IT Security Act 2.0 in 5 minutes: An Interview

In this interview, find answers to some of the most frequently asked questions around the IT Security Act 2.0.

January 31, 2022 | Bernd Jäger

Uncover key insights around the IT Security Act 2.0

How should you approach the new IT Security Act 2.0 and the KRITIS Ordinance? Does it apply to your business? Why is it important? What measures should you be taking? In this interview, Industrial & IoT Security expert Bernd Jäger answers the most frequent questions around the law and critical infrastructure in Germany.

How would you explain KRITIS to a layperson?


KRITIS is a compliance framework based on the German "IT-Sicherheitsgesetz" (IT Security Act), which recently got important "upgrades." It's not a law you must comply with, but rather it's the concept of cyber due diligence to protect the critical infrastructure we all depend on in our daily lives.

How does the new IT Security Act 2.0 – KRITIS-Ordinance differ from the first IT security act that came in 2015?

I'd say the most significant differences include, but are not limited to:

  • It applies to new industries, like waste management
  • It requires technical elements for behavior-based attack detection and related processes on top
  • There are increased fines for non-compliance
  • The regulation authority has extended powers

What made the government frame a law around this topic?  What’s the background and starting point of this?

I still believe that governments usually want to protect their people and country. Over the last decade, I think everyone has come to understand that cybercriminals are a serious and real threat to the cyber and physical world we live in. From the many high-profile cyber-attacks we read about, I don't think any particular one was the specific catalyst.

The trigger might have been a general realization that the "average" cyber-attack on critical infrastructure ("the ransomware attack of the week") won't go away any time soon. Unfortunately, it has become a part of our lives that we can't ignore. 

How do companies know whether this legislation applies to them or not? And if it does, what should their next steps be?

The BSI's KritisV document formally describes the relevant metrics and thresholds. I know that professionals are observing these figures closely to understand whether their organization falls under the regulation or not. Unfortunately, but not surprisingly, there is still room for interpretation.

Can the companies that fall under the act take measures on their own, or will they need help from external agencies, consultants, auditors?


If the regulation now applies to you, perhaps because of the update, then it's likely you're new to the topic. You should, therefore, get help from someone with experience in the subject to define your strategy towards gaining compliance within the required timeframe.

They can guide you on where best to start, the priorities, and identify a pragmatic way to implement that strategy. You may already have assets, like skills, technologies, and processes, that you can use as building blocks to gain compliance - or that just need minor amendments to do so.    

The new act applies to more companies than the original did. Are more companies likely to fall under its scope in the future?

Well, it took about five years for the current update to emerge. So, we probably won't be seeing additional annual changes from here. However, we'll likely see acts based on "IT-Sig. 2.0" that will interpret and detail the high-level requirements in that law. And neighboring countries or industry communities might adopt elements from them.

What I think is much more important is that the government has specified a baseline for cyber security in what they consider to be critical infrastructure. But if I run any business, my infrastructure is 'critical' to me, and I might want to consider concepts from the regulation that make sense in my context.

IT Security Act 2.0 (infographic)

New obligations for companies that are of considerable economic importance. The infographic gives an overview of the companies affected by the IT Security Act 2.0 and the associated criteria.

White paper: Critical Infrastructure 2.0

What do critical infrastructure operators have to implement, what obligations – such as the detection of cyberattacks – does this involve, and how can Deutsche Telekom Security GmbH help you do this?

To aid compliance, will there be a need for better security solutions to help companies implement improved threat detection and response?

Basically, yes. But it's also about having some basic stuff (visibility, segmentation, secure remote access, asset inventory, and basic information retrieval processes) in place for OT! Then integrating them into your IT cyber security processes and backend systems (data lake, SIEM, SOAR, ticketing, vulnerability/asset management, and SOC).

Does T-Systems have solutions that address these security challenges?

Yes. Securing the OT environment is a journey for most of our customers. We can support them from the beginning with, let's say, an orientation workshop to see where they are and define a strategy. Or we can help them build a protection platform, tune it, train people, write playbooks, and enable their staff to use it effectively from there.  

But if cyber security for production is not your core business or skillset, you probably don't want to do it yourself. So, we also offer a fully managed service tailored to our clients' specific needs.

Our goal is not to sell a piece of technology ("You need an OT-Firewall!"), but instead, help our customers use such elements and integrate them seamlessly into their OT process. For example, what would a firewall rule base look like to shelter a specific OT subprocess zone without blocking critical real-time communication? What are the required changes and emergency management processes for an outage? We want to strengthen our clients' resilience against cyber-attacks.

Can Hitachi Energy, Telekom, and Securitas industrial security centers be seen along the same lines? What's different?

So, this is the next level of protection.

With the 'Industrial Security Center,' we have combined the three essential domains critical to the resilience of your OT processes: physical, OT, and cyber security. We're continuously monitoring data coming in from those domains and doing near-real-time (within seconds) analytics to identify abnormal situations or behavior.

And we haven't just combined the data. We have also partially automated the cross-domain incident response using SOAR technology - the steps that a Level-1 analyst would typically have to take manually. That allows us to be much faster in the initial response. And because we now have context information coming from sources like cameras, SCADA monitoring systems, and cyber-sensors, we're also able to understand the actual situation much faster than if we only had access to one domain, for instance, just cyber.

But don't get me wrong, we're not taking the humans out of the loop. For critical decisions, we have an incident coordinator/orchestrator who uses the broad, high-quality context information to resolve the incident jointly with our customers’ specialists.  
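As an added illustration of the cross-domain correlation described in the answer above (example code written for this page, not the Industrial Security Center's own code): a small Python triage routine that correlates a SCADA setpoint change with badge-reader and network-sensor events from the same OT zone, performs the Level-1 enrichment steps automatically, and decides whether the incident coordinator is paged. The event types, zone names, the 120-second correlation window and the sample events are all assumptions constructed for this example.

```python
"""Cross-domain triage: physical + OT + cyber events for one OT zone.

Constructed example. Event schema, zone names and the correlation window
are assumptions, not a vendor's data model.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass(frozen=True)
class Event:
    ts: datetime
    domain: str   # "physical" (access control, cameras), "ot" (SCADA), "cyber" (network sensors)
    zone: str     # OT zone / production cell the event relates to, e.g. "cell-07"
    kind: str     # normalised event type
    detail: str   # free-text payload from the source system


@dataclass
class Assessment:
    zone: str
    anchor: Event
    verdict: str
    severity: str
    automated_steps: List[str]   # what the SOAR playbook does without a human
    needs_coordinator: bool      # True when a person must take the decision


WINDOW = timedelta(seconds=120)  # assumed look-back window for context events


def _context(events: List[Event], anchor: Event, domain: str, kind: str) -> List[Event]:
    """Events of the given domain/kind in the anchor's zone within WINDOW before it."""
    return [e for e in events
            if e.zone == anchor.zone and e.domain == domain and e.kind == kind
            and anchor.ts - WINDOW <= e.ts <= anchor.ts]


def assess(anchor: Event, events: List[Event]) -> Assessment:
    """Correlate one SCADA setpoint change with physical and cyber context.

    Encodes the triage a Level-1 analyst would otherwise do by hand:
    - a technician badged into the cell and no remote session open: treat as
      planned on-site maintenance and close with an audit note;
    - a remote session open and nobody physically present: the pattern of
      unauthorised remote control, so escalate to the incident coordinator;
    - anything else is ambiguous and goes to an analyst for review.
    """
    present = _context(events, anchor, "physical", "badge_in")
    remote = _context(events, anchor, "cyber", "remote_session_opened")
    steps = [f"enrich {anchor.zone} from asset inventory",
             f"attach last SCADA values for {anchor.zone} to the case"]
    if remote and not present:
        steps += [f"snapshot PLC configuration in {anchor.zone}",
                  "open P1 ticket and page incident coordinator"]
        return Assessment(anchor.zone, anchor, "unattended remote setpoint change",
                          "high", steps, True)
    if present and not remote:
        steps.append("close case as planned maintenance, keep audit note")
        return Assessment(anchor.zone, anchor, "setpoint change by on-site technician",
                          "info", steps, False)
    steps.append("open P2 ticket for analyst review")
    return Assessment(anchor.zone, anchor, "setpoint change needs context review",
                      "medium", steps, True)


def triage(events: List[Event]) -> List[Assessment]:
    """Assess every OT setpoint change in the stream, oldest first."""
    return [assess(e, events) for e in sorted(events, key=lambda e: e.ts)
            if e.domain == "ot" and e.kind == "setpoint_change"]


# Constructed sample stream: a benign on-site change in cell-07, then a
# remote change in cell-12 with no one present in the cell.
T0 = datetime(2022, 1, 31, 9, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "physical", "cell-07", "badge_in", "technician 4711 entered cell-07"),
    Event(T0 + timedelta(seconds=40), "ot", "cell-07", "setpoint_change",
          "pump P-07 speed 60% -> 75%"),
    Event(T0 + timedelta(minutes=30), "cyber", "cell-12", "remote_session_opened",
          "VPN session from 203.0.113.5 to engineering workstation EWS-12"),
    Event(T0 + timedelta(minutes=30, seconds=55), "ot", "cell-12", "setpoint_change",
          "valve V-12 opened 0% -> 100%"),
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.zone}: {a.verdict}")
        for step in a.automated_steps:
            print("   -", step)
        print("   coordinator:", "paged" if a.needs_coordinator else "not needed")
```

The point of the split between `automated_steps` and `needs_coordinator` is the one made in the answer: enrichment, evidence capture and ticketing run without a human, but the decision to intervene in a running process stays with the coordinator. A real deployment would replace the in-memory list with the SIEM or data lake query and the step strings with SOAR playbook calls.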

Some common security acronyms 

Here are some typical abbreviations you will encounter, many of which you may already be familiar with:

KRITIS, or CRITIS – Critical Infrastructures

KRITIS-Ordinance – the critical infrastructures in the seven sectors (energy, information technology and telecommunications, water, food, transport and traffic, health, and finance and insurance)

IR – Incident Response

OT – Operational Technology

SIEM – Security Information and Event Management

SOAR - Security Orchestration, Automation, and Response

SOC - Security Operations Center

SCADA - Supervisory Control and Data Acquisition


About the author

Bernd Jäger

Practice Lead Industrial & IoT Security at Telekom Deutschland, Deutsche Telekom

