Germany's approach to securing critical infrastructure - a benchmark for others?

Wolfgang Kandek notes that a key concern for countries securing critical infrastructure is ensuring legislation compliance doesn't limit flexibility, and asks if new German laws might provide a benchmark.

Germany's approach to securing critical infrastructure -  a benchmark for others?
Germany's approach to securing critical infrastructure - a benchmark for others?

Critical infrastructure is all around us – it keeps power on, water flowing and food in the shops. Protecting this infrastructure is therefore a big issue. In Germany the Government has turned to the law to ensure that this infrastructure is protected and more resilient. Legislation was put together called the IT-Sicherheitsgesetz (literally “ IT safety law”) and it applies to around 2,000 companies that are involved in delivering critical services.

As more of the IT systems that are running critical infrastructure organisations get connected to the public Internet – such as Industrial Control Systems and SCADA applications – this law requires companies and organisations to include security in their operations. However, there are some issues with the law as it stands today that are being discussed in a quite animated way at the moment.

For example, the definition of “critical infrastructure” within this law is quite woolly and includes companies that might not traditionally be included. While the “usual suspects” - power, utility and safety organisations - are covered, there are other businesses that are now included under this law that previously would not be considered. This includes companies involved in large-scale food distribution as outages for these businesses would impact a significant percentage of the civilian population.

For these organisations, business continuity and security should already receive budget and attention as part of the terms for them doing business. However, these current investments may or may not reach the level of security that the new law demands. It's here that the second potential problem comes in, as the definition of the security standard is left open and will be defined in the next 18 months when the law is due to enter into effect.

In some respects, this is a good thing. Prescribing solutions or technology choices can be limiting over time, as legislation cannot easily keep pace with new developments in the industry as a whole, let alone new malware attacks or hacking initiatives. However, at the moment there is a certain level of insecurity in the process. It is not clear how the BSI (German Federal Institute of Information Security) will set these standards. The companies affected are tasked with seeking dialogue with the BSI and working on a standard that is acceptable to the enterprise and government.

How can we encourage better critical infrastructure security?

Striking this balance between prescribing specific approaches and supporting greater investment in security around critical infrastructure is a difficult balancing act. If the government is too prescriptive, then it risks being behind the times; too loose, and companies find it challenging to define where and how to apply the rules and ensure they are compliant.

There is still work to do for this law to reconcile these objectives. For example, it is not currently clear what the results of a successful attack on a company covered by the law will entail for the regulator in terms of public disclosure. How will the information be transmitted, what is the timeline and how can it be avoided to make the information traceable back to its source?

Currently, the law as it stands will include mandatory reporting of “severe” incidents, yet what this means is still vague.  The reporting requirement calls for investment in an infrastructure that will allow for tracking and dissemination of this information, both on the federal level and the industry level.

Another problem that we have seen in the PCI space is that IT investment around meeting regulations tends to be based on meeting 'minimum standards' rather than looking at the wider business impact. To avoid this outcome, CISOs should see the legislation as an opportunity to improve IT security, rather than looking at it purely as a legal requirement that's a hindrance to be put up with.

For example, deploying cloud-based security might support more flexibility and access to data while keeping the use of that data secure wherever employees have to be. This approach can help companies get more value out of their spending, while also maintaining compliance.

For companies in Germany, this law will at least get IT security on the management agenda and support potential investment in improvements. However, just as the IT security sector continues to evolve in response to changing IT practices and new hacking attacks, so the law will have to update itself as well.

For companies and governments outside Germany, this law is an interesting benchmark. What will its effects be? Are German companies going to be bogged down with additional reporting to a point that competitiveness is affected? Are there some areas that the market can meet better than regulation, particularly when it comes to disclosure and market activities after any breach? What is the impact in relation to the coming EU regulation? One big benefit is certainly the discussion around the regulation, and how it can be used to raise standards for everyone.

The data sharing section of this law comes into force in January 2016, while the auditing side will follow on in 18 months time based on consultation with industry. What we can see is that further investment in security planning and business understanding will be required, but that German companies are making their moves to achieve compliance with the law as soon as they can possibly can. As the IT systems that make up critical infrastructure are increasingly connected, protecting these assets becomes essential. These assets never sleep, so continuous scanning and protection of these applications is also required.

Contributed by Wolfgang Kandek, chief technology officer, Qualys