19 Oct 2023

Critical infrastructures in the energy supply - requirements for cyber security

Authors: Reto Amsler / Peter Müller

The world is changing

Critical infrastructure such as power grids, water supply systems, traffic control systems, and industrial control systems are increasingly connected to the Internet. This increases the risk of cyberattacks by malicious actors, including state-backed groups, hacker collectives or cybercriminals. To defend against these attacks and minimize damage, robust cyber security is essential.

Society depends on the flawless functioning of critical infrastructure in its day-to-day life. For example, there is a great dependence on a continuous supply of energy. The last few years have shown that we have been confronted with issues we were previously unaware of, such as an impending electricity shortage or a shortage of gas reserves.
In addition to the impact of geopolitical influences, there are the changes brought about by Industry 4.0, with aspects such as better networking and digitalization of production environments. Automation will also become much more important in the future. Through all these changes, we are also increasingly facing new threats.

Critical infrastructure can also be a vulnerable area from an economic perspective. An attack on these systems can result in significant financial losses that can impact businesses, industries and even entire economies. Protecting against cyberattacks is therefore critical to maintaining economic stability and prosperity.

Critical infrastructure must be operational around the clock. A successful cyber attack can cause outages that lead to service disruptions, production delays, or other serious consequences. By implementing strong cyber security, such outages can be avoided or at least minimized to ensure business continuity.

Many countries have regulations and standards that govern cyber security in critical infrastructure to increase the resilience of critical infrastructure to cyber attacks. Compliance with these regulations is necessary to maintain a consistent baseline of protection across all critical sectors. It is also necessary to meet legal requirements, avoid potential penalties, and maintain public trust. 

Cyber security in the energy supply sector

Cyber threats are a new chapter that energy suppliers must actively manage in order to guarantee a secure and uninterrupted energy supply in Switzerland. However, this requires an entire industry to rethink its approach and move towards active risk management in the area of information security.

In particular, this also includes critical OT infrastructures, where the topic is often still neglected today. There are several reasons for this. One of them is the lack of awareness or knowledge about the dangers related to information security and OT security. Other reasons include a lack of responsibilities and a lack of specifications on which smaller energy companies in particular can rely.

Here, however, there is a clear trend towards support from associations and authorities, in particular through the BWL, which is working with the critical subsectors to develop ICT minimum standards and thus offers companies guidance on how to become more resilient to cyber threats.

Furthermore, there is a political will to define binding specifications for critical infrastructures in the area of information security. The SFOE is a pioneer in this respect in the electricity sector. On the basis of the ICT minimum standard, the SFOE defines maturity values that energy companies have to fulfill, depending on their criticality.

These values are to become mandatory with the revision of the Electricity Act in mid-2024. The companies will then have to document their achieved criticality for the required subcategories of the ICT minimum standard in a self-assessment and report this to ELCOM as the verifying authority.

The VSE is working closely with the SFOE to create a guideline for the energy industry that describes the requirements to be met and how they can be efficiently addressed and implemented with target-oriented measures. Some of the important domains that need to be addressed by the companies are:

  • The security organization
  • Asset management
  • Risk management
  • Secure network and system architecture
  • Employee empowerment and training
  • The detection and handling of security incidents

