Cybersecurity, ICT minimum standards, and mandatory reporting.Whether it's electricity, water, or data: When it comes to critical infrastructure, cybersecurity is not a "nice to have," but a requirement. The new mandatory reporting of security incidents presents companies like Axpo with new challenges – and opens up opportunities to strengthen processes and collaboration.

In an interview with M.Sc. René Oester, CEO of AXPO Systems AG, we take a look behind the scenes: How does a Swiss energy supplier handle this responsibility? How can energy suppliers and SMEs with limited resources benefit from it? And where is the topic heading?

Importance of mandatory reporting - Why are ICT minimum standards and mandatory reporting in the energy sector more important than ever?

Risk exposure from cyber threats has increased significantly in the energy sector. A resilient, digitally controlled energy supply is central to the economy and society – and must be treated with appropriate awareness and priority, especially in the context of the ongoing energy transition.

ICT minimum standards and mandatory reporting are essential today, as they structure security, clarify authorities' expectations, and enable standardization across the industry. This leads to pooled expertise, faster responses to security gaps, and thus to a reliable energy supply.

However, this implementation requires substantial investments in the industry's security infrastructure.

How does Axpo ensure that security incidents are detected and reported? What internal structures and solutions has it established for this purpose? How can smaller Swiss energy suppliers meet the new regulatory requirements – and how can Axpo help?

Axpo has been investing extensively in the security architecture of its facilities, systems, technology, processes, and employees for years. The changing threat landscape since the coronavirus pandemic and the war in Ukraine has led to targeted adaptation and refocusing of existing programs. With the establishment of a specialized Security Operation Center at Axpo Systems AG, critical infrastructures are monitored around the clock in real time – both physically and digitally. This allows security incidents to be identified early, resolved in a coordinated manner, and ideally avoided. Specialists are available at all times in the event of an incident. Even smaller energy suppliers benefit from this infrastructure through publicly accessible and specialized Security Operation Services such as SOC monitoring and incident response. This allows them to comply with regulatory requirements quickly and efficiently – without having to establish their own complex security structures.

Have there been any incidents that had to be reported to BACS so far – and what lessons has Axpo learned from them?

The reporting requirement enables a comprehensive situation analysis in Switzerland for the first time. According to BACS, over 80 reports from various sectors were received in the first quarter since the introduction of the reporting requirement. Axpo is in close contact with BACS. Information and insights from BACS flow directly into the Security Operation Center (SOC) and help to continuously improve monitoring and incident management.

Experience from incidents shows:

• Rapid detection and response are crucial to minimizing damage.
• Phishing is a frequently used starting point for initiating attacks.
• Regular awareness training is essential for detecting social engineering at an early stage.

Continuous training ensures that security awareness remains high internally.

How do you see this topic developing in the coming years? And what role does cooperation with authorities such as BACS or European partners play in this?

Cybersecurity is increasingly becoming a core strategic issue in the energy sector. Digitalization is increasing the attack surface, which is why rapid, standardized communication with authorities, partners, and industry is essential. This is the only way to quickly identify and resolve security gaps in order to ensure long-term resilience and security of supply.

M.Sc. René Oester, CEO of AXPO Systems AG