Cyber security for Switzerland’s electricity supply

What is the status of cyber security in Switzerland’s electricity supply, and what is the strategy for its digital future? Deloitte addresses these questions in its capacity as author of a study on behalf of the Swiss Federal Office of Energy (SFOE).

The Digital Innovation Office of the Swiss Federal Office of Energy (SFOE) commissioned Deloitte to produce a basic study which, among other things, outlines the current status of cyber security and resilience within the Swiss electricity sector.

The study also proposes a holistic concept for how the sector can guarantee an appropriate level of cyber security in the future in the face of rapidly advancing digitisation and constantly changing threats.

The full report from the SFOE can be found here.

We have briefly summarised the most important findings of the study below:

1. Increasing digitisation and a changing threat situation

The pace of digitisation is increasing, and new technologies are constantly finding their way into Switzerland’s power plants and electricity grids.

Cyber-attacks on companies in the electricity sector are becoming increasingly common, and the cyber threat to Switzerland’s electricity supply is currently undergoing major change.

2. Sharply fragmented legal landscape for cyber security and resilience in the electricity sector

At present, the issues of cyber security and resilience are not uniformly or comprehensively regulated for all relevant stakeholders in the electricity sector.

Many of the existing guidelines are also voluntary in nature. Further, mandatory specifications and minimum requirements are still pending within the sector.

3. At present, the level of development for cyber security within the sector is lower than expected

The evaluation of the 2020 E-Survey on the IT security of Swiss electricity market participants, carried out as part of the study, clearly shows that the players have not yet taken all the necessary steps on an independent and voluntary basis.

Accordingly, the majority of companies are not yet compliant with their own industry guidelines and are still far from the target of an average maturity of “2.6”, set specifically for all areas as the federal ICT minimum standard.

4. Our neighbours in the EU currently have a head start

Most of the federal government’s priorities set out in the National Strategy for Protecting Switzerland from Cyber Risks 2018-2022 (NCS) are compatible with the measures of the EU’s first directive on security of network and information systems (NIS).

However, EU member states currently appear to have a considerable lead in terms of cyber security and resilience. Many of the measures currently being discussed for Switzerland have already been put into practice and are well-established in EU countries as a result of the NIS Directive.

5. As part of the study, a clear need for action was identified and a concept for addressing the open points was drawn up

Based on the need for action identified for Switzerland, the holistic concept described in the study primarily focuses on four action areas: (1) Framework conditions, (2) Review, (3) Reporting and (4) Knowledge-sharing.

All approaches described in the study need to be systematically further defined and implemented within the sector in the near future, so that Switzerland’s electricity sector can guarantee an appropriate level of cyber security in the face of rapidly advancing digitisation and constantly changing threats.

Conclusion: What does this mean for companies in the Swiss energy sector?

The federal government is currently working at full speed on the implementation of the National Strategy for Protecting Switzerland from Cyber Risks 2018-2022 (NCS).

Accordingly, companies within the Swiss electricity sector can expect new requirements and changes in the status quo in the areas of cyber security and resilience. According to the study, the most important possible future changes would be as follows:

  1. The existence of a simplified regulatory environment for cyber security and resilience in Switzerland’s electricity sector with mandatory minimum requirements, as well as more support from the federal government
  2. A regular, central review by the federal government to determine whether a company is complying with the law
  3. The obligation to nominate a cyber officer within every company in Switzerland’s electricity sector to represent it in relation to the federal supervisory body
  4. The introduction of an obligation to report major cyber incidents to the federal government, as well as easier access to relevant information regarding the current threat situation (threat intelligence) for all companies in the electricity sector