- Critical infrastructure companies have two years to implement a comprehensive intrusion detection system
- Entirety of complex networked infrastructure moves into focus
- IT Security Act includes companies along the supply chain
Leipzig/Berlin, Germany, April 29, 2021 - On April 23, the German Bundestag passed the revised IT Security Act (ITSA 2.0). In addition to expanded powers for the Federal Office for Information Security (BSI), cybersecurity requirements are toughened in some cases. Critical infrastructures such as energy suppliers and water utilities and, more recently, waste disposal companies and GDP-relevant corporations are required by the amendment to implement an intrusion detection system. According to the explanatory notes to the law, this system should protect the communications technology of critical infrastructure operators as comprehensively as possible, i.e., it should take into account the entire infrastructure in order to "continuously identify and prevent threats," according to § 8a (1a). This means that the operators' industrial control systems (ICS) and operational technology (OT) also need to be taken into account.
»Even though the law remains vague in its requirements in large parts, the demand for a holistically effective system for threat and intrusion detection is absolutely overdue,« confirms Rhebo CEO Klaus Mochalski. »This reflects both the increased relevance of OT cybersecurity and the trend towards convergence of enterprise IT and OT. In monitoring projects and risk analyses at energy suppliers and industrial companies, among others, we have for many years been identifying threats that traverse the interfaces of what were once separately managed networks. This not only increases the risk of cyber attacks occurring via OT. The risk of industrial processes such as energy supply and production being permanently disrupted has also increased significantly in recent years.« A statistical analysis of cyberattacks on energy utilities that became public in 2020 shows an increase of 38 percent worldwide compared to the previous year. For industrial companies, there was an increase of 111 percent (https://www.hackmageddon.com/).
Operators of critical infrastructures now have 24 months to implement the intrusion detection system. In the first drafts of the ITSA 2.0, the BSI had called for implementation within 12 months. The implementation period was only doubled in the final weeks of negotiations due to the complexity of some critical infrastructures. »With regard to the current threat situation, a shorter-term obligation would have been desirable,« Mochalski comments on the last-minute adjustment. »Particularly because approaches and technologies that make it possible to quickly secure even complex infrastructures are already available. For example, some of our customers operate a large number of substations, renewable energy plants, municipal utilities and other substations. The integration of our industrial network monitoring with anomaly detection can be implemented in a short period of time. This is also possible because we can easily integrate our solution on existing network components from e.g. Barracuda, Cisco, RAD, Siemens Ruggedcom and Welotec.«
Suppliers are held accountable
Another improvement of ITSA 2.0 is the extension of the legislation to major suppliers of critical infrastructure. This takes into account an increasingly complex cyber threat landscape where the entire supply chain must be considered.
»Even though this regulation is presumably aimed at foreign supplier companies for the 5G network, this is the right step for all critical infrastructure operators or economically relevant companies,« Mochalski emphasizes. »Not least the SolarWinds incident has made this clear.« Using the attack technique known as Supply Chain Compromise, the attackers had first compromised the IT platform service provider SolarWinds at the end of 2020 in order to gain access to their actual targets - SolarWinds customers - from there. »We have been working with various manufacturers of OT components and critical IoT assets for some time for this reason.« For example, since 2019 Rhebo has been protecting the energy storage systems of German manufacturer Sonnen GmbH, which are used in infrastructures worldwide. At the beginning of 2021, Rhebo was acquired by the leading provider of energy management solutions Landis+Gyr. With the integration of Rhebo into Landis+Gyr's Advanced Metering Infrastructure, critical infrastructures worldwide will also get a secure solution for the further digitalization and automation of their services.
In June, Rhebo launches a webinar series together with partners, customers and stakeholders from politics and consulting discussing the release and implications of the updated IT Security Act.
Rhebo develops and markets innovative industrial monitoring solutions and services for energy suppliers, industrial companies and critical infrastructures. The company enables its customers to guarantee both cybersecurity and the availability of their OT and IoT infrastructures and thus master the complex challenges of securing industrial networks and smart infrastructures. Since 2021 Rhebo has been a 100% subsidiary of Landis+Gyr AG, a leading global provider of integrated energy management solutions for the energy industry with around 5,500 employees worldwide.
Rhebo is a partner of the Alliance for Cyber Security of the Federal Office for Information Security and is actively involved in Teletrust - IT Security Association Germany and Bitkom Working Group on Security Management for the development of security standards. https://rhebo.com/
Kristin Preßler, COO Rhebo