Systems for Attack Detection

Mandatory for critical infrastructure –
Security with system

Since May 2023, operators of critical infrastructure are required to implement systems for attack detection (SzA). We support you from planning to operation – in compliance with standards, practical, and with additional expertise in audit procedures.

Systems for Attack Detection – an Overview

Since May 1, 2023, operators of Critical Infrastructure (KRITIS) are required under § 8a (1a) of the German BSI Act (BSIG) to implement systems for attack detection (SzA). The aim is to detect, report, and effectively prevent attacks on IT and OT systems at an early stage.

An effective SzA concept offers you:

  • Compliance with legal requirements under the BSIG
  • Increased security and resilience against cyberattacks
  • Rapid response capability in the event of security incidents
  • Auditable implementation for BSI and authorized audit bodies

SzA simply explained

Systems for Attack Detection (SzA) are designed to continuously monitor and analyze security-relevant events in IT and OT systems, enabling rapid response to potential threats. They combine technical solutions with clearly defined processes to ensure that attacks are not only detected but also effectively repelled.

The technical building blocks most frequently used are IDS/IPS systems (Intrusion Detection/Prevention Systems) and SIEM platforms, which are fed with up-to-date threat intelligence.

Core components of an SzA:

  • Logging – continuous collection of relevant event data from IT and OT systems
  • Detection – analysis and identification of attacks or unusual activities
  • Response – initiation of technical and organizational countermeasures
  • Threat Intelligence – use of up-to-date threat data to detect new attack patterns
  • Integration – embedding into existing IT security and emergency response processes

This is how an SzA concept works in practice

First, all relevant systems, networks, and interfaces are identified. Then it is defined which events must be captured from them and how those events are analyzed centrally.

A complete SzA includes:

  • Sensors and log sources (firewalls, servers, control centers)
  • Central analysis and correlation platform (SIEM)
  • Defined alerting and escalation paths
  • Regular testing and optimization to reduce false alarms
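The logging, detection and response stages described under the core components and in the list above, as an added illustration that is not part of this page or of any product it mentions: the log lines, the threat-intelligence indicator, the allowlist and the escalation table are constructed sample values, and a single correlation rule stands in for a SIEM.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (sshd-style), as a SIEM would collect them.
SAMPLE_LOGS = [
    "2024-03-01T08:00:01 host=ctrl-01 src=10.0.0.5 user=ops result=failure",
    "2024-03-01T08:00:03 host=ctrl-01 src=10.0.0.5 user=ops result=failure",
    "2024-03-01T08:00:05 host=ctrl-01 src=10.0.0.5 user=ops result=failure",
    "2024-03-01T08:10:00 host=hmi-02 src=10.0.0.50 user=scan result=failure",
    "2024-03-01T08:10:01 host=hmi-02 src=10.0.0.50 user=scan result=failure",
    "2024-03-01T08:10:02 host=hmi-02 src=10.0.0.50 user=scan result=failure",
    "2024-03-01T08:12:00 host=ctrl-01 src=203.0.113.7 user=admin result=success",
]
# Constructed threat-intelligence indicator and tuning allowlist (placeholder values).
THREAT_INTEL = {"203.0.113.7"}
ALLOWLIST = {"10.0.0.50"}  # internal vulnerability scanner: known benign noise
ESCALATION = {"high": "incident manager (on-call)", "medium": "SOC analyst"}
LINE_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")
def parse(lines):
    """Logging stage: normalise raw lines into events; unparseable lines are dropped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events
def detect(events, threshold=3, window=timedelta(minutes=5), allowlist=ALLOWLIST):
    """Detection stage: threat-intel match plus a windowed failed-login correlation rule."""
    alerts, failures = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        if src in allowlist:
            continue  # tuning step: suppress a known benign source to cut false alarms
        if src in THREAT_INTEL:
            alerts.append({"rule": "threat-intel-match", "src": src, "host": ev["host"], "severity": "high"})
        if ev["result"] == "failure":
            recent = [t for t in failures[src] if ev["ts"] - t <= window] + [ev["ts"]]
            failures[src] = recent
            if len(recent) == threshold:  # fire once when the threshold is reached
                alerts.append({"rule": "brute-force", "src": src, "host": ev["host"], "severity": "medium"})
    return alerts

def respond(alerts):
    """Response stage: route every alert along the defined escalation path."""
    return [f"{a['severity'].upper()} {a['rule']} from {a['src']} on {a['host']} "
            f"-> escalate to {ESCALATION[a['severity']]}" for a in alerts]
```

Calling `detect(parse(SAMPLE_LOGS), allowlist=set())` shows the tuning effect: without the allowlist the scanner host raises a third, spurious alert.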

The path to implementation

The introduction of systems for attack detection follows a structured approach:

  • Assessment – recording existing IT and OT systems, security solutions, and interfaces
  • Requirements analysis – taking into account legal requirements, BSI guidelines, and company-specific risks
  • Technology selection – identifying suitable IDS/IPS, SIEM, and monitoring solutions
  • Integration – embedding the SzA into existing infrastructures and security processes
  • Operation – ensuring continuous logging, detection, and alerting
  • Optimization – regular evaluations, rule adjustments, and staff training

An SzA project can be implemented particularly effectively when integrated into existing security initiatives such as ISMS, emergency management, or SOC structures – creating synergies and reducing ongoing maintenance efforts.

Typical Challenges

The introduction of SzA is complex and requires both technical expertise and clear organizational structures. Common challenges include:

  • Integration of SzA into heterogeneous IT/OT environments
  • Ensuring complete logging without impairing system performance
  • Minimizing false positives while maintaining a high detection rate
  • Establishing clear response processes and responsibilities
  • Meeting regulatory requirements, including proof of compliance
  • Dependence on qualified professionals and external partners

Our Support for Implementation

We support KRITIS operators from planning to the ongoing operation of their attack detection systems – practical, efficient, and standards-compliant.

Our services include:

  • Consulting and planning in accordance with § 8a BSIG and BSI guidelines
  • Selection of suitable SzA technologies (IDS/IPS, SIEM, SOC)
  • Implementation in IT and OT environments
  • Preparation of the required documentation for BSIG compliance
  • Conducting independent audits with additional audit procedure expertise pursuant to § 8a (3) BSIG

Contact us

Do you have any questions or would you like a customized offer? Contact us – we will advise you personally and work with you to find the optimal solution.