The Federal Network Agency (BNetzA) and the Federal Office for Information Security (BSI) have jointly published a list of requirements for the safe operation of the telecommunications and electronic data processing systems that are necessary for operating energy supply networks.
1. Aims of the IT List and Deadlines
According to Section 11 para. 1 of the German Energy Act (EnWG), operators of energy supply networks have to operate a safe, reliable and efficient network.
Section 11 para. 1a EnWG, which was introduced in 2011 and recently amended by the IT Security Act that entered into force on 25 July 2015, further specifies what a “safe” operation of a network is. It reads:
“The operation of a safe energy supply network comprises in particular sufficient protection against attacks on telecommunications and electronic data processing systems that are necessary for the safe operation of grids. The regulator will jointly set up and publish with BSI a list of IT security requirements. The list also includes provisions on regular reviews concerning compliance with safety requirements. Compliance with the security requirements listed and documentation thereof is considered suitable protection of an energy supply network. Implementation can be examined by the regulator. For this purpose the regulator may specify format, content and design of the documentation mentioned in sentence 4”.
The aims of the IT security requirement list (IT-Sicherheitskatalog) published by BNetzA and BSI are:
- Protection of the availability of data systems and data that need protection (Sicherstellung der Verfügbarkeit der zu schützenden Systeme und Daten);
- Ensuring the integrity of the information processed and the IT systems;
- Safeguarding the confidentiality of the information.
The list contains minimum standards for the IT of electricity and gas grid operators, in particular the obligation to set up an information security management system certified according to the DIN ISO/IEC 27001 standard by 31 January 2018.
The requirements laid down in the IT-Sicherheitskatalog have to be met by all grid operators, regardless of size and number of connected customers, if they operate systems covered by Section D of the IT security list.
Already by 30 November 2015, grid operators have to notify BNetzA by e-mail of a contact person for IT security and provide that person's contact details.
2. More Information on IT Security Requirements for the Energy Sector
Please note that the new IT Security Act also contains obligations for so-called “critical infrastructure”, including in the energy sector. However, the details will be specified in an ordinance based on Section 10 BSIG, which is currently being drafted by the Interior Ministry.
As we said in our blog post on the matter “… companies need to be mindful that the IT Security Act is only one step. It precedes the EU Network and Information Security (NIS) Directive which will cover similar – and probably also partially differing – requirements. It is also connected with the existing and upcoming EU data protection legislation which also contains IT security and (data breach) notification obligations.”
IT security obligations should not be taken lightly, as failure to comply may result in claims for damages. Please let us know if you need further information.
Source: Federal Network Agency