Utility companies have to be 100% sure that their systems are reliable, safe and secure – for IT, this is often a bit of a challenge. The network control center at Energiedienst Netze GmbH submitted its IT system to strict ISO 27001 certification at the German Federal Office for Information Security (BSI), becoming one of the first companies ever to receive official approval for “ultimate safety”. To ease the process, Energiedienst Netze called on the advice and support of Steinbeis experts at the ManagementCockpit Transfer Center.
The man responsible for managing the entire power network at Energiedienst Netze – as well as overseeing the company’s hydroelectricity plants – is Friedhelm Bäumer. His job entails supervising the network, planning and coordination, switching systems on and off, optimizing switching, and malfunction management. Every process is underpinned by a highly complex IT infrastructure adhering to state-of-the-art security standards. In the data processing (DP) rooms, the company also has an oxygen reduction machine designed to nip fires in the bud by starving them of oxygen. Smoldering fires are signaled to the center by smoke detectors. To keep them separate from operating equipment, the DP rooms are fitted with F30 fire doors.
Each part of the IT system is backed up to avoid single points of failure and ensure 100% availability. If any part of the system suffers an outage, the DP center in Rheinfelden jumps in. In the event of a major fault (such as the entire DP center breaking down), all operations are relayed to the secondary center in Donaueschingen. The company even has a contingency plan for both DP centers breaking down: operations normally carried out in the network control center are kept going in a “tracking station”.
To safeguard data security, the company has an almost entirely automated data security system. The only manual operation is when data storage equipment is transferred to separate fire-proof rooms. Data integrity is safeguarded by an end-to-end virus protection system, firewalls on all external interfaces, an intrusion detection system that signals unauthorized access attempts, and central processing of log files.
Overall, this provides the technical systems needed for top-quality security. But ISO 27001 certification under the auspices of the Federal BSI scheme goes way beyond these security levels. For example, the company must be able to prove not only that it has all the right systems in place, but also that everything within the security system is monitored – constantly – and that improvements are made as necessary. To ensure the company lives up to this expectation, senior management has captured the importance of IT safety in internal security guidelines, which were signed and published and now form the backbone of all subsequent guidelines. IT safety processes now come under the umbrella of overarching network control center security procedures. In turn, these procedures loop back continuously according to Deming Cycle principles (plan-do-check-act).
During certification, Energiedienst Netze received professional advice and tangible support from Steinbeis experts. The entire project was steered into harbor by a “Fundamental IT Safety Catalog” provided by the BSI. The document provides waypoints for analyzing the current status systematically and comprehensively and uncovering potential gaps within the security system. The government department also provides software to simplify the complex analysis. The project already got off to a good start thanks to Friedhelm Bäumer’s involvement in a 2006 project looking at network control center management and risk management. The project resulted in MS Standard Network Operation certification from the German Technical Inspectorate (TÜV) and established a template for the systematic categorization of future IT security management processes. This made it possible to make use of tools such as a safety directory, fault tree analysis (FTA), and blackout analysis, and adhere to established schedules for implementing the project and gaining certification.
The result of the project: higher safety standards and enhanced transparency. Also, customers, suppliers and the general public can now see that the company has gained internationally recognized certification, even if the overall IT safety process is still subject to continuous improvement.