The Guideline DWA-M 1060E is published in October 2018. The translation is based on the German edition from August 2017. Operators of water supply and wastewater disposal installations shall have at their disposal high-Performance equipment, sufficiently qualified staff and robust quality assurance measures, because they have a paramount importance for the functioning of the community. As a result, drinking water supply and wastewater disposal were categorised as a critical service according to the Act to Strengthen the Security of Federal Information Technology (BSIG). The associated Ordinance on Critical Infrastructures of the Federal Office for Information Security (BSI-KritisV) specifies for which installations the operators are to provide appropriate organisational and technical precautionary measures to avoid malfunctions. In doing so, the state of the art shall be observed. The associations of DWA and DVGW have made use of the possibility mentioned in the IT Security Act to formulate an industry-specific security standard. The Federal Office for Information Security Technology (BSI), in consultation with the Federal Office of Civil Protection and Disaster Assistance (Bundesamt für Bevölkerungsschutz und Katastrophenhilfe) (BBK) determined the suitability of this IT security standard for the water sector. The industry-specific IT security standard serves as a basis for risk assessment and the implementation of measures to protect information technology systems, components, processes and data of water supply and waste water disposal installations, regardless of whether an installation is classified as critical infrastructure in accordance with the Ordinance on Critical Infrastructures of the Federal Office for Information Security (BSI-KritisV) or not. In the context of risk management, this Guideline together with the IT Security Code of Practice - in consideration of the legal requirements - serves as an industry-specific security standard for determining measures to protect information technology systems, components or processes of installations from failure or manipulation. Following the recommendations of both, this Guideline and the IT Security Code of Practice, can help reduce the risk of impairment of public services caused by an abstract hazard, i.e. a hazard likely to occur in the light of actual findings. In the event of a concrete hazard, i.e. a hazard that actually exists in a specific situation, preventive action can be classified on the basis of efficacy. This Guideline has been elaborated by a project group of the DVGW Joint Technical Committee on “IT Security” in cooperation with the DWA Working Group WI-5.4 “Cyber Security” within the DWA Technical Committee WI-5 “Management Systems/Technical Safety Management”.weiterlesen