Alongside electricity and gas grids, energy generation plants are of paramount importance for the energy supply. And just as electricity and gas network operators are dependent on intact information and communication technology (ICT), the same applies to energy generation plants: threats to communication and IT systems are also threats to secure plant operation.
Consequently, appropriate protection standards are necessary here in order to ensure smooth grid operation. The legislator has therefore expanded the IT security catalogue of the Federal Network Agency and added a further provision. Pursuant to Section 11 (1b) of the Energy Industry Act (EnWG), operators of energy systems that are connected to the public supply grid are obliged to take security measures where there is a potential risk to grid operation.
The minimum requirements of the IT security catalogue published by the Bundesnetzagentur in consultation with the Federal Office for Information Security (BSI) in December 2018 must be implemented by energy system operators by December 2018, and this must be proven by means of certification from the Federal Network Agency. Only certificates from conformity assessment bodies that, like TÜV NORD, are accredited accordingly by the German Accreditation Body (DAkkS) are permitted.
The IT security catalogue refers to all centralised and decentralised applications, systems and components that are necessary for safe plant operation - whether for process control and in the control room or for administration. There are three protection goals for all these systems:
The target group is operators of energy systems that have been designated as critical infrastructure by the BSI Critical Infrastructure Ordinance and are connected to an energy supply network.
The basis for the introduction of an ISMS in accordance with the specific requirements of the IT security catalogue and therefore for certification is an individual risk analysis, from which suitable security measures are then derived.
In order to prove that you are implementing the selected measures, it is necessary to carry out internal audits and management reviews. These in turn form the basis for the audit by your certification body TÜV NORD.
The operators of the energy systems are obliged to implement an information security management system (ISMS) that fulfils the requirements of DIN EN ISO/IEC 27001 as amended.
When implementing the ISMS, the standards DIN EN ISO/IEC 27002 and DIN EN ISO/IEC 27019, as amended, must also be taken into account.
Our auditing process is dialogue-based, draws on proven methods and is highly structured. After careful planning and coordination, it includes a review of your processes, systems and security measures.
We also analyse and evaluate your IT infrastructure to ensure that your information security management system meets the requirements of Section 11 (1b) EnWG and the expectations of your customers and business partners.
Our auditing services include