Posts

IT Security Act 2.0 passed by the cabinet

IT Security Act 2.0 passed by the cabinet

In the end, draft followed draft — and then it happened very quickly. Last Wednesday, 16 December 2020, the cabinet passed the IT Security Act 2.0. Federal Minister of the Interior Horst Seehofer calls it a “break­through for Germany’s security”. Industry associ­a­tions as well as the UP KRITIS are sharply critical of the involvement of the experts there, both in the content and the very short comment period of only a few working days for draft nos. 3 and 4. This does not reflect the impor­tance of the planned amend­ments to the law.

Start of discussion in November

Surpris­ingly, the discussion on the IT Security Act was reignited in November with a third draft bill. After a long stand­still, the discussion about critical infra­struc­tures, their operators and the role of the BSI got moving again. The comments of the technical experts, which were aimed at improving the content of essential points as well as clari­fying open questions, e.g. the partly dispro­por­tionate level of sanctions, transition periods, the certi­fi­cation and notifi­cation of the use of so-called critical compo­nents or also the inclusion of new sectors such as waste management.

More powers for the BSI

It is clear that the BSI’s powers will be greatly expanded. This can be seen not only in the number of newly created posts, but also in the effort to create a cyber inter­vention force as quickly as possible.

Evalu­ation of the IT-Sig 1.0

Furthermore, the legally stipu­lated evalu­ation of the IT-SIG 1.0 according to Article 10 is still pending. Also according to Article 9 of the Critical Infra­structure Ordinance (KritisV), the BSI Critical Infra­structure Ordinance — and thus in particular the threshold values above which an operator is considered a critical infra­structure — must be evaluated every two years.

Changes in content

In the view of the SRC experts, the following points are the main changes in the new IT-SIG:

  • Regula­tions on the use of critical components
  • Concreti­sation of key figures and threshold values for the largest companies in Germany, insertion of a legal regulation on the disclosure of inter­faces and compliance with estab­lished technical standards.
  • Regula­tions on fines and sanctions
  • Amendment of the provi­sions on the storage of log data
  • Alignment of inventory data disclosure with the require­ments of the BVerfG decision of 27 May 2020 (“Inventory Data Disclosure II”).
  • Limitation of the imple­men­tation of detection measures for network and IT security (“Hacker Paragraph”)
  • Amendment of deadlines for the KRITIS regula­tions in Section 8a BSIG and an adjustment or limitation of the oblig­ation to submit operator documents, insofar as the regis­tration oblig­ation has not been fulfilled.
    Regula­tions on IT security of companies in special public interest: Self-decla­ration forms provided by the BSI are no longer binding, with the submission of the self-decla­ration there is an oblig­ation to register with the BSI.
  • Temporal restriction of the BSI’s right of entry to check the require­ments of EU Regulation 2019/881 (EU Cyber­se­curity Act).

In addition, conceptual adjust­ments and concreti­sa­tions were made throughout the entire bill. On 16 December 2020, the Federal Cabinet adopted the draft for the IT Security Act 2.0. The cabinet version is available for download.

Further regulation on IT security

The draft bill on the Telecom­mu­ni­ca­tions Moderni­sation Act (Act on the Imple­men­tation of Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 on the European Electronic Commu­ni­ca­tions Code (recast) and on the Moderni­sation of Telecom­mu­ni­ca­tions Law), which was also presented on 09.12.2020, also contains provi­sions on IT security.

The SRC experts will be happy to exchange views with you on the innova­tions as well as their effects and support you in imple­menting the require­ments from IT-SIG and BSIG as well as in providing evidence within the scope of §8(a) BSIG (“Kritis-Prüfung”).

NextGenPSD2 certification

New BSI guidance on evidence according to § 8a paragraph 3 BSIG

The IT Security Act (IT-Sig) in conjunction with the KRITIS regulation has been in use for over five years. The main objective is the regulation of KRITIS operators according to the BSI Act. The Federal Office for Infor­mation Security (BSI) accom­panies law and regulation with the so-called BSI Orien­tation Guide to Evidence.

IT-Sig 2.0 — Is it coming or not?

Unfor­tu­nately, the topic “IT security law 2.0” has become very quiet lately. Therefore no amendment of the KRITIS regulation is to be expected in the short term. However, the current draft of the IT-Sig 2.0 can be taken from the present speaker draft. For example, the inclusion of waste management in the existing sectors is being considered. In addition, an expansion of the target group beyond the KRITIS operators to include companies in the special public interest (e.g. due to their economic impor­tance) is also being considered. For these companies, the prepa­ration of safety concepts, the oblig­ation to report incidents, the regis­tration and management of a reporting office and the trust­wor­thiness of the employees in the area are important. The planned tight­ening of the framework for fines from the previous maximum of EUR 100,000 to a maximum of EUR 20,000,000 (or 4% of the total annual company turnover worldwide in the previous business year) is partic­u­larly striking.

New guidance on evidence

While IT-Sig 2.0 is still a long way off, in the second half of August the BSI published its new “Guidance on evidence pursuant to Section 8a (3) BSIG”. Version number 1.1 already suggests it: the changes include many concreti­sa­tions and clari­fi­ca­tions of the facts and require­ments. In addition, there are further signif­icant changes. For example, the new Form P combines the infor­mation contained in the previ­ously used forms PD (test perfor­mance), PE (test results) and PS (testing body). In addition to the written submission, a digital/­ma­chine-readable copy is now also required. The list of safety deficiencies and the imple­men­tation plan are now combined in one document, while existing test results (maximum 12 months old) must be explicitly checked for topicality and stock. A clear innovation is the well-founded assessment of the maturity levels of the management systems for infor­mation security (ISMS) and business conti­nuity (BCMS). The strong focus on the aspect of trace­ability is also very noticeable. This becomes visible at various points:

  • Detailed description of the scope (with its inter­faces, depen­dencies and parts of the critical service operated by third parties) and
  • the instal­lation (including associated parts of the critical service and all essential features) as well as
  • Provision of a compre­hen­sible network structure plan.
  • In addition, a list of deficiencies must also be compre­hen­sible without the need for further documents.

Even without IT-Sig 2.0, the new BSI orien­tation guide requires attention. SRC experts will be pleased to discuss the innova­tions and their effects with you and support you in the imple­men­tation of the extended requirements.

KRITIS 2018

Critical Day 2018 | Knowledge and experience in a lively exchange

The Critical Day

On 25 April 2018 the first Critical Day took place at the SRC Conference Centre. This was the premiere of a series of events that offers a top-class platform for exchange. This is primarily aimed at repre­sen­ta­tives of companies that operate a critical infra­structure (KRITIS). The Critical Day serves above all to establish personal contacts and to exchange experi­ences and best practices on IT and physical security of critical infrastructures.

The Schedule

After the arrival of the first partic­i­pants, a lively exchange on the topics began. At the start of the Critical Day, the fully booked hall documented the partic­i­pants’ need for information.

Top-class speakers gave an overview of the topic KRITIS. Isabel Münch, Head of CK3 and repre­sen­tative of the Federal Office for Infor­mation Security (BSI), explained the proce­dures and processes in the super­visory authority. Randolf Skerka, Head of SRC and respon­sible for the topic of auditing according to §8a (3) BSIG, described the first experi­ences from the perspective of the auditing body. The Klinikum Lünen was the first to provide proof of the audit according to §8a (3) BSIG. Ralf Plomann, Head of IT at Klinikum Lünen, gave impressive insights into the devel­opment of hospital organ­i­sation in prepa­ration for the audit. Prof. Dr. med. Andreas Becker, who made it clear that sound industry expertise is an essential and indis­pensable corner­stone of a meaningful exami­nation, rounded off the morning.

The expert presen­ta­tions gave the partic­i­pants a 360° view of the require­ments of the BSI audits, which were largely and with good reason vaguely formulated.

At the end of the morning the visual artist Frank Rogge described his view on the questions of criti­cality in the field of artistic creation.

The afternoon was completely dedicated to the main interests of the partic­i­pants. Under the moder­ation of Jochen Schumacher, co-organiser at SRC, the afternoon was arranged.

The partic­i­pants indepen­dently organized the various contents for nine sessions.

The most signif­icant results of the afternoon

From the session ” Submitting certi­fi­cation findings to the BSI ” it became clear that the BSI does not expect, for example, any “classical” findings or devia­tions formu­lated down to the last technical detail. A roughly described framework of devia­tions and a description of a course of action in the test report is useful. Never­theless, an appro­priate measure must be in place for each risk within a critical infra­structure. This is of enormous impor­tance for the BSI.

The BSI wishes to cooperate closely with the various Kritis companies. The aim is to strengthen the security of IT in Germany.

In the session ” IT Security Awareness in the company ” Ralf Plomann presented the method and imple­men­tation of measures at the Lünen Hospital. The individual approach would be very important here. Every individual in the company would be respon­sible for IT security. In the individual address, every employee would have to be picked up where he is at the moment. According to Plomann, this is especially the case because almost no one would read guide­lines any more. Therefore, more creative approaches should be chosen. Ralf Plomann’s wish for the future: “Awareness for IT security should start at school from upper secondary level”. In the course of the next session, a clear trend towards e‑learning platforms for improving awareness emerged.

In another session, the partic­i­pants focused on the safe and simple defin­ition of the scope. The pyramid model was partic­u­larly favoured in the discussion. The service classified as critical is the best starting point for defining the scope. For example, when it comes to the critical infra­structure of a sewage treatment plant, the defin­ition of the scope requires identi­fying and deter­mining which systems clarify the water, what effects a failure would have and how this failure can be compen­sated by other methods to maintain the critical service.

With this method you system­at­i­cally move to the outer perimeter. If you get to systems that are no longer critical, the limit of the scope is reached.

Conclusion of the first “Critical Day” from SRC’s point of view

An example of the fasci­nating atmos­phere was the contin­u­ation of the bilateral commu­ni­cation of the partic­i­pants between the individual sessions. The feedback proved that the partic­i­pants were able to make many new contacts and gain insights from other KRITIS projects.

The overall positive response of the partic­i­pants shows us as SRC that the Critical Day is a useful hub for the exchange of infor­mation on KRITIS projects between the partic­i­pants. Our thanks goes to all partic­i­pants who contributed funda­men­tally to the success of the Critical Day with their open-mindedness and commitment.

We regard the Critical Day as a successful exper­iment. This motivates us to start preparing for a follow-up event.

Critical Day

Critical Day 2018 | on April 25, 2018, critical infra­structure operators meet at SRC

Critical infra­struc­tures and their signif­i­cance | Critical day 2018 makes an exchange possible 

Critical infra­struc­tures (KRITIS) are organ­i­sa­tions and facil­ities of major impor­tance to the public sector, the failure or impairment of which would result in sustainable supply shortages, major public security disrup­tions or other dramatic conse­quences. These critical infra­struc­tures are exposed to various dangers. Among other things, there are also various scenarios in which the security of infor­mation technology systems in critical infra­struc­tures takes centre stage. The starting point for the conference “Critical Day 2018” with accom­pa­nying barcamp.

Profes­sional “networking” with each other

With the aim of estab­lishing personal contacts and stimu­lating profes­sional exchange, the critical day offers a regular meeting place for people respon­sible for the protection of critical infra­struc­tures. The target group of the critical day are those people who work in a company or insti­tution that supplies the population with essential goods and services. Furthermore, the critical day addresses people who deal with the topic of critical infra­struc­tures in a practical, advisory, regulatory or scien­tific way. The first critical day will take place on 25 April 2018 at the SRC Conference Centre with accom­pa­nying barcamp. Tickets are now available.

The demand of the Critical Day

The Critical Day aims to provide a world-class platform for repre­sen­ta­tives of affected companies, the public sector, science and research to network and exchange experi­ences on devel­op­ments and best practices in IT and physical security of critical infra­struc­tures. It also plays a role that the partic­i­pants are encouraged to design the second part of the critical day as a barcamp. A barcamp is an open conference with open workshops, the contents of which are developed by the partic­i­pants themselves at the beginning of the conference and will be designed in the further course. Barcamps therefore serve the exchange of content and discussion.

Portfolio Items