
Navigating KRITIS Compliance - How SecurityBridge and Turnkey Consulting Can Help You Prepare

If your business operates critical infrastructure in Germany, you may be aware of the new regulations put forth by the German Federal Office for Information Security (BSI) known as KRITIS. These regulations require companies to implement comprehensive security measures to protect against cyber threats and ensure the stability of critical infrastructure.

KRITIS Scope: Is your business a provider of critical infrastructure?

KRITIS impacts various business sectors, including energy, healthcare, telecommunications, and transportation. Effective May 2023, companies that fall within the scope of the regulation must comply with strict security requirements. Non-compliance can result in significant penalties, making it crucial for businesses to take action now.  

However, simply complying with the regulation is not enough. The ultimate goal should be to become resilient against cyber threats, and that’s where SecurityBridge and Turnkey Consulting can help. 

May 2023 is coming: Are you prepared?

In early 2022, we already published an article providing high-level advice on how to prepare for the implementation of the new KRITIS regulations. We highlighted the importance of a self-assessment to determine whether your business falls under the scope of KRITIS, and how to identify which IT systems support critical infrastructure or can significantly impact its operation.

As part of the regulation, it is mandatory to implement an automated system that detects cyberattacks. For all applications in scope, and per the § 8 a Absatz 1a BSIG regulation, this system must be in place by May 1, 2023. An audit must verify its effectiveness every two years.

KRITIS Compliance: How does it work?

Businesses must provide proof of compliance with KRITIS to the German Federal Office for Information Security (BSI). A company typically starts with a gap analysis to identify the areas needing change. For KRITIS, this includes the scope definition, which builds an understanding of the critical good or service and its supporting environment, including IT infrastructure and applications.

Once you’ve defined the scope, the BSI provides clear guidance on which measures you should implement. Even so, the regulation text can be misinterpreted, particularly in the context of specific applications such as SAP S/4HANA. To reduce the risk of misinterpretation, specialized consulting firms can provide clear guidance.

Once you have implemented the required measures, KRITIS will conduct an audit of the evidence of compliance with the regulation’s requirements. The audit will include a review of policies and procedures as well as technical controls, such as the effectiveness of the system that detects cyberattacks.

In our upcoming webinar on April 27th at 15:00 CEST, SecurityBridge and Turnkey Consulting will elaborate on this topic in the context of SAP application systems. We will provide valuable insights into KRITIS compliance, explain how to prepare for it, and discuss best practices for achieving resilience against cyber threats.

Join us for this must-attend webinar to learn how to confidently navigate KRITIS compliance. Register today and take the first step towards protecting your business and ensuring compliance with the new KRITIS regulations.

Posted by Christoph Nagy
