Deadline May 1, 2023
BSI presents current draft of guidance on the use of detection systems
Cyber criminals are increasingly targeting operators of critical infrastructures (KRITIS). In the worst case, public safety is at stake. The German legislator responded to this threat in 2021 with the IT Security Act 2.0, which amends the existing Act on the Federal Office for Information Security (BSI Act) and adds further obligations. European legislators are following suit with the second EU Network and Information Security Directive (NIS2).
In addition, the definition of critical infrastructure has been expanded and now covers further sectors. Companies of so-called "special public interest", such as defence manufacturers, waste management companies or organisations of particular economic importance, now also have to implement certain IT security measures. More than 250 additional companies in Germany are affected.
IT Security Act 2.0:
Overview of new requirements
KRITIS operators must have attack detection systems in place by May 1, 2023 at the latest.
KRITIS operators must notify the German Federal Ministry of the Interior before the first use of any critical component. The Ministry can prohibit its use, for example where the manufacturer is controlled by the government of a third country or where the use of the component would run counter to the security policy goals of the German federal government, the EU or NATO.
KRITIS operators and "companies of special public interest" will have to submit a self-declaration on a regular basis, stating which IT security certifications they have obtained within the last two years and how their systems are secured.
Measures to protect critical infrastructures
Critical infrastructure operators and companies that need to protect their IT and OT against cyber attacks require integrated solutions that comply with the IT Security Act 2.0, the BSI Act and the ISO/IEC 27001 information security standard. On the technology side, the following detection modules should therefore be used:
Log Data Analytics (LDA): analysis of log data, also known as Security Information and Event Management (SIEM)
Vulnerability Management & Compliance (VMC): comprehensive vulnerability scanning
Network Behavior Analytics (NBA): analysis of network traffic and related metadata
Endpoint Detection & Response (EDR): detection of security-relevant events of varying criticality on endpoints
Security events detected by the modules above are analysed, evaluated and ranked by a correlation engine and then handed to analysts. The distinguishing feature: specialists prioritise the automated findings out of a very large volume of data so that incident response teams and IT departments can initiate the right countermeasures.
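The following Python script is an added illustration of the correlation step described above; it is not RADAR's product code and not part of the BSI guidance. It assumes a simplified common event schema, a 24-hour correlation window and a hypothetical scoring rule (observed activity sets the base score, each further independent module raises it, and a known exposure on the same host raises it again, while an exposure with no observed activity is ranked as a hygiene item). The findings from the four modules are constructed sample data, not real detections.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample findings in each module's own shape (illustrative, not real data).
RAW_FINDINGS = [
    {"module": "VMC", "host": "plc-gw-01", "ts": "2023-04-11T23:00:00",
     "title": "Outdated remote management service", "cvss": 9.8},
    {"module": "LDA", "host": "plc-gw-01", "ts": "2023-04-12T08:01:10",
     "rule": "Failed logins followed by success", "level": "medium"},
    {"module": "NBA", "host": "plc-gw-01", "ts": "2023-04-12T08:05:42",
     "anomaly": "Unusual outbound connection to new external IP", "confidence": 0.7},
    {"module": "EDR", "host": "plc-gw-01", "ts": "2023-04-12T08:06:03",
     "alert": "Unsigned binary spawned from service account", "severity": 3},
    {"module": "LDA", "host": "hr-ws-17", "ts": "2023-04-12T09:15:00",
     "rule": "Account lockout", "level": "low"},
    {"module": "EDR", "host": "hr-ws-17", "ts": "2023-04-12T09:20:30",
     "alert": "Macro-enabled document opened", "severity": 2},
    {"module": "VMC", "host": "web-dmz-02", "ts": "2023-04-12T02:00:00",
     "title": "TLS library below patched version", "cvss": 7.5},
    {"module": "NBA", "host": "bkp-srv-03", "ts": "2023-04-01T03:10:00",
     "anomaly": "Large data transfer to unusual destination", "confidence": 0.9},
    {"module": "LDA", "host": "bkp-srv-03", "ts": "2023-04-12T10:00:00",
     "rule": "Privileged group membership changed", "level": "high"},
]

WINDOW = timedelta(hours=24)            # assumed correlation window
LDA_LEVELS = {"low": 3.0, "medium": 5.0, "high": 8.0}  # assumed SIEM level mapping


def normalise(f):
    """Map a module-specific finding onto a common 0-10 severity scale."""
    m = f["module"]
    if m == "LDA":
        sev, what = LDA_LEVELS[f["level"]], f["rule"]
    elif m == "VMC":
        sev, what = float(f["cvss"]), f["title"]          # CVSS is already 0-10
    elif m == "NBA":
        sev, what = round(10 * f["confidence"], 1), f["anomaly"]
    elif m == "EDR":
        sev, what = 2.5 * f["severity"], f["alert"]       # vendor scale 1-4 assumed
    else:
        raise ValueError(f"unknown module {m}")
    return {"module": m, "host": f["host"], "ts": datetime.fromisoformat(f["ts"]),
            "severity": sev, "what": what}


def group_by_host_and_window(events, window=WINDOW):
    """Bundle each host's events into groups whose time span stays within `window`."""
    per_host = defaultdict(list)
    for e in sorted(events, key=lambda e: (e["host"], e["ts"])):
        per_host[e["host"]].append(e)
    groups = []
    for evs in per_host.values():
        current = [evs[0]]
        for e in evs[1:]:
            if e["ts"] - current[0]["ts"] > window:   # too old: start a new group
                groups.append(current)
                current = [e]
            else:
                current.append(e)
        groups.append(current)
    return groups


def score_group(group):
    """Hypothetical correlation rule: activity sets the base, independent modules add
    to it, an exposure on the same host adds more; exposure alone is a hygiene item."""
    activity = [e for e in group if e["module"] != "VMC"]
    exposure = [e for e in group if e["module"] == "VMC"]
    tags = []
    if activity:
        score = max(e["severity"] for e in activity)
        score += 1.5 * (len({e["module"] for e in activity}) - 1)
        if exposure:
            score += 2.0
            tags.append("activity on exposed host")
    else:
        score = 0.5 * max(e["severity"] for e in exposure)
        tags.append("exposure only")
    return min(score, 10.0), tags


def priority(score):
    """Assumed analyst priority bands."""
    return "P1" if score >= 9 else "P2" if score >= 6 else "P3"


def correlate(raw_findings):
    """Full pipeline: normalise -> group per host and window -> score -> ranked worklist."""
    incidents = []
    for g in group_by_host_and_window(normalise(f) for f in raw_findings):
        score, tags = score_group(g)
        incidents.append({
            "host": g[0]["host"],
            "first_seen": g[0]["ts"].isoformat(),
            "priority": priority(score),
            "score": round(score, 2),
            "modules": sorted({e["module"] for e in g}),
            "tags": tags,
            "details": [f'{e["module"]}: {e["what"]}' for e in g],
        })
    incidents.sort(key=lambda i: (-i["score"], i["first_seen"]))
    return incidents


if __name__ == "__main__":
    for inc in correlate(RAW_FINDINGS):
        print(inc["priority"], inc["score"], inc["host"], inc["modules"], inc["tags"])
```

The ranked output is the worklist an analyst would start from: the OT gateway with an exploitable service plus log, network and endpoint activity comes out on top, the old data transfer on the backup server is kept as a separate incident because it falls outside the window of the later group-membership change, and the unpatched DMZ host with no observed activity lands at the bottom as a patching task rather than an incident.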
Guidance 1: Security Made in Europe
RADAR Cyber Security offers a Cyber Defense Center solution that enables critical operators and enterprises to put all of the modules above into practice as part of an end-to-end, integrated security approach for their IT and OT infrastructures. A Cyber Defense Center supplied by RADAR comprises the technologies, processes and know-how needed to monitor, analyse and maintain information security. Data from networks, servers, endpoints and other digital resources is collected in real time and processed with intelligent automation, so that potential cyber threats are detected continuously.
In addition, critical operators and companies of special public interest are advised to use European security technologies, such as those of RADAR as a software vendor. This makes it easier to comply with EU data protection law, e.g. the requirements of the General Data Protection Regulation (GDPR), and to prevent disruptions to the availability, integrity, authenticity and confidentiality of their operations.
The use of European security technology, such as that provided by RADAR, also simplifies the BSI's examination of critical components, whose purpose is to ensure that third-party actors cannot undermine EU privacy protections through those components. This matters all the more at a time when the EU-US Privacy Shield agreement is no longer in force.
Guidance 2: Authority Guide by BSI
The German BSI recently presented its 'Orientation Guide for the use of attack detection systems' for the critical sectors. The guide is intended to give critical infrastructure companies, as well as the bodies that audit them, guidance for the individual implementation and the auditing of the required security measures.