IT-SiG 2.0 and KRITIS – two terms that have particularly concerned the IT security industry since last year and that will also be on everyone’s lips in 2022. Axel Amelung can rightly call himself an expert in this field. The graduate computer scientist and holder of two patents in the field of intelligent networks looks after the information security of many customers as Senior Account Manager at TÜV TRUST IT and has been intensively involved with the IT Security Act and its practical implementation for years. In this interview, he talks about the closely related new legal regulation BSI-KritisV and explains what will be important for potential KRITIS operators in 2022.
Mr Amelung, tell us how you came to TÜV TRUST IT.
After studying computer science, I first worked in research and then went through a number of professional stations. Among other things, I worked in product management at Telekom and was later the managing director of a small software company before I finally landed at TÜV TRUST IT eight years ago. I am very happy about the great development the company has undergone since then, especially in the area of ISMS development. And from the very beginning, the IT Security Act (IT-SiG) was one of the topics I was particularly involved with here and in connection with which I took care of customers and still do today.
What is the connection between the IT Security Act and the recent “Second Ordinance Amending the BSI Criticality Ordinance” (BSI-KritisV)?
In a nutshell, the BSI Criticality Ordinance concretises the provisions of the IT Security Act 2.0, which came into force in 2021, with regard to which companies as operators of critical infrastructures must fulfil the IT Security Act. The first drafts of the IT Security Act were already available in 2014, followed by the first implementation one year later. And now we have the IT-SiG 2.0 and the updated BSI-KritisV, which has been in force since 1 January. These are primarily intended to contribute to security of supply in Germany and to increase the security of critical infrastructures. Because one thing is clear: the threat situation is also constantly increasing in this area. To achieve this, the BSI Critical Infrastructure Ordinance regulates the area of critical infrastructures, defines critical infrastructure facilities in various sectors and sets threshold values. Important for operators of such facilities is now the mandatory annual review of whether their facilities are KRITIS-relevant.
What does that mean in detail?
The new KRITIS regulation has three main focuses for KRITIS operators. The first and perhaps most comprehensive are the new requirements. Among other things, the use of attack detection systems became mandatory, which must be implemented by 1.5.2023, two years after the new version came into force. And this must also be proven to the BSI unrequested. Another focus is on critical components, the use of which has been heavily regulated. Manufacturers of critical components must, for instance, provide a guarantee of their trustworthiness. This obliges them, for example, to proactively report vulnerabilities to customers and the BSI and to eliminate them. And the third focus is on Business Continuity Management Systems, BCMS for short. Although these are not explicitly mentioned in IT-SiG 2.0, guidance has been formulated concerning the requirements for a BCMS. And as part of the mandatory biennial audit, an assessment of the maturity level of the ISMS as well as the BCMS is also carried out.
Operators of such installations must therefore be well informed and may have to invest quite a lot of effort in order to comply with the new requirements.
That is definitely true, especially since some things have not yet been clearly defined. For example, the BSI plans to publish more information on the requirements for attack detection systems soon. An experienced partner in this area is very valuable here and can protect against expensive wrong decisions. One is in good hands, for example, with Certified Security Operations Center GmbH, which was founded as a joint venture of TÜV TRUST IT and dhpg. The colleagues there offer competent advice as well as a proven and well-functioning Security Operations Center (SOC) that meets all the requirements of IT-SiG 2.0, which also allows them to act as a partner in the long term.
How can TÜV TRUST IT support its customers here?
We have gained some new customers through the IT-SiG because we offer much more service than the pure ISMS set-up. 90 percent of our customers are active, which means that here the relationship does not end after the set-up of the ISMS, but measures such as annual audits, certifications or scope extensions follow. Our broad range of services can be individually adapted to each customer, which makes us a long-term and valued partner for our customers. Especially when it comes to the topic of KRITIS and IT-SiG, we are also happy to act as consultants. For example, many companies ask for an assessment of the new requirements and the IT Security Act in general. Based on our established contacts with the BSI, we can usually clarify these queries quickly and comprehensively, from which our customers benefit directly. The significantly lowered threshold values for energy generation plants in the new BSI-KritisV are also a major topic for potential KRITIS operators. Also new is the KRITIS sector of municipal waste management, for which no threshold values have yet been announced, but this will probably happen in the first quarter of this year. TÜV TRUST IT is always available in this regard – both for individual questions and to obtain the latest information.
Thank you very much for the interview, Mr Amelung!