Blog entry

31 Jan 2023

How Energy Companies can deal with Cyber Security

Particularly in critical infrastructures, Cyber Security should be given very high priority. It is a design prerequisite for providing any IT service today. However, security must be actively managed - for example, using a four-stage model from defining needs to operating and monitoring the measures taken.
Reto Amsler / Urs Binder

Cyber Security is of paramount importance not only for IT systems, but also for the increasingly networked operational technology (OT) systems at industrial companies and critical infrastructures such as energy supply. It is a matter of identifying cyber risks, protecting against them, detecting security incidents, responding to them and restoring the normal state as quickly as possible, or switching to backup systems while the damage is contained, as stated by the Swiss electricity industry umbrella organization VSE in its handbook Basic Protection for "Operational Technology" in Power Supply.

Security management in four stages

The complex nature of the technologies and organizations involved, on the one hand, and the threats from cyberspace, on the other, make coordinated OT security management indispensable. An effective cybersecurity management system (CSMS) spans four stages: determining security needs, site assessment, defining a security strategy, and organizational and technical operation of the security infrastructure. Continuous monitoring, reassessment if necessary, and adaptation of the security strategy keep the security management system up to date.

Security policy: defining needs

First and foremost is the definition of security needs. What are the functional requirements, what is the goal, where do you want to go? This is set out in a security policy document. In general, the aim is to ensure the confidentiality, integrity and availability of information and infrastructures. Technology, people and processes all play equally important roles in this.

When defining the security policy, internal factors such as the general corporate strategy, company-wide risk management and business continuity management come into play, as do external factors and requirements of a legal nature. There are still no mandatory OT security requirements for the energy industry in Switzerland, in contrast to Germany, for example, where comprehensive regulations already exist in the form of the Ordinance on the Designation of Critical Infrastructures under the BSI Act (BSI-KritisV). However, new legislation is likely to make the regulation of cyber security for critical infrastructures much stricter in the not too distant future.
Secondly, the security policy defines responsibilities: What should the security organization look like, and who assumes which roles? Another element of the document is a set of guidelines and guard rails, together with the reasons for them. For example, is there a practiced security culture and are security incidents handled effectively (incident handling)?

Location Determination: assessment of the current situation

The next step - or alternatively, the first step before defining the needs - is to analyze the current situation, which involves not only the technical aspects of cybersecurity, but also the processes. It goes without saying that the assessment takes into account requirements from the security policy. If, for example, the security policy provides for a certain standard, such as the minimum standard for improving ICT resilience of the Federal Office for National Economic Supply (FONES), the assessment should also be carried out in accordance with this standard. Who audits the implementation? Who is accountable?

Opinions differ on the sequence between security policy and site assessment. Those who define the goals first with the security policy usually establish a standard, as just mentioned, which must or may then be followed by the site assessment - a guideline is thus already available, which can facilitate the assessment. On the other hand, if you start with the site assessment, you already know where you stand and can perhaps define more realistic goals in the security policy. However, some companies already have an approximate overview of the current situation and can easily start formulating the security policy.

Security Strategy: gap analysis and action plan

Based on the security policy and a gap analysis of the differences between the actual situation and the goals, the path to the goal is then laid down in the security strategy. This includes a concrete security program: How can the desired result be achieved in what time? The result is an action plan with detailed instructions for implementation.

Security Operation, Monitoring and Continuous Improvement

The measures defined in the security strategy are now implemented in the form of Cyber Security projects after the security organization has been set up. At the same time, ongoing monitoring of the measures taken starts and, if necessary, a renewed assessment of the situation: Are the goals being achieved? Is the strategic direction still correct, or are there new risks that need to be taken into account in risk management? Is there a need for new directions or new guard rails? This is where the circle closes, enabling continuous improvement of security management in line with requirements.
