In 2021, not only will the IT Security Act 2.0 significantly change the requirements for critical infrastructures, but other urgent topics will also move up the priority list. According to the trend statements of TÜV TRUST IT GmbH, part of the TÜV AUSTRIA Group, these include above all the increased dependence on digital processes.
Dependence on digital processes increases exponentially
While Industry 4.0 is progressing, the current situation in the work environment increasingly demands high availability of digital products and processes as well as their information security.
Many industrially active companies are already focusing on optimising their production with the help of intelligently networked systems. In this context, digital value chains are increasingly determining economic strength and security, because they score not only with high efficiency, but also with optimised profits. Digital solutions also allow considerably increased flexibility with regard to safety-relevant issues as well as customer requirements.
Even beyond industry, the coronavirus-related change in the professional world is causing an increasing dependence on digital processes. In the home office, for example, not only are more digital end devices in use overall, but the number of IoT products is also steadily increasing.
Trust services and electronic business processes in demand more than ever before
Since spring 2020, entire processes in the business environment have been restructured and implemented fully electronically. A further intensification of this trend in 2021 is practically a foregone conclusion, with aspects such as seamless integration into existing system landscapes or full automation being given high priority.
A prominent example is the end-to-end electronic mapping of business transactions that have to be processed in a legally binding manner with the help of so-called trust services. For this purpose, the EU Commission has specified an almost complete set of services that can be mapped in business processes in part three of the EU eIDAS Regulation (Regulation (EU) No 910/2014).
Service providers for electronic identity management are waiting in the wings
Another example is electronic identities (eID), on which a steadily increasing number of electronic processes will be based in 2021. Up to now, identification processes have been implemented in a complex manner by means of person-based procedures. However, there is a clear trend towards biometric procedures based entirely on artificial intelligence (AI), which were already approved in some EU member states in 2020.
Further new services for general electronic identity management are already in the starting blocks for 2021. To further promote the EU Single Market, the upcoming amendment of the EU eIDAS Regulation is also expected to include the necessary regulations for non-governmental identity management solution providers.
IT-SiG sustainably strengthens information security
In the area of critical infrastructures, technical security is once again becoming the focus of attention. In future, the IT Security Act 2.0 will explicitly require CRITIS companies to use an attack detection system, for example in the form of a Security Operations Centre (SOC). In addition to operating an ISMS, a BCMS should also be implemented and regular penetration tests should be carried out. Manufacturers of so-called “critical components” are also held accountable: they must declare their trustworthiness and fulfil the associated obligations continuously and reliably.
Emergency plans and business continuity management systems (BCMS) are gaining importance
Due to the steady increase in cyber-attacks, a security concept that enables fast, effective and practised reaction paths is becoming increasingly important. A structured BCMS bundles all measures that are necessary in the event of an emergency and thus allows a safe and consistent response in crisis situations. The establishment and operation of a BCMS is becoming state of the art and thus indispensable, especially for CRITIS companies.
The keyword “awareness” and the human factor
Human error is often the cause of a successful cyber-attack. Attackers try to gain access to systems and data, particularly via phishing mails – and often successfully. Therefore, in addition to technical and procedural security measures, responsible handling of IT systems and company information by employees is of great significance. The corresponding “awareness” is enormously important, especially in times of decentralised forms of work, which is why many companies increasingly offer online employee training in this area. Due to the growing importance of such measures, this trend is also clearly emerging for the year 2021.
ISMS expansion keeps growing
Although many companies already use an ISMS, the adoption of these systems will continue to grow. More CRITIS companies will be explicitly required to use corresponding systems in the future within the context of the IT Security Act, and hospitals will also be confronted with corresponding requirements in 2021 due to the Patient Data Protection Act (PDSG). Apart from the much-discussed data protection aspects, the PDSG also regulates the IT security of all hospitals according to the current state of the art.
Beyond these regulations, the increasing use of an ISMS also has practical reasons. In addition to the obvious risk minimisation, such a system also offers more transparency of all IT systems. In addition, a corresponding certification, e.g. in accordance with ISO 27001, optimises the external image of a company, which can thus distinguish itself from competitors and increase or maintain the trust of customers and business partners.
Integrated management systems
Management systems are versatile and, for example, indispensable for certification according to ISO 27001. But they also offer valuable support for the management of data protection requirements, as the large number of documents for data protection management is already confronting companies with steadily growing challenges – a trend that will continue to rise in the new year. To optimise effectiveness in 2021, it is therefore increasingly advisable to bundle various contents, such as data protection and ISO 27001 requirements, in an integrated management system.
Establishing a Zero Trust environment
Employees today typically use 2 to 3 endpoint devices to access the company’s infrastructure. As the number of devices increases, maintaining endpoint security becomes more complex and sometimes impossible. A possible solution is offered by the Zero Trust Network approach, which will gain in significance this year. In this approach, every access to the infrastructure, whether internal or external, is always treated as a potential attack, so authorisation is only granted after the employee has successfully authenticated.
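As an added illustration of the deny-by-default principle described above (example code, not from TÜV TRUST IT), the following policy check treats internal and external requests identically and grants access only to an employee who has completed authentication with a second factor, from a device registered to that employee, for a resource they are entitled to. The device inventory, the entitlements and the MFA flag are constructed assumptions.

```python
"""Deny-by-default access decision in the Zero Trust style.

Constructed example. Assumptions: an identity provider has already verified
the user's credentials and reports whether a second factor was completed,
and a device inventory lists the endpoints registered to each employee.
Network location is recorded but deliberately carries no weight: a request
from the internal LAN is evaluated exactly like one from the internet.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: Optional[str]   # None = no authenticated identity presented
    mfa_verified: bool    # second factor completed for this session
    device_id: str        # endpoint the request originates from
    network: str          # "internal" or "external"; informational only
    resource: str         # application or data set being accessed


# Constructed sample inventory: employee -> registered endpoint devices.
REGISTERED_DEVICES = {
    "alice": {"laptop-a1", "phone-a2", "tablet-a3"},
    "bob": {"laptop-b1"},
}

# Constructed sample entitlements: resource -> employees allowed to use it.
ENTITLEMENTS = {
    "hr-portal": {"alice"},
    "wiki": {"alice", "bob"},
}


def decide(req: AccessRequest) -> Tuple[bool, str]:
    """Return (allowed, reason). Every path that does not explicitly pass
    all checks ends in a denial; req.network is never consulted."""
    if req.user is None:
        return False, "no authenticated identity"
    if not req.mfa_verified:
        return False, "authentication incomplete: second factor missing"
    if req.device_id not in REGISTERED_DEVICES.get(req.user, set()):
        return False, f"device {req.device_id} not registered to {req.user}"
    if req.user not in ENTITLEMENTS.get(req.resource, set()):
        return False, f"{req.user} has no entitlement for {req.resource}"
    return True, "authenticated user on registered device with entitlement"
```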
Implementation of Red Teaming Assessments
Due to the rapid growth of heterogeneous IT infrastructures (group structures, connections to subsidiaries and partners, etc.), more and more branches of companies have been formed in recent years that have not yet been able to reach the level of protection of the core IT. Comprehensive tests are required to check the security of such complex structures. Red Teaming Assessments will increasingly come to the fore here in the coming year, as they can reliably identify attack possibilities and determine vulnerabilities using forward-looking methods from the fields of penetration testing and social engineering.