Directorate-General OC -- Operative Cyber Security

The remit for the Directorate-General OC -- 'Operative Cyber Security' at the BSI includes the task areas of threat 'Detection', 'Response' and 'Situation', plus associated activities. The objective of the 'Detection' task area is to ensure the timely and reliable detection of security-relevant events. Examples of such security-relevant events include cyber attacks that have been detected or reported, vulnerabilities in IT products that have come to light and security-relevant deficiencies in website configurations. Where necessary, the BSI then takes appropriate action as part of the 'Response' task area. Such actions include warning individuals and organisations affected by cyber incidents, for example, and also providing support for restoring secure operations on a case-by-case basis. Insights gained by the BSI about cyber risks -- especially threats, vulnerabilities and incidents -- are collected, analysed and processed as part of the 'Situation' task area. Users and operating companies can utilise these insights in order to ensure they have the best-possible protection against cyber risks.

The nature and scope of the BSI's activities in the field of operational cyber security are defined in the BSI Act. Key points of focus here include protecting the federal administration and critical infrastructure. In these areas, the Directorate-General OC works closely with the Directorates-General BL, "Consulting Services at Federal, State and Municipal Levels", and WG, "Cyber Security for Business and Society".

Sections in the Directorate-General OC

Section OC 1, 'Detection'

The BSI's Section OC 1 operates the Federal Security Operations Centre (BSOC) to protect government networks and federal IT systems against cyber attacks. The tasks assigned to the BSOC include services for the collection and analysis of log and sensor data, as well as for the detection of and defence against malware in e-mails and web traffic. To manage this remit, the BSI has developed a range of systems, which are continuously modified to match the threat situation. Section OC 1 is also tasked with the development and updating of the various antivirus signatures, detectors and technical platforms required for this work. By achieving the greatest possible degree of automation through modern products and AI-driven procedures, the aim is to create enough space for the indispensable manual analyses, which are conducted in compliance with stringent legal provisions.

Another responsibility assigned to Section OC 1 is the design and execution of penetration tests, short audits and web checks in relation to federal information security. These services are performed in order to detect vulnerabilities, security-relevant misconfigurations and other security deficiencies while also helping the respective federal client to continue to improve their level of security. Section OC 1 also provides support to the BSI's Directorate-General SZ for the certification of penetration testers and IT security service providers. To help raise awareness of cyber risks, supportive events -- such as hacking demonstrations -- are also organised and held.

Last but not least, Section OC 1 is also responsible for the topic of internet infrastructure and internet services. Activities here focus in particular on techniques for the detection and analysis of, and defence against, botnets, as well as attacks targeting internet infrastructure. Other work in this area covers security audits and the publication of research articles, as well as cooperation with operating companies and regulatory authorities. In addition, the BSI is also an active member of the Internet Engineering Task Force (IETF) and the Réseaux IP Européens (RIPE), where it works to improve the security of the internet as a whole.

Section OC 2, 'Response'

Section OC 2 works on the two closely related task areas of 'Response' and 'Situation'. In terms of the national IT security situation, the National IT Situation Centre is primarily responsible for observing and assessing the current IT threat situation and initiating measures to manage security incidents -- also in its role as the Central Reporting Office for such incidents. The department draws on additional analysis and assessment capacities to prepare the long-term and strategic national IT security situation map, and makes it available to several stakeholders. A public version of this map is provided in the BSI report, 'The State of IT Security in Germany'. This situational information is augmented by warnings provided by the BSI on current cyber threats. Depending on the occasion, the BSI provides these warnings both to federal stakeholders and operators of critical infrastructure as well as a wider circle of users and operating companies.

The response mounted to cyber attacks is a joint effort on the part of various teams, who work on many tasks aimed at containing cyber security incidents. Incident support for affected parties in the various groups to whom the BSI provides its services is provided jointly by CERT-Bund, the experts in the mobile incident response teams (MIRTs) and the technical analysts brought in on an ad hoc basis. In special cases and during critical IT incidents, the National IT Situation Centre expands into a National IT Crisis Response Centre, with the aim of restoring the security or functional capability of IT systems. In such cases, the Centre is supported locally by many expert teams drawn from all divisions, as appropriate to the situation. This provides direct access to the BSI's consolidated technical expertise while also ensuring this level of engagement can be sustained for crisis situations that take longer to resolve.