Checklist: Certification according to the IT Security Standard

Transmission system operators (TSOs) must implement the requirements of the IT Security Standard, i.e. they need to establish an Information Security Management System (ISMS) and submit the relevant certificate to Germany's Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railway (Bundesnetzagentur, BNetzA) by 31 January 2018. However, certification involves various preparations and considerations. TÜV SÜD expert Alexander Häußler knows what needs to be done.

Prepare a network plan

TSOs need to prepare a network plan. A network plan is an “as is” recording of the existing applications, systems and components, their interrelations and how they impact on network management. The overview must differentiate between the following categories of technology: “Control system/System operation”, “Transmission technology/Communication” and “Secondary, automation and telecontrol technology.

Carry out risk assessment

Subsequently, the information-security risks for the processes identified as relevant in the network plan must be assessed. Risk assessment differentiates between three categories of consequences: “moderate”, “high” and “critical”. Systems, components and applications required for safe and reliable network operation must always be assigned to the category “high”. Classification is based on various criteria, including impairment of security of supply, restriction of energy flow, number of people affected and dangers to life and limb. Potential risks include targeted IT attacks and malware as well as technical failure or basic threats.

Planning and implementing controls

Based on the identified risks, the organisation must define suitable and reasonable controls. Controls are considered suitable if they correspond to the state of the art. When it comes to determining whether controls are reasonable, the technical efforts and costs of these controls need to be taken into account. However, when weighing their options, TSOs should always consider the consequences involved in the failure or impairment of secure and reliable network operation.

Statement of applicability

The statement of applicability (SoA) documents the controls that have been defined as applicable within the scope of the ISMS. The SoA must include all 114 controls of ISO/IEC 27001 plus the controls of ISO/IEC TR 27019, including acceptable justification of their application or exclusion. Any further controls added may also be documented in the SoA. The auditors review the SoA within the scope of certification.

Define objectives and carry out internal audits

A management system also always includes the definition of targets and objectives and measurement of their achievement. Potential targets for TSOs could be avoidance of exceeding a certain number of hours of continuous power outage, or reaching a certain percentage of trained employees. In addition, internal audits must be conducted either by the organisation's own employee or an external consultant. In this context it is important for the internal audit results to be available after the internal audit, as they form part of certification.

IT Security liaison

Network operators need to designate a liaison for coordination and communication with BNetzA. Upon request by BNetzA, the liaison should be able to inform the agency of the status of implementation of the requirements of the IT Security Standard, as well as any security incidents that have occurred, their causes and the measures taken to remedy said incidents and prevent their recurrence in future.

Selecting a certification body

Once the organisation fulfils all the requirements, it is ready for certification according to the IT Security Standard. For certification, TSOs need to select a certification body accredited by DAkkS, as BNetzA only recognises certificates issued by accredited certification bodies. Another factor to consider when choosing the certification body is the number of auditors provided by the certification body. Only auditors who attended training in the IT Security Standard are authorised to participate in an audit. Another important consideration for scheduling is that certification is carried out in the form of a two-stage procedure, and thus takes two to three months.

More information on the IT Security Standard is available at http://www.tuev-sued.de/management-systeme/it-dienstleistungen/it-sicherheitskatalog.