INFORMATION SECURITY: ARE ENERGY SUPPLIERS READY FOR ISMS?
For the study ‘Information Security: Are the Energy Suppliers Already ISMS-ready?’ carried out by the management consultancy AXXCON, 106 decision-makers from energy supply companies were questioned, including executive directors, IT managers and IT security managers. Most of the energy suppliers questioned were active in the electricity, gas, water and district heating sectors.
In order to guarantee the unrestricted functionality of energy supplier companies, the operators of energy supply networks must have implemented a certified Information Security Management System (ISMS) by 31st January 2018. It is however questionable whether the majority of companies will manage this by the legally prescribed deadline. This is indicated by the results of the study ‘Information Security: Are the Energy Suppliers Already ISMS-ready?’ carried out by the management consultancy AXXCON. ‘Many of the companies affected will not be able to make the deadline’, warns Dirk Stieler, an AXXCON partner.
From the details provided by the 106 decision-makers questioned, it has emerged that companies predict they will need 15.8 months on average for implementation. On average, they have 13.7 months remaining until the planned implementation date. According to the ISMS Readiness Index, in the first quarter of 2016 companies had achieved on average 13.4 percent of their ISMS readiness. Most energy supply companies have not got beyond the planning phase yet, according to Dirk Stieler. His assessment: ‘The majority of companies are postponing the implementation.’
This is indicated by the details provided by the companies affected: by the second quarter of 2017, only 43 percent expect to have completed implementation of the ISMS. By the fourth quarter of 2017, only 89 percent anticipate they will be ready; in the first quarter of 2018, all companies expect to be ready. According to Stieler, there is one problem with this tight schedule. ‘The ISMS has to be in operation for at least six months before it can be certified’, he explains. Only after the first six months is it possible to derive measurable results regarding the effectiveness of the measures implemented. By their own declarations, the majority of the companies will not manage this. Another factor: if all companies leave it to the last minute, there will be bottlenecks at the certification authorities.
During the process of certification, the energy suppliers have a series of requirements to fulfil. Among other things, they must compile a list of all security-relevant networks and devices. 43 percent of all energy suppliers questioned already had the required full inventory, but over 50 percent have not made an inventory of their IT infrastructure, or only a partial one. Furthermore, all threats and risks to information security must be recorded and evaluated completely, and all potential security incidents must be clearly defined. Here too, the study shows: only twelve percent of companies have compiled all threats and risks, and 30 percent have carried out a complete definition of possible security incidents. Stieler: ‘In most cases the companies cannot, in the final analysis, therefore estimate what will be expected of them regarding the implementation of ISMS.’ If the companies do not implement on time, they face financial penalties. For smaller companies in particular, there will probably need to be transitional phases.
According to the study, smaller companies of up to 200 employees are the furthest behind and still have to find out about the minimum requirements for a certified ISMS. 71 percent of them are only partly aware of the minimum requirements; six percent are not aware of the minimum requirements at all, according to details they provided themselves. Another striking fact: over 50 percent of companies do not have employees to carry out the implementation, maintenance and assurance of the ISMS.
Ultimately, the companies seem to be rather inexperienced regarding budget issues, too: nearly two thirds of them have not planned more than 100,000 EUR for the implementation of the ISMS, according to the study. This sum will be totally insufficient, believes AXXCON partner Torsten Beyer. ‘The companies are underestimating the expenditure – even when one works on the assumption of the lead time and personnel deployment estimated by them.’ Almost half of the companies intend to appoint one to three internal employees; the other 50 percent are planning four to eight employees. The majority of companies estimate that they will need external support of one to three employees.