The ‘Cybersecurity and cyber resilience in the Swiss electricity supply’ report by the Swiss Federal Office of Energy concludes that the electricity industry needs to take action on cybersecurity.
The electricity supply is arguably the most important of all critical infrastructures in a modern, digitalised society. In the Swiss Confederation, the electricity supply network is heavily fragmented – around 600 power plants supply homes and businesses in the network. Unlike other critical infrastructures, the electricity sector must therefore be viewed as a complex overall system from the perspective of cybersecurity. In view of the threat situation, this gives rise to major challenges.
Inside-it.ch columnist Martin Leuthold of the Switch Foundation has analysed the report entitled ‘Cybersecurity and cyber resilience in the Swiss electricity supply’ and gives his thoughts on four proposals made by the Swiss Federal Office of Energy (SFOE).
Who are the key market players in Switzerland?
The report starts by using the term ‘boundary conditions’ to propose that the SFOE define mandatory requirements and/or a risk-based minimum standard for key market players. In terms of the criteria for defining ‘key market players’, reference is made to the practice in neighbouring countries, which makes sense. How these parameters should be defined in Switzerland, however, remains unanswered. Realistically, the focus should initially be on 20 to 30 leading energy firms. We recommend looking for ways in which the many small utility suppliers can also be included in parallel with the industry.
In our experience, it is also important that the (continued) development of the mandatory minimum standard, as yet undefined, takes place in close consultation with the industry. We expect that no more than the top 50 firms in the industry will be able to implement and operate a risk-based minimum standard for cybersecurity through their own reasonable efforts. For the others, outsourcing or establishing a specialised joint venture are likely to be the viable routes. The only real alternative is a major consolidation of the industry, which would lead to massive ‘defragmentation’; in the federalist system that we have, however, that goal will be difficult to achieve and will take a considerable amount of time.
Authorities should audit security standards regularly
The second measure proposed in the SFOE report is to establish an auditing body. In view of their current activities, ElCom or METAS would be well suited to this role, which would also ensure a separation of powers. The SFOE report also mentions, among other things, an implementation option based on certification. This variant would need to be based on an internationally recognised and certifiable standard – in the cybersecurity domain, this would most likely be ISO 27001. Service provider certification has been successfully implemented for other critical infrastructures. With this approach, the effort required to undertake the audit is shifted to the service provider on a ‘user pays’ basis, with no additional state structures that need to be funded by the taxpayer. We strongly discourage both country-specific adaptation of standards and the development of a national standard, both of which are mentioned in the report.
Encouraging reporting obligations through sanctions and incentives
Thirdly, the SFOE report proposes a reporting obligation, combined with a model of sanctions and incentives. The central reporting office would be the NCSC, which would systematically forward information concerning incidents to the SFOE. As the NCSC is already developing a concept for a reporting obligation based on the NCS, pressing ahead in the electricity sector alone would not be sensible; it would be expedient to wait for the results from the NCSC before designing this measure. In our many years of experience, the quality of reports suffers if the reporting office does not have a certain level of independence from the regulator, particularly if the regulator operates a regime of sanctions.
Trust is a critical factor for success when it comes to reporting, and the NCSC will need to consider carefully whether to squander that trust with an inappropriate solution in the energy sector. What is forwarded to the SFOE, and how, will be decisive here. When it comes to incentives, the limits of state functions must be clearly regulated. The NCS stipulates that the state acts as a subsidiary agent, and specifically only when overriding interests – such as the functioning of society, the state or the economy – are in peril. It is not the state’s job to provide systematic incident response support as an incentive for reporting cyber incidents, and it would be wrong to use taxpayer money to fund it. Firms themselves must remain responsible for incident response, with relevant support services procured from the market.
A two-stage reporting route, which the federal government is also considering, is not addressed in the SFOE report. It is, however, an interesting option, as reports could then be sent to an independent trusted partner – trusted perhaps because the industry is involved in the governance of that organisation. In Switzerland, SWITCH-CERT would be an appropriate platform for the energy sector, as it enjoys trust and can be developed accordingly. In Austria, the industry comes together in the Austrian Energy CERT, which also acts as a reporting office and forwards reports in accordance with the applicable requirements (e.g. the NIS Directive). There is no doubt that, in a two-stage model, reports must be sent to the NCSC in suitable form and that regular exchange with the regulator would be both helpful and desirable.
Encouraging regular knowledge sharing
Continuous knowledge sharing on the current situation, threat intelligence and prevention is the fourth measure proposed by the SFOE. Based on SWITCH-CERT’s many years of experience, this would certainly add value if implemented properly. As such, it is hard to understand why it is treated only as an option, with implementation considered only in the long term. The report estimates the effort required to implement this measure as minimal and proposes that the NCSC and the SFOE establish capacity in this area. Our extensive experience shows, however, that implementing such measures involves considerable effort, and it would make sense for the NCSC to play the central role.
We do not consider the demand for the SFOE to also establish capacities in this area to be realistic or useful, as it would mean a duplication of roles and considerable effort. Truly valuable knowledge sharing – the only kind that brings the added value needed – requires very open exchange between participants and a high level of trust. The SFOE, in its role as regulator, will never be able to build that trust. In contrast, the NCSC (MELANI/GovCERT) enjoys an excellent reputation and is considered trustworthy, not least because the organisation has ample experience in moderating closed groups of this kind.
SWITCH-CERT has proven itself adept at operating exchange platforms in selected sectors, complementary to the NCSC and in close collaboration with MELANI/GovCERT. Thanks to its independence and high degree of transparency, this non-profit foundation enjoys a high level of trust, including amongst ten firms operating in the electricity sector. SWITCH-CERT, one of the first CERTs in Switzerland, has worked systematically since 1996 to establish an excellent network both nationally and internationally. In addition, over the past few years it has set up its own centre of excellence for OT security serving the industry & logistics and energy sectors. It would be a mistake not to use this knowledge and experience to improve cybersecurity in the energy sector.
About Martin Leuthold
As a member of the Management Board, Martin Leuthold has been Head of the Data, Security and Network Division at the SWITCH Foundation since February 2016 and is a member of the Swiss Academy of Engineering Sciences’ Cybersecurity Advisory Board. His Twitter handle is @MLeuthold.