The 2nd online Design Thinking Workshop on Critical Infrastructure Security of BDEW took place on the 29th of January 2021. A variety of problems were developed by the participants in the first phase of the design thinking method for problem definition. These included technical challenges such as the review of recovery solutions and interfaces between OT and IT, but also organisational and personnel issues such as changing demands on employees in terms of required expertise and skills in order to meet new architectural concepts and dynamic changes in IT systems and their operation and maintenance.
Finally, the security requirements for service providers for interfaces, open source applications, general security and contract management were selected as the topic of the workshop. In the next phase, the problem was analysed in relation to the company processes and structures. The second phase involved identifying the internal and external stakeholders of relevant companies to define security requirements for service providers and company processes, such as purchasing, planning and information management. In the third step, the participants developed solutions.
Among other things, critical infrastructure operators could benefit from an industry standard or model contract for the contract management of security audits of service providers, containing specifications that regulate topics such as risk management for suppliers, reporting of incidents, rights of co-determination in the supply chain and the staffing of the service provider. Another idea that was developed was a set of technical guidelines/model contracts for service providers that are oriented according to the sourcing split in companies. Here, B3S standards were mentioned as an orientation aid. The participants benefited above all from the lively exchange with colleagues from the industry, and the desire to explore the security issues addressed in more depth will be taken up again in future workshops. In this context, the participants also suggested that a knowledge platform be developed as part of a research project so that a knowledge network can be formed in the critical infrastructures of the energy sector, in which, for example, best cases in the implementation of IT security concepts can be discussed and the various companies can learn from each other.
For further information, get in touch with Susanne Zels.