In April 2021, the IT Security Act 2.0 was passed by the German Federal Ministry of the Interior. Among other things, the regulation provides for changes in connection with the protection of critical infrastructures (KRITIS). For example, KRITIS companies are confronted with the expansion of their reporting obligations. CARMAO GmbH shows how companies can comply with the new requirements. Together with PECB, the expert for corporate resilience also offers qualifications and further training for specialists and managers on the implementation of specific measures in the area of information security complying with the new law.
The German Federal Government sees a need for many KRITIS operators to catch up on information security. KRITIS companies are organizations or facilities of critical importance to the state, the failure, or impairment which would result in lasting supply bottlenecks, significant disruptions to public safety, or other serious consequences for the common good.
A comprehensive report by the Federal Office for Information Security (BSI) had shown: IT systems in critical infrastructures are not sufficiently protected against cyberattacks. The 2020 communiqué on the state of IT security in Germany shows an increase in the number of reportable IT security incidents at KRITIS operators of over 60 percent within one year, which is why an adjustment of the existing IT Security Act was deemed necessary and carried out in 2021. The new law also strengthens the role of the BSI. It becomes the central authority with farreaching powers.
KRITIS companies now highly challenged
The IT Security Act 2.0 significantly expands German KRITIS regulation by imposing more obligations on KRITIS operators while granting the state more power. For the operators of critical infrastructures, the new law means, among other things, a great deal of uncertainty regarding current and future requirements, as the tightening of the law may entail investments in technology, personnel, or the involvement of service providers.
Companies will be subject to an increased reporting obligation to the BSI if certain KRITIS facilities defined in the law are affected. Operators of such critical infrastructures are required, for example, to implement extensive documentation and reporting. Another major innovation of the law is the inclusion of the “waste management” sector in the list of industries that operate critical infrastructures.
In addition, the category “infrastructure of special public interest” was introduced, for which the KRITIS rules are also to be applied. This concerns sectors such as; culture, media, and defence industry.
The new regulations will lead to more KRITIS operators and more affected companies, as well as, suppliers in the German economy.
For them, it is important to increase their efforts for cyber security in order to be able to comply with the new legal requirements. In the course of the IT Security Act 2.0, organizations of “considerable economic importance” are also to present to the BSI their plans to improve their IT security.
The office then has the authority to order extra measures. In addition, companies are obliged to report cyberattacks to the BSI without delay.
BSI is also responsible for cyber security certification
The BSI is being successively strengthened within the framework of the IT Security Act 2.0 and it is being equipped with more expanded tasks as well as power.
On the basis of the new law, the BSI has now been appointed the National Cybersecurity Certification Authority (NCCA). As NCCA, the BSI is bestowed with two important functions: certification and supervision. Both functions are strictly separated and carried out independently of each other.
As part of its statutory supervision activities, the NCCA is responsible, among other things, for monitoring and enforcing statutory regulations and obligations, as well as for tracking relevant developments in the field of cybersecurity certification.
The new security law requires systems for attack detection that continuously and automatically record and evaluate suitable parameters and characteristics from ongoing operations.
These systems should be able to continuously identify and avoid threats and to provide suitable remedial measures for any disruptions that have occurred. The necessary systems for attack detection should protect the infrastructure as comprehensively as possible. In addition to the company’s IT infrastructure, telecontrol technology, network control technology, and process control technology are also included.
Digital consumer protection provides for basic security standards
The transfer of consumer protection tasks to the BSI is also new. The task is to strengthen security in the sense of digital consumer protection. Increasing digitalization permeates almost all areas of life, with many advantages, but also quite a few disadvantages. The increasing networking of information and consumer electronics, household appliances, and other objects of daily use creates new risks and potential attack targets for cybercriminals. As the national cyber security authority, the BSI is therefore also enforcing the establishment of basic security standards and sees the information and sensitisation of consumers as an essential task.
In the future, the IT security of products is to be made visible with “IT security labels”. For manufacturers, this means, that they must also comply with stricter requirements and provide regular updates and troubleshooting measures for their products. This should put a stop to the active exploitation of vulnerabilities by criminals. In its first report on digital consumer protection, the BSI warns against software and systems that often contain highly complex vulnerabilities – to the detriment of society. The report cautions against serious omissions in the security design of products. Dangerous security vulnerabilities have been found, for example, in networked doorbells and “smart” toys. This carelessness extends to providers and consumers. The still popular Microsoft operating system Windows 7 also poses a considerable security risk. The operating system has no longer been provided with free security updates since the beginning of 2020, thus, it is becoming progressively more vulnerable.
CARMAO experts help meet the new requirements
Not all points of the new safety law are uncontroversial. Many experts and specialists do not see the new extensive documentation and reporting obligations as a significant gain in security. According to CARMAO GmbH, for instance, the additional obligations keep companies from their core business. Therefore, affected companies should think about an information security management system (ISMS) or contact IT security specialists in order to be able to meet the increased requirements.
In the IT security infrastructure of a company, potential weaknesses often remain undetected without a consistent basic structure. In case of a problem, there is a lack of clear processes and responsibilities. An information security management system (ISMS) creates the necessary clear basic order and lays the foundation for a comprehensive IT security strategy. CARMAO GmbH has published a guideline on the strategic orientation and introduction of an ISMS. Companies can request this free of charge.
CARMAO experts also provide support in the implementation of specific information security measures, e.g., by providing external information security officers, reviewing IT emergency management, internal audits, preparing for KRITIS audits, resilience assessments, and much more.
Training the workforce as a means of information security
Furthermore, CARMAO GmbH offers training, consulting, and services around the topics of information security, business continuity management, and organizational resilience.
As an authorised Gold Partner of the PECB, CARMAO is continuously expanding its cooperation with PECB for its training and advisory services in order to meet the requirement of a globally educational standard. In this context, CARMAO sees continuous training as an important lever for organizations to implement meaningful corporate resilience with its individual components. The workforce should therefore be sensitised, qualified, and continuously trained for their tasks in areas such as; information security, compliance, business continuity, risk management, and service management.
Sustainability is another premise that is considered in the CARMAO and PECB seminars. This results from the growing need for expert knowledge. With digitalization and globalization, the half-life of learned knowledge and processes is visibly shortening in many sectors, but at the same time, other requirements are increasing and changing – e.g. for information security. Corresponding strategies transcend national borders and are often controlled centrally, especially in internationally oriented companies.
The partnership of CARMAO and PECB combines the extensive experience of both companies and offers a new approach to understanding and efficiently eliminating corporate risks. Sustainable management of these risks as well as the continuous building of organizational resilience are elementary, especially to meet the growing requirements through the IT Security Act 2.0.