
How to master KRITIS/IT-Sig 2.0 for SAP

“KRITIS” is a well-known abbreviation for “KRITische InfraStrukturen” (critical infrastructure) and is closely associated with the Federal Republic of Germany. The Federal Republic is attempting to make its critical infrastructure resilient to cyber-attacks by proactively identifying vulnerabilities and implementing measures to protect attractive targets.

Critical infrastructure includes sectors and companies whose impairment or failure could cause significant economic damage. Outside Europe, the protection of critical infrastructure is, of course, also a pressing issue.

Companies that fall into this classification must comply with the resulting obligations or face substantial penalties.

History of KRITIS

Before we look at KRITIS for SAP, a brief history lesson. Back in 2006, the European Union launched an initiative for critical infrastructure protection, named the European Programme for Critical Infrastructure Protection (EPCIP). This program has been continuously developed through several national and European initiatives. At the national level in Germany, the BSIG, the Act on the Federal Office for Information Security, has laid the foundation for the regulation of critical infrastructure. Most recently, these efforts culminated in the IT Security Act 2.0 (IT-Sig 2.0).

Who counts as a KRITIS operator?

Generally speaking, companies that provide critical infrastructure for the national community are considered KRITIS operators. If a KRITIS company fails, lasting supply shortages can occur and public safety becomes difficult to guarantee.

Until recently, nine sectors in Germany were counted as KRITIS. These include, for example, energy, water and food supply, telecommunications, healthcare, and finance. The BSI-KritisV (BSI Criticality Ordinance) specifies the threshold, for example in terms of installed capacity in megawatts, above which a company falls under the requirements. Version 2.0 of the IT Security Act adds waste management as a sector. In addition, it introduces a new category covering companies that are subject to a special public interest.

What is necessary for SAP KRITIS?

  • Incident response plans: What should be done in an emergency, by whom, and in what order?
  • Update of the SAP infrastructure: Hardening of SAP components, implementing patches, and establishing a timely patch management process
  • Intrusion detection system for SAP and SIEM integration for SAP: An early warning system for threat detection on the SAP infrastructure (IDS), plus central collection and aggregation of the relevant logs in a SIEM for anomaly detection and automatic alerting
  • Disaster recovery scenarios: This is certainly nothing new but still red-hot: How can the operability of an SAP service be restored in the event of an attack or disruption?
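The IDS/SIEM item above is the least concrete of the four, so here is an added example of the detection logic such an integration actually runs. It is written for this edit and is not code from the original article or from SecurityBridge. It parses a handful of constructed SAP Security Audit Log events, in a simplified pipe-delimited layout rather than the real SM20/RSAU export format, and raises the two alerts a SIEM should forward: a password spray (one terminal failing logons against many different users) and a password-lock attack (one terminal driving several users into a lockout). The message IDs AU2 (logon failed) and AUM (user locked after failed password checks) are the real Security Audit Log event classes; the thresholds, the field layout, and the terminal addresses are assumptions.

```python
"""Added example: SIEM-style detection over SAP Security Audit Log events.

Not code from the original article. The event layout below is a simplified,
constructed format (timestamp|client|user|terminal|message_id); the real
SM20 / RSAU export has more fields, so adapt parse() to your log source.
"""
import json
from collections import defaultdict
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta

# Security Audit Log message IDs (real SAP event classes):
# AU1 = logon successful, AU2 = logon failed, AUM = user locked after
# too many failed password checks. Only AU2 and AUM drive the rules.
LOGON_FAILED = "AU2"
USER_LOCKED = "AUM"

# Assumed thresholds; tune them to the size of your user base.
SPRAY_MIN_USERS = 5          # distinct users with failed logons from one terminal
LOCK_MIN_USERS = 2           # distinct users locked from one terminal
WINDOW = timedelta(minutes=5)

# Constructed sample log: a spray from 10.0.0.99 (one try per standard
# account), a lock attack from 10.0.0.7 (BOB and DAVE locked), and noise.
SAMPLE_LOG = """\
2023-03-01 08:00:01|100|ALICE|10.0.0.5|AU1
2023-03-01 08:00:03|100|ADMIN|10.0.0.99|AU2
2023-03-01 08:00:04|100|SAP*|10.0.0.99|AU2
2023-03-01 08:00:05|100|DDIC|10.0.0.99|AU2
2023-03-01 08:00:06|100|EARLYWATCH|10.0.0.99|AU2
2023-03-01 08:00:07|100|TMSADM|10.0.0.99|AU2
2023-03-01 08:00:08|100|SAPCPIC|10.0.0.99|AU2
2023-03-01 08:01:00|100|BOB|10.0.0.7|AU2
2023-03-01 08:01:02|100|BOB|10.0.0.7|AU2
2023-03-01 08:01:04|100|BOB|10.0.0.7|AU2
2023-03-01 08:01:05|100|BOB|10.0.0.7|AUM
2023-03-01 08:01:10|100|DAVE|10.0.0.7|AU2
2023-03-01 08:01:12|100|DAVE|10.0.0.7|AU2
2023-03-01 08:01:14|100|DAVE|10.0.0.7|AU2
2023-03-01 08:01:15|100|DAVE|10.0.0.7|AUM
2023-03-01 09:30:00|100|CAROL|10.0.0.8|AU2
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    client: str
    user: str
    terminal: str
    msg_id: str


@dataclass(frozen=True)
class Alert:
    rule: str
    terminal: str
    first_seen: str
    users: tuple


def parse(log_text):
    """Parse the simplified layout into Events sorted by timestamp."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, client, user, terminal, msg_id = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), client, user, terminal, msg_id))
    return sorted(events, key=lambda e: e.ts)


def detect(log_text, window=WINDOW):
    """Slide a time window over each terminal's failed/locked events and
    return one Alert per (rule, terminal), from the first window that trips."""
    by_terminal = defaultdict(list)
    for ev in parse(log_text):
        if ev.msg_id in (LOGON_FAILED, USER_LOCKED):
            by_terminal[ev.terminal].append(ev)

    alerts = {}
    for terminal, evs in by_terminal.items():
        for i, start in enumerate(evs):
            failed, locked = set(), set()
            for ev in evs[i:]:
                if ev.ts - start.ts > window:
                    break
                (failed if ev.msg_id == LOGON_FAILED else locked).add(ev.user)
            # Spray: few attempts per account, many accounts, one source.
            if len(failed) >= SPRAY_MIN_USERS:
                alerts.setdefault(("password_spray", terminal), Alert(
                    "password_spray", terminal, start.ts.isoformat(), tuple(sorted(failed))))
            # Lock attack: failures repeated until the lock threshold trips,
            # across several accounts, i.e. a denial of service on logons.
            if len(locked) >= LOCK_MIN_USERS:
                alerts.setdefault(("password_lock", terminal), Alert(
                    "password_lock", terminal, start.ts.isoformat(), tuple(sorted(locked))))
    return list(alerts.values())


def to_siem_json(alerts):
    """One JSON line per alert, the shape a SIEM forwarder would ship."""
    return [json.dumps(asdict(a)) for a in alerts]


if __name__ == "__main__":
    for line in to_siem_json(detect(SAMPLE_LOG)):
        print(line)
```

Two design points carry over to a real deployment: the rules key on the terminal rather than the user, because a spray touches each account only once and a per-user threshold never fires; and the window is a parameter, because the same events produce no alert at all with a one-second window, so the window must be set from how the SAP logon and lock policy is actually configured, not guessed.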

Our recommendation if KRITIS applies to you

Where IT-Sig 2.0 applies, compliance is mandatory, so KRITIS cannot be neglected. Get professional support. We can recommend a specialist from our partner network who has the expertise to advise you on the necessary measures for SAP environments. Define a disaster recovery plan and test the defined scenarios on a regular basis. Equally important is an incident response playbook that is used in the event of an attack. Finally, you should of course do everything possible to prevent an SAP attacker from succeeding: harden your environment according to your risk profile and continuously check that the measures are effective.

Certain risks cannot simply be eliminated, and you must accept this. In such cases, compensate with targeted monitoring using an intrusion detection system for SAP such as the SecurityBridge Platform.

Posted by

Christoph Nagy