InfoGuard AG (Headquarter)
Lindenstrasse 10
6340 Baar
Switzerland
InfoGuard AG
Stauffacherstrasse 141
3014 Bern
Switzerland
InfoGuard Deutschland GmbH
Frankfurter Straße 233
63263 Neu-Isenburg
Germany
InfoGuard Deutschland GmbH
Landsberger Straße 302
80687 Munich
Germany
InfoGuard Deutschland GmbH
Am Gierath 20A
40885 Ratingen
Germany
InfoGuard GmbH
Kohlmarkt 8-10
1010 Vienna
Austria
With the entry into force of the Information Security Act (ISG), new cybersecurity requirements apply to operators of critical infrastructure (KRITIS). In addition to reporting obligations and clear governance guidelines, the security of Operational Technology (OT) is taking center stage.
This is because the increasing interconnection of IT and OT systems is creating new vulnerabilities: Already, 80% of Swiss KRITIS operators report cyber incidents in OT environments that have led to production outages or data theft. Companies should therefore tailor their OT security strategy specifically to the new legal requirements.
The Swiss Information Security Act (ISG) defines clear requirements for operators of critical infrastructure, particularly in the area of Operational Technology (OT).
The key obligations include:
Incidents with a significant impact on the security of supply or public safety must be reported immediately (usually within 24 hours) to the Federal Office for Cybersecurity (BACS).
Operators must document technical and organizational protective measures to ensure the availability, integrity, and confidentiality of OT systems. Specific measures (in accordance with the ISG and international standards such as ISA/IEC 62443):
Network segmentation (isolation of OT and IT systems).
Regular risk assessments (at least annually).
Emergency and recovery plans (including tests and updates).
Access controls (e.g., multi-factor authentication for critical systems).
Training and awareness-raising measures for employees.
Operators are required to actively cooperate with the BACS, particularly with regard to:
Risk analyses (e.g., as part of the national cybersecurity strategy).
“Operators of critical infrastructure must immediately (usually within 24 hours) report cyber incidents that jeopardize the security of supply or public safety to the BACS and demonstrate that they are taking appropriate protective measures.”
OT systems form the backbone of critical infrastructure. ISG-compliant strategies require the precise identification and classification of all relevant OT components. A security needs analysis regarding availability, integrity, and confidentiality—along with consideration of IT/OT dependencies—enables targeted risk prioritization and the derivation of regulatory measures.
Reasons why the ISG also explicitly addresses OT:
The increasing interconnection of control systems with corporate IT creates new attack vectors (e.g. , ransomware spreading from IT to OT).
IT/OT convergence requires security approaches such as Zero Trust to effectively prevent attackers from moving laterally between IT and OT networks.
Increasing attacks on OT: According to BACS, cyberattacks on Swiss industrial facilities have doubled since 2022—with a focus on energy utilities and financial infrastructures.
The ISG calls for short-term, risk-based interventions to reduce acute threats in OT environments. These include access controls, patch management, network segmentation, and monitoring. These measures ensure compliance and guarantee the operational stability of OT systems during the immediate response phase.
Passive network analysis to identify all OT assets—including legacy PLCs and previously unknown connections.
Appoint a CISO or OT security officer.
Provide regular reports to senior management (e.g., quarterly risk status).

ISG compliance requires a combination of technical and organizational measures. Continuous monitoring, incident response and recovery plans, backup strategies, as well as clear responsibilities and training ensure that OT systems are permanently protected and that audit readiness can be demonstrated at any time.
Implementation of a zone model in accordance with ISA/IEC 62443:
Production zone (critical control systems)
Maintenance zone (remote access, updates)
External zone (suppliers, cloud services)
Use of firewalls with OT-specific rules (e.g., Modbus/DNP3 filtering).
Strict network segmentation between IT and OT environments, as well as within the OT zones.
Backup strategy for OT systems (including offline backups, e.g., for PLC configurations).
Restart plans for critical processes (e.g., power supply, payment processing).
Regular tests ( at least once a year).
Inclusion of security clauses in contracts (e.g., incident reporting requirements, audit rights).
Evaluation of suppliers according to recognized security standards (e.g., ISO/IEC 27001).
Documentation of measures and controls is essential for ISG-compliant OT and IT security strategies. Compliance evidence enables regulatory requirements to be presented transparently to supervisory authorities or auditors.
Structured reporting also supports management in the strategic management of information security, enables the early identification of vulnerabilities, and ensures that audit readiness is continuously maintained.
Systematic Documentation of Activities
In the event of a reportable incident, the following points must be clearly communicated:
Affected systems and attack vectors. Which parts of your infrastructure were affected, and how the attack occurred.
Annual risk and compliance reviews—continuous improvement:
Internal audits using checklists based on ISO/IEC 27001 to identify and address vulnerabilities.
The Information Security Act offers an opportunity to
increase the cyber resilience of OT systems,
minimize operational disruptions through clear processes,
The ISG thus not only provides regulatory clarity but also drives important momentum for the sustainable expansion of OT security. Crucial to this is the consistent implementation of these requirements in day-to-day operations to identify risks early and permanently increase the resilience of critical systems.
In practice, it is evident that a structured approach to governance, processes, and technical protective measures, in particular, offers the greatest leverage for robust OT resilience.
We’d be happy to support you in implementing the ISG and provide you with tailored recommendations for your OT security. Feel free to contact us at any time!
Caption: AI-generated image