New German cyber security law to protect critical infrastructure

Germany has passed a new IT security law requiring critical infrastructure institutions to implement minimum information security practices or face fines of up to €100,000.

The new law, which was drafted last August, was passed by the Bundestag last month and has now been passed by Germany’s upper house, the Bundesrat.

It gives more than 2,000 essential service providers two years to comply with the new requirements, which include achieving certification to cyber security standards and obtaining clearance from the Federal Office for Information Security (BSI). The BSI itself will be expanded to cover new obligations, which include evaluating reports of possible cyber attacks on critical infrastructure.


SCADA attacks

Dell Security’s recent 2015 Annual Threat Report found that, worldwide, attacks on supervisory control and data acquisition (SCADA) systems – used by critical national infrastructure operations such as power stations, oil refineries and water treatment plants – increased “from 91,676 in January 2012 to 163,228 in January 2013, and 675,186 in January 2014”.

Although it is rare for a cyber attack to cause physical damage, it is not unheard of. Last year, a German Federal Office for Information Security report (Die Lage der IT-Sicherheit in Deutschland 2014) described an incident at an unnamed steel mill in Germany that resulted in catastrophic damage: using a spear phishing email to install malware on the mill’s computers, hackers stole login credentials that enabled them to access the production computer networks and gain control of systems that controlled the plant’s manufacturing equipment. They then caused system failures that prevented the plant from shutting down a blast furnace properly, causing “massive damage”.

Many fear that successful attacks on SCADA systems will become increasingly common – hence this new legislation.


Recent cyber attacks in Germany

Cyber security is much on the minds of legislators in Germany: the Bundestag itself recently fell victim to a cyber attack apparently perpetrated at Russia’s behest, and in January numerous German government websites – including that of Chancellor Merkel – were hacked by a Russian group demanding Germany end its support for the Ukraine government.


The GDPR and best-practice information security

German organisations that want to fulfil their information security obligations are advised to implement an information security management system (ISMS), as described in the international best-practice standard ISO 27001.

An ISO 27001-compliant ISMS provides a risk-based approach to data security that can be applied throughout the supply chain. Once your ISMS has been certified to the Standard you can insist that third-party contractors and suppliers also achieve certification. In addition to this, the external validation offered by ISO 27001 certification is likely to improve your organisation’s cyber security posture while providing a higher level of confidence to customers and stakeholders – essential for securing certain global and government contracts – as well as allowing you to meet legal and regulatory obligations.

In addition, an ISO 27001-compliant ISMS will help organisations meet the requirements of the EU General Data Protection Act (GDPR), which is expected to be implemented later this year and come into force in 2017.


ISO 27001 implementation resources

IT Governance has led hundreds of ISO 27001 implementation projects around the world. Our ISO 27001 Packaged Solutions provide fixed-price implementation resources and implementation guidance for all European organisations.

The ISO 27001 Get A Lot Of Help package is by far the most popular, combining a comprehensive mix of core ISO 27001 standards and implementation guidance with key implementation tools, attendance at our Live Online masterclasses, and our unique Mentor and Coach service – all at a fixed price.


