Application area and measures
KRITIS refers to critical infrastructure whose failure would have a lasting impact on the community. These include institutions and organizations from the energy, water, food, IT, health, finance, insurance, and transportation and traffic sectors.
Not all infrastructure in these sectors is necessarily considered critical infrastructure. Therefore, these sectors are in turn subdivided into industries in which critical services may be provided. The IT Security Act and related regulations focus on physical facilities that provide critical services to more than 500,000 people. The basis for assessment differs from sector to sector. These could be case numbers in hospitals or food rations produced, for example.
If a facility is classified as critical, the BSI Act imposes additional obligations for protecting critical infrastructure. These include, in particular, the obligation to report impairments and the implementation of IT security in accordance with the current state of the art, along with biennial verification (e.g., through an audited ISMS).
Innovations as a result of the IT Security Act 2.0
A few weeks ago, the German Bundestag and Bundesrat passed the IT Security Act 2.0. The main changes include an expansion of the BSI’s powers, further obligations for operators of critical infrastructure, and stronger penalties on a par with those of the GDPR.
In the future, the federal office is to exercise control and audit powers over the federal administration, by, for example, being allowed to process federal communications technology data if this serves to avert danger. A farther-reaching step is that, in the future, the BSI will also be allowed to actively detect security vulnerabilities in public telecommunications networks with port scans.
Companies that operate critical infrastructure will also be required to deploy attack-detection systems. In addition, the scope among critical infrastructure operators is to be expanded. For example, companies that are of particular public interest (e.g., armaments), process classified information, have special economic significance due to the high degree of value they create, or that are subject to regulation under the Hazardous Incident Ordinance are to be added.
KRITIS in the EU
At the European level, the EU has been planning to revise both the previous NIS Directive and the 2008 European Critical Infrastructure Protection Directive since 2020. In the future, there will be uniform minimum requirements for critical infrastructure throughout Europe. The requirements are to be increased, for example, by including all sectors in the regulations rather than just energy and transportation (as has been the case to date). It is not yet possible to predict conclusively whether and to what extent changes at the European level will affect German operators.
The threat situation
The requirements imposed by regulators do not run counter to the interests of critical infrastructure operators; rather, they align with them. Every company must expect to be the victim of a security incident and must be able to respond accordingly. Current events such as the increased occurrence of ransomware attacks make it clear that this danger is not abstract. The average cost of a data breach is estimated by IBM to be USD 3.86 million. One of the most common vulnerabilities is, incidentally, the employee. For example, phishing is the cause of data theft in around 20 percent of cases.
With regard to critical infrastructure in Germany, the threat remains high. The electricity and power sector is of particular interest, and port scans, in particular, stand out in this area. In the finance and insurance sector, DDoS attacks on banking systems led to significant disruptions in payment transactions in early 2020. In addition to DDoS attacks, ransomware incidents were common between 2019 and 2020.
In May 2021, for example, Colonial Pipeline was affected. Attackers compromised the operator’s IT systems and encrypted them. As a result, more than 8,000 kilometers of pipelines along the East Coast of the United States were taken out of service. This vulnerability in United States infrastructure led to intermittent gasoline supply shortages. Due to the uncertainty about the duration and success of the recovery, the operator decided to pay a ransom equivalent to EUR 3.6 million.
Another example of how IT security in critical infrastructure can protect lives is the incident at a Florida water plant where attackers tampered with drinking water treatment in February 2021, rendering the water undrinkable. Read more in our article, “Unprotected utilities – how an attack on a Florida water plant put lives at risk.”
Are OT and IoT security issues for your company? As an independent entity with a portfolio of proven security providers, CyberCompare can provide you with comparative offers at no charge and with no obligation. Reach out to us or use our diagnostic to learn more about your cyber risk profile.
Please remember: this article is based on our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.
And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.