KRITIS is the abbreviation for critical infrastructure. This classification of infrastructures includes facilities or organizations that are of high importance to the community and whose failure would have serious consequences for society and the state order. KRITIS operators must meet minimum IT security requirements, which are regulated in the IT Security Act, among other things.
What is KRITIS?
The abbreviation KRITIS stands for critical infrastructures. These infrastructures are facilities, organizations, plants, and systems that are of high importance to the community and the state. A failure of these infrastructures has serious consequences for society and the state order. If critical infrastructures are disrupted, this can lead, for example, to supply bottlenecks, disruptions to public safety, problems in the healthcare system, or negative effects on social and economic well-being.
In Germany, critical infrastructures include infrastructures in the sectors of information technology and telecommunications, water, energy, transportation and traffic, food, government and administration, media and culture, finance and insurance, and health.
Due to the high importance of these infrastructures to society, the state exercises important control functions with the help of laws. Several federal authorities are responsible, such as the Federal Ministry of the Interior, for Construction and Home Affairs (BMI), the Federal Office of Civil Protection and Disaster Assistance (BBK) and the Federal Office for Information Security (BSI). Among these authorities, the BSI assumes primary responsibility for KRITIS protection at the federal level.
KRITIS operators must meet minimum requirements with regard to IT security and have legal obligations described in the IT Security Act. These include, for example, the obligation to report security incidents or the special protection of networks. In 2021, there was a revision of this security law, which is now referred to as the IT Security Act 2.0 (IT-SiG 2.0).
The various critical infrastructure sectors
In Germany, infrastructures in these sectors belong to the critical infrastructures:
- Energy: for example, energy supply with heating oil, fuels, electricity, gas, or district heating
- Transport and traffic: for example, passenger traffic, freight traffic, air traffic, road and rail traffic, shipping, local passenger transport, logistics
- Information technology and telecommunications: for example, data transmission, voice transmission, data processing, data storage
- Health: for example, inpatient medical care, supply of medical products, laboratory diagnostics, supply of pharmaceuticals
- Food: for example, food production, food processing, food trade
- Water: for example, drinking water supply, waste water disposal
- Finance and insurance: for example, cash supply, payment transactions, settlement of foreign exchange and securities transactions, insurance services
- Media and culture: for example, broadcasting, press, cultural assets, and buildings
- Government and administration: for example, government, parliament, justice, rescue services, emergency services, disaster control
The IT Security Act
The first IT Security Act was passed in 2014 and came into force in 2015. Under this law, KRITIS operators are required to implement minimum security standards. In addition, the law obliges operators to report IT security incidents to the BSI. BSI Criticality Ordinances were issued to further specify the law; they provide criteria that infrastructure operators can use to check whether their infrastructures fall within the scope of the Act.
In 2021, a new version of the law came into force as the IT Security Act 2.0. Among other things, waste management became a critical sector. In addition, infrastructures in the special public interest are defined, which are also to be treated as critical infrastructures.
Other innovations in IT-SiG 2.0 include significantly higher fines for violations, the need to set up security information and event management systems (SIEM systems) to detect and deal with attacks, and minimum standards for KRITIS core components in the form of trustworthiness declarations by component manufacturers and BSI security marks.