Security-relevant laws and industrial standards 

It is important to understand that IT security is not just another "product feature" that a vendor can implement more or less thoroughly at its own discretion. Instead, the integration of security features into automation equipment, systems and components is now required by national and international laws.

This topic therefore gives a simplified overview of the most essential security-related laws, standards and regulations. In general, a distinction must be made between legal requirements on the one hand and recommendations and standards on the other; the latter define the concrete steps for implementing security-related measures and procedures.

Security laws - what must be done...

IT Security Act (V2.0 valid from May 28, 2021)

Released by the German Parliament, which has the central role in the protection of critical infrastructures in Germany.

According to the IT Security Act, plant owners of critical infrastructures must establish and certify an ISMS (Information Security Management System) and fulfill a set of minimum technical requirements in order to protect and maintain the provision of their essential services. The act states that information technology (IT) forms the basis of all security measures in a company.

Note: Cyber security for IT and for OT (Operational Technology, also known as ICS, Industrial Control Systems) requires different measures and procedures. Refer to the topic IT and OT/ICS: A Comparison.

"Critical infrastructures" are facilities, installations, or parts thereof belonging to the sectors of energy, information technology and telecommunications, transport and traffic, health, water, nutrition, as well as finance and insurance. They are of great importance for the functioning of the community because their failure or impairment would result in considerable supply bottlenecks or threats to public safety. Since version 2, the municipal waste management sector is also considered critical infrastructure. In addition, "companies in the special public interest" fall within the scope of the Act. These include, for example, defense manufacturers and manufacturers of IT components for use in critical infrastructures or for processing classified government information. This is intended to secure the entire supply chain.

Also affected since version 2 are companies that are of significant economic importance to the Federal Republic of Germany. The same applies to their suppliers where these are relevant due to their unique selling propositions.

The sectors mentioned must therefore meet industry-specific minimum standards, including in particular the introduction of an ISMS. Moreover, they must report relevant IT security incidents to the BSI (Federal Office for Information Security). The BSI recommends suitable procedures for identifying and implementing security measures for a company's own information technology (IT). The aim of this basic protection is to achieve a medium, appropriate and sufficient level of protection for IT systems. To achieve this goal, the "IT-Grundschutz" catalogues recommend technical security measures as well as infrastructural, organizational and staff-oriented protection measures.

NIS Directive

Put in place by the EU (with the participation of the European Union Agency for Network and Information Security, ENISA).

The NIS Directive is the first piece of EU-wide cyber-security legislation and must be transposed into national law by all member states.

Its goal is to enhance cyber security across the European Union by improving cyber-security capabilities at national level while at the same time strengthening cross-border cooperation within the EU.

The NIS Directive...

  • extends the responsibilities of critical infrastructure operators (which include online service providers/marketplaces, domain registration authorities, search engines, and cloud providers) to include defined security and reporting obligations.
  • requires the member states to establish a strategy for addressing cybercrime threats.

Amongst other things, it defines and contains:

  • guidelines for incident notification and reporting obligations
  • identification criteria
  • security requirements

European Cybersecurity Act (3/2019)

Released by the EU (with the participation of the European Union Agency for Network and Information Security, ENISA).

This act is a comprehensive set of regulations, technical requirements, standards and procedures for the certification or conformity assessment of products. The act serves the following purposes:

  • Strengthening ENISA by granting the agency a permanent mandate, reinforcing its financial and human resources and generally enhancing its role in supporting the EU in achieving a common and high level of cyber security.
  • Establishing the first EU-wide cyber security certification framework to ensure a common cyber security certification approach in the European internal market and ultimately improve cyber security in a broad range of digital products (e.g., Internet of Things) and services.
  • In the longer term, the IEC 62443 standard is to be established as a certification framework under this act.

Basic Security Standards - How to implement secure processes

Standards describe precisely how measures and procedures can be implemented to meet legal requirements. The basic standards in the context of industrial automation systems are the ISO/IEC 2700x series and IEC 62443.

  • IEC 62443: Security for industrial automation. Aimed at plant owners and operators, system integrators and device/component manufacturers/component suppliers. This standard refers in particular to industrial network and system security (OT systems such as production and machine networks).
  • ISO/IEC 2700x: Information technology. Aimed at plant owners and plant operators. This standard refers in particular to information and management system security (IT systems such as office and factory backbone networks).

Further information: For details on IT and ICS (OT), please refer to the topic IT and OT/ICS: A Comparison.

Sector-specific Security Standards

Based on national legislation, various specific security standards have been developed by industry associations especially for the requirements of their respective industries. The table below shows some examples. However, the international standard IEC 62443 is the only one with a cross-industry approach, addressing all participants in the value chain and also enabling certification procedures.

BDEW White Paper
  Target group: Device/component manufacturers, system integrators
  Main purpose: Security requirements for suppliers
  Geographical/industry focus: D, A, CH; energy and water sectors

WIB Security Standard
  Target group: Device/component manufacturers, system integrators
  Main purpose: Device/component manufacturer certification
  Geographical/industry focus: Oil and gas sector

ISO/IEC 27019
  Target group: Asset owners, plant operators
  Main purpose: IT security for control systems
  Geographical/industry focus: Energy sector

NIST 800-82
  Target group: Asset owners, plant operators
  Main purpose: Technical security recommendations
  Geographical/industry focus: USA

NERC CIP
  Target group: Asset owners, plant operators
  Main purpose: Increasing the reliability of the energy supply infrastructure
  Geographical/industry focus: USA, Canada

IEC 62443
  Target group: Device/component manufacturers, system integrators, plant operators
  Main purpose: Requirements for secure products, secure solutions, and secure operation
  Geographical/industry focus: General industry sector

Further information

For further information, refer to these sources (some in German):

  • IT-Grundschutz Compendium of the BSI
  • BSI recommendations for ICS Operators
  • Best practices of the US CISA (Cybersecurity & Infrastructure Security Agency)

Published/reviewed: 2023-11-02, Revision 011