For operators of energy supply networks and energy systems: Demonstrate the use of attack detection systems

Source: BUS Rheinland-Pfalz

As an operator of energy supply networks and energy systems that are considered critical infrastructure, you are obliged to use systems for attack detection. These must continuously identify and prevent threats. You must also provide suitable measures to rectify any faults that occur. Since 01.05.2023, you must provide evidence of the use of these systems to the Federal Office for Information Security (BSI) at least every 2 years.

To protect your information technology from external attacks, you must take organizational and technical measures and precautions. You can have these documented through security audits, further tests or certifications. In the next step, you send the BSI the results of the tests carried out, including any security deficiencies discovered, using a verification document.

The BSI then checks whether your precautions and measures meet the legal requirements. The BSI can request the submission of further test documents and, in the event of security deficiencies, the rectification of the deficiencies.

Energy supply networks and energy systems are elementary for the state community. If they fail or are impaired, there is a risk of supply bottlenecks, significant disruption to public safety or other dramatic consequences. Regular verification of the use of attack detection systems is therefore required by law.

You can submit your evidence online, by encrypted e-mail or by post. To submit the evidence, you must be registered with the BSI as an operator of energy supply networks and/or energy installations and have an operator ID/institution ID, which you received when you registered.

Submit evidence online:

To use the online service, you need an ELSTER organization certificate and ELSTER business account.
Go to the federal portal verwaltung.bund.de and complete the online application.
Upload the required documents.
The BSI's KRITIS office (Critical Infrastructure) will check your details. If the KRITIS Office has any queries during the review or requests additional documents, it will contact you by email.
After the formal check, the KRITIS office will send you a confirmation by e-mail and inform you of the deadline for your next proof.

Submit evidence by e-mail:

Download the KI* verification document from the BSI website
Complete the form.
You can either complete the form digitally or print it out first and then complete it.
Sign the form.
Send the form and your verification documents by encrypted e-mail to the BSI's KRITIS office. For encryption, please use the S/MIME certificate of the KRITIS office on the BSI website.
The BSI's KRITIS Office will check your details. If the KRITIS office has any queries during the check or requests additional documents, it will contact you by e-mail.
After the formal check, the KRITIS office will send you a confirmation by e-mail and inform you of the deadline for your next proof.

Submit evidence by post:

Download the proof document KI* from the BSI website.
You can either complete the form digitally and print it out or print it out first and then complete it.
Sign the form and add the necessary supporting documents.
Send your proof by post to the BSI's KRITIS office.
The BSI KRITIS Office will check your details. If the KRITIS office has any queries during the check or requests additional documents, it will contact you by email.
After the formal check, the KRITIS office will send you a confirmation by e-mail and inform you of the deadline for your next proof.

Critical infrastructure verification document (for operators of energy supply networks and energy installations that are considered critical infrastructure) KI*: Details of the operator, the audited energy system or audited energy supply network and the contact person
Verification document (inspection) P*: Details of the inspection. It must be signed by a person authorized to sign on behalf of the verifying body. It contains the following information:
- Section (test execution) PD: Information on the execution of the test
  - Appendix PD A: Description and graphical representation of the scope of the test
- Section (test result) PE: Information on the test result and the safety deficiencies detected
  - Appendix PE.A: List of safety deficiencies including implementation plan for remedying the deficiencies
Section (information on the inspecting body and the inspection team) PS: contains information on the inspecting body and the inspection team

Period of Validity: 2 Years
You must provide evidence of the use of attack detection systems to the Federal Office for Information Security every two years. You can also submit your verification documents at any time before the verification deadline. The statutory 2-year rule is the minimum requirement. The calculation of the deadlines depends on the time of the previous submission. If a proof proves to be incomplete in the course of the review, so that subsequent deliveries have to be made, this does not affect the deadline for the subsequent proof once it has been calculated. If you register new installations in addition to those already registered as a result of the annual inspection, you can combine all installations in one verification, provided you do not exceed the respective verification deadlines.

For operators of energy supply networks and energy systems: Demonstrate the use of attack detection systems

Process flow

Requirements

Which documents are required?

What are the fees?

What deadlines do I have to pay attention to?

Processing duration

Legal basis

Applications / forms

What else should I know?

Professionally released on