Critical Infrastructure and IT-SiG 2.0

Three Steps toward Attack Detection According to the BSI

With the German IT Security Act 2.0 (IT-SiG 2.0), both the German "Act on the German Federal Office for Information Security" (BSIG) and the German "Electricity and Gas Supply Act" (EnWG) have been rendered more precise in relation to critical infrastructure. It is now compulsory to put in place attack detection systems. How can the requirements of the German Federal Office for Information Security (BSI) be met?

Attack Detection According to the BSI

Paragraph 8a of the German "Act on the German Federal Office for Information Security" (BSIG) makes it obligatory for operators of critical infrastructure and companies of special public interest to use attack detection systems as of May 1, 2023. These systems are effective means of detecting cyber attacks at an early stage and thereby avoiding or at least reducing the extent of the damage. To give affected companies additional clarity and security when it comes to implementing the new legal requirements in their individual case, the German Federal Office for Information Security (BSI) published an "Orientierungshilfe zum Einsatz von Systemen zur Angriffserkennung" ("Orientation guide to using attack detection systems") at the end of September 2022. This guide is also intended to act as a reference point for auditing bodies in the future.

Functions and Task Categories of Attack Detection Systems

According to the guide, the technical functions and tasks of attack detection systems can be divided into three categories:

  1. Logging

  2. Detection

  3. Response.

Thus, the systems must use functions such as misuse detection or anomaly detection to continuously evaluate gathered information and thereby identify security-relevant events. In addition, they must implement measures to prevent or respond to disruption caused by attacks. The measures implemented can be technical or organizational.

1. Logging as Part of Attack Detection

In the common IT infrastructure, central logging services and log management solutions are widely established. They enable extensive analysis of processes and attacks. The situation is different with the Internet of Things, e.g., when it comes to networked machines and plants in industrial production. In this case, central logging is so far very rare but nevertheless essential in order to effectively detect and combat disruption and attacks. This requires the relevant log data from all components to be recorded centrally.

In addition, some components in the network cannot perform any additional logging tasks because they have limited resources beyond their normal function. In such cases, the relevant network segment must be monitored externally. The findings of this monitoring must also be logged centrally.

The quality of the detection is dependent on the attack detection system being able to scan an entire network. Relevant data includes which devices are present in the network, who communicates with whom, and which communication protocols are used and how frequently. Therefore, the BSI recommends also installing a network monitoring system, even if all devices are capable of logging their own activities autonomously. The reason for this is that a large data pool is essential in ensuring that the subsequent detection is successful.

2. Analyzing for Deviations – and Assessing Properly

The data generated through logging must be analyzed for deviations. For this, relying purely on technical and automated analysis is not recommended. Instead, it is crucial that a human regularly checks the entirety of the logs for vulnerabilities.

The BSI is aware that technical systems are very good at detecting deviations from learned patterns but very bad at predicting the effects of such deviations, and that this can cause difficulties. Especially in common plants, (desired) changes regularly overload the learning capabilities of automated methods. Therefore, detecting new and unknown disruptions and assessing whether these are malfunctions, problems or even attacks is explicitly the responsibility of specialist personnel.

3. An Effective Response Requires Clarity

It is then necessary to respond adequately to the security-related events detected. In addition to naming the people responsible for handling this, it is primarily important to define and follow standardized procedures. To respond effectively, it is essential that all those involved and affected have a clear understanding of the threat and the necessary response.

It is fundamentally important to weigh up implementing more or less drastic measures to combat the attack versus ensuring that the critical infrastructure can continue performing its actual core task. It is also necessary to define how and which appropriate information will be reported promptly to the relevant contact points.

The more quickly and more comprehensively measures are implemented, the more effective they are. Therefore, at least in less critical areas, an automatic response is not simply an additional recommendation – it must be possible. Thus, how a network will be monitored and how active and automated intervention will be enabled must also be considered from the outset.

Implementing State of the Art Attack Detection

How logging, detection and response can be supported by state-of-the-art anomaly detection can be explained using the example of the Network Detection and Response (NDR) System cognitix Threat Defender. This intelligent solution meets all fundamental legal requirements for a technical attack detection system. cognitix Threat Defender offers benefits such as excellent detection of network components and incorporates all relevant systems, components and processes, such as IT, OT, datacenters and embedded systems. Operators can continually and automatically record and evaluate relevant parameters and characteristics from ongoing operation.

If vulnerabilities are detected, a graduated range of response options are available. In addition to reporting anomalies, devices and communications can be isolated, slowed down or blocked completely, for example. To avoid unnecessary disruption in the network if the threat situation is unclear, cognitix Threat Defender can also respond adaptively in the event of an incident. In such cases, it only allows the affected device in the network to perform actions that have been learned as "normal" in the last 24 hours. Everything that deviates from this is slowed down or blocked and reported to those responsible for security. This gives them time for an adapted and effective response.

Supporting Organizational Measures

According to the BSI, however, an attack detection system is not limited to technical solutions but also includes organizational measures to ensure the cyber security of a company. As a technical component, cognitix Threat Defender has therefore also been developed with usability in mind. The modern user interface presents those responsible with the relevant information in a simple format so that they can familiarize themselves with the situation quickly.

Sources and related links: