered. Until this has been done, substitute processes must also take effect as quickly as possible.