How do you really go about the new IT Security Act 2.0, KRITIS ordinance? Does it apply to your business? Why is it essential? What measures should you be taking? Read this interview where Industrial & IoT Security expert, Bernd Jäger answers the most frequent questions around the law and critical infrastructure in Germany.
KRITIS is a compliance framework based on the German "IT-Sicherheitsgesetz" (IT Safety Act), which recently got important “upgrades.” It's not a law you must comply with, but rather it's the concept of cyber due diligence to protect the critical infrastructure we all depend on in our daily lives.
I’d say the most significant differences are, but are not limited to:
I still believe that governments usually want to protect their people and country. Over the last decade, I think everyone has come to understand that cybercriminals are a serious and real threat to the cyber and physical world we live in. From the many high-profile cyber-attacks we read about, I don't think any particular one was the specific catalyst.
The trigger might have been a general realization that the "average" cyber-attack on critical infrastructure ("the ransomware attack of the week") won't go away any time soon. Unfortunately, it has become a part of our lives that we can't ignore.
The BSI's KritisV document formally describes the relevant metrics and thresholds. I know that professionals are observing these figures closely to understand whether their organization falls under the regulation or not. Unfortunately, but not surprisingly, there is still room for interpretation.
If the regulation now applies to you, perhaps because of the update, then it's likely you're new to the topic. You should, therefore, get help from someone with experience in the subject to define your strategy towards gaining compliance within the required timeframe.
They can guide you on where best to start, the priorities, and identify a pragmatic way to implement that strategy. You may already have assets, like skills, technologies, and processes, that you can use as building blocks to gain compliance - or that just need minor amendments to do so.
Well, it took about five years for the current update to emerge. So, we probably won't be seeing additional annual changes from here. However, we'll likely see acts based on "IT-Sig. 2.0" that will interpret and detail the high-level requirements in that law. And neighboring countries or industry communities might adopt elements from them.
What I think is much more important is that the government has specified a baseline for cyber security in what they consider to be critical infrastructure. But if I run any business, my infrastructure is 'critical' to me, and I might want to consider concepts from the regulation that make sense in my context.
New obligations for companies that are of considerable economic importance. In the infographic we show the overview of the affected companies and the associated criteria.
Our goal is not to sell a piece of technology ("You need an OT-Firewall!"), but instead, help our customers use such elements and integrate them seamlessly into their OT processes.
Bernd Jäger, Industrial & IoT Security Expert