Most Swiss people will never have heard of the FONES, the Federal Office for National Economic Supply, a small part of the Federal Department of Economic Affairs, Education and Research. Nonetheless, it has a crucial mission, laid out in the constitution: To ensure the availability of essential goods and intervene in the case of supply shortages and take precautionary measures against such shortages. With ICT systems becoming ever more critical in all areas, FONES decided that as part of its precautionary measures it needed to address cyber security as well.

Since the focus of FONES is not cyber security in general but to ensure Switzerland remains supplied with crucial goods from food and water over medicine to power, the standard has a slightly different focus and approach than most other cyber security standards. It isn’t meant to compete with these, but rather to provide entry-level information and guidance while aiming at a high degree of protection. Its intended audience must after all be relied on by everyone else, even in crises.

FONES Minimum Standard

There are nine sectors of critical infrastructure that FONES is concerned with: Energy, Finances, Food and Water, Therapeutic Products, Transport, ICT, Waste disposal and Public Health, Safety and Administration. Information and communications technology as an area is distinct from the ICT that the standard is about, and refers to service providers and other companies who work in the field. However, all fields are dependent on computers and networked devices for their operation – from the software used to manage the electrical grid over industrial automation to milking robots in the agricultural sector, digital threats can potentially affect all areas.

Since each of the sectors has different threats and risks to contend with, FONES aims to provide implementation guidelines for each of the different fields in order to spur adoption. These additional standards are created in close cooperation with organizations in the field. Currently, they have produced three such documents: One for the water suppliers in cooperation with the Swiss Gas and Water Industry Association, one for the food sector in cooperation with two retailers’ associations and one for the energy sector in cooperation with the Association of Swiss Electrical Companies. Implementation of these standards is voluntary, in the sense of an industry self-regulation, assisted by FONES. In all cases, the standard is aimed at senior management and ICT officers, and presents a high-level view of the necessary steps.

Implementation And Assessment

Before going into the steps necessary to increase resilience, the standard explains that risk assessments and risk management are a pre-requisite factor. Only if you know what you need to protect against and what your threat model is, can you take the right steps. It is also clarified that there is no such thing as absolute security and that resilience is also about coming back from being hit with an attack. Lastly before getting into the actual model of the standard, there is also a reminder that effective cybersecurity measures answer the following questions:

• What is to be done?
• How is it to be done?
• Who is responsible?
• How will the outcome be measured?

The actual measures of the standard are then organized in five functions:

1. Identify
2. Protect
3. Detect
4. Respond
5. Recover

Identify is about comprehensively identifying all relevant systems, including external ones and ones in the supply chain and having processes to keep that list up to date. Similar to the risk analysis, this is a necessary prerequisite for defensive measures to be most effective. It’s not unusual in a network assessment or system review to find an old backup or a forgotten system that can then be used to attack further targets. Such situations show the failure of the Identify steps, as the risk wasn’t dealt with because it wasn’t properly tracked.

Protect contains most of the steps commonly thought of as cybersecurity but at a high, process-oriented level. Importantly, the measures in this function include both awareness and training and extend to suppliers and other 3rd parties. For many companies, it might not be possible to audit their suppliers or mandate them to have certain training, but for the operators of critical infrastructure, these are important measures, in particular now that suppply chain attacks are rising.

Detect really is what it says on the tin. Watch for anomalies, monitor your systems continuously, make sure you are able to notice a breach fast.

Respond and Recover bring in elements from business continuity planning. These functions stress the importance of having plans for crises and the value of organized communications in bad situations. Not just internally for an efficient and effective response, but also externally, towards the public. This sort of PR is important for any company but is highlighted in these critical areas where poor public perception can lead to knock-on effects from a frightened public. Another important part of the Recover function is to ensure that learning from previous recoveries and improvement happens.

On top of the measures in these functions, the FONES Minimum Standard also comes with an assessment system for judging your maturity. Tasks are scored from 0-4 with the following meanings:

Obviously, while a 4 is ideal, the risk management of a business determines the goals and targeted levels. An assessment using this tool does not generally identify specific vulnerabilities in a company’s ICT infrastructure but weaknesses in their security posture and where they might or might not yet have reached their maturity goals. A full review would be a fairly major undertaking, as it would involve reviewing processes and specific technical steps affecting the company in many areas. However, as the process of implementing all measures would likely take a considerable amount of time, such a review could likely be done in multiple steps, as well.

Who is it good for?

All in all, the FONES Minimum Standard for Improving ICT Resilience is a high level overview of all the necessary measures a company may need to take to handle cybersecurity risks. It is very good for setting goals and understanding why all these measures are important, without overwhelming the reader with technical details. At the same time, that makes it too vague to derive a specific implementation from and the goals it sets are high enough that they might not be feasible for most SMEs. Which is fitting given its target audience, and only somewhat limits its usefulness for security experts.

The FONES and their collaborators from the various private companies have come up with a well-researched document that can certainly help guide companies to greater resilience.

About the Author

Mark Zeman has a Master of Science in Engineering with focus on Information and Communication Technologies at the FHNW. He was able to transform his passion of information security to his focus since 2017. During his bachelor studies he worked for an email security company. (ORCID 0000-0003-0085-2097)