In 2020, the IT Security Act 2.0 will significantly change the requirements for critical infrastructures, and other urgent issues will also come to the fore. According to the trend statements by Detlev Henze, Managing Director of TÜV TRUST IT, these include the zero trust approach and agile ISMS. In addition, the need for the IEC 62443 standard in OT will increase, and usable security will also come into focus.
1) The question of trust will arise: "Zero Trust" is an increasingly relevant approach that has so far hardly been used in corporate practice. It means trusting no one by default, including one's own devices and networks. The consequence is that monitoring and checking one's own assets must also become a focus. Effective perimeter protection and network segmentation remain necessary, but authentication, authorization and auditing must no longer be carried out only centrally; they must be checked and practiced throughout the IT network.
2) Agile Information Security Management Systems (ISMS) emerge: Companies are increasingly turning into agile organizations in order to become more flexible and faster. This started in software development and is also reflected in DevOps methods, but it creates a need for action from an information security perspective as well. It is not enough to integrate security aspects into agile software development; an ISMS is needed that fits into agile organizational environments. Equally, the ISMS itself must meet agile requirements, and IT operations must be supported with SecDevOps in an agile manner. With this objective, the questions of which methods are to be used and which existing standards must be adopted or changed have to be answered. This goes hand in hand with training needs for employees.
3) eIDAS and PSD2 remain on course for growth: eIDAS has regulated electronic identification and trust services within the European Economic Area since 2016. For the first time, this makes the cross-border signing and transmission of, for example, contract documents possible in a continuous online process without media discontinuity and in a legally secure manner. This has already led to a significant increase in qualified trust services in Europe, especially since service providers also benefit from it. As a result of digitization, their use will continue to grow very dynamically, not least because the European Banking Authority (EBA), for example, makes the use of qualified trust services according to eIDAS mandatory for implementing the new Payment Services Directive 2 (PSD2) to secure payment transaction data.
4) The IT Security Act 2.0 comes with significant changes: The first IT Security Act revealed a considerable need for improvement. Legislators are now pursuing significant changes with the IT-SiG 2.0, which so far exists only as a draft bill. These include, for example, the expansion of the powers of the BSI and higher requirements for the protection of critical infrastructures, such as the obligation to set up systems for attack detection (SIEM), and a future focus on a holistic view. The introduction of an IT security label and the authority's new role in consumer protection are also new. At the same time, the penalty payments will increase drastically from the previous EUR 100,000 to up to EUR 20 million or four percent of global annual turnover.
5) AI is becoming more involved in security strategies: Preventive measures for cyber protection make the use of artificial intelligence imperative. AI solutions have to take on the task of identifying threats and classifying forms of attack, for example by learning to recognize malware and cyber attacks. This enables more targeted defensive and preventive measures. It is also important to have AI algorithms automatically perform tasks that were previously carried out manually.
6) The need for the IEC 62443 standard in OT is increasing significantly: IT and OT are still organized in entrenched silos. The degree of networking of industrial plants continues to increase very quickly, and with it the risks to OT-related information security. The IEC 62443 standard will therefore receive a great deal of attention in 2020. In this context, it is important that the gaps between IT and OT do not become deeper. Developing a mutual understanding of the situation, the possible threats and the effective measures in each context will be an additional task in 2020.
7) Growing demands for Security by Design: It is important to take security aspects into account from the early planning stage of software solutions and apps. This requires a change in mentality in software development: defined protection goals must be incorporated and development must be oriented towards application-specific threat models. Specific security requirements must be raised explicitly in the requirements process. The test methods will also change, as will the selection of test tools based on security aspects.
8) Usable security is also coming into focus: Uncertainty in handling IT and telecommunication devices and processes, caused by inadequate usability, often creates security problems. In the area of smartphones there are already sensible approaches to usable security, but significant deficits remain in other areas. This topic will therefore become significantly more important in 2020. In combination, the basic features of ISO 27001 and ISO 9241 can provide a sensible basis.