Dear readers,
The security landscape for operators of SAP systems has changed drastically over the years. New legislation, particularly with regard to KRITIS (Critical Infrastructures), has raised the level of mandatory security precautions that companies must take. These changes are both a challenge and an opportunity to improve the security and resilience of IT systems. At the same time, they ensure that companies serving KRITIS sectors are better protected against potential cyber attacks. In the face of a constantly evolving threat environment, it is crucial for SAP operators to stay informed about the latest legislative changes and to take appropriate measures to adapt their IT infrastructures. The ability to develop and implement effective and legally compliant SAP security strategies is a key factor in this. This article provides insight into the latest legislative changes affecting KRITIS and SAP, and explains how SAP operators can adapt their systems to the new security requirements.
SAP is a central player in the world of enterprise software, with systems that control a significant portion of operational data traffic in businesses worldwide. This raises a concrete question: what requirements does the BSI impose on KRITIS operators with SAP systems?
- Designating a contact point: SAP system operators are obligated to designate a contact point responsible for communication with the BSI. This ensures a direct communication line between the companies and the federal agency.
- Reporting of significant disruptions: Any disruption that negatively impacts the availability of critical services must be reported to the BSI. This allows for a quick response to potential cyber attacks and a systematic remediation of security vulnerabilities.
- Regular security audits, checks and certifications: KRITIS operators are obliged to keep their IT systems up to date with the state of the art. This is defined by the BSI and demonstrated through regular security audits, checks and certifications. ISO 27001 certification plays a crucial role in this.
- Implementation of Intrusion Detection Systems (IDS) and SIEM tools: To detect cyber attacks, KRITIS operators must implement systems that can identify attacks in real time. IDS and SIEM tools, such as SAP Enterprise Threat Detection (ETD), provide suitable solutions.
- Creation of disaster recovery plans: In order to restore operational capability as quickly as possible after an attack on IT systems, KRITIS operators must design disaster recovery scenarios. These include response plans and preventive measures that come into play in the event of a massive supply disruption.
BSI and SAP: Security measures for critical infrastructures
SAP systems play an important role in complying with BSI regulations, as they are often part of critical infrastructures. With SAP Enterprise Threat Detection (ETD), companies receive real-time insights into critical actions and conspicuous operations within their SAP system landscape. This allows cyber attacks on SAP applications to be detected, analyzed and neutralized at an early stage.
In addition, operators must take preventive measures such as automated identity management, customized authorization management, a clear role concept, authentication, and encryption. Multi-factor authentication (MFA) can achieve a significantly higher level of protection.
Sanctions and exceptions under the IT Security Act 2.0
Companies face severe sanctions in the form of fines for violations of the IT Security Act 2.0. The amounts to be paid range from 100,000 euros to 2 million euros, depending on the violation. In some cases, the penalties can even rise to up to 20 million euros or 4% of the company’s global turnover.
In addition to the operators of critical infrastructures, the IT Security Act 2.0 also affects the category of “companies of special public interest”. This includes companies from certain sectors or of certain sizes, which do not count as critical infrastructure, but nevertheless have a special relevance.
How can the state of the art for SAP systems be demonstrated?
The state of the art for SAP systems can be demonstrated in various ways, although the exact process can vary depending on the company and specific requirements. In general, however, the following steps and considerations can be helpful:
- SAP security guidelines and best practices: SAP provides various guidelines and best practices for security. Compliance with these guidelines can help demonstrate the current state of the art. Such guidelines include, for example, the implementation of role and authorization concepts, the consistent application of security patches, and ensuring data integrity.
- SAP Security Optimization Services (SOS): SAP offers a service called Security Optimization Services that performs a comprehensive review of an SAP system’s security status. This service includes a systematic review of the system to identify security gaps and suggest improvements.
- Certifications: Various certifications can serve to confirm the state of the art. This includes, for example, the ISO 27001 certification, which concerns the management of information security, or specific SAP certifications such as the SAP Certified Technology Associate – System Security Architect.
- SAP system audits: Regular internal and external audits can check whether the SAP system meets current requirements and whether all relevant security measures are implemented.
- Keeping the software updated: It is important that the SAP system is always up to date. This means that all software components, including the operating system, the database, and the SAP applications themselves, are regularly updated and patched.
- Documentation: Finally, comprehensive documentation of all processes, policies, and measures related to IT security is essential to demonstrate the state of the art.
It is important to note that the state of the art in IT security is a dynamic term that is constantly evolving. Therefore, the security of SAP systems should be continuously monitored and adjusted.
Conclusion: Responsibility for a Digital World
In a world that is increasingly networked and digital, heightened requirements for IT security and the reliability of critical infrastructures (KRITIS) are not only necessary but essential. With the tightening of the IT Security Act 2.0, KRITIS operators are now under a stronger obligation to make their IT systems more resilient to disruptions and to keep them up to date with the state of the art. This ensures the maintenance of essential supply services for society and protects sensitive data. However, complying with these expanded regulations is challenging and requires careful planning and timely implementation. Operators need to continuously evaluate and improve their IT infrastructure, report relevant disruptions to the BSI, and always follow the latest technical standards. The requirements of the BSI, although extensive and demanding, ultimately offer companies the opportunity to strengthen their systems against cyber threats while simultaneously providing the best possible protection for their customers. This emphasizes the importance of a responsible digital presence and sustainable management of IT resources. Overall, the expanded IT Security Act 2.0 is an important step in ensuring the continuity of critical infrastructures in Germany and strengthening the digital landscape. It is now up to KRITIS operators to fulfill their role responsibly and contribute to the security of the digital space. In the best sense, this serves not only to protect their own IT systems, but also society as a whole.