Cybersecurity Becomes Mandatory: What Gas Providers Need to Know

Digitalization demands more protection for gas providers

Digitalization is making gas supply systems more vulnerable to cyberattacks, with potentially severe consequences for the economy and society. To counter these risks, a federal regulation will require all gas providers in Switzerland to implement the IKT Minimum Standard starting July 1, 2025.

What is the IKT Minimum Standard?

The IKT Minimum Standard defines fundamental cybersecurity requirements for critical infrastructure. Developed by the Federal Office for National Economic Supply (BWL), it provides companies with a clear framework to minimize risks and ensure supply security.

For gas supply, this regulatory framework has been implemented as the G1008. This set of practical measures, developed by a working group including the BFE, BWL, SVGW, VSG, and industry representatives, helps gas providers fend off cyberattacks, address vulnerabilities, and ensure supply security.

The G1008 is based on the internationally recognized NIST Cybersecurity Framework and comprises 108 specific measures. These are tailored to the size and complexity of each gas provider, depending on their protection level.

Who is affected?

The regulation applies to all gas providers in Switzerland classified as critical infrastructure. Service providers offering security-relevant services may also be held accountable, as they are often integrated into their clients’ security requirements. These provisions highlight the importance of cybersecurity throughout the entire gas supply value chain.

Protection Levels: Tailored Cybersecurity

To ensure that the measures are both appropriate and efficient, the G1008 considers the size and complexity of gas providers and divides them into three protection levels:

• Protection Level A: Large providers with over 2,600 GWh of gas distribution per year.
• Protection Level B: Medium-sized providers with 400 to 2,600 GWh of gas distribution per year.
• Protection Level C: Small providers with up to 400 GWh of gas distribution per year.

This tiered approach ensures that the measures remain appropriate and implementable depending on the company’s size and risk profile.

What does this mean for your company?

To comply with the IKT Minimum Standard, gas providers must adapt their IT systems and processes by July 2025. Key measures include:

• Demonstrating compliance: Companies must prove that they have implemented the required security measures.

• Addressing vulnerabilities: Security risks and vulnerabilities must be identified and resolved.

• Audits and controls: Regular assessments are necessary to document compliance with the standard.

• Avoiding sanctions: Non-compliance can lead to legal and financial consequences.

Why start preparing now?

Implementing the requirements requires early and thorough planning. Taking action now allows companies to identify vulnerabilities in time and ensure secure implementation before problems arise.

How to implement the requirements

Successful implementation of the IKT Minimum Standard can be achieved through the following steps:

• Assessment: Analyze your current systems and processes to identify security gaps.

• Establish an Information Security Management System (ISMS): Implement an ISMS according to ISO 27001 to structure and manage measures effectively.

• Conduct training: Raise awareness among employees about cybersecurity risks.

• Involve experts: Engage external partners like FortIT to support the implementation and provide valuable expertise.

How FortIT can support you

With FortIT by your side, you will be well-prepared to meet the new requirements. Our services include:

Strategic Consulting: Development of tailored security strategies and measures.

Security Assessments: Vulnerability analysis with actionable recommendations.

ISMS Solution fortControl: Ensuring transparency in your cybersecurity measures.

Implementation Support: Assistance with implementation and preparation for audits.

With our in-depth industry expertise, we will guide you through the entire process – efficiently, effectively, and tailored to your needs. Contact us today to future-proof your cybersecurity.

‍