IT Security Law 2.0: Need for action by operators of critical infrastructures

The German cabinet has approved the draft of a "Second Law for Increasing the Security of Information Technology Systems" (IT Security Law 2.0). For companies in the critical infrastructure sector (CRITIS) in particular, which includes energy suppliers, this means adapting their own IT security strategies. Companies are now obliged to deploy systems for attack detection. A major IT challenge here is the use of a monitoring system.

The IT Security Law 2.0 is intended to improve IT security in Germany and prevent cybercrime. The revision of the first version from 2015 provides for additional measures to protect consumers, the state and public IT, and above all expands the supervisory role of the Federal Office for Information Security (BSI).

Key elements of the IT Security Law 2.0

In the future, consumer protection will fall more strongly within the BSI's area of responsibility. In addition, the BSI is to make the IT security of products more transparent by introducing an IT security mark. This means that in the future, only components from manufacturers that have issued a declaration of trust and carry this BSI security mark may be installed. The BSI can also impose deletion, reporting and inventory-data disclosure obligations on providers in the event of cybercrime incidents. The lawmakers also expect greater security from closer cooperation between the BSI and security authorities such as the Federal Criminal Police Office and the Office for the Protection of the Constitution.

The new draft law also expands the list of critical sectors and adds the new category of "infrastructures of special public interest" to the extended CRITIS scope of application. This category includes the defense industry and companies of significant economic importance.

In the future, operators of critical infrastructures (CRITIS) will be required under the IT Security Law 2.0 to use attack detection systems within their IT infrastructure, among other measures, to increase their protection against cyber attacks. In addition, the IT Security Law 2.0 provides for a significantly increased range of fines for violations: in individual cases, fines of up to two million euros for natural persons and 20 million euros for legal entities can be imposed.

Need for action by companies as a result of the additional requirements

The additional requirements also apply to energy companies and should be implemented promptly. A major IT challenge here is the use of a monitoring system that collects log data from the various infrastructure components within IT and OT (such as industrial plants) and automatically detects and reports attacks through filtering and correlation. This is the only way to initiate countermeasures quickly and prevent unauthorized access to IT systems. One technical solution is a Security Information and Event Management (SIEM) system. To support attack detection ("Detect") and defense ("Respond"), the SIEM can also be integrated into a higher-level Security Operations Center (SOC). There, the SIEM's purely technical monitoring is supplemented by more in-depth forensic analysis of the anomalies and a structured defensive response.
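The "filtering and correlation" step described above is the core of what a SIEM does with collected log data. The following is an added example, not code from the article or from any SIEM product, that shows the idea in miniature: log lines from an IT authentication source and an OT engineering station are normalised, irrelevant lines are filtered out, and a correlation rule flags a burst of failed logins followed by a success and, more seriously, a subsequent write to an OT system from the same source within a short window. All log lines, host names, addresses, log formats and thresholds are constructed assumptions for the example.

```python
"""Minimal SIEM-style filtering and correlation over IT and OT log lines.

Added example with constructed data; log formats, thresholds and addresses
are assumptions, not those of any real product or operator.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Two assumed source formats: an IT authentication log and an OT HMI/engineering-station log.
IT_AUTH_RE = re.compile(r"^(?P<ts>\S+) it-auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")
OT_RE = re.compile(r"^(?P<ts>\S+) ot-hmi (?P<action>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample log lines (not real data).
SAMPLE_LOGS = [
    "2024-03-01T08:00:01 it-auth FAIL user=svc_maint src=10.1.5.20",
    "2024-03-01T08:00:05 it-auth FAIL user=svc_maint src=10.1.5.20",
    "2024-03-01T08:00:09 it-auth FAIL user=svc_maint src=10.1.5.20",
    "2024-03-01T08:00:12 it-auth FAIL user=svc_maint src=10.1.5.20",
    "2024-03-01T08:00:15 it-auth FAIL user=svc_maint src=10.1.5.20",
    "2024-03-01T08:00:20 it-auth OK user=svc_maint src=10.1.5.20",
    "2024-03-01T08:03:40 ot-hmi SETPOINT_WRITE user=svc_maint src=10.1.5.20",
    "2024-03-01T09:15:00 it-auth FAIL user=alice src=10.1.7.8",
    "2024-03-01T09:15:30 it-auth OK user=alice src=10.1.7.8",
    "2024-03-01T09:16:00 ot-hmi VIEW user=alice src=10.1.7.8",
    "2024-03-01T10:00:00 kernel: eth0 link up",  # unrelated noise, filtered out
]

# Assumed rule parameters.
FAIL_THRESHOLD = 5                  # failed logins that count as a burst
FAIL_WINDOW = timedelta(minutes=2)  # the burst must fit in this window
OT_WINDOW = timedelta(minutes=10)   # OT write this soon after a suspect login escalates


def parse_line(line):
    """Normalise one raw line into an event dict, or None if it is not a relevant source (filtering)."""
    m = IT_AUTH_RE.match(line)
    if m:
        kind = "auth_fail" if m["result"] == "FAIL" else "auth_ok"
        return {"ts": datetime.fromisoformat(m["ts"]), "kind": kind, "user": m["user"], "src": m["src"]}
    m = OT_RE.match(line)
    if m:
        kind = "ot_write" if m["action"].endswith("_WRITE") else "ot_other"
        return {"ts": datetime.fromisoformat(m["ts"]), "kind": kind, "user": m["user"], "src": m["src"]}
    return None


def correlate(lines):
    """Run the correlation rule over raw lines and return the alerts it raises, in time order."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    fails = defaultdict(list)  # src -> timestamps of failures still inside FAIL_WINDOW
    suspect_logins = {}        # src -> time of a success that followed a failure burst
    alerts = []
    for e in events:
        src = e["src"]
        if e["kind"] == "auth_fail":
            # Keep only failures within the sliding window, then add this one.
            fails[src] = [t for t in fails[src] if e["ts"] - t <= FAIL_WINDOW]
            fails[src].append(e["ts"])
        elif e["kind"] == "auth_ok":
            if len(fails[src]) >= FAIL_THRESHOLD:
                suspect_logins[src] = e["ts"]
                alerts.append({"rule": "burst-then-success", "severity": "medium",
                               "src": src, "user": e["user"], "ts": e["ts"]})
            fails[src].clear()  # a success closes the burst either way
        elif e["kind"] == "ot_write":
            t0 = suspect_logins.get(src)
            if t0 is not None and e["ts"] - t0 <= OT_WINDOW:
                alerts.append({"rule": "it-compromise-then-ot-write", "severity": "high",
                               "src": src, "user": e["user"], "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS):
        print(f'{a["ts"].isoformat()} [{a["severity"]}] {a["rule"]} user={a["user"]} src={a["src"]}')
```

Run against the sample, the rule raises two alerts for source 10.1.5.20 (a medium one for the failure burst followed by a successful login, then a high one for the OT setpoint write a few minutes later) and nothing for the single failed attempt by alice; the kernel line never reaches the rule. Escalating severity on the cross-domain IT-to-OT step is what a SOC analyst would want, since it is the event that most needs the "in-depth forensic analysis" the article refers to.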

Various questions arise when designing and implementing a monitoring system, and they must be answered before implementation begins:

  • Which monitoring strategy will be chosen, and how does it fit into the company's IT security strategy?
  • Which assets exist in both IT and OT, and which of them should be included in monitoring?
  • What are the possible detection scenarios for the monitoring system?
  • Will the system be implemented and operated in-house, or will its operation be outsourced to an external service provider?
  • How will the system be integrated into the IT infrastructure?

Holistic framework for IT security

The decision on how well IT systems are protected against cyber attacks is now no longer left to companies alone. Implementing the requirements of the IT Security Law 2.0 therefore not only requires a sound concept but is also quite time-critical. However, fulfilling the imposed obligations also offers companies an opportunity: to approach IT security and cybersecurity holistically.