Kommunale Eisenberger Energiepartner GmbH, KEEP for short, is the joint utility of the electricity supply companies of the town of Eisenberg and the four local communities of Hettenleidelheim, Obrigheim, Ramsen and Wattenheim. The implementation of DHC Business Solutions' information security management system is intended to meet the security requirements of the German Federal Office for Information Security (BSI) and the German Federal Network Agency (BNetzA) that apply to the secure operation of energy plants.
(Information) security is business-critical, and even existential for utilities
With the merger of five municipal electricity utilities in 2016, KEEP GmbH took on its role as an energy utility and has since been a reliable partner for the energy sector of the Northern Palatinate, in the south-east of the Donnersberg district.
Against the backdrop of digitization, the development of modern control center systems, the use of digital meters and the increasing networking of IT systems, information security has been given high priority from the very beginning. The topic gained further weight with the entry into force of the IT Security Act (IT-Sicherheitsgesetz), which expanded the role of the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI), and with the publication of the IT Security Catalog by the German Federal Network Agency (Bundesnetzagentur, BNetzA). KEEP therefore had to prepare for ISO 27001 certification in good time. In line with these requirements, the management objective set in 2017 was to demonstrate a certified Information Security Management System (ISMS) by 31 January 2018.
“The permanent assurance of information security as well as the appropriate protection for secure network operation is essential for us as an energy supply company and therefore operator of a critical infrastructure. We have the duty and also the aspiration to meet the demands of our customers for a high level of safety in order to guarantee, among other things, the permanent supply of electricity and gas,” explains Thomas Gütermann, Head of IT at KEEP GmbH. “This is not exactly new. However, compliance with the now very complex regulatory requirements and the legal obligation to prove a corresponding ISMS certification has become critical to businesses for further participation in the energy market, and therefore also for KEEP,” continues Gütermann.
IT security catalog and ISO/IEC 27019 are the standard for utilities
The BNetzA IT security catalog for electricity and gas networks obliges energy network operators, large and small alike, to implement minimum IT security standards. One of its core requirements is the establishment and certification of an information security management system (ISMS) in accordance with DIN ISO/IEC 27001, taking into account DIN ISO/IEC 27019:2017. ISO/IEC 27019 defines security controls, and guidance for implementing them, for the process control technology of energy utilities; it supplements the generic control catalog of ISO/IEC 27002 with sector-specific controls and recommendations for energy supply. Taken together with the other laws and regulations already mentioned, the high level of complexity becomes clear.
In the past, KEEP had established its own structures and processes and issued comprehensive instructions and guidelines for the secure operation of its energy plants. “In addition to the ISMS Guidelines, many of the processes or measures have been and will continue to be prescribed by a large number of laws or directives (e.g., occupational health and safety regulations) and integrated into daily routine,” explains Steffen Kistner, IT Administrator and Project Manager. Established practice did not follow any formal standard but was tailored individually to KEEP. As in most smaller utilities, it is not uncommon for certain tasks to be performed by a single person, “so a formal creation, review, approval and distribution of processes has not been mandatory in the past,” says Kistner.
The challenge of ISO 27001 certification
However, ISO/IEC 27001 certification requires considerably more: more systematic procedures, more documentation, more control and verification, and more standardization.
At the beginning of 2017, a project was launched to establish an ISMS in accordance with ISO/IEC 27001. It quickly became clear at KEEP that introducing such an ISMS would be a long-term process involving many different areas of the company and tying up capacity, and that these resources would remain committed to information security beyond certification. Because of staff constraints, but also to save time and nerves, the decision was made to adopt a standardized approach to achieving ISO compliance. With external support, a compliance check for ISO readiness was carried out, after which work began on revising the security policy and mapping all other components of the ISMS. This included, for example, risk identification, IT structure analysis, the protection needs assessment for all assets, and the documentation of the necessary measures.
Beyond the resource bottlenecks, the main challenge lay in acceptance and knowledge within the organization: the recurring need to raise awareness among all employees, to answer the question of why processes were being re-evaluated and re-modeled, and to build a new security awareness in order to implement and operate the ISMS. “Until then, the employees, management and we as IT had hardly any direct contact with the topic of information security according to ISO 27001,” explains Gütermann. “As an employee, it is naturally difficult at first to accept changes, the benefits and meaningfulness of which one does not initially recognize,” continues Kistner.
ISMS software to digitize processes and simplify maintenance and communication
“Since, in addition to the high complexity, the implementation period and available resources are tight, smart solutions are needed to be able to handle the enormous effort in creating the necessary documentation and the subsequent maintenance to maintain the security level and communication,” explains Dr. Wolfgang Kraemer, Managing Director of DHC Business Solutions GmbH & Co. KG. DHC VISION ISMS is such a solution: it covers the entire process, is designed to operate reliably and tamper-proof, and is kept as simple and intuitive as possible for all employees to use.
The decision in favor of DHC VISION as the ISMS solution was preceded by an extensive selection process. “Already after the first presentation we found DHC VISION to be a perfect fit,” says Gütermann, and continues: “DHC VISION has emerged as the solution for medium-sized utilities – like KEEP in our case.”
The high security and quality standards of DHC Business Solutions, built on many years of experience in regulated industries such as pharmaceuticals, chemicals and medical technology, generated additional confidence. The planning, implementation, review and continuous improvement of the Information Security Management System (following the Plan-Do-Check-Act, or PDCA, cycle) is supported throughout. Kistner: “With DHC’s ISMS software, we expect significantly shorter turnaround times in the release of ISMS-relevant documents / guidelines in the future, while at the same time guaranteeing security within the processes.” Gütermann adds: “We expect a noticeable reduction in the effort required for the continuous maintenance and control of the ISMS, and thus also lower compliance costs.”
DHC VISION ISMS – smart in daily use
Utilities like KEEP are subject to the same laws and regulations as international corporations and the big players in the industry. What SMEs often lack, however, are specialized staff departments or dedicated resources for urgently needed digitization projects. Projects that take months to introduce an ISMS alongside ongoing day-to-day business are not realistic for them. DHC Business Solutions was able to score here as well: “What convinced us in our decision to introduce the DHC VISION ISMS was the direct connection to our industry and size. The lean complete package was decisive for us: Standard software with short and fast implementation times (within one month from order to go-live), consistency in the processes paired with the possibility to integrate additional management systems into the ISMS,” confirms Gütermann. “In addition, the appealing design and its simple use appealed to us,” adds Kistner. “The transparent presentation of processes, guidelines or instructions as well as the intuitive search mechanisms have a positive effect on the acceptance of the system among our colleagues and will increasingly raise their awareness on the topic of ISMS.” Compliance with information security standards is thus integrated into everyday practice and does not become a “burden.”
KEEP’s digitization strategy is future-oriented, but at the same time pragmatic in its implementation. Kraemer: “ISO 27001 certification marks the start of more digitization and standardization; further processes are to be successively digitized, such as the management of risk assessments, occupational safety or the EU GDPR.”
Formed in 2016 from the merger of five separate electricity utilities, KEEP GmbH has since been both network operator and default and substitute supplier (Grund- und Ersatzversorger) for the supply area of Eisenberg, Hettenleidelheim, Obrigheim, Ramsen and Wattenheim. In addition to generating, purchasing, trading, transporting and distributing electricity, gas and heat, KEEP also operates the outdoor swimming pool in Eisenberg. For more information about KEEP, please visit: www.keep-gmbh.com.