IT Security Act 2.0 comes into force: KRITIS companies must ensure anomaly detection
by Svenja Koch
IT-SiG 2.0 - Extended precautionary obligations for CRITIS operators and companies of special public interest
The IT Security Act 2.0 was approved by the Federal Council. The BSI is thus granted more far-reaching powers, in addition to which extended precautionary duties apply to KRITIS operators and companies of special public interest. The requirements must be implemented within one year. What exactly does this mean for CRITIS organisations?
Obligation to strengthen corporate precautionary duties
Key points of the law
Operators of critical infrastructures are obliged to use systems to detect attacks. Through an amendment to the Electricity and Gas Supply Act, this obligation also applies to operators of energy supply networks and energy plants.
The reporting obligations that already apply to operators of critical infrastructures will in future also apply to companies that are of particular public interest, such as companies in the defence industry and classified IT, companies that are of particular economic importance due to their high added value, and companies that are subject to regulation under the Major Accidents Ordinance.
The background for the adoption of the IT Security Act 2.0 lies in the changed security situation. Increasingly, critical infrastructures as well as companies with economic significance are the target of cyber attacks. The number of components in production networks that communicate with each other - intelligent control systems, sensors, actuators - is constantly growing, which simultaneously increases the complexity of such networks. Continuous monitoring of the data and data streams occurring in the network ensures that anomalies or deviations from normal operating conditions are detected at an early stage. Detecting such anomalies provides early, actionable indications of cyber attacks or of manipulated data. Systems for attack detection therefore make an important contribution to the protection of industrial networks.
Measures for the detection of anomalies in systems
In the area of OT security, most investments still flow into network segmentation and firewalls, which provide no visibility into the plant network and therefore no control over its communication. Certainly, these investments in IT security are still necessary, but they are no longer sufficient. Attack detection systems work according to a different principle than conventional security technologies. The key point is an active approach that searches for suspicious actions in one's own network and uncovers compromises.
If a network is infected unnoticed, for example via an infected programming computer, the attacker can move further in the network (lateral movement) and manipulate or leak data at will. Even the reloading of malicious code would not be prevented by a firewall, since the connection to the Internet is established from the internal zone. From the point of view of IT security, the BSI had already given an important impulse in favour of the operator with BSI CS 134; the IT Security Act 2.0 deliberately goes a step further and makes systems for the active search for unknown attack patterns an obligation for the sectors mentioned.
Implement the requirements of the new IT Security Act immediately with Active Cyber Defense!
Our Active Cyber Defense (ACD) service, a 24/7 threat hunting and incident response service, is one of the services that companies can use to meet the precautionary obligations required by the IT Security Act 2.0.
- ACD: Our service for early attack detection
ACD monitors entire networks and actively searches for unauthorised intruders and suspicious activity. For example, it identifies anomalies such as attackers communicating with a Command & Control server. Such attacks usually remain undetected for a long time without appropriate detection measures. On average, it takes six months for companies to identify attacks of this kind on their networks. With the ACD service, companies close this critical gap in their IT security. The communication with command & control servers of cyber criminals, which attackers use to coordinate attacks, is a particular focus of our ACD service.
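The two technical points made above (a firewall does not stop outbound connections that the internal zone itself initiates, and command & control traffic is best found by looking for deviations from normal communication) can be illustrated with a small baseline-and-beacon detector. The following is an added example written for this article; it is not code from secion's ACD service or from the BSI. It assumes a constructed key=value export format for outbound connection logs, assumes the plant network uses the 10.0.0.0/8 and 192.168.0.0/16 ranges, and uses illustrative thresholds (four hits, coefficient of variation of the inter-connection gaps at most 0.15) that a real deployment would tune.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumption: a hypothetical key=value export of outbound connections from an
# egress firewall or flow sensor (format constructed for this example).
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)$")
INTERNAL_PREFIXES = ("10.", "192.168.")  # assumption: address ranges of the plant network

# Constructed learning window: known-good traffic (PLC polling on Modbus/TCP,
# one permitted vendor update server).
LEARNING_LOG = """\
2021-05-27T10:00:00 src=10.0.1.15 dst=10.0.1.2 dport=502 proto=tcp
2021-05-27T10:05:00 src=10.0.1.15 dst=203.0.113.10 dport=443 proto=tcp
2021-05-27T11:00:00 src=10.0.1.16 dst=10.0.1.2 dport=502 proto=tcp
"""

# Constructed monitoring window: a programming laptop (10.0.1.20) starts contacting
# an external host that was never seen before, at an almost constant 60 s interval.
# The permitted vendor server is contacted at irregular times and must not be flagged.
MONITOR_LOG = """\
2021-05-28T10:00:00 src=10.0.1.20 dst=198.51.100.7 dport=443 proto=tcp
2021-05-28T10:00:10 src=10.0.1.15 dst=203.0.113.10 dport=443 proto=tcp
2021-05-28T10:00:30 src=10.0.1.15 dst=10.0.1.2 dport=502 proto=tcp
2021-05-28T10:00:45 src=10.0.1.15 dst=203.0.113.10 dport=443 proto=tcp
2021-05-28T10:01:00 src=10.0.1.20 dst=198.51.100.7 dport=443 proto=tcp
2021-05-28T10:02:00 src=10.0.1.20 dst=198.51.100.7 dport=443 proto=tcp
2021-05-28T10:02:30 src=10.0.1.15 dst=203.0.113.10 dport=443 proto=tcp
2021-05-28T10:03:00 src=10.0.1.15 dst=203.0.113.10 dport=443 proto=tcp
2021-05-28T10:03:01 src=10.0.1.20 dst=198.51.100.7 dport=443 proto=tcp
2021-05-28T10:03:30 src=10.0.1.30 dst=10.0.1.2 dport=502 proto=tcp
2021-05-28T10:04:01 src=10.0.1.20 dst=198.51.100.7 dport=443 proto=tcp
this line is malformed on purpose and is skipped by the parser
"""


def parse_log(text):
    """Parse key=value lines into records; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "ts": datetime.fromisoformat(m.group(1)),
            "src": m.group(2), "dst": m.group(3),
            "dport": int(m.group(4)), "proto": m.group(5),
        })
    return records


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIXES)


def build_baseline(records):
    """Every (src, dst, dport) triple seen during the learning window counts as normal."""
    return {(r["src"], r["dst"], r["dport"]) for r in records}


def detect(records, baseline, min_hits=4, max_cv=0.15):
    """Return findings for (a) outbound triples absent from the baseline and
    (b) external triples contacted at near-constant intervals (beacon-like)."""
    findings, reported = [], set()
    by_key = defaultdict(list)
    for r in records:
        key = (r["src"], r["dst"], r["dport"])
        by_key[key].append(r["ts"])
        if not is_internal(r["dst"]) and key not in baseline and key not in reported:
            reported.add(key)  # report each new destination once, not per connection
            findings.append({"kind": "new_external_destination", "key": key,
                             "first_seen": r["ts"].isoformat()})
    for key, times in by_key.items():
        if is_internal(key[1]) or len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Coefficient of variation of the gaps: close to 0 means a fixed interval,
        # which is what scheduled check-ins to a C2 server look like.
        cv = pstdev(gaps) / avg if avg > 0 else 0.0
        if cv <= max_cv:
            findings.append({"kind": "periodic_beacon", "key": key,
                             "interval_s": round(avg, 1), "cv": round(cv, 3)})
    return findings


def run_example():
    baseline = build_baseline(parse_log(LEARNING_LOG))
    return detect(parse_log(MONITOR_LOG), baseline)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

Run as a script, the example reports exactly two findings, both for the laptop's traffic to 198.51.100.7: the destination is new relative to the baseline, and the connections recur with a coefficient of variation well under the threshold. The irregular contacts with the vendor server and the new internal Modbus client are not reported; a fuller system would of course also baseline internal traffic, which is where lateral movement shows up, and would treat a malformed log line as a data-quality alert rather than silently dropping it.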
- ACD meets the immediate reporting obligation
In the event of suspicious activity that requires a response, the Active Cyber Defense team immediately notifies the client. This allows a direct response to the situation - in the case of an IT disruption caused by cybercrime, a direct report to the BSI is possible. Thus, with secion's ACD service, companies fulfil the legal requirement to implement a system for the early detection of attacks.
- Implement the legal requirements immediately with ACD!
According to IT-SiG 2.0, CRITIS companies must take precautions to defend against cyberattacks within one year by implementing systems for attack detection. With ACD, you and we can meet the requirements in a fraction of that time: the implementation of our Active Cyber Defense service usually takes 3-7 days, depending on the number of your Internet connections or company locations.
Companies from the critical infrastructure sector (CRITIS) are obliged under the IT Security Act 2.0 to implement attack detection systems, among other things. These function according to a different principle than conventional security technologies. The key point is an active approach that searches for suspicious actions in one's own network and immediately detects and reports compromises. With Active Cyber Defense (ACD), companies receive a permanent threat hunting and incident response service with which they can immediately close this critical gap in their IT security - as required by IT-SiG 2.0.
Implement the requirements of IT-SiG for anomaly detection now!
Contact us - our IT security experts will be happy to support you!