The German IT Security Act 2.0 (IT-SiG 2.0) has been in force since May 2021. Due to this new law, significantly more German companies have been classified as operators of critical infrastructures (KRITIS) than ever. This is a major cause of headaches for many managers. In addition, IT departments are starting to ask themselves: "Are we now regarded as KRITIS"? And if so, "What do we have to take into consideration?"
What is the Significance of the German IT-SiG 2.0 for Operators of Essential Services?
Spoiler alert: It is pretty significant. The IT-SiG regulates the basic legal framework for critical infrastructures. It is a so-called omnibus bill (‘Artikelgesetz’) which means that it simultaneously combines several existing laws and amends them with regard to a specific topic the protection of critical infrastructures, in the case of IT Security Act 2.0. It also includes the Act on the Federal Office for Information Security (BSI Act - BSIG).
What is the BSIG?
The BSI Act is the most important law on KRITIS regulation and outlines the tasks and obligations of KRITIS operators. For example, the BSIG mandates KRITIS operators to implement appropriate security measures. These include, for instance, systems for attack detection and processing.
"Systems for attack detection within the meaning of this law are processes supported by technical tools and organizational integration for detecting attacks on information technology systems. Within this context, attack detection is performed by comparing the data processed in an information technology system with information and technical patterns that indicate attacks" (Section 2 (9b) BSIG).
The BSIG also stipulates that these security systems must be in operation by May 1, 2023, at the latest:
"The obligation under the first sentence of paragraph 1 to take appropriate organizational and technical precautions shall also include the use of attack detection systems as of May 1, 2023. The attack detection systems used must continuously and automatically record and evaluate suitable parameters and characteristics from ongoing operations. They should be able to identify and prevent threats on an ongoing basis and to provide suitable remedial measures for faults that have occurred" (Section 8a (1a) Sentence 1, 2 BSIG).
After two years at the latest, i.e., by May 2025, operators of critical infrastructures must provide the BSI with corresponding proof of commissioning. In addition, the BSI subsequently requires the provision of proof of active operation of the corresponding systems at regular intervals of two years:
"Operators of critical infrastructures must provide evidence of compliance with the requirements under paragraphs 1 and 1a to the Federal Office no later than two years after the date specified in paragraph 1 and every two years thereafter" (Section 8a (3) Sentence 1 BSIG, underlining made for this OH).
How can IT Managers Implement the BSIG Requirements?
To facilitate the implementation of BSIG requirements, the BSI offers guidance, guidelines, recommendations, interpretation aids and application notes on a vendor-neutral basis. We recommend every SIEM or SOC manager read the three documents that are linked below. These BSI documents show in great detail and in a practical way, which IT security capabilities need to be built for digital sovereignty. Use these BSI documents as a helpful guide and study them carefully:
(1) Specification of the requirements for the measures to be implemented in accordance with Section 8a (1) BSIG.
(2) BSI's minimum standard for logging and detecting cyber attacks
(a) Logging Guideline Federal (PR-B) Logging for the detection of cyber attacks on the federal government's information technology, including the implementation guideline for Section 5 (1) Sentence 1 No. 1 and in conjunction with Sentence 4 BSIG
(3) Guidance on the use of systems for attack detection (SzA) (Community Draft).
As you can see, the BSI has developed project goals, scope, procedures and even the business case. Now it’s up to SIEM and SOC managers to implement these successfully.
But what about you? Which requirements and capabilities have you already implemented? Where are any gaps or open questions? Feel free to leave us a comment below!
How to Successfully Implement KRITIS Requirements
Knowledge of the aforementioned three documents is critical, however, they are not a guarantee that you are out of the woods yet. That's why you should also take a look at our e-book on the topic of the IT Security Act 2.0 and watch our webinar on IT security operations in critical infrastructures. We explore the following and more questions:
- With IT-SiG 2.0 in place, what is required of IT decision-makers in critical infrastructures (KRITIS) today and in the future?
- What are the most important innovations of the IT-SiG 2.0? And who do they affect?
- Who is now considered a KRITIS operator and an "organization in the special public interest"?
- What do IT decision-makers have to implement within a certain timeframe?
We don’t blame you if still have a whole bunch of questions. You are not alone. Many others had to deal with the same challenges, e.g. municipal utilities such as Würzburger Versorgungs- und Verkehrs-GmbH, IT service providers such as DATEV, logistics companies such as Dachser or even international corporations such as Siemens (by the way, all of these organizations have been using Splunk for years).
Feel free to reach out to us directly. We will help you crack even the toughest nuts in the field of cybersecurity, security operations and security automation. That's our speciality at Splunk.
*This blog including articles on federal law has been edited and translated from the German blog.