ICT Minimum Standards according to the Federal Electricity Supply Act (StromVV): How to avoid a Blackout Scenario

Author: Andreas Winet
Published: 22 September 2025
If you are an energy provider and a hacker group cuts off your power supply, your resilience determines the security of supply for your customers. Whether the lights stay on depends on how consistently you implement the minimum ICT standards. Four targeted measures, a 14-point checklist, and six recommendations for action help you close security gaps and establish yourself as a reliable player in the national economy. Build your cyber resilience now!

Just imagine: a balmy summer evening, the air conditioning humming in the background. Suddenly, a hacker attack paralyzes central systems, and within minutes the supply of electricity to entire regions comes to a standstill.

What sounds like a movie plot has long since become reality. For the energy sector, a cyber attack is now a more likely cause of an outage than a thunderstorm. The industry is at a turning point: with the revision of the Electricity Supply Ordinance (StromVV), the ICT minimum standards are binding from July 2024 for electricity supply and from July 2025 for gas supply, a signal that resonates far beyond the energy sector.

Three levels of protection - tailored to every criticality

In both the electricity and gas supply sectors, the ICT minimum standards are based on a graduated model with three protection levels (A, B, C). The aim is a proportionate but comparable level of security, from large operators with the highest criticality down to smaller companies with a manageable risk.

  • Protection level A: Applies to the operators with the highest criticality, e.g. electricity grid operators from 450 GWh/year or gas grid operators with high-pressure pipelines or transport volumes of over 2600 GWh/year. The comprehensive security requirements of the ICT minimum standard must be fully implemented here, adapted to the specific features of the industry in each case.
  • Protection level B: Applies to medium-sized operators (electricity: 112-450 GWh/year; gas: 400-2600 GWh/year). The requirements are derived from level A but are reduced, practical and can be implemented with fewer resources.
  • Protection level C: Covers smaller operators (electricity: <112 GWh/year; gas: up to 400 GWh/year). The focus is primarily on minimum organizational requirements; some technical measures are merely recommendations.

This graduation enables targeted implementation according to criticality and prevents overregulation for smaller companies. At the same time, the comparability of security levels within and between sectors is guaranteed.

However, the levels of protection remain theoretical if they are not translated into everyday life. This is precisely where IT and OT security managers are faced with the question: What does this mean in concrete terms for my company?

4 measures that security managers can implement now

Discussions with IT security managers bring familiar pain points and new insights to the surface.

The ICT minimum standards are not a checklist, but require a methodical overall approach:

  • Structured risk assessments and regular gap analyses
  • Development and maintenance of an ICT security concept
  • Providing credible evidence to the supervisory authority (e.g. ElCom)
  • Establishment of a genuine continuous improvement process (PDCA) that goes beyond mere documentation

Interoperability, auditability and integration into existing ISMS and SOC structures are not a nice-to-have but a must. The requirements are clear, but how well are companies actually prepared for them today? Gap assessments in accordance with StromVV provide the answer and show where the biggest gaps are.

"The best time for a gap assessment was yesterday. The second best is today. Act now and turn regulatory obligation into lived security practice!"

The 14-point check: How to uncover weaknesses in your StromVV compliance

During initial assessments in accordance with StromVV, technical and organizational weaknesses were repeatedly identified.

The most important areas of action at a glance:

1. Test backups

Backups and recovery processes are the life insurance of every company, but are often underestimated.

  • Backups are rarely air-gapped or stored externally.
  • Restore tests are rarely or incompletely carried out.

Practical example: After a ransomware attack, an energy supplier discovered that although backups existed, they had never been tested. Instead of hours, the restoration took days, with high costs. An annual test run would have massively reduced the damage.

Recommendation: At least annual, realistic recovery tests, automated monitoring and regular integrity checks of the backups.
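The automated monitoring and integrity checks recommended above, as an added example that is not part of the original article: a small Python check over a constructed backup catalogue (all names, hashes and dates are hypothetical) that flags copies whose stored content no longer matches the hash recorded at backup time, copies with no air-gapped or external replica, and copies whose last restore test is missing or older than a year.

```python
import hashlib
from datetime import date, timedelta

def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample catalogue (hypothetical): the payload as it is stored today,
# the SHA-256 recorded when the backup was taken, whether an offline copy exists,
# and the date of the last successful restore test.
SCADA_IMAGE = b"scada-historian-2025-08-31"
ERP_DUMP = b"erp-db-dump-2025-09-20"

CATALOGUE = [
    {"name": "scada-historian", "payload": SCADA_IMAGE,
     "recorded_sha256": _sha256(SCADA_IMAGE), "offline_copy": True,
     "last_restore_test": date(2024, 6, 1)},
    {"name": "erp-db", "payload": ERP_DUMP + b"x",  # simulated bit-rot/tampering
     "recorded_sha256": _sha256(ERP_DUMP), "offline_copy": False,
     "last_restore_test": None},
    {"name": "grid-config", "payload": b"cfg", "recorded_sha256": _sha256(b"cfg"),
     "offline_copy": True, "last_restore_test": date(2025, 3, 15)},
]

MAX_TEST_AGE = timedelta(days=365)   # "at least annual" restore tests
REPORT_DATE = date(2025, 9, 22)      # constructed assessment date

def assess_backup(entry, today):
    """Return the list of findings for one catalogue entry (empty list = OK)."""
    findings = []
    if _sha256(entry["payload"]) != entry["recorded_sha256"]:
        findings.append("integrity: stored copy no longer matches recorded hash")
    if not entry["offline_copy"]:
        findings.append("isolation: no air-gapped or external copy")
    last = entry["last_restore_test"]
    if last is None:
        findings.append("recovery: never restore-tested")
    elif today - last > MAX_TEST_AGE:
        findings.append(f"recovery: last restore test {(today - last).days} days ago")
    return findings

def run_assessment(catalogue=CATALOGUE, today=REPORT_DATE):
    """Map backup name -> findings for the whole catalogue."""
    return {e["name"]: assess_backup(e, today) for e in catalogue}
```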

2. Properly secure external access

Maintenance and supplier access is often the weakest link in the security chain.

  • Access is usually personal and temporary, but not monitored enough.

Practical example: During a network fault, an external service provider logged in with old access credentials. The access went unnoticed: a potential gateway for attackers. With a jump server and session logging, the incident would have been visible immediately.

Recommendation: Introduce session logging, restrict access in terms of time and content and consistently use jump servers with MFA.
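What a review of jump-server session logs against the access restrictions recommended above can surface, as an added example that is not from the original article: the log format, account names, targets and access register below are all constructed, and the script flags sessions with expired credentials (the "old access data" from the practical example), sessions outside the approved maintenance window, sessions to targets the account is not approved for, and sessions without MFA.

```python
from datetime import datetime, date, time

# Constructed jump-server session log (hypothetical format: one key=value line per session start)
SESSION_LOG = """\
2025-09-20T14:05:11Z user=vendor-acme session=s1 target=rtu-north-01 mfa=yes
2025-09-20T23:40:02Z user=vendor-acme session=s2 target=rtu-north-01 mfa=yes
2025-09-21T10:12:45Z user=vendor-oldco session=s3 target=scada-hist-02 mfa=no
2025-09-21T11:00:00Z user=vendor-acme session=s4 target=erp-db-01 mfa=yes
"""

# Constructed access register: what each external account is approved for
# (validity end, maintenance window in UTC, permitted target systems)
ACCESS_REGISTER = {
    "vendor-acme": {"valid_until": date(2025, 12, 31), "window": (time(6), time(20)),
                    "targets": {"rtu-north-01"}},
    "vendor-oldco": {"valid_until": date(2025, 3, 31), "window": (time(8), time(17)),
                     "targets": {"scada-hist-02"}},
}

def parse_line(line):
    """Parse '<timestamp> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def check_session(rec, register):
    """Compare one session record with the grant on file; return findings."""
    grant = register.get(rec["user"])
    if grant is None:
        return ["account not in access register"]
    findings = []
    if rec["ts"].date() > grant["valid_until"]:
        findings.append("credentials expired on %s" % grant["valid_until"])
    start, end = grant["window"]
    if not start <= rec["ts"].time() <= end:
        findings.append("outside approved maintenance window")
    if rec["target"] not in grant["targets"]:
        findings.append("target %s not approved" % rec["target"])
    if rec["mfa"] != "yes":
        findings.append("session without MFA")
    return findings

def review_log(log_text=SESSION_LOG, register=ACCESS_REGISTER):
    """Map session id -> findings; sessions without findings are omitted."""
    result = {}
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            findings = check_session(rec, register)
            if findings:
                result[rec["session"]] = findings
    return result
```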

3. Strengthen OT security in the machine room

Operational technology (OT) requires special attention as it is often not sufficiently integrated into security monitoring.

  • OT systems are often not sufficiently taken into account in central monitoring.

Practical example: Incorrect measured values suddenly became apparent in a grid control center. Only days later did it emerge that the OT systems were not integrated into the SIEM at all. A passive sensor would have detected the anomaly immediately.

Recommendation: Introduce passive sensors, segment networks and use specialized OT vulnerability scanners.

4. System hardening as an ongoing task

Outdated or missing hardening measures open the door to attackers unnecessarily.

  • Hardening guidelines are missing or outdated.
  • Configurations are rarely compared with best practices.

Practical example: A company was the victim of an attack via a standard admin account. A regular comparison with CIS benchmarks would have eliminated the vulnerability at an early stage.

Recommendation: Keep policies up to date and regularly compare configurations with recognized benchmarks.

5. From a paper exercise to real risk management

Effective security management requires concrete analyses, not just abstract risk reports for the boardroom.

  • Risk analyses often remain at management level, without reference to individual components.

Practical example: For a long time, an energy supplier only assessed risks at company level. Only after using a tool for component-specific analysis did it become apparent that a single, outdated firewall represented a significant gateway.

Recommendation: Use specialized tools that evaluate threats on an asset basis and break down risk analyses to component level.

6. Practice contingency plans

Contingency plans are worthless if they only exist on paper.

Practical example: During a regional disruption, no one knew who would take over external communications. Although the plan was in place, it had never been practiced.

Recommendation: Regularly test crisis plans in realistic exercises and clearly define responsibilities.

7. Documentation with clear responsibilities

Only well-maintained and up-to-date documentation provides traceability and security.

  • Responsibilities for maintenance and updating are often not clearly assigned.

Practical example: During an audit, processes could not be verified because the documentation was out of date. Only an interdisciplinary team brought structure and reliability.

Recommendation: Define a team that ensures ongoing governance and documentation.

8. Keep service providers under control

External service providers often take on critical tasks, but without clear rules and control, there is a considerable risk.

  • Contracts rarely regulate security SLAs or emergency scenarios.

Practical example: After a cyber incident, an IT service provider installed important updates late. As no security SLAs had been agreed, the company was unable to react in time or limit the damage.

Recommendation: Embed strict security SLAs in contracts, define exit strategies and regularly audit IT service providers.

9. Blind spots in day-to-day security

Basic tasks in particular are often overlooked and develop unnoticed into major risks.

  • Asset inventory and asset management are often incomplete.
  • Communication planning and anomaly detection remain immature.
  • Incident analysis is rarely pursued systematically.

Practical example: A network operator repeatedly experienced disruptions whose causes were not clearly identified. Only after a detailed asset inventory did it become apparent that outdated devices were in use that had never been recorded in the inventory.

Recommendation: Establish a complete asset inventory, integrate anomaly detection into monitoring and consistently document and analyze incidents.

10. Employees as the key to security

People are often the gateway, but also the most important line of defense.

  • Phishing and awareness training often does not address realistic scenarios.

Practical example: An employee clicked on a phishing email, but reported it immediately thanks to a clear reporting chain. This allowed the attack to be stopped before any damage was done.

Recommendation: Carry out regular, realistic awareness training and establish clear, simple reporting channels.

11. Data classification: Only those who know their assets can protect them

Without classification, critical information remains unprotected.

  • Data classification models are missing or not applied.

Practical example: A municipal utility discovered that sensitive network data was stored unencrypted on a file server. Only after a clear classification was the data encrypted and secured with restrictive access rights.

Recommendation: Introduce data classification models and consistently restrict access to sensitive data.

12. Orchestrate crisis communication correctly

A lack of coordination in communication can exacerbate the crisis.

  • Communication plans are incomplete or outdated.

Practical example: After an attack, internal and external communications contradicted each other. The uncertainty damaged customer trust.

Recommendation: Update communication plans regularly and include all relevant target groups.

13. Consistently protect privileged accounts

Privileged accounts are the crown jewels of any IT environment and are particularly at risk.

  • PAM solutions are missing, MFA is not consistently implemented.

Practical example: Attackers compromised an admin account without MFA and gained far-reaching rights. With a PAM solution, access would have been logged and secured.

Recommendation: Establish PAM solutions and make MFA mandatory for all administration access.

14. Consistently manage supply chain risks

Cyber risks do not end at the company's borders, but affect the entire supply chain.

  • Contracts rarely regulate security SLAs or emergency scenarios.

Practical example: A cyber incident at an IT service provider led to a domino effect. As there were no security SLAs, the recovery took weeks.

Recommendation: Agree strict SLAs, define exit strategies and carry out regular audits.

A clear course for SMEs: guidelines to simplify your gap assessment

For many organizations, especially SMEs, the introduction of a gap assessment according to the ICT minimum standard is challenging. Industry associations such as the VSE therefore provide guidelines and templates that facilitate structured implementation and ensure consistency.

Practical documents such as the LVR-CH 2024 (strom.ch) are helpful. Equally important is early alignment with the NIST CSF 2.0 in order to take future international requirements into account.

These guidelines provide support in

  • the identification of relevant security gaps
  • risk-based prioritization
  • the clear assignment of measures and responsibilities
  • preparing for verification obligations and audits

They offer an easy introduction, especially for companies with limited resources, and can be integrated into existing ISMS without major restructuring.

Closing implementation gaps: How to succeed even with limited resources

Experience from previous assessments shows that very similar hurdles often arise during implementation.

In these cases, three strategic levers are particularly effective:

  • Resource commitment: SMEs in particular struggle with limited personnel and know-how. Overcoming this takes more than goodwill: it requires supporting tools and targeted training.
  • Coordination: Cybersecurity cannot be managed by the IT department alone; only the interaction between IT, OT, management and service providers can provide the necessary boost.
  • Strategic leadership: Without a clear direction from company management, security remains a fair-weather project. Visible prioritization and regular status checks are non-negotiable.

Focus on building up expertise and the compliance goal

The introduction of ICT minimum standards is not just a compliance issue. It is an opportunity to systematically strengthen your own resilience, whether in electricity or gas supply.
The requirements create a clear framework, but it is the practice that makes the difference:

  • CISOs gain a sound basis for investment with gap assessments and clear governance.
  • Management secures supply and protects reputation by visibly prioritizing cyber resilience.
  • SMEs benefit from guidelines that enable pragmatic implementation even with limited resources.

The best time for a gap assessment was yesterday, the second best time is today. Get started today with six essential measures and turn regulatory obligations into lived security practice.

6 essential recommendations for StromVV compliance

  1. Carry out gap assessments: Systematically identify security deficits using gap analyses and derive prioritized measures.
  2. Use industry guidelines: Use VSE and SVGW documents as well as BWL templates as practical orientation.
  3. Take a risk-oriented approach: Prioritize measures consistently according to criticality and protection level (A, B, C).
  4. Integration into existing systems: Embed gap assessments and security measures in ISMS, business continuity management (BCM) and crisis management.
  5. Consider multi-utility structures: Cross-utility companies should use cross-sector harmonization to avoid duplication.
  6. Keep an eye on international developments: Consider NIS2, CRA and DORA early to ensure long-term compliance and competitiveness.
  7. Initiate early adaptation to NIST 2.0: Although the mandatory introduction will not take place until a later revision, companies should already check now what additional documentation obligations and adaptation requirements will arise. A proactive approach to the new NIST structures will make the subsequent changeover much easier.

This is why a gap assessment with InfoGuard is worthwhile

Cybersecurity never stops - it is a continuous process that challenges and advances organizations on a daily basis. With clear standards, practical tools and a consistently risk-based approach, energy and gas suppliers not only achieve compliance, but also turn resilience and security into a real value proposition for the business.

What makes the difference?

  • You strengthen your company's resilience in the long term,
  • fulfill regulatory requirements in an audit-proof and measurable manner and
  • generate additional added value for your business processes.

The decisive factor is the interaction between management, IT, OT and external partners - because only together can regulatory obligations become a lived security culture.

Take advantage of the experience of the InfoGuard experts and take the next step: design your cyber strategy as partners on an equal footing - structured, collaborative and future-proof. Contact us for a no-obligation consultation - together we can transform regulatory requirements into lived cyber security practice.
