BSI lays the foundation for audits under the IT Security Act


In future, operators of critical infrastructure will be audited regularly and must thereby demonstrate that they have taken security measures in line with the state of the art. The first training for auditors clarifies what this means in practice.

Implementation of the IT Security Act (IT-SiG) is getting under way: operators of critical infrastructure (Kritis) in the energy, IT and telecommunications, food and water sectors must submit their first audit evidence to the Federal Office for Information Security (BSI) by 3 May 2018. In a "multipliers workshop" in mid-February, the BSI laid down the training content and concepts according to which auditors are to be trained. This in turn defines what will ultimately be audited and, above all, how.

The legal basis for the audits is the IT-SiG, which entered into force on 25 July 2015; specifically, section 8a regulates the requirements for "security in the information technology of critical infrastructures". In the BSI workshop "Additional audit competence for Section 8a BSIG", it was worked out together with the trainers what auditors are able to check and what they should pay attention to.

Moving away from purely economic considerations

As a rule, the measures examined are not new and are certainly also part of conventional audits. However, the bar is set much higher in the Kritis audits, since they specifically ask how availability is to be ensured in emergency situations. Economic considerations, for example, count only to a very limited extent as an excuse for not implementing a measure that is actually required.

For example, a Kritis auditor may well object to the use of complex PLC control systems that have run flawlessly for years and have so far been a de facto industry standard, if they now have serious vulnerabilities through which a significant supply shortage could be brought about. Such a risk cannot then simply be accepted or offset by buying insurance.

Nevertheless, such a finding does not lead to the plant being shut down, which would not improve the supply situation either. Rather, the subsequent dialogue with the BSI and the other supervisory authorities discusses what is to be done about the measures not yet implemented, and the operator's implementation plans are reviewed. At present, therefore, the aim is more to seek dialogue with industry than to rely on formal requirements and penalties, although these are already provided for in the law.

Who is to be audited?

Critical infrastructures within the meaning of § 2 (10) BSIG are facilities, installations or parts thereof that:

  1. belong to the energy, information technology and telecommunications, transport, health, water, food, and finance and insurance sectors, and
  2. are of high importance for the functioning of the community, because their failure or impairment would result in significant supply shortages or threats to public safety.

The current audit requirement affects the first "basket", published on 3 May 2016, consisting of the energy, IT and telecommunications, food and water sectors. Whether all of their operators will actually submit audit reports to the BSI by the deadline of 3 May 2018 may be doubted, as some have only just begun implementing measures in line with the required "state of the art". (Ju)