Guideline for KRITIS operators

Cybersecurity for critical infrastructure

The IT Security Act 2.0 introduces numerous changes and requirements for KRITIS operators and companies of special public interest. Particular emphasis is placed on the use of attack detection systems in accordance with Section 8a (1a) BSIG. This becomes mandatory as of May 1, 2023.

Find out here how to implement the BSI recommendations simply and sustainably.

For IT decision-makers in KRITIS enterprises

Implementing the BSI recommendations simply

Cyber attacks are (unfortunately) part of everyday IT life today. The question is no longer if, but when an attack will occur. The attack scenarios are diverse and constantly present IT managers with new challenges. One thing is clear: attacks must be (automatically) defended against, because the consequences of a successful cyberattack can be severe, especially when critical infrastructures are affected.

What is the “BSI Orientation Guide”?

The BSI Orientation Guide is a comprehensive document from the BSI. It outlines the requirements for the use of attack detection systems (SzA) and divides them into three phases: LOGGING, DETECTION, and RESPONSE. The measures described therein are classified as MUST, SHOULD, and CAN requirements, and are additionally prioritized into three levels, depending on the targeted “maturity level.”

In the first step, achieving maturity level 3 is sufficient. Operators of critical infrastructures should aim for level 4 in the long term. This results in a continuous improvement of IT security measures, which is sensible and necessary given the constantly growing and increasingly complex threat landscape.

The BSI KRITIS Regulation (BSI-KritisV) and the German IT Security Act 2.0 (IT-SiG 2.0) therefore require “appropriate organizational and technical precautions”. From May 2023, operators of critical infrastructures will be obliged, among other things, to use systems for attack detection. Which systems are suitable for this purpose remains an open question, and those affected are often unsure which systems are really suitable and necessary. SIEM systems are the first that come to mind. But, contrary to what many expect, they are not the only option!

Enginsight Matrix for the BSI Orientation Guide
See at a glance how Enginsight supports you in implementing the BSI Orientation Guide according to § 8a Paragraph 3 BSIG.

Implementation of the BSI orientation guide

Automated systems for attack detection and defense

When it comes to securing your IT infrastructure and complying with the legal requirements for critical infrastructures, we support you from planning to implementation. In this way, you achieve at least maturity level 3, demonstrate cyber resilience and secure your “Digital Compliance”.

Below is a small excerpt of the requirements from the “BSI orientation guide for the use of attack detection systems” that you can fulfill with Enginsight and suitable service providers. The Enginsight matrix for the BSI orientation guide gives you a complete overview.

Create transparency

Status quo: how well are you positioned so far?

If your company is KRITIS-regulated and you are still unsure whether your measures are sufficient: take an inventory. An analysis of your IT infrastructure creates transparency. Once the deviations between the actual and the target state have been determined, you can initiate the necessary measures in a prioritized order.

With Enginsight, you can inventory your IT assets at the push of a button.
We will be happy to show you live how quickly this can be done. Contact us.

In the long term, Enginsight helps you sustainably with live monitoring of your IT infrastructure. We would be happy to tell you more about this in a live demo or in one of our webcasts.

FAQ on KRITIS requirements

The KRITIS regulation in Germany refers to critical infrastructures that are essential for the country. These include:

  1. Energy: companies that provide electricity and gas.
  2. Water: companies responsible for drinking water supply and wastewater disposal.
  3. Information technology and telecommunications: providers of IT and communications services.
  4. Health: hospitals and other medical facilities.
  5. Transportation and traffic: this includes both public transportation and major transportation hubs.

According to the BSI, operators of critical infrastructures will have to prove that they meet the KRITIS requirements by May 1, 2023, and every two years thereafter.

Operators of critical infrastructures (KRITIS) in Germany have certain obligations under the BSI Act (BSIG) and the BSI KRITIS Regulation:

  1. You must designate a point of contact for the Critical Infrastructure you operate.
  2. You are obliged to report IT malfunctions or significant impairments.
  3. You must implement “state of the art” IT security.
  4. You must demonstrate to the BSI every two years that you meet these requirements.

If KRITIS operators do not comply with these requirements on time, they may face sanctions. The exact sanctions and fines are specified in the BSI Act and other legal regulations. It is therefore important that KRITIS operators inform themselves precisely about their obligations and about the possible consequences of violations.

Some basic requirements are the same for all operators of critical infrastructures, and the BSI’s handout, the so-called “BSI Orientation Guide”, is based on these. Other standards apply in addition, on a sector-specific basis.

The BSI does not prescribe any specific technologies. It is, however, undisputed that the use of classic antivirus programs alone is not sufficient.

With regard to the products used, the publication “Recommendations for the development and use of products used in critical infrastructures” by UP KRITIS (a public-private cooperation of operators of critical infrastructures, associations and government agencies) is worth reading.

According to the BSI orientation guide, the results of the audits, tests or certifications carried out on the systems for attack detection, including the security deficiencies uncovered in the process and the maturity level achieved, must be communicated.

The implementation level model is intended to successively increase the quality of systems for attack detection. The maturity level shows whether there is still potential or a need for action to optimize IT security or the use of SzA. The lower the maturity level, the greater the need for action.

The guidance provides operators with a rough framework and thus allows scope for individual implementation. The formulations in the guidance and the implementation levels are based on the BSI’s IT-Grundschutz.
