The IT Security Act and attack detection
The German IT Security Act 2.0 (abbreviated as IT-SiG 2.0), which was passed in May of this year, obliges CRITIS operators, among others, to use so-called systems for attack detection. Under the Act, these are processes for detecting attacks on information technology systems that are supported by technical tools and organisational integration. The use of such systems will be mandatory from 1 May 2023. According to the legislator, attack detection must be carried out by comparing the data processed in an information technology system with information and technical patterns that indicate attacks.
secunet created the "secunet monitor" system to provide such an attack detection system for the field of Critical Infrastructures according to the current state of the art. CRITIS operators from different sectors have already been using this system for several years. The system places sensors in networks, e.g. in the network at the control centre level, and evaluates the network communication by means of various detection functions (assets, intra-network communication, vulnerabilities, anomalies and indications of hidden attacks). secunet monitor primarily protects mixed IT/OT operations: its sensors cover not only the internal IT and OT areas but also the IT-OT junction, because at present many threats to the OT network emanate from the connected IT area.
IDS/IPS, SIEM and virus scanner solutions are already in use at many companies and, unfortunately, they are often not clearly differentiated from each other in the ongoing discussion. The purposes and technical possibilities of such systems are fundamentally different. A classic IDS/IPS is usually based on predefined signatures and is used to detect known, specific attacks. However, since these systems retain no history of the monitored traffic, they cannot evaluate temporal anomalies or detect unknown attacks. To detect such threats, the normal behaviour of the network must first be learned using machine learning (so-called "baselining"); live traffic is then compared against these models to find deviations. Since each network consists of different systems, such anomaly detection must take place separately for each sensor location.
Virus scanner solutions also mainly process signatures of known malware. Precisely because they typically have to run on the respective host systems, they cannot be used on many ICS systems in Critical Infrastructures, be it due to a lack of compatibility with the operating system used or because installing additional software modifies the system and voids the ICS manufacturer's warranty.
A SIEM starts one level higher and fulfils other tasks: the collection of data from a wide range of third-party network or host sensors and its evaluation, whereby concrete incidents must be defined in advance using complex rules. The resulting gap, the need for suitable sensors, can be closed by using a modern attack detection system like secunet monitor and connecting it to the SIEM system, if there is one.
The IT Security Act 2.0 recommends three measures for attack detection: checking against static patterns; generic patterns and artificial intelligence methods; and detecting deviations from trouble-free operation. secunet monitor addresses all three points with separate, independent detection modules: IOCs (Indicators of Compromise, i.e. "known signatures"), advanced attack detection with pattern recognition that does not rely on IOCs, and anomaly detection with prior baseline creation. This fully meets the requirements of the IT Security Act 2.0.
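To make the three detection layers above (and the baselining described earlier) concrete, here is a small example written for this page; it is not secunet monitor's code. It runs constructed flow records through a static IOC match, an IOC-free generic pattern check (one source touching many ports) and a baseline comparison that flags unknown communication relations and outlying volumes. The flow records, the indicator address (taken from a documentation IP range), the Modbus port and all thresholds are invented for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (not real traffic): (src, dst, dst_port, bytes)
BASELINE = [("10.0.1.10", "10.0.2.5", 502, n) for n in (120, 118, 122, 121, 119, 120)] \
         + [("10.0.1.11", "10.0.2.5", 502, n) for n in (300, 305, 298, 302, 301, 299)]
LIVE = [
    ("10.0.1.10", "10.0.2.5", 502, 121),     # ordinary Modbus/TCP poll, within baseline
    ("10.0.1.10", "10.0.2.5", 502, 4200),    # known relation, but far outside its usual volume
    ("10.0.1.12", "203.0.113.7", 443, 900),  # destination is on the constructed IOC list
    *[("10.0.1.13", "10.0.2.5", p, 60) for p in range(1, 13)],  # one source, many ports
]
IOC_IPS = {"203.0.113.7"}  # placeholder indicator (documentation range), not a real IOC

def ioc_matches(flows):
    """Measure 1, static patterns: plain match of the destination against known indicators."""
    return [f for f in flows if f[1] in IOC_IPS]

def generic_patterns(flows, min_ports=10):
    """Measure 2, generic pattern with no IOC: one source touching many ports on one host."""
    ports = defaultdict(set)
    for src, dst, port, _ in flows:
        ports[(src, dst)].add(port)
    return [pair for pair, seen in ports.items() if len(seen) >= min_ports]

def build_baseline(flows):
    """Learn per-relation byte statistics from a period of trouble-free operation."""
    samples = defaultdict(list)
    for src, dst, port, nbytes in flows:
        samples[(src, dst, port)].append(nbytes)
    return {key: (mean(v), pstdev(v)) for key, v in samples.items()}

def anomalies(flows, baseline, k=3.0):
    """Measure 3, deviation from baseline: unknown (src, dst, port) relations or outlying volumes."""
    findings = []
    for src, dst, port, nbytes in flows:
        key = (src, dst, port)
        if key not in baseline:
            findings.append(("new-relation", key))
        else:
            mu, sigma = baseline[key]
            if abs(nbytes - mu) > k * max(sigma, 1.0):  # sigma floor avoids a zero-width band
                findings.append(("volume", key, nbytes))
    return findings

if __name__ == "__main__":
    model = build_baseline(BASELINE)
    print(ioc_matches(LIVE), generic_patterns(LIVE), anomalies(LIVE, model), sep="\n")
```

Note that the layers overlap by design: the IOC hit and the port sweep also surface as new relations in the baseline layer, which is what lets the anomaly module catch the same activity when no indicator or pattern exists yet.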