
IT Security Act 2.0 approved by the Bundesrat (Upper House)


On Friday, 07 May 2021, the Bundesrat finally approved the controversial IT Security Act 2.0. The Bundestag had already approved it at the end of April 2021. In this regard, Federal Minister of the Interior Horst Seehofer spoke of a “good day for cyber security in Germany”. He commented: “Digitalisation permeates all areas of life, and the pandemic has once again accelerated this process enormously. Our protection mechanisms & defence strategies must keep pace — this is what the IT Security Act 2.0 is for”. As early as November 2020, the discussion about the IT Security Act was reignited with a third draft bill. In terms of content, many aspects that were already the subject of the government draft from 2020 have been retained. However, they have been modified in detail. Thus, the continuing industry-wide criticism of the IT Security Act 2.0 seems hardly surprising.

Expanded powers for the BSI, inventory data disclosure and the so-called “Huawei clause”

A central aspect of the new IT Security Act is the expanded powers for the Federal Office for Information Security (BSI). The draft law at least improves on earlier versions by making the overriding protection goals, and the work of the BSI geared to them, more concrete. In addition, the handling of vulnerabilities and security gaps is to become more transparent. The new law is intended to make the BSI a key player in the fight against botnets and the spread of malware. To this end, 799 new positions will be created.

Detection of security vulnerabilities

The BSI will be empowered to detect security vulnerabilities at the interfaces of IT systems to public telecommunications networks by means of port scans. In addition, it will be allowed to use honeypots and sinkholes to analyse malware and attack methods.

Storage and collection of inventory and log data

A particularly critical aspect from a data protection perspective is that in future the BSI will be allowed to store and evaluate “log data” and personal user information (such as IP addresses) generated during online communication between citizens and federal administrative institutions for a period of 12 to 18 months. This also includes internal “logging data” from the authorities. Furthermore, the BSI may obtain inventory data information from providers of telecommunications services. This is intended to protect those affected and to detect attacks, e.g. by Trojans such as Emotet.

The so-called “Huawei clause” — hurdle for the exclusion of equipment suppliers

The so-called “Huawei clause”, which is also part of the amendment, sets a high hurdle for excluding individual equipment suppliers from network expansion (for 5G, for example). The federal government is to be able to prohibit the use of “critical components” in the event of a “probable impairment of public safety and order”. To this end, there will be a certification obligation, and manufacturers will have to issue a guarantee declaration.

In this regard, the BSI tweeted, by way of a “self-image”, that security vulnerabilities will be communicated transparently and remedied quickly, that consumers will be provided with even more neutral, up-to-date information on digital topics, and that critical infrastructures will be supported with close-meshed advice and supervision.

Strengthening consumer protection and more security for businesses

In addition, the new IT Security Act contains regulations to strengthen consumer protection and increase security for companies. To this end, consumer protection is included in the BSI’s catalogue of tasks. Furthermore, a uniform IT security label will in future make it clear to consumers which products already comply with certain IT security standards.

In order to increase corporate security, operators of critical infrastructures and, in the future, other companies in the special public interest (e.g. arms manufacturers or companies of particularly great economic importance) must implement certain IT security measures and will be included in the trusted exchange of information with the BSI.

Draft of a second ordinance amending the BSI Criticality Ordinance (BSI-KritisV) published

The IT-SiG 2.0 not only refers to the Critis Ordinance, it also expands the existing obligations of the CRITIS operators. For this reason, it is not surprising that on 26 April 2021 the Federal Ministry of the Interior published the draft of a second ordinance amending the BSI Critis Ordinance as part of the consultation of associations, specialist groups and academia. Corresponding comments are to be submitted by 17 May 2021.

The draft bill contains considerable changes and adjustments to the content, as well as new additions in the individual annexes that determine the categories of installations and the concrete threshold values, including, in part, the individual numerical assessment criteria. In addition, software and IT services that are necessary for the provision of a critical service are now also identified as investments within the meaning of the regulation. Furthermore, trading in securities and derivatives is included as a new critical service.

Support from SRC experts

The SRC experts will be happy to exchange views with you on the innovations as well as their effects, and to support you in the implementation of the requirements from IT-SIG and BSIG as well as in the provision of evidence within the scope of §8(a) BSIG (“Critical Service Examination”).

IT-Security Law 2.0

Is the IT security law 2.0 on its way?

After a longer standstill, the discussion about the IT Security Law (IT-SIG 2.0) is now beginning again. Recently, a 3rd draft of the bill was published by the Federal Ministry of the Interior, Building and Community (BMI).

Current status of the amendment

The amendment of the IT-SiG has been underway since April 2019, presumably delayed by the legal requirements for the use of technical products from third countries by operators of critical infrastructures. The third draft bill is now ready to be voted on by the various departments. Adoption before the end of the first quarter of next year no longer seems unrealistic.

What are the main focuses of the draft law?

The new draft bill focuses on the threats to cyber security. In addition, the powers of the BSI will also be expanded and new areas of responsibility will be created, e.g. as a national cyber security certification authority with the implementation of active detection measures.

The new draft also includes the notification of critical components in § 2 section 13:

“The use of a critical component (…) is to be indicated by the operator of a critical infrastructure to the Federal Ministry of the Interior, Building and Community before installation. In the announcement, the critical component and the kind of their employment are to be indicated.”

Critical components are especially those IT products that are used in KRITIS and are of high importance for the functioning of the community. For telecommunications network operators or telecommunications service providers, these components are defined in more detail in the catalog pursuant to § 109 (6) TKG; all others are specified in a corresponding BSI catalog.

Only critical components may be used whose manufacturers have issued a declaration of their trustworthiness to the operator of the critical infrastructure (guarantee declaration). The BMI determines the minimum requirements for the guarantee declaration, taking into account superior public interests, in particular security policy concerns. The guarantee declaration must state whether and how the manufacturer can adequately ensure that the critical component does not have any technical properties that could have an abusive effect on the security, integrity, availability or operability of the critical infrastructure (such as sabotage, espionage or terrorism).

Here a new duty of disclosure arises for the operators of the components. Previously, manufacturers had to apply to the BSI for certification of these components. This new listing of critical components contains highly sensitive targets. Successful attacks by hackers or secret services can cause lasting damage to critical infrastructures in the Federal Republic of Germany.

The discussion about requirements for the IT products used, identification and authentication procedures and their evaluation with regard to information security is also taken up and specified. These specifications lead to the development and publication of a state of the art of security requirements for IT products. In addition, there are requirements for consumer protection and consumer information.

Conclusion

It remains to be seen whether this schedule can be met. In terms of content, the new draft is a significant improvement, because it is more concrete than the draft of April 2019. A point of criticism is that the evaluation of the IT-SIG of 2015, which should have taken place after four years at the latest, is still pending.

The SRC experts will be happy to discuss the innovations and their effects with you and to support you in implementing the requirements of the IT-SIG and BSIG as well as in providing evidence within the scope of §8(a) BSIG (“Kritis-audit”).