In 2015, Germany's Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railway (Bundesnetzagentur, BNetzA) published the IT Security Standard under the terms of the Energy Industry Act (Energiewirtschaftsgesetz, EnWG) to ensure the security of the national energy supply. Under this IT Security Standard, transmission system operators (TSOs) are obliged to establish an Information Security Management System (ISMS) and have this ISMS certified by 31 January 2018 at the latest. TÜV SÜD expert Alexander Häußler explains the rationale behind the IT Security Standard and the certification process.
As energy transition advances and electricity generation becomes increasingly distributed, the requirements in respect of secure and reliable network management are growing ever more complex. As network control and measurement systems are digitised, reliable network management greatly depends on the integrity of information and communication technology (ICT). To ensure security of supply, BNetzA therefore published the IT Security Standard according to EnWG, Section 11 (1a). The standard is based on the ISO/IEC 27001 and ISO/IEC TR 27019 standards, with additional specific aspects of network management. Not all of the actions specified in the standards need to be implemented in full. However, within the scope of risk management, all of them need to be reviewed completely for relevance.
Information Security Management System (ISMS)
One of the core requirements of the IT Security Standard concerns the establishment of an ISMS and its certification by an accredited third party such as TÜV SÜD. The rationale behind this requirement is that implementing isolated controls such as antivirus software or firewalls is not enough to ensure an appropriate level of security for telecommunications and IT systems. What is needed is an integrated approach, which must be reviewed continuously for its performance and effectiveness and adjusted if necessary. Given this, information security must be firmly integrated into organisational structures as a regular process, for example by applying the Plan-Do-Check-Act model (PDCA cycle). In this context an important factor is that organisations define policies, objectives and processes, take action to ensure their implementation, and monitor developments. Important focus areas of an ISMS are risk assessment and risk treatment. Internal audits help to identify the corrective and preventive actions that are needed to ensure the continual improvement of the ISMS and the sustainable operation of the relevant telecommunications and data processing systems in line with the standards and requirements.
Accreditation of certification bodies
To ensure all certification bodies for the IT Security Standard reach a high and comparable level of quality, the BNetzA requires certification according to the IT Security standard to be performed by a certification body accredited by the national accreditation body for Germany (Deutsche Akkreditierungsstelle, DAkkS). To become accredited, certification bodies need to fulfil certain criteria which are defined in the conformity assessment programme, such as ensuring exchanges of experience between their auditors as well as auditing all applications and systems which have been classified within the scope of risk assessment as involving “high risks”. In addition, auditors need to attend and successfully complete training on the basics of grid-based energy supply with electricity and gas.
Two-stage certification procedure
Certification according to the IT Security Standard is carried out as a two-stage procedure. Stage one is an on-site assessment to verify management-system effectiveness and determine whether the organisation is ready for certification. In the stage-one audit, auditors check whether the network plan includes all systems that might influence network management. The stage-one audit also addresses questions related to risk assessment, such as how risk assessment has been introduced, how it works and whether the results are traceable. The actions, commonly called "controls", are also checked for their applicability. The audit is based on the documentation submitted by the organisation, such as the network plan, and on personal interviews. Basic aspects of management systems, such as the internal audit process and management reviews, are also assessed. If the stage-one audit shows that aspects are not traceable or have been evaluated incorrectly, the TSO needs to take corrective actions. The auditors document the results of the stage-one audit in a report, which they submit to the certification body. The certification body also checks whether all information is traceable and decides whether the organisation is ready for the stage-two audit.
The stage-two audit is carried out on site at the organisation's premises and takes a closer look at the management system itself, the technical systems and the process-oriented controls. In the stage-two audit, the auditor assesses the implementation of controls. To do so, auditors look at specific examples. If they identify aspects that are not fully in conformity with the requirements, the organisation must provide the certification body with evidence of root-cause analysis, corrections and corrective actions. The auditor cannot draw up the stage-two audit report until this has been done. The stage-two audit report is also submitted to the certification body, which then decides on certification and the issuance of the certificate.
More information on the IT Security Standard is available at http://www.tuev-sued.de/management-systeme/it-dienstleistungen/it-sicherheitskatalog.
Press contact: Carolin Eckert