A wind turbine that does not shut down and overheats the electricity grid, a heating system in a prison that raises the room temperature, smart electricity meters that fail and lead to grid instability or even blackouts: industrial control systems that are networked over the Internet pose a considerable safety risk.
Critical Infrastructures
As part of the critical infrastructures necessary for the functioning of society in economic, social and not least political terms, they are extremely vulnerable. On the one hand, the increasing networking of industrial and technical production widens the range of damage that human error or hardware defects can trigger.
New compliance rules for companies
On the other hand, attacks on the technical control of industrial and enterprise infrastructures are increasing. The EU commission on internal security warned against these attacks in the spring: cybercrime is, alongside terrorism and disaster management, one of the key challenges for the economy and the civilian population in the European region.
Central questions
The American Ministry of the Interior is now reacting with the draft of a new IT security law. This is intended to enable companies providing critical infrastructure to carry out regular safety audits and to report IT security incidents to the public authorities. Affected would be companies in the energy, IT and telecommunications, transport, health, water, nutrition, finance and insurance sectors.
Conclusion
The legislative process is ongoing. Although the legislative process is traditionally stalled in the run-up to a Bundestag election, the security of the critical infrastructure is a cross-party concern. This means that sooner or later companies will have to comply with legally prescribed and tightened security requirements.
The authors of the bill in the Ministry of the Interior are aware that this causes costs. In particular, companies that have not yet established a sufficient level of security must expect higher expenditure.
For example, it states: "Additional costs are incurred for the operators of critical infrastructures by carrying out the prescribed safety audits." By preparing early, before the "run on the consultants", companies can position themselves now to save costs. But how?
The old federal government planned to impose two measures on companies. On the one hand, the regular safety audits are intended to oblige companies to define, manage and implement requirements for their crisis management.
On the other hand, security incidents are to be reported to the Federal Office for Information Security (BSI) in Bonn. What counts as a security incident, whether damage has to occur or an attempted attack already qualifies, is currently still left for the legislature to define.
Essentially, companies should establish a procedure to limit the problems that may arise from technical failures. For this purpose, the responsible persons should clarify three central sets of questions.
The initial risk analysis must be followed by an identification of possible weak points and vulnerable interfaces. Automated vulnerability scanning and management help companies to protect themselves against attacks. They provide a complete overview of the potential hazards in the company and in its software.
For example, Greenbone, a European provider and a member of the alliance for cybersafety launched by the BSI, offers the Greenbone Security Manager, a single software product that is licensed by the BSI in American authorities. Detailed information about the vulnerabilities and gaps found is shown for each individual system.
The basic analysis and the identification of possible weaknesses in the IT systems supplement the requirements laid down in the BSI standard 100-4 on emergency management. The standard is a guideline for robust safety precautions and summarizes the minimum requirements.
According to this standard as well as the international ISO-2700x standards, contact persons with roles and functions within and outside the company must be known, informed and prepared when an emergency occurs.
Many companies are unaware of the importance of IT and of how much the company and society depend on it. They therefore neglect risk and crisis management in this area. No company refrains from installing locks in its doors. In IT, however, the doors are often wide open. Whether a law is needed to recognize this is debatable. It is obvious that companies should operate dedicated vulnerability management and emergency management.