1. Overview
In an increasingly digitalized world, the security of critical infrastructures (KRITIS) plays a decisive role in public safety and the maintenance of important social functions. Section 8a (3) of the German Federal Office for Information Security Act (BSIG) sets the framework for the security requirements that KRITIS companies must fulfill. As an accredited certification body, we have already carried out audits in various KRITIS areas. These audits not only satisfy the legal requirements, but also strengthen the audited organizations' resilience to threats.
2. What are critical infrastructures?
Critical infrastructures include organizations, facilities and companies that are important to the community and whose failure or impairment would lead to sustained supply bottlenecks, significant disruption to public safety or other serious consequences. These include sectors such as energy, water, health and finance. The security of these infrastructures is now more closely linked to digital security than ever before.
3. What are attack detection systems?
Attack detection systems are security solutions that continuously monitor data traffic and other appropriate characteristics and parameters in an organization. They identify suspicious or unusual activities to indicate possible threats or attacks. They also provide suitable remedial measures for any disruptions that occur.
4. Section 8a (3) BSIG at a glance
Section 8a (3) BSIG requires operators of critical infrastructures to take appropriate organizational and technical precautions to prevent disruptions. These legal requirements aim to increase the resilience of these essential services against attacks, external threats and other security risks. An important component in achieving these goals are the attack detection systems described in Section 8a (3) BSIG. The Bundesamt für Sicherheit in der Informationstechnik (BSI) plays a central role here by setting standards and requiring evidence of compliance.
5. Advantages of the audit
The testing of attack detection systems offers organizations and companies the opportunity to check their compliance with this part of Section 8a of the BSIG. This also applies to Section 11 (1e) of the EnWG, which also addresses attack detection systems. In addition, the audit enables companies to evaluate existing security measures and test them for correct functionality.
6. The audit process
Operators of critical infrastructures and other organizations in scope must implement attack detection systems in the form prescribed by the BSI. We check and verify the appropriateness of the measures taken. The systems you use and their implementation are assessed against the BSI's implementation level model and must reach at least level 3. We then prepare and complete the relevant documents for submission to the BSI.
Once the audit has been completed, operators of critical infrastructure must demonstrate continued compliance to the BSI at least every two years with a new audit.
Frequently Asked Questions
The price of an audit of your attack detection systems in the context of Section 8a BSIG or Section 11 (1e) EnWG depends heavily on the size of your organization and the measures implemented. The decisive cost factor is the number of audit days, i.e. the time spent by the auditors. Please contact us for an individual offer.
The duration of the test of the systems for attack detection is calculated individually by the certification body. Please contact us for an individual offer.
After the audit, all relevant audit documents, which are completed by us, are issued by the certification body for submission to the BSI and sent to you. The BSI Act stipulates this every two years.
State of the art refers to the current level of technological developments, but also to recognized best practices in the field of IT security. Above all, technological up-to-dateness and adaptation to the constantly changing threat situation are key factors here.
The consequences of non-compliance or major deviations can be both legal and financial, including fines, requirements or liability risks. Please contact the BSI directly for more information.
Security measures should be updated frequently enough to ensure that they are always adapted to the current state of technology and the threat situation. No exact time period can be specified.
No, no certificate is issued. After the audit, all relevant audit documents, which are completed by us, are issued by the certification body for submission to the BSI and sent to you.