In Germany, special regulations apply to operators of critical infrastructures under the Federal Office for Information Security / Bundesamt für Sicherheit in der Informationstechnik (BSI) Act. But who counts as an operator and when are infrastructures classified as critical?
What is a critical infrastructure?
Critical infrastructures (KRITIS) are organizations or facilities of major importance to the state and society, whose failure or impairment would result in lasting supply bottlenecks, significant disruptions to public safety or other dramatic consequences. Which of these are to be regarded as critical infrastructures is regulated by the KRITIS Ordinance under the BSI Act. According to this definition, organizations and facilities from the energy, transport and traffic, water, finance and insurance, food, media and culture, state and administration, health, and information technology and telecommunications sectors are considered critical infrastructures.
Who is affected?
In reality, the circle of affected companies is much wider than one might assume. As a result, many operators of critical infrastructures run the risk of not realizing that they have to comply with the legal requirements of the BSI Act. This is because the regulation specifies a number of thresholds for the different sectors, and these apply to state-owned as well as private-sector companies. To illustrate these abstract terms, consider the following three examples:
- In the energy sector, in the area of district heating distribution, the supply of 25.000 connected households already falls under the regulation. Also in the energy sector, the same applies to a service station network that distributes 420.000 million liters of fuel per year.
- In the food sector, the regulation sets thresholds of 434.500 tons of food per year and 350 million liters of non-alcoholic beverages.
- In the health sector, in the area of pharmacies: from 4.650.000 dispensed packages per year, pharmacies also fall under the KRITIS regulation.
However, only a case-by-case assessment can answer with certainty whether a company is ultimately a critical infrastructure or not. It is important to understand that the KRITIS classification also depends on whether, and to what extent, a company's IT is involved in handling these goods. For example, a large retail company is not necessarily a critical infrastructure if it operates IT-autonomous sites; but if it runs a centralized IT operation, the infrastructure must be classified as critical. To help answer this question, various industry associations have already developed industry-specific standards and coordinated them with the BSI.
What requirements must critical infrastructure companies meet?
If a review has determined that a company clearly belongs to the critical infrastructure, it must fulfill the following requirements in accordance with the BSI Act:
- Report to and register with the BSI as a critical infrastructure operator.
- Establish a point of contact as an interface to the BSI.
- Reliably detect critical security incidents and report them immediately to the BSI.
- Implement IT security in accordance with the state of the art.
- Conduct an IT security audit every two years.
All relevant regulations and answers to frequently asked questions can be found on the official website of the German Federal Office for Information Security / Bundesamt für Sicherheit in der Informationstechnik at www.bsi.bund.de.