How do you really go about the new IT Security Act 2.0, KRITIS ordinance? Does it apply to your business? Why is it essential? What measures should you be taking? Read this interview where Industrial & IoT Security expert, Bernd Jäger answers the most frequent questions around the law and critical infrastructure in Germany.
KRITIS is a compliance framework based on the German "IT-Sicherheitsgesetz" (IT Safety Act), which recently got important “upgrades.” It's not a law you must comply with, but rather it's the concept of cyber due diligence to protect the critical infrastructure we all depend on in our daily lives.
I’d say the most significant differences are, but are not limited to:
I still believe that governments usually want to protect their people and country. Over the last decade, I think everyone has come to understand that cybercriminals are a serious and real threat to the cyber and physical world we live in. From the many high-profile cyber-attacks we read about, I don't think any particular one was the specific catalyst.
The trigger might have been a general realization that the "average" cyber-attack on critical infrastructure ("the ransomware attack of the week") won't go away any time soon. Unfortunately, it has become a part of our lives that we can't ignore.
The BSI's KritisV document formally describes the relevant metrics and thresholds. I know that professionals are observing these figures closely to understand whether their organization falls under the regulation or not. Unfortunately, but not surprisingly, there is still room for interpretation.
If the regulation now applies to you, perhaps because of the update, then it's likely you're new to the topic. You should, therefore, get help from someone with experience in the subject to define your strategy towards gaining compliance within the required timeframe.
They can guide you on where best to start, the priorities, and identify a pragmatic way to implement that strategy. You may already have assets, like skills, technologies, and processes, that you can use as building blocks to gain compliance - or that just need minor amendments to do so.
Well, it took about five years for the current update to emerge. So, we probably won't be seeing additional annual changes from here. However, we'll likely see acts based on "IT-Sig. 2.0" that will interpret and detail the high-level requirements in that law. And neighboring counties or industry communities might adopt elements from them.
What I think is much more important is that the government has specified a baseline for cyber security in what they consider to be critical infrastructure. But if I run any business, my infrastructure is 'critical' to me, and I might want to consider concepts from the regulation that make sense in my context.
New obligations for companies that are of cosiderable economic importance. In the info-graphic we show the overview of the affected companies and the associated criteria.
Basically, yes. But it's also about having some basic stuff (visibility, segmentation, secure remote access, asset inventory, and basic information retrieval processes) in place for OT2! Then integrating them into your IT cyber security processes and backend systems (data lake, SIEM, SOAR, ticketing, vulnerability/asset Management, and SOC).
Yes. Securing the OT environment is a journey for most of our customers. We can support them from the beginning with, let's say, an orientation workshop to see where they are and define a strategy. Or we can help them build a protection platform, tune it, train people, write playbooks, and enable their staff to use it effectively from there.
But if cyber security for production is not your core business or skillset, you probably don't want to do it yourself. So, we also offer a fully managed service tailored to our clients' specific needs.
Our goal is not to sell a piece of technology ("You need an OT-Firewall!"), but instead, help our customers use such elements and integrate them seamlessly into their OT process. For example, what would a firewall rule base look like to shelter a specific OT subprocess zone without blocking critical real-time communication? What are the required changes and emergency management processes for an outage? We want to strengthen our clients' resilience against cyber-attacks.
So, this is the next level of protection.
With the 'Industrial Security Center,' we have combined the three essential domains critical to your OT processes resilience: physical, OT, and cyber security. We're continuously monitoring data coming in from those domains and doing near-real-time (within seconds) analytics to identify abnormal situations or behavior.
And we haven't just combined the data. We have also partially automated the cross-domain incident response using SOAR technology - the steps that a Level-1 analyst would typically have to take manually. That allows us to be much faster in the initial response. And because we now have context information coming from sources like cameras, SCADA monitoring systems, and cyber-sensors, we're also able to understand the actual situation much faster than if we only had access to one domain, for instance, just cyber.
But don't get me wrong, we're not taking the humans out of the loop. For critical decisions, we have an incident coordinator/orchestrator who uses the broad, high-quality context information to resolve the incident jointly with our customers’ specialists.
Here are some typical abbreviations you will encounter, many of which you may already be familiar with:
KRITIS, or CRITIS – Critical Infrastructures
KRITIS-Ordinance – the critical infrastructures in the seven sectors (energy, information technology and telecommunications, water, food, transport and traffic, health, and finance and insurance
IR – Incident Response
OT – Operational Technology
SIEM – Security Information and Event Management
SOAR - Security Orchestration, Automation, and Response
SOC - Security Operation Center
SCADA - Supervisory control and data acquisition
Our goal is not to sell a piece of technology ("You need an OT-Firewall!"), but instead, help our customers use such elements and integrate them seamlessly into their OT processes.
Bernd Jäger, Industrial & IoT Security Expert
