OMICRON Magazine

Magazine | Issue 1 2023

In May 2021, the German Bundesrat passed the German IT Security Act 2.0 (IT-Sicherheitsgesetz 2.0, IT-SiG 2.0). Critical infrastructure operators are legally required to introduce intrusion detection systems (IDS) by May 1, 2023. For energy suppliers, this means: all plants with a generating capacity of over 104 MW, or 36 MW primary control power, as well as all black start plants are covered by this regulation.

More than a year after the law was enforced, on September 26, 2021, the German Federal Office for Information Security (BSI) published guidelines on the subject. These guidelines are general, as they cover many sectors (power, water, telecommunications, etc.) with differing requirements in some cases, and they do not prioritize any manufacturer or specific technology.

The Problem with IDSs

Section 8a(1a) of the law states: “…appropriate organizational and technical precautions must be taken, which from May 1, 2023, also includes the use of intrusion detection systems …”

The law does not define what an IDS is in this context, and the guidelines only provide general recommendations. Are existing virus scanners or log management systems sufficient? Security experts and top consultants say: “Unfortunately not.” Operators will have no choice but to establish a network-based intrusion detection system in order to minimize the risk of outages caused by cyberattacks and detect targeted attacks as quickly as possible.

Operators can choose between three different approaches:
› signature-based,
› learning-based (anomaly detection), and
› specification-based approaches, known as allow list or whitelisting approaches.

Signature-Based Approach

A signature-based approach assumes that there are currently enough signatures for all components in the OT networks of KRITIS operators. This method is error-prone, as false positives frequently occur: the system may warn of attacks that are in fact intended operations, not actual attacks.
Learning-Based Approach

This approach solves the above problem by “observing” the system requiring protection for a sufficient period (several weeks). After the learning phase, the manufacturer of this

«Operators will have no choice but to establish a network-based intrusion detection system in order to minimize the risk of outages caused by cyberattacks and detect targeted attacks as quickly as possible.»
Thomas Friedel, Sales Manager Cybersecurity, OMICRON
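To make the difference between the three approaches concrete, here is a small added example (not code from the OMICRON article or from any OMICRON product). It runs a signature-based detector and a specification-based allow-list detector over a handful of constructed OT flow records, and derives an allow list from a "learning" window the way a learning-based system would. All hosts, ports, protocol labels and payload summaries are invented for the demonstration; the point it shows is that a generic signature fires on a planned maintenance operation (a false positive), while the allow list only flags the flow that was never specified or observed.

```python
"""Toy comparison of IDS approaches over constructed OT flow records.

Added example, not part of the original article. Every address, port and
payload below is constructed; nothing here reflects a real installation.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str      # application-protocol label, as a probe would tag it
    payload: str    # human-readable summary of the decoded message


# Constructed sample traffic for one substation segment (hypothetical):
# a SCADA master polling an RTU over IEC 60870-5-104, an engineering
# workstation performing a scheduled firmware upload, and an unknown host
# writing a Modbus register.
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "10.0.2.20", 2404, "iec104", "C_SC_NA_1 single command ioa=1001"),
    Flow("10.0.1.10", "10.0.2.20", 2404, "iec104", "C_IC_NA_1 general interrogation"),
    Flow("10.0.1.50", "10.0.2.20", 20000, "vendor-mgmt", "firmware upload v2.3 (planned maintenance)"),
    Flow("10.0.9.99", "10.0.2.21", 502, "modbus", "write single register addr=40001"),
]

# Signature-based approach: pattern rules over message content. The rules are
# deliberately generic, as vendor signature packs often are, so "firmware upload"
# also matches the legitimate maintenance flow.
SIGNATURES = {
    "firmware-upload": re.compile(r"firmware upload", re.I),
    "modbus-write": re.compile(r"write single register", re.I),
}


def signature_alerts(flows):
    """Return (rule name, src, dst) for every flow whose payload matches a rule."""
    alerts = []
    for f in flows:
        for name, pattern in SIGNATURES.items():
            if pattern.search(f.payload):
                alerts.append((name, f.src, f.dst))
    return alerts


# Specification-based (allow list) approach: the permitted communication
# relations are written down at commissioning. Anything outside the list alerts.
ALLOW_LIST = {
    ("10.0.1.10", "10.0.2.20", 2404, "iec104"),
    ("10.0.1.50", "10.0.2.20", 20000, "vendor-mgmt"),
}


def flow_key(f):
    return (f.src, f.dst, f.dport, f.proto)


def allowlist_alerts(flows, allow=ALLOW_LIST):
    """Return the communication relations that are not on the allow list."""
    return [flow_key(f) for f in flows if flow_key(f) not in allow]


# Learning-based approach: observe traffic for a training window and treat the
# relations seen there as the baseline. Afterwards it behaves like an allow
# list, so the quality of the baseline depends on the window being both long
# enough and free of attack traffic.
def learn_baseline(training_flows):
    return {flow_key(f) for f in training_flows}


if __name__ == "__main__":
    print("signature alerts:", signature_alerts(SAMPLE_FLOWS))
    print("allow-list alerts:", allowlist_alerts(SAMPLE_FLOWS))
    baseline = learn_baseline(SAMPLE_FLOWS[:3])   # first three flows = learning window
    print("learned baseline alerts:", allowlist_alerts(SAMPLE_FLOWS, baseline))
```

Run stand-alone, the signature detector reports two alerts, one of which is the planned firmware upload, whereas the allow-list and the learned baseline both report only the Modbus write from the unlisted host. Note the caveat the learning variant carries: because the baseline is whatever was seen in the window, the same flow that the allow list flags would be silently accepted if it had occurred during the learning phase.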
