Current state of evidence for attack detection systems

Security for Critical Infrastructures (KRITIS)

By Sascha Jaeger


With the introduction of IT-SiG 2.0, the detection and handling of cyber attacks in the control and telecontrol technology of energy and water suppliers is becoming more and more important. The understanding of tools, processes and operational performance is a decisive factor.

The mandatory introduction of a system for detecting cyber attacks in utility companies through IT-SiG 2.0 enormously strengthens the resilience of our economy.


It is easy for large utility companies to operate adequate monitoring tools in their own security operations center. The situation is different for medium-sized companies, which often have neither the financial means nor the necessary specialist staff. Establishing an appropriate security system quickly presents such operators with a major challenge. Unfortunately, resourceful software manufacturers are only too happy to take advantage of this fact.

May 1st, 2023 is the legal deadline for many operators to introduce and verify a system for detecting attacks. Dealing with complex new topics and a seemingly impenetrable information overload from different providers is already a big challenge. There is enormous time pressure for this.

The legal requirements and possible verification are discussed in detail in the following article. In addition, it is intended to provide an overview of the various service offerings and help to differentiate between them.

The orientation aid of the BSI – more than just an orientation aid?

With the publication of the legal requirement on April 1st, 2021, the BSI also announced an orientation aid (OH, Orientierungshilfe) for operators of critical infrastructures. This guidance on the use of systems for attack detection was, however, not finally published by the BSI until September 29th, 2022.

The BSI outlines the components of a system for attack detection (SzA) and classifies its elements and expansion stages in the OH according to MUST, SHOULD and CAN criteria. The degree of implementation is assessed by examining and applying these criteria. At the end of the OH, the implementation that is considered appropriate under the legal requirements is specified on the basis of this degree of implementation. The document thus formulates a clear specification for a legally compliant implementation and no longer reads as the recommendation it was originally intended to be. There is currently an intensive dialogue between the BSI, industry associations and certifiers on how binding this implementation requirement actually is. If an operator wants to implement an SzA that deviates from the OH, a comprehensible and well-documented justification must be submitted. This justification is assessed and approved by the certifier's auditor as part of the verification. In such a case, conclusive evidence must be provided as to why certain measures are not required in particular places. The key points are the appropriateness anchored in the law and well-managed risk management.


Aside from the open question of whether the degree of implementation applies universally, the OH is an easily understandable best-practice document. It shows the ideal approach to cyber attack detection in utility companies.

Particular attention is paid to the following points in the OH:

  • Complete planning. Even if systems or data are not taken into account when detecting an attack, or not initially, this must be documented and justified
  • Collection and analysis of system log data and network log data
  • Active collection and systematic evaluation of attack information for automatic attack detection and vulnerability management
  • Sufficiently competent personnel for the analysis of the attack reports
  • Comprehensive emergency management process (response)

Verification procedure

Authorized examiners

According to part PS.A of verification document P (for the BSIG), the certifiers that are already commonly used, and their auditors, are authorized to carry out the examinations. This follows from the fact that the SzA requirement was inserted into §8a BSIG and is therefore part of the §8a verification.

For the testing of energy systems and energy supply networks under the EnWG, accreditation according to EnWG §11 paragraph 1a/1b (IT security catalog of the Federal Network Agency) is required. However, in a report published on February 12, 2023, the BSI refrained from restricting the first verification to accredited testing bodies. This is intended to ensure that the audits can be completed in time.

Examination procedure

In verification document P* (for the EnWG) the evidence is presented according to the degree-of-implementation procedure of the OH. The auditors' approach to determining the degree of implementation may vary: it ranges from an interview to a self-assessment by questionnaire followed by spot checks. Talking to the auditors in advance about their examination procedure can be very helpful.

Deviations are identified and documented in part PD.E of verification document P*. A distinction is made between minor deviations on the one hand and serious or significant deviations or security deficiencies on the other. How a deviation will be classified can also be better assessed in a preliminary discussion with the auditors. If, for example, delivery problems arise for necessary hardware components, the resulting delays can hinder the examination. Such conflicts can be avoided by involving the auditor early. In such a case, applying to the BSI for a deferment may be the better choice.

Submission of the test documents and the deviation documentation

The verification document KI / KI* and the verification document P / P* are submitted to the BSI.


The IT-SiG 2.0 is very much to be welcomed, because its legally binding requirements make a major contribution to the security of control and telecontrol technology nationwide. The mandatory introduction of a system for detecting cyber attacks in utility companies enormously strengthens the resilience of our economy. It offers protection against the ever-increasing threat from criminals and state actors. The integration of such a system should therefore become a priority for every operator of critical infrastructure.


The open formulation of the legal requirements allows an implementation that is appropriate for each of the very different utility companies. However, at the time of publication there were no concrete implementation proposals. This gap was closed by the OH 17 months after the publication of the law, leaving only 7 months to establish a comprehensive, adapted and functioning concept for protecting control and telecontrol technology against attacks. Such time pressure, coupled with the legally unclear binding nature of the OH's degree of implementation, is unhelpful, since this task is new territory for many operators.

Some product vendors see their chance in this stressful situation. Operators who are now searching are offered software and hardware that apparently cover all the necessary areas quickly and easily. These systems claim to have no operational overhead, never fail, and their security alerts are supposedly always understandable and unambiguous. The need for individual adaptation to the operator's own control system is completely left out. They sell legal compliance out of the box, a simple solution to a complex problem. Unfortunately, the time pressure mentioned above quickly leads operators of critical infrastructure to resort to such offers.

The more reliable and sustainable approach is to proceed in a planned manner despite the lack of personnel and time. Even if deviations are initially accepted, there is then a well-founded implementation plan that can be submitted to the BSI. It can be assumed that such an approach will be tolerated by the BSI.

In principle, one can assume that the BSI will be confronted with more than 1000 submissions by May 1st, 2023. The authority's response to the evidence will therefore most likely only be possible in the medium term. However, operators who neither submit evidence nor implement anything may be dealt with first.

About the author: Sascha Jäger is managing director and shareholder at ausecus GmbH. From 1996 to 2013 he held various positions at the IT security specialist Integralis/NTT in Germany, Austria, Switzerland and France, most recently as Managing Director. He was then responsible for setting up the Cybersecurity department (Security Operations Center) in Central Europe at Fujitsu and managed it until he started at ausecus in January 2021.