The renewed KritisV affects more than 1,850 companies in Germany. Lead and transition periods have already expired. Violations result in severe penalties. Nevertheless, questions often remain unanswered, for example about the concrete meaning of “secure” or the obligations that KRITIS operators must fulfill. In addition, the dynamic nature of the adjustments in the KritisV poses challenges for companies during implementation.
In the following interview, Matthias Reidans, Senior Project Manager Services of the fiber and infrastructure specialist Rosenberger OSI, answers important questions and explains which points are now important for CRITIS operators.
- Which Companies Belong to The Critical Infrastructure?
- What Sector-Specific Requirements Do CRITIS Operators Need to Be Aware Of?
- That Means It Would Be Important to Keep KRITIS Relevance in View on An Ongoing Basis?
- The KRITIS Regulation Requires It to Be Adequately Secured in Line with The “state of The Art”. What Does This Mean?
- Which KRITIS Requirements Must Be Observed for Data Centers and Server Rooms?
- How Must the Infrastructure in Data Centers with High Availability and Protection Class Be Optimized?
- What Are Important Steps on The Path to Acceptance of The Statutory KRITIS requirements?
Which Companies Belong to The Critical Infrastructure?
The official definition is: “Critical infrastructures (KRITIS) are organizations or facilities with important significance for the state community, the failure or impairment of which would result in sustained supply bottlenecks, significant disruptions to public safety, or other dramatic consequences.”
The BSI Act (“Federal Office for Information Security”) identifies the following critical sectors for a functioning state polity: Information Technology & Telecommunications, Health, Energy, Water, Food, Finance & Insurance, Government & Administration, Transportation & Traffic, Media & Culture, and – newly included after the last amendment – Municipal Waste Disposal. The IT Security Act 2.0, on which the CRITIS Regulation is based, is aimed at companies that rely on digital infrastructures in the sense of “facilities”.
This includes machines and devices in the broadest sense, as well as software and IT services that are necessary for the provision of a critical service.
What Sector-Specific Requirements Do CRITIS Operators Need to Be Aware Of?
There are specific thresholds for all sectors to ensure that really only those companies are classified as critical that are relevant to social life. As a rule, the thresholds are tailored to serve a lower limit of half a million inhabitants. In the energy sector, for example, this is the amount of electricity, heating oil, aviation fuel and the like provided; in the water sector, it is the amount of drinking water, but also the number of households connected to the sewer system.
In the IT and TC sector, different factors are relevant depending on the service: Network subscribers, instances, domains, qualified certificates and server certificates, and in the case of data centers also power consumption – here a new lower limit of 3.5 instead of the previous 5 MW applies. Companies themselves are responsible for finding out whether they fall under the CRITIS rules and must take the appropriate steps. The lead and transition periods have now expired.
That Means It Would Be Important to Keep KRITIS Relevance in View on An Ongoing Basis?
Exactly. The law was passed in August 2021 and came into force on January 1, 2022. Affected facilities had to be registered by April 1 – and by the same date, CRITIS companies must also comply with the associated cybersecurity measures. This is likely to catch one or two new entrants among the KRITIS operators cold. This is because there is a threat of severe penalties. They will have to provide proof of implementation through CRITIS audits by April 1, 2024 at the latest, so there is at least a little time left.
But even those who are not affected by the current classifications cannot rest on their laurels. Further changes to the IT Security Act and the CRITIS Regulation are also planned for the current year. This means that a new delimitation of KRITIS relevance can occur at any time. So you should always keep an eye on the industry-specific thresholds. To be on the safe side, it is advisable to consult experts here. Rosenberger OSI offers a non-binding quick check as an orientation aid as to whether KRITIS relevance exists. The focus of the check is the examination of the affiliation to KRITIS sectors, the classification with regard to threshold values and the evaluation of industry-specific peculiarities.
The KRITIS Regulation Requires It to Be Adequately Secured in Line with The “state of The Art”. What Does This Mean?
With the term “state of the art”, the legislator avoids static specifications that soon become obsolete – because technical development is faster than legislation. What is the current “state of the art” can be derived from various national and international standards, such as DIN, ISO, DKE or ISO/IEC. In addition, models for the respective area that have been successfully tested in practice can also be consulted.
The goal must be to take appropriate precautions to prevent disruptions, for example, this refers to the availability, integrity, authenticity and confidentiality of the information technology systems, components or processes. The measures taken must be certified and proven to the BSI within two years of the KRITIS regulation coming into force and renewed every two years. However, classic certifications such as ISO 27001 or BSI IT-Grundschutz alone are not sufficient for this.
Which KRITIS Requirements Must Be Observed for Data Centers and Server Rooms?
That depends on the need for protection and the availability requirements for the data center or server room. This can be the need for high availability, but also that certain requirements must be met for the location of the data center.
With the certification according to the self-developed TSI.STANDARD, TÜViT has created a system that differentiates between four different levels, which reflect the quality of the supply systems as well as all other elements. It builds on the TSI (Trusted Site Infrastructure) methodology for testing and certifying the physical security and availability of data centers, which has been established since 2001. The TSI.STANDARD is continuously developed to reflect the current state of the art and standards – just as the BSI requires of CRITIS operators.
How Must the Infrastructure in Data Centers with High Availability and Protection Class Be Optimized?
To build data centers with a high protection class and availability, it is not enough just to optimize the IT infrastructure accordingly. The main vulnerabilities and risks in and around the data center, as well as the associated services – for example, DNS or certification services – should be considered in detail. And this should be done in a repeated process.
What exactly does this mean for the testing and evaluation of new data center buildings as well as existing data centers? In and around the data center?
In concrete terms, this means not only looking at the structure of the cabling or the power supply and the redundancies designed for it, but also the data center environment or aspects such as building construction, fire protection or security systems.
In order to fulfill the KRITIS obligations, Rosenberger OSI checks the fit of the valid requirement catalogs with the existing structural and physical security of the IT infrastructure. This analysis and evaluation results in technical and/or organizational lists of measures which, when implemented, can then guarantee the required level of security in accordance with the protection requirements to be met for the IT.
What Are Important Steps on The Path to Acceptance of The Statutory KRITIS requirements?
The first step is to examine the BSI requirements catalog in order to record and evaluate in detail any deviations between the actual and target state of the IT infrastructure. This initially involves identifying the level for protection requirements and for availability as well as examining the criteria areas for IT operations, depending on the required protection requirement level.
As part of the inventory, the complete IT infrastructure is recorded and its status evaluated. This is followed by a classification of the risks and a prioritization of the challenges to be overcome. Based on this, a catalog of measures is created, which includes a detailed recommendation for the protection requirement. In addition, targeted technical and/or organizational measures are derived to achieve the industry standard required by the BSI.