Risks for energy suppliers and grid operators will continue to rise sharply

How will IT security develop in 2025 and over the next five years? ZfK asked Maik Neubauer from the management consultancy AXXCON for an assessment.

‘With its widely ramified – especially municipal – technical and process-related structures and complex value chains, the German energy industry is at the centre of potential physical or cyber-related attacks,’ says Maik Neubauer, Partner Energy & Critical Infrastructures at AXXCON Management Consultants.

Following the implementation of basic protection mechanisms under the IT Security Act 2.0 and the introduction of information security standards based on ISO 27001, the transposition of NIS 2 and the implementation of the provisions of the KRITIS Umbrella Act are on this year's agenda. The national implementation law for NIS 2, the so-called NIS-2-UmsuCG, is being finalised, while the EU requirements for operators of critical infrastructure, a category that includes most large energy companies, will be implemented through the KRITIS-DachG and the regulations and guidelines derived from it.

‘Due to the current (geo-)political situation and many uncertainties, but also the ongoing development of AI algorithms, which also play a role in cyberattacks, the risks for energy suppliers and grid operators will potentially continue to rise sharply,’ is Neubauer’s forecast.

Challenges for municipal utilities

‘Many energy suppliers are currently struggling to clearly recognise the “forest for the trees” of regulation and to derive a lean but efficient strategy for action from the various laws, guidelines on cyber security and regulations,’ the expert observes. Many municipal utilities are still in the early stages and are trying to protect themselves from potential attacks by implementing relatively static information management processes.

‘Unfortunately, this is a fallacy, as information protection and cyber security must be implemented proactively. This involves 24/7 monitoring of data and information systems with the help of professional monitoring tools that detect and analyse potential threats and actual attacks and initiate risk mitigation measures. Only when the threats can be analysed and identified does a coordinated process environment take effect within the framework of ISMS structures.’

According to Neubauer, the opportunity for municipal utilities lies in a systematic analysis of possible risks, as this also provides a basis for the continuous optimisation of the IT landscape, with potential for cost savings and efficiency gains. All resilience and protection measures should be organised and anchored in business continuity management systems (BCMS). ‘These BCM measures should be based on existing BCM systems, documentation and processes and should be certified on the basis of corresponding ISO standards, e.g. ISO 22301 or ISO 22361,’ is Neubauer’s advice.

He advises synchronisation with other management systems (such as an ISMS in accordance with ISO 27001, the BSI standards or general governance, compliance and risk management systems) in order to provide management with a comprehensive set of control and response tools.

Addressing information, cyber and infrastructure security in cooperation projects

Asked how municipal utilities should position themselves so that they can sensibly implement business models within this framework while weighing up the risks and opportunities, Neubauer advises them to tackle information, cyber and infrastructure security in cooperation projects. ‘All energy suppliers are faced with the same questions, have to establish similar process, reporting and response chains and set up similar monitoring systems in order to make the risk potential measurable.’

In line with Peter Drucker’s ‘What you cannot measure, you cannot manage’, identifying and assessing risks comes first among the necessary tasks in this context. Municipal utilities should also work together to analyse the legal framework and requirements, including the obligations of managing directors and board members. ‘The municipal utility network service providers such as Thüga, Trianel and others can offer specific services in this context to support their municipal utility partners in implementing protection mechanisms. We still see considerable potential for innovation and catching up for service providers in the municipal utility ecosystem here,’ says Neubauer.

Source: Zeitung für kommunale Wirtschaft, February 2025