Automation has long occurred independently in commercial and industrial environments. However, standardisation (e.g. X86-based devices) and networking (e.g. internet) in information systems have increasingly found their way into industrial computing in recent years. This exposes industrial systems to the same cyber threats that are well known in business information systems.
Today, industrial control systems (ICS) form an integral part of critical infrastructures including power grids, oil, gas and water supply, transport systems, manufacturing industries and chemical plants, and facilitate their operation. The growing issue of cybersecurity and its impact on the ICS highlights basic risks to a nation's critical infrastructure. Effectively addressing ICS cybersecurity issues requires a clear understanding of current security challenges and specific defensive countermeasures.
This document addresses distribution system operators of grid levels 1 to 4 and power generation plants (producers) and provides a recommendation on how to reduce cyber risks in the critical infrastructure of the power supply to an acceptable level. It was developed jointly with the association of Swiss electricity companies (Verband Schweizerischer Elektrizitätsunternehmen - VSE). The core of the recommendation is the implementation of what is known as a defence-in-depth strategy, which is based on the military principle that it is more difficult for an enemy to overcome a complex and multilayered defence system than a single barrier.