The Digital Innovation Office of the Swiss Federal Office of Energy (SFOE) commissioned Deloitte to produce a basic study which, among other things, outlines the current status of cyber security and resilience within the Swiss electricity sector.
The study also proposes a holistic concept for how the sector can guarantee an appropriate level of cyber security in the future in the face of rapidly advancing digitisation and constantly changing threats.
The full report from the SFOE can be found here.
We have briefly summarised the most important findings of the study below:
The pace of digitisation is increasing, and new technologies are constantly finding their way into Switzerland’s power plants and electricity grids.
Cyber-attacks on companies in the electricity sector are becoming increasingly common, and the cyber threat to Switzerland’s electricity supply is currently undergoing major change.
At present, the issues of cyber security and resilience are not uniformly or comprehensively regulated for all relevant stakeholders in the electricity sector.
Many of the existing guidelines are also voluntary in nature. Further, mandatory specifications and minimum requirements are still pending within the sector.
The evaluation of the 2020 E-Survey on the IT security of Swiss electricity market participants, carried out as part of the study, clearly shows that the players have not yet taken all the necessary steps on an independent and voluntary basis.
Accordingly, the majority of companies are not yet compliant with their own industry guidelines and are still far from the target of an average maturity of “2.6”, set specifically for all areas as the federal ICT minimum standard.
Most of the federal government’s priorities set out in the National Strategy for Protecting Switzerland from Cyber Risks 2018-2022 (NCS) are compatible with the measures of the EU’s first directive on security of network and information systems (NIS).
However, EU member states currently appear to have a considerable lead in terms of cyber security and resilience. Many of the measures currently being discussed for Switzerland have already been put into practice and are well-established in EU countries as a result of the NIS Directive.
Based on the need for action identified for Switzerland, the holistic concept described in the study primarily focuses on four action areas: (1) Framework conditions, (2) Review, (3) Reporting and (4) Knowledge-sharing.
All approaches described in the study need to be systematically further defined and implemented within the sector in the near future, so that Switzerland’s electricity sector can guarantee an appropriate level of cyber security in the face of rapidly advancing digitisation and constantly changing threats.
The federal government is currently working at full speed on the implementation of the national strategy to protect Switzerland against cyber risks 2018-2022 (NCS).
Accordingly, companies within the Swiss electricity sector can expect new requirements and changes in the status quo in the areas of cyber security and resilience. According to the study, the most important possible future changes would be as follows: