Review 2nd vgbe Conference “IT Security for Energy Systems” in Moers, Germany

With about 110 participants, the current topics and challenges of IT Security for Energy Systems were presented and discussed

Energy and power supply are the lifelines of modern industrial societies. A failure or disruption of energy supply has, within a very short period of time, a serious impact on industry, private households and public life as a whole, including security facilities, infrastructure and health care. The complex energy supply in turn requires corresponding information and communication technology (ICT) to ensure that the system functions smoothly at any point and at any time. ICT systems are vulnerable, and are therefore subject to particularly high security requirements in order to adequately protect our critical lifeline “energy” from threats and hostile attacks. Events in the recent past, e.g., in the healthcare, retail or media industries, have shown that this is a real threat situation that requires a very high level of resilience to cyber attacks. Accordingly, operators of energy systems are obliged by legislation to implement minimum IT security standards with concrete specifications for increasing IT security. With the “Act on Increasing the Security of Information Technology Systems (IT Security Act)”, a very concrete framework was created, which is being specified in more detail in further legal and regulatory requirements and is constantly being developed further, currently with the IT Security Act 2.0 and the updated CRITIS (critical infrastructure) regulation.

The activities of vgbe member companies, which are summarised under the term “IT security”, have been an integral part of the operational and strategic business activities for several years. In this context, the vgbe members are aware of their responsibility to provide system-critical services with their facilities and attach very high priority to the topic of IT security. For this reason, the second vgbe Conference “IT Security for Energy Systems” took place in Moers from November 8 to 9, 2022. The conference was accompanied by a technical exhibition. In addition to networking, technical discussions and the exchange of information in the exhibition, the exhibitors also had the opportunity to briefly present their products and services in the plenary session on the first day of the event.

The focus of this conference was on the concrete implementation of the legal and regulatory requirements from the perspective of plant operators. In addition to presentations by plant operators, BSI (Federal Office for Information Security), BDEW (Federal Association of the Energy and Water Industries), auditors and technical experts, service providers and manufacturers also made active contributions. The lecture programme was scheduled so that these contributions could once again be discussed in sufficient depth, and the discussions were continued at the evening event.

The following topics were particularly covered in the lecture blocks:

In Block 1, updates were given on regulation, which is constantly being developed in Germany and is also fed by European Directives and international standards, as well as basics on IT security. These topics were dealt with from different angles and in varying depth.

The question of why the topic of IT security is so high on the list of priorities was answered first of all by Daniel Jedecke in his contribution “Typical IT and OT risks – Information security and hazard prevention in energy plants”. The ten main threats to industrial control systems were taken up from the BSI situation picture, and the typical IT and OT risks for plant operators were presented and explained.

In Block 2 “Attack detection, guidance, SIEM solutions”, the major challenges – and thus also one of the focal points of the conference – for the introduction of an attack detection system in accordance with the IT Security Act 2.0 were discussed. Opinions still differ widely on the characteristics of such systems, as the expenses often seem unreasonable and various systems are not yet market-proven. In addition, the availability of the energy plants could be negatively influenced by over-functioning of the attack detection systems, which in turn would have a negative impact on the required security of supply.

In other blocks, there was an intensive exchange of experience on verification/certification in accordance with the IT security catalogue §11 1b EnWG and on operational management from the perspective of information security. For example, in a keynote speech by Dirk Meyer, the “Establishment of an own security operations centre (SOC) by an operator” was presented.

Of particular importance was the presentation by Holger Bajohr-May, “Risk cyber crime – What to do in the event of a ‘hacker attack’”. The concrete scenarios of an attack that has taken place, the procedure of the system operator as well as measures and conclusions were presented in this contribution.

In the presentation by Tarkan Yavas “Contribution of an operator to the verification according to §8a BSI law (B3S)”, the legal basis, scope of certification, verification and empirical values were presented and discussed.

The second vgbe Conference “IT Security for Energy Systems” was again very well received by the approximately 110 participants. The importance of IT security was underlined by the discussions and networking and once again showed the high value of a vgbe conference on this topic.

The conference team would like to thank all participants, speakers and exhibitors for their valuable contributions. The third vgbe Conference “IT Security for Energy Systems” is planned for 2023 at a more central venue. Information on the third IT Security Conference will be announced in good time on the vgbe event portal and in the vgbe energy journal.