Cybersecurity 
Preparedness 
in the 
Energy Sector

Welcome to the second episode of our Energy Talks miniseries titled, Why Should You Talk About Incident Response?. Join OMICRON cybersecurity consultant Simon Rommer as he explores the different process steps involved with cyber incident response alongside other experts from the power industry.

In this episode, Simon speaks with Tibor Külkey from ALSEC Cybersecurity Consulting , a leading OT security consultancy in Switzerland. Simon and Tibor discuss the critical importance of preparation, which is the first step in the incident response process according to the SANS Institute, an organization that specializes in cybersecurity training, certifications, and research.

This conversation between OT security experts highlights the need for a proactive approach to cybersecurity in the energy sector, the distinction between general and specific threat scenarios, and the regulatory frameworks in Switzerland compared to the European Union. Most importantly, Simon and Tibor emphasize that incident response preparation is not just about policies but also about ingraining a culture of readiness within organizations.

If you haven’t already listened to Part 1 of this miniseries, be sure to check it out:
#85: Why Should You Talk About Incident Response? | Part 1

Scott: Hello everyone! This is the second episode in our new Energy Talks podcast miniseries titled, "Why Should You Talk about Incident Response?” Your host for the continuation of this new miniseries is Simon Rommer, who is an OMICRON OT Security Consultant in the company’s Power Utility Communication Team. Simon was a guest in our first episode in this miniseries about incident response, specifically about past and future OT cyber incident response and disaster recovery in power grids. Moving forward, Simon explores the steps involved in the incident response process. So, without further delay, I hand over the microphone to Simon.

Simon: Thank you, Scott. I welcome our listeners to this episode in our Energy Talk Cybersecurity Miniseries, where we explore the critical roles of IT and OT in power systems, cybersecurity discusses the steps involved with the incident response process according to SANS. The SANS Institute is a highly regarded organization specializing in cybersecurity training, certifications, and research. In this episode of our special miniseries, I speak with Tibor Kühlke from ALSEC Cybersecurity Consulting. A leading Swiss OT security consultancy about preparation, which is the first step in the incident response process. Welcome Tibor to this episode in our Energy Talks mini-series about “Why should you talk about incident response?”.

Tibor: Good morning, Simon. I am very happy to be here.

Simon: First of all, Tibor, could you please tell us about your background in cybersecurity and what your focus within the industry is?

Tibor: I have a consulting background in cyber resilience with a strong focus on industrial companies. We as Allsec, Cybersecurity Consulting have grown out of the energy sector in Switzerland and are focused on pure OT security and have also strongly contributed to the manual for the basic protection for OT in power supply in Switzerland. We do not only advise in energy environments, but everywhere where OT technology is used, and we work on the entire spectrum from technology to management themes. We also audit, have a very experienced OT pen testing team, and have an internal OT Lab to test and validate OT protective technologies. Last but not least, we lecture and teach OT security in various organizations and universities, also from the technical to the management level.

Simon: So that sounds like quite a broad background, and you seem to have many different fields of expertise. Let's head right in. There are a lot of idioms for preparation. Some well-known ones like preparation are key or planning your work and work your plan. And some lesser-known ones like dig the well before you're thirsty and a good beginning is half the battle won. But all of them talk about how important it is to be prepared for something before it happens. In today's episode, we're going to discuss exactly this. SANS views this step as establish and train an incident response team, develop policies and procedures and ensure all necessary tools and resources are in place. So why even bother preparing for a cyber incident that might not happen?

Tibor: Well, I think the last years have shown us that business interruptions in any form or scope or dimensions are possible anytime and anywhere. So, the approach to assume breach or to take over the assume breach perspective and go with a rather boring credo, it's not the question if it happens, but when, must be programmed into the daily work of the companies. Conversely, that means that you either can be prepared or you are unprepared. We all know that you should be preparing yourself in the best way possible. I think in the critical infrastructure or energy sector; we must focus that utility companies have to prepare the steps to handle IT security incidents because they play a critical role in maintaining essential services for society and the security of the state. Any disruption caused by an insecurity incident could have far-reaching consequences impacting public safety, the economy, and also the company's reputation, of course. In summary, proactive preparation allows utility companies to protect essential services, comply with regulations, reduce financial risks and at the end safeguard public safety. Failing to prepare could result in severe consequences affecting a lot of people, let's say millions of people and undermining national stability. So, from my perspective the key reasons for preparing are we have to ensure service continuity. The utility companies are responsible for the nation's critical infrastructure. Disrupting critical services leading to power outages, water supply issues or gas disruptions could endanger lives. As I said, compliance with regulations. So, they must adhere to regulations like the IKT Minimal Standard here in Switzerland to ensure safety and security operations. And then the maintaining of the public trust and their own reputation. So, a security breach that disrupts essential services or compromises customer data can severely damage trust, resulting in long-term harm to the company's reputation and leads to direct financial losses through repair costs or business downtime.

So, preparing for incidents ensures readiness to defend against evolving threats like ransomware, phishing or insider attacks and is from my point of view, very critical in the times today.

Simon: That sounds really interesting and also it sounds like there is no way around preparing for an incident waiting to happen. But the question now is “What kind of preparation are you going to do?” and “Is there a difference between certain scenarios? Is there something you can do in general?” And also, what is the difference between the policy and the technical implementation? Is the technical implementation described in the policy or does it depend on the use case?

Tibor: I think we must approach this question or this problem from the question of is it a general incident or is it a specific threat scenario like ransomware? I think if it's a general incident, we must create the security policy that details the response to security incidents.

to identify the types of threats within the organization that you should defend and respond against. We should conduct regular incidence response tests to identify weaknesses and procedures. And in the end, we must define clear roles in the form of a security incidence response team with...

repeat and ensure that the computer security incidents response team have the appropriate permissions to respond to incidents. So on one side we must define people with the roles and we must train them, we must train the procedures, we must train with the involved tools and we must focus on specific attack techniques.

for the incidence response. And I think at the end, we must select and implement security technologies that enable us to react more efficiently and effectively to incidence. We must select technologies which enable us to have a clear view.

over the risk environment and also over the attack surface. So that helps to create some, let's say, more time before even the incident happens to react in the pre-phase. So to react earlier and not in the moment when everything is already blocked or compromised. So that's probably the part from the general incidents.

And if we go to specific threat scenarios, let's go with ransomware, is very, very, well, it's a very common thing now. We all know we must create policies that describe how to handle, let's say, a ransomware incident. In the case of ransomware, we must perform regular backups with critical data and test recovery processes.

In my eyes, we have to implement a strong access control to limit the damage caused by ransomware. So to disable ransomware to move laterally in the network and also train employees. Never forget your employees in this case. Train employees in the best security practices. How to prevent ransomware infections. Then more technical points like update all software, including all operation systems, applications, security software, and address known vulnerabilities. Then, let's say, common steps to implement anti-malware software and other security solutions to protect against specific threat scenarios like ransomware. At the end, develop a communication plan to communicate internally and externally to stakeholders in the case of an incident.

Simon: So you basically have to be prepared doing everything beforehand, when the incident happens that everybody knows exactly what to do, how to do it and who to inform. And also you have to document it, right?

Tibor: Exactly right. You don't want to have the situation that you have to deal with the incident itself and you have to deal actually with missing operations part of your companies so that people do not know what to do now. There are no procedures in place to handle the incident. You don't want to do that. So, you want to create an environment where people are trained, where people are aware of their roles and where people know what to do, when to do it, and who to communicate to. This would be an ideal world to handle an incident, or it makes it at least a little bit easier with the workload so that you can focus really on getting back on track and recovering your company fast.

Simon: I like what you just said with only having to deal with the incident. I imagine a ransomware scenario where you have to deal with the incident and the incompetency of people that are not trained well enough. Sounds like double the trouble for half the price. But let's hope our listeners are documenting and training their stuff well so they don't have to face two issues at the same time.

Tibor: Absolutely.

Simon: But you said you're mainly focused on Swiss area and based in Switzerland. Do you also know a little bit about the EU directives and what is the difference between Swiss and the EU in general?

Tibor: From my point of view, the following measures enhance the protection of critical infrastructures in the EU. It's the NIS2 directive, which strengthens cybersecurity requirements for critical energy companies. We have the EU Cybersecurity Act, which introduces certifications for digital products. We have the well-known GDPR which is focused on data protection and security across actually all sectors, including energy. Then we have the DORA, the Digital Operational Resilience Act, which sets resilience rules against digital disruptions and cyber-attacks. The CRA, so the Cyber Resilience Act, which defines security standards for digital products. These are some of the ones in the EU. In Switzerland, we have a more focused approach actually, at least in the energy sector. In Switzerland, we have the revised Federal Electricity Supply Act, so the Strom VG, and the Electricity Supply Ordinance in English, which is a strong word, the Strom VV, which have been valid since the 1st of July in 2024. These new regulations require producers, grid operators, storage operators, and service providers in Switzerland to meet minimum cybersecurity requirements for OT security. The measures to achieve the protection levels are defined from the BWL ICT minimum standards, which is based on the NIST cybersecurity framework. And the regulator ELCOM oversees the implementation and at the moment, they allow a transition period of 24 months, beginning from the 1st of July in 2024, after the regulations really take effect. And ELCOM uses various tools to verify compliance, including assessments and awareness discussions and audits.

So that means that the minimum requirements in the Strom VV are abiding immediately upon enactment with no transition period and unmet targets, let's call them target categories, and the measures and the implementation plan with concrete objectives must be submitted. I think the difference to other countries is that we in Switzerland have a strong sector specific focus. Switzerland targets the OT systems of energy sector entities. In other countries, I think we have a broader regulation spectrum that covers multiple sectors like healthcare, finance, with less focus on OT. I think one of the special points is that the regulatory framework in Switzerland is based on the so-called, as I mentioned, BWL, ICT minimum standards which is strongly aligned with the NIST cybersecurity framework.

Simon: This sounds really interesting because as you said in the EU we have the NIS directive and it deals with all the critical infrastructure. This sometimes leads to misunderstandings between auditors and the asset owners. The plan with the NIS is to have the first few audits and then see what the outcome is and see how the auditors interpret the NIS and how the legislators interpret the NIS and also each country has their own version of the NIS and it seems that Switzerland really has it dialled down on the certain industries. So, this is a major difference.

Tibor: You're correct. And I think it's a very good model because they started with the energy sector this year. So, you have a sector specific standard for OT security. And this will go on with the other ones as well. So next year, I think from the first of July 2025, gas will follow. There will be a mandatory minimum standard for gas, which must be fulfilled. And I think the plan is to go over all the critical infrastructure sectors so that we really dial it down to the specific sector with its specific environment, even more specific threat scenarios based on the used technology within the industry and so on and so forth.

I think it's a good approach that the Swiss government took about this issue. And it will lead to a higher level of awareness for IT and OT security, which will lead to more public safety, more stable structures, and in the end to a better environment and a safer environment for the people.

Simon: This is really interesting seeing the different approaches of different legislators, but it shows that it doesn't matter where you are or what kind of approach you're taking, you need to have an approach and you need to deal with the issue of all the ever-growing number of incidents, especially in the energy sector since there are so many people.

since there's so many people depending on the national power grids.

With that said, I think that we talked a lot about how preparation is the first step to successfully recovering from an attack. Preparation is not only policies, but the steps to be ingrained in company culture. Preparation measures need to be tested. For example, the four mentioned backups and the response plans and good preparation speeds up processes during an incident and makes the lives of analysts and incident responders easier. Preparing for an incident not only includes the security personnel, but also the whole team and all parts of the company. Preparations start with the mindset of management and the leaders within the company.

Thank you, Tibor, for joining me for joining me for this discussion about the first step in the incident response process.

Tibor: Thank you Simon, it was a pleasure to talk with you about this important topic and I think the approach of assuming breach is the right one and we all hope to make this world a little bit safer if critical infrastructures are prepared to respond to incidents.

Simon: Absolutely. Our next episode in this Cybersecurity Incident Response mini-series will explore the second important incident response process step of identification. So be sure to join the next time for that and now I'm returning the microphone back to Scott.

Scott: Thank you, Simon, for hosting this and upcoming episodes of your new Energy Talks podcast miniseries, Why Should You Talk about Incident Response? We look forward to listening to further discussions in this important area of cybersecurity.

And to our audience, a big thank you for listening to this and other episodes of Energy Talks! We always welcome your questions and feedback. Please send us an email to podcast at omicronenergy.com.

OMICRON has several years of experience in power system testing, data management, and cybersecurity and offers the matching solution for your application. For more information, visit our website at www.omicroncybersecurity.com.

Please join us for the next episode of Energy Talks and stay tuned for feature episodes of our new miniseries, Why Should You Talk about Incident Response, with Simon Rommer.

Goodbye for now, everyone!