InfoGuard Cyber Security and Cyber Defence Blog

ISG and OT Security: New Requirements for Critical Infrastructure

Written by Markus Limacher | 13 Jul 2026

With the entry into force of the Information Security Act (ISG), new cybersecurity requirements apply to operators of critical infrastructure (KRITIS). In addition to reporting obligations and clear governance guidelines, the security of Operational Technology (OT) is taking center stage.

This is because the increasing interconnection of IT and OT systems is creating new vulnerabilities: Already, 80% of Swiss KRITIS operators report cyber incidents in OT environments that have led to production outages or data theft. Companies should therefore tailor their OT security strategy specifically to the new legal requirements.

ISG Requirements for OT Managers

The Swiss Information Security Act (ISG) defines clear requirements for operators of critical infrastructure, particularly in the area of Operational Technology (OT).
The key obligations include:

1. Mandatory reporting of cyber incidents (ISG Art. 73a–74f)

  • Incidents with a significant impact on the security of supply or public safety must be reported immediately (usually within 24 hours) to the Federal Office for Cybersecurity (BACS).

  • This applies to OT systems that are essential for maintaining critical services (e.g., energy, transportation, water, wastewater, healthcare).
  • Reports are submitted via the BACS reporting system and must include technical details, affected systems, and measures taken.

2. Documentation of Security Measures (ISG Art. 64)

Operators must document technical and organizational protective measures to ensure the availability, integrity, and confidentiality of OT systems. Specific measures (in accordance with the ISG and international standards such as ISA/IEC 62443):

  • Network segmentation (isolation of OT and IT systems).

  • Regular risk assessments (at least annually).

  • Emergency and recovery plans (including tests and updates).

  • Access controls (e.g., multi-factor authentication for critical systems).

  • Training and awareness-raising measures for employees.

3. Cooperation with the BACS (ISG Art. 15)

Operators are required to actively cooperate with the BACS, particularly with regard to:

  • Risk analyses (e.g., as part of the national cybersecurity strategy).

  • Incident investigations (forensics, root cause analysis).

“Operators of critical infrastructure must immediately (usually within 24 hours) report cyber incidents that jeopardize the security of supply or public safety to the BACS and demonstrate that they are taking appropriate protective measures.”

OT Systems at the Center of the ISG

OT systems form the backbone of critical infrastructure. ISG-compliant strategies require the precise identification and classification of all relevant OT components. A security needs analysis regarding availability, integrity, and confidentiality—along with consideration of IT/OT dependencies—enables targeted risk prioritization and the derivation of regulatory measures.

Reasons why the ISG also explicitly addresses OT:

  • The increasing interconnection of control systems with corporate IT creates new attack vectors (e.g. , ransomware spreading from IT to OT).

  • IT/OT convergence requires security approaches such as Zero Trust to effectively prevent attackers from moving laterally between IT and OT networks.

  • Increasing attacks on OT: According to BACS, cyberattacks on Swiss industrial facilities have doubled since 2022—with a focus on energy utilities and financial infrastructures.

  • Dependence on supply chains and third-party providers (e.g., maintenance companies, cloud services) represents a common point of entry—the ISG therefore calls for appropriate contractual security clauses.

ISG: Immediate Measures for OT Managers

The ISG calls for short-term, risk-based interventions to reduce acute threats in OT environments. These include access controls, patch management, network segmentation, and monitoring. These measures ensure compliance and guarantee the operational stability of OT systems during the immediate response phase.

1. Asset discovery, including OT/IT interfaces

  • Passive network analysis to identify all OT assets—including legacy PLCs and previously unknown connections.

  • Documentation of interfaces to IT systems (e.g., remote maintenance, ERP connections).

2. Define the emergency reporting path to the BACS (24-hour deadline!)

  • Establish clear escalation paths. Who reports to the BACS and when?
  • Prepare templates for reports.
  • Conduct a test report to validate the process.

3. Establish responsibilities at the executive level.

  • Appoint a CISO or OT security officer.

  • Provide regular reports to senior management (e.g., quarterly risk status).

Technology & Processes for OT Security in accordance with ISG

ISG compliance requires a combination of technical and organizational measures. Continuous monitoring, incident response and recovery plans, backup strategies, as well as clear responsibilities and training ensure that OT systems are permanently protected and that audit readiness can be demonstrated at any time.

Practical measures for improved OT security include:

1.Segmentation & Network Access Control

  • Implementation of a zone model in accordance with ISA/IEC 62443:

    • Production zone (critical control systems)

    • Maintenance zone (remote access, updates)

    • External zone (suppliers, cloud services)

  • Use of firewalls with OT-specific rules (e.g., Modbus/DNP3 filtering).

  • Strict network segmentation between IT and OT environments, as well as within the OT zones.

2. Resilience & Recovery

  • Backup strategy for OT systems (including offline backups, e.g., for PLC configurations).

  • Restart plans for critical processes (e.g., power supply, payment processing).

  • Regular tests ( at least once a year).


3. Involvement of External Service Providers

  • Inclusion of security clauses in contracts (e.g., incident reporting requirements, audit rights).

  • Evaluation of suppliers according to recognized security standards (e.g., ISO/IEC 27001).

OT Security: Compliance and Reporting in Accordance with ISG

Documentation of measures and controls is essential for ISG-compliant OT and IT security strategies. Compliance evidence enables regulatory requirements to be presented transparently to supervisory authorities or auditors.
Structured reporting also supports management in the strategic management of information security, enables the early identification of vulnerabilities, and ensures that audit readiness is continuously maintained.

Systematic Documentation of Activities

  • Documentation of risk assessments based on the ISA/IEC 62443 methodology, including the identified risks and the protective measures derived from them.
  • Comprehensive recording of all changes to OT systems—such as firewall rules or patches—including responsibility, date, and justification.
  • Regular and logged incident response tests with documentation of the results and the resulting measures to be taken in the event of an emergency.

In the event of a reportable incident, the following points must be clearly communicated:

  • Affected systems and attack vectors. Which parts of your infrastructure were affected, and how the attack occurred.

  • Impact of the incident, e.g., production outages, data loss, or disruptions to critical processes.
  • Measures taken: how the incident was contained, what steps were taken to restore operations, and how a recurrence will be prevented.

Annual risk and compliance reviews—continuous improvement:

  • Internal audits using checklists based on ISO/IEC 27001 to identify and address vulnerabilities.

  • External OT security audits conducted by third-party organizations. Documenting the results and implementing the recommended measures.

Conclusion: The ISG Strengthens OT Security and Resilience

The Information Security Act offers an opportunity to

  • increase the cyber resilience of OT systems,

  • minimize operational disruptions through clear processes,

  • and to strengthen trust among customers, partners, and government agencies.

The ISG thus not only provides regulatory clarity but also drives important momentum for the sustainable expansion of OT security. Crucial to this is the consistent implementation of these requirements in day-to-day operations to identify risks early and permanently increase the resilience of critical systems.

In practice, it is evident that a structured approach to governance, processes, and technical protective measures, in particular, offers the greatest leverage for robust OT resilience.

We’d be happy to support you in implementing the ISG and provide you with tailored recommendations for your OT security. Feel free to contact us at any time!

Caption: AI-generated image