With the IT Security Act 2.0, the obligation to use attack detection systems was introduced for CRITIS operators in May 2021. On 1 May 2023, the two-year transition period for implementing the new requirement ends. Axel Amelung, Senior Account Manager at TÜV TRUST IT GmbH, TÜV AUSTRIA Group, has been closely involved with the IT Security Act and its practical implementation for years. In this interview, he talks about the requirements surrounding attack detection systems and what companies should do now.
Mr Amelung, what specifically will change on 1 May this year?
First of all, a distinction must be made between general CRITIS operators and energy suppliers and producers, as different regulations apply to the latter. For critical infrastructures in general, §8a, paragraph 1a BSIG applies, which stipulates the obligation to implement systems for attack detection by 1 May 2023 at the latest; this must also be audited, and thus proven, every two years. For this purpose, the verification obligations that CRITIS operators already have are supplemented by the attack detection audit. In principle, this does not mean that companies will have to undergo a completely new audit; the existing one will merely become more comprehensive.
What happens if this audit has been taken recently?
In this case, the systems for attack detection will only be proven at the next regular audit. It is important, however, that the implementation must still have taken place by 1 May 2023. If CRITIS operators do not comply on time, the German Federal Office for Information Security (BSI) can impose appropriate sanctions. And if a cyber attack with possible data theft actually occurs after the deadline and this could have been prevented by an attack detection system, there is at least the question of liability for gross negligence, because a legal obligation was not implemented. However, it should also be mentioned in this context that the majority of companies take this very seriously and have already complied with the obligation at an early stage. We have already received a lot of feedback from our CRITIS customers that they have had very good experiences with their implemented systems for attack detection. We know of attacks that were actually detected at an early stage and successfully stopped.
And what about the energy suppliers and producers?
The legal situation is somewhat different for these companies, as they are regulated under the Energy Industry Act (EnWG). This was also amended by the IT Security Act 2.0 to add the obligation to implement attack detection systems. Here, too, the deadline for implementation is 1 May 2023. However, in contrast to general CRITIS operators, the first proof to the BSI must be provided by this deadline.
Is that really possible in practice?
With a total of more than 1,500 energy suppliers in Germany, enquiries are naturally queuing up at testing companies like TÜV TRUST IT so close to the deadline. In addition, many of the operators concerned are unclear about the requirements for the audit, because these have changed several times in the meantime. One thing is clear: self-testing is not permitted. However, audit organisations definitely do not have enough capacity to accept all audits by 1 May. Therefore, it is exceptionally possible for energy suppliers and producers to obtain an extension of the deadline from the BSI if it can be proven that no test date could be offered by the deadline. In this case, we are also happy to provide support in communicating with the BSI. It is important to note, however, that this exception does not change the obligation to implement an attack detection system.
How can you support companies beyond that in the context of implementing attack detection systems?
In cooperation with our joint venture, Certified Security Operations Center GmbH (CSOC), we also offer the implementation of attack detection systems at short notice to companies that, for a variety of reasons, have not yet established an attack detection system and still want to tackle this now. This solution is particularly suitable for small and medium-sized energy suppliers. We also conduct workshops, including an individual analysis in the company, and give advice on necessary and sensible measures based on the results of the analysis. Furthermore, we are happy to assist our clients in the selection of providers. And finally, we also carry out the verification tests within the framework of §8a for general CRITIS operators. In the case of energy providers, the certification bodies are basically responsible on the basis of the conformity assessment programme of the Federal Network Agency (BNetzA). However, due to bottlenecks shortly before the deadline, the BSI is waiving this requirement this year, and we can also provide support here.
What other requirements do auditors have to meet?
Auditors must basically be independent and neutral and have the necessary expertise. Generally speaking, anyone who is authorised to carry out the §8a test can also test the requirements for an attack detection system. As a BSI-certified IT security service provider, we at TÜV TRUST IT have already proven our competence in this area. However, it is to be expected that the BSI will tighten its requirements in the foreseeable future and introduce accreditation for auditors in this field. We will of course stay on the ball and continue to meet all the necessary requirements in the future, so as not to leave our customers out in the cold.
Thank you very much for the interview, Mr Amelung!