In SAP’s patch round of February 2022, an SAP Security Note was released with a CVSS score of 10/10 named, “Request smuggling and request concatenation in SAP
Navigating KRITIS Compliance - How SecurityBridge and Turnkey Consulting Can Help You Prepare
If your business operates critical infrastructure in Germany, you may be aware of the new regulations put forth by the German Federal Office for Information Security (BSI) known as KRITIS. These regulations require companies to implement comprehensive security measures to protect against cyber threats and ensure the stability of critical infrastructure.
KRITIS Scope: Is your business provider of critical infrastructure?
KRITIS impacts various business sectors, including energy, healthcare, telecommunications, and transportation. Effective May 2023, companies that fall within the scope of the regulation must comply with strict security requirements. Non-compliance can result in significant penalties, making it crucial for businesses to take action now.
However, simply complying with the regulation is not enough. The ultimate goal should be to become resilient against cyber threats, and that’s where SecurityBridge and Turnkey Consulting can help.
May 2023 is coming: Are you prepared?
Already in early 2022, we published an article providing high-level advice on how to prepare for the implementation of the new KRITIS regulations. We highlighted the importance of self-assessment to determine whether your business falls under the scope of KRITIS, and how to identify which IT systems support critical infrastructure or can significantly impact operations.
As part of the regulation, it is mandatory to implement an automated system that detects cyberattacks. For all applications in scope, and per the § 8 a Absatz 1a BSIG regulation, this system must be in place by May 1, 2023. An audit must verify its effectiveness every two years.
KRITIS Compliance: How does it work?
Businesses must provide compliance proof to the German Federal Office for Information Security (BSI) to ensure compliance with KRITIS. A company typically starts with a gap analysis to identify the areas needing change. For KRITIS, this includes the scope definition, which furthers the understanding of the critical good or service and the supporting environment, including IT infrastructure and applications.
Once you’ve defined the scope, the BSI provides clear guidance on which measures you should implement. As always, the regulation text can be misinterpreted, particularly in the context of specific applications such as SAP S/4HANA. To reduce the risk of misinterpretation, specialized consulting firms can provide clear guidance.
KRITIS will conduct an audit on the evidence of compliance with the regulation’s requirements once you have implemented the required measures. The audit will include a review of policies and procedures and technical controls, like the system’s effectiveness to detect cyberattacks.
In our upcoming webinar on April 27th at 15 CEST, SecurityBridge and Turnkey Consulting will elaborate on this topic in the context of SAP application systems. We will provide valuable insights into KRITIS compliance, how to prepare for it, and discuss best practices for achieving resilience against cyber threats.
Join us for this must-attend webinar to learn how to confidently navigate KRITIS compliance. Register today and take the first step towards protecting your business and ensuring compliance with the new KRITIS regulations.
Find recent Security Advisories for SAP©
Leiter des Forschungslabors ist Joris Van De Vis, Director of Security Research bei SecurityBridge und Mitgründer des SAP-Sicherheits-Spezialisten Protect4S, der seit September 2013 zu SecurityBridge