IT Security Act 2.0: Operators of critical infrastructures (KRITIS) are legally obliged to take “reasonable organizational and technical precautions” to prevent cyber attacks. With the passing of the "IT Security Act 2.0" (ITSiG 2.0) in spring 2021, these obligations were tightened again. From May 2023, the operators of critical infrastructures must implement these and, above all, have “attack detection systems” available.
Sophos, as an APT response service provider (Advanced Persistent Threat) officially qualified by the BSI, has therefore created a solution brief for KRITIS that helps companies and organizations to adapt their security measures in good time in accordance with the new requirements.
144 million new malicious programs in 2021
The focus of cybercriminal activities is on companies and public institutions, mainly to paralyze operations or to steal blackmail money. Facts show that the risk situation is tense: According to the BSI, around 2021 million new malware programs were identified in 144. Around 25 percent of the companies and organizations affected saw the attacks as a serious or existential threat.
This potential risk is all the more serious when critical infrastructures are the target of cybercriminals, for example in the healthcare sector, in the areas of energy and water supply or in the food supply. For this reason, the operators of critical infrastructures (KRITIS) are legally obliged to take "reasonable organizational and technical precautions" to prevent cyber attacks. With the passing of the IT Security Act 2.0 in spring 2021, these obligations were tightened again. From May 2023, the operators of critical infrastructures must implement these and, above all, have “attack detection systems” available.
New editions but little concrete recommendation for action
As in the past, the authorities who demand security at KRITIS also have precise ideas about how violations are to be punished and punished with the new edition of the regulations. However, they give companies and organizations a largely free hand in implementing IT security. The rationale: concrete recommendations for action could hinder progressive innovation in the field of IT technology and lead to the legal obligations quickly becoming obsolete again with the emergence of new technologies. From the point of view of the control bodies, this approach is understandable, but does not help the companies in the concrete implementation of the IT Security Act 2.0.
Security solution approach for KRITIS
As an officially qualified APT response service provider (Advanced Persistent Threat) by the BSI created a solution brief for KRITIS that helps companies and organizations to adjust their security measures in good time in accordance with the new requirements. To determine the necessary measures in more detail, KRITIS companies and organizations can use two points of reference: the "industry-specific security standards" that were developed by the individual industry associations of the sectors concerned, and the current guidelines from the BSI.
While the industry-specific security standards are only applicable to the respective sector, the BSI's handout offers general requirements that are applicable to all sectors and industries. In this catalog of requirements, the BSI defines 100 relevant topics and explains the respective security precautions.
Requirements catalog of the BSI
In the Solution Brief, Sophos describes which topics from the BSI's catalog of requirements can be addressed with which security components in order to implement the required security precautions - especially in connection with the new IT Security Act 2.0 - ITSiG 2.0. One focus of the new laws is attack detection. KRITIS companies and organizations must be able to continuously compare data processed in IT with information and technical patterns in order to identify potential attacks. To do this, parameters and characteristics during operation must be continuously and automatically recorded and, above all, evaluated.
The sophistication and rapid development of cybercriminals requires a combination of automated security enriched with artificial intelligence and human expertise. Both technical and human security should come together in an ecosystem in order to avoid threats and, above all, to eliminate any disruptions that have occurred as quickly as possible.
More at Sophos.com
About Sophos More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions, security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of our own analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.