Critical infrastructure and B3S
The German Federal Government defines critical infrastructure as follows:
“Critical infrastructures (KRITIS) are organizations or facilities of vital importance to the state community, the failure or impairment of which would result in sustained supply shortages, significant disruptions to public safety or other dramatic consequences.”1
Operators of critical infrastructures (KRITIS) have faced demanding minimum requirements for IT security since the IT Security Act came into force in 2015. With the entry into force of the IT Security Act 2.0, these requirements increase further.
KRITIS operators: Requirements increase
In addition to the obligation to prove to the BSI every two years that the KRITIS requirements of the IT Security Act have been implemented appropriately, the BSI must be notified on an ongoing basis of KRITIS-relevant security incidents and of changes or adjustments to the KRITIS scope. KRITIS operators also bear the effort of detecting and classifying security incidents; this is the operator's own responsibility. An existing ISO 27001 certificate (native or based on IT-Grundschutz) is recognized as a component of the proof. However, particularly in the handling of risk acceptance and the insurability of risks, requirements must be met that go beyond the standard requirements of ISO 27001.
By far the greatest challenge, however, is the implementation of effective IT security measures in the KRITIS-relevant facilities. "State of the art" technical and organizational measures must be implemented, and IT in particular changes rapidly, so what counts as state of the art is a moving target. Furthermore, under the IT Security Act 2.0 an "attack detection system" in combination with "immediate notification" of the BSI will be required.
ISMS and BCMS as the means of choice
Management systems such as an Information Security Management System (ISMS) and a Business Continuity Management System (BCMS) are the means of choice to ensure information security in KRITIS facilities and to map the organizational measures. The technical part of the requirements is covered by state-of-the-art protective measures for the IT and OT infrastructure of the KRITIS facility.
A Security Operations Center (SOC) or Computer Security Incident Response Team (CSIRT), in which systems and processes for detection such as a Security Information and Event Management (SIEM) system or an Intrusion Detection System (IDS) are operated, covers the required attack detection.
A major hurdle for KRITIS operators is therefore the high interdisciplinary complexity of these requirements and the dependencies between them.
How we can support you
Our KRITIS experts provide support with tailored concepts and approaches for the preparation, design, planning and implementation of security measures in accordance with the applicable KRITIS requirements. They work at the necessary level of detail while maintaining the overall picture. In doing so, they draw on tried-and-tested solutions and established methodologies, adapted to the operator's situation.
1 Source: KRITIS - Einführung (bund.de)
B3S – Industry-Specific Security Standards
Operators of critical infrastructures can develop industry-specific security standards (B3S) within their industries and industry associations and have the BSI recognize their suitability as an industry-specific definition of the "state of the art". There is no regulatory obligation to do so. However, it gives an industry the opportunity to specify the state of the art itself, based on its own expertise. This makes the rather abstract and, above all, dynamic "state of the art" requirement much more tangible and concrete.
Source: BSI - Übersicht der B3S (bund.de)
msg security advisors also assist KRITIS operators with the implementation of B3S.
Your contact
Thomas Soens
Division Manager
msg security advisors