Attack Detection System in accordance with the IT Security Act 2.0

You can download this article, with more information, at the end of the page.

Several thousand operators of critical infrastructures in Germany are currently planning, implementing and testing systems for attack detection in accordance with § 8a BSIG, based on the relevant BSI guidance and other BSI guidelines. We are happy to help you with

  • the technical and organizational target architecture (minimum solution based on NIDS and log collectors, expansion stages with SIEM and Managed SOC);
  • the definition of processes and guidelines;
  • the development of requirements catalogs and service descriptions;
  • structured solution and partner selection, taking into account your own capacities, tight schedules, future viability and cost/benefit ratios;
  • the evaluation of technical and commercial offers;
  • the fulfillment of test criteria in preparation for a successful audit.

Our customers for this task include a large hospital, an operator of electricity and gas networks and a municipal public transport company.

The providers we looked at as part of these projects include

  • NIDS, NDR and OT-specific anomaly detection solutions such as Ausecus, Cisco, Claroty, Darktrace, Extrahop, IRMA (Achtwerk), Nozomi, Genua, Rhebo, Secunet, Suricata or Vectra;
  • SIEM and log collector/data lake solutions such as Chronicle, Elastic, Exabeam, Graylog, Logpoint, Logrhythm, QRadar, Rapid7, Securonix, Sentinel, Splunk or Wazuh;
  • Managed SIEM/SOC operators such as 8Com, Accenture, Atos, Bechtle, Blue Voyant, Cancom, Controlware, GData, Kudelski, Nviso, Obrela, Orange, Scaltel, SVA, T-Systems and many more;
  • other service providers, solution providers and contributors such as Avodaq, EnBW Cybersecurity, KonzeptAcht, Phoenix Contact, PSI, R-Tec, telent, etc.

The requirements catalogs for attack detection systems that are sent to vendors depend on the initial requirements and the scope of the ISMS. In addition to pricing structures, they typically contain 30 – 100 criteria, e.g.

  • a written commitment to fulfill the mandatory detection and logging criteria of the BSI guidance as well as other recommendations (such as BSI-CS-134 “Monitoring and anomaly detection in production networks”);
  • automated creation or completion of asset inventories and network structure plans;
  • deep packet inspection of industry-specific protocols (such as IEC 60870-5-104 or S7COMM), where relevant;
  • automated comparison against vulnerability databases.

We are happy to recommend tried-and-tested specification templates, which we adapt efficiently with you to enable a methodical comparison and a well-founded decision.

Please remember: this article is based on our knowledge at the time it was written – but we learn more every day. Do you think important points are missing, or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts, and welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.

Download Article: Attack Detection Systems