Network and energy system operators are legally obligated to ensure cyber security. The German IT Security Act and the German Energy Industry Act stipulate that they must comply with the "state of the art" to effectively manage cyber risks. The NIS2 Directive and the Swiss ICT minimum standard also require this. But what exactly does this mean in practice, and how is "state of the art" defined in vulnerability management?

What "State of the Art" Really Means

The aforementioned laws initially require energy providers to certify an information security management system (ISMS) and implement up-to-date systems for detecting attacks. The goal is clearly defined: to be able to identify and defend against potential threats on an ongoing basis. However, the exact implementation often remains an area of intense discussion.

The answer to the question of what is meant by "state of the art" can be found in various standards and guidelines. The BSI IT-Grundschutz Compendium, for example, mandates that established vulnerability management is a basic requirement. This implies that regular reports from manufacturers, as well as information from authorities and the media, must be incorporated into the security strategy.

Organizations such as the German TeleTrusT take this a step further, emphasizing the importance of constantly monitoring a wide range of sources, from CERTs to newsgroups, in order to proactively identify and remediate vulnerabilities. Standards such as ISO 27001, ISO 27002, and ISO 27019, which is particularly pertinent to the energy sector, provide detailed guidance on how organizations should manage technical vulnerabilities, assess their risks, and implement appropriate countermeasures.

It is also important to recognize the necessity for close collaboration between operators and manufacturers of critical protection and control devices. The EU Cyber Resilience Act underscores this by requiring manufacturers to report vulnerabilities within 24 hours and demonstrate a long-term commitment to the security of their products.

What Are the Implications for Those Responsible in OT and IT Security? 

It is of the utmost importance to comprehend the legal and normative framework within which one operates and to actively implement the minimum required security standards. Nevertheless, contemporary vulnerability management, which is not limited to compliance with minimum requirements but is geared towards the company's own risk exposure, is of critical significance. This necessitates continuous monitoring, taking into account all relevant sources of information based on an up-to-date (and complete) asset inventory.

Finally, companies should invest in technologies and processes that enable the reliable detection of vulnerabilities and a rapid response to them. It is important to make sensible use of both internal resources and external expertise to continuously improve one's own cyber resilience.

Did You Know?

StationGuard Receives IT Security Certificate from the BSI (The German Federal Office for Information Security)

Learn more here

Cybersecurity for OT Environments, icon, small, v2

Resources

09. April 2024

State of the Art in Vulnerability Management

In the world of network and energy utility operators, cybersecurity is not just a priority but a legal obligation. With the German IT Security Act and the Energy Industry Act, these operators are required to adhere to the "state of the art" to manage cyber risks effectively.

Read this story
26. March 2024

OMI­CRON Con­tributes to Nmap Plug-In

We collaborated with the BSI and the Fraunhofer Institute to develop an nmap plug-in for OT networks, enhancing tools for power grid administrators with our IEC 61850 expertise.

Read this story
13. February 2024

Chances & Risks of Operational Technology in the Energy and Aviation Sectors

In this episode, Andreas Klien, discusses the differences and similarities of using OT technology in the aviation and electrical power industry sectors with his guest, Ron Brash, a renowned vulnerability researcher in the aviation industry.

Read this story
11. January 2024

Building trust in digital products used in the power grid

In this episode, Andreas Klien, discusses the security engineering of digital products used in the power grid with his guest, Sarah Fluchs.

Read this story
OMICRON EnergyTalks - Podcast episode
10. January 2024

Experiences & Innovations in Developing Cybersecurity Products

In this episode, Anastasiya and Jaques share their experiences, challenges, and innovations in developing our cybersecurity products.

Read this story
StationGuard Receives Security Certificate from the BSI
17. December 2023

StationGuard Receives Security Certificate from the BSI

The German Federal Office for Information Security (BSI) has tested our StationGuard and awarded us the IT security certificate (BSZ) as a result.

Read this story
06. November 2023

Solving Cybersecurity Problems in Electrical Power Networks

OMICRON cybersecurity analysts Christoph Rheinberger and Eric Heindl share their personal experiences for IT and OT security officers.

Read this story
OMICRON Podcast Episode with Thomas Wolf and Ozan Dayanc
04. October 2023

Why do OT networks need an IDS?

Discover the challenges faced by power providers and practical recommendations for enhancing OT network security.

Read this story
02. October 2023

StationGuard 2.30 – Improved Efficiency for Intrusion Detection

With StationGuard 2.30, you will be able to make your workflows even more efficient.

Read this story
Podcast Episode 2, OMICRON
07. September 2023

Digital Transformation in the Power Industry

In this podcast episode, learn how to successfully implement cybersecurity into critical power system infrastructures with OMICRON cybersecurity experts.

Read this story
Podcast, Andreas Klien, OMICRON
07. September 2023

Vulnerability Management in Substations

Learn how vulnerability management tools ensure a more effective cybersecurity in power grids.

Read this story
Podcast Episode 1, OMICRON
01. September 2023

Bridging the gap between IT and OT

OMICRON cybersecurity expert Benjamin Teudeloff talks about the increasing necessity for power providers to improve their cybersecurity practices.

Read this story
OMICRON Magazine: Security Assessment Findings
29. August 2023

Security Assessment Findings in Substations and Power Plants

Our cybersecurity expert, Ozan Dayanc, reveals insights from global substation security assessments.

Read this story
Video: STW-Kempen
29. August 2023

Cybersecurity from the Control Center to the Substation

Cybersecurity from the Control Center to the Substation

Read this story
StationGuard Feature: Search In ZeroLine
18. August 2023

Feature Preview: Device Search in ZeroLine

StationGuard has a a new search feature that makes it easy to find all equipment information in your network.

Read this story
StationGuard Feature: Automatic Device Classification
18. August 2023

Feature Preview: Automatic Device Classification

StationGuard 2.30 will include a new feature that makes it easier than ever to assess and secure your OT network.

Read this story

Contact Us!

We’re looking forward to helping you.

  • Have a question?
  • Need more information?
  • Would you like to request a demo?
Send us a message