• 06/10/2025
  • Industry News

Between regulation and resilience, the KRITIS sector remains vulnerable

Current disruptions show that the critical infrastructure is too vulnerable. More stability and resilience are needed, say experts. The "how" is being debated. Meanwhile, hopes are pinned on the NIS2 Implementation Act.

Written by Uwe Sievers

Judge's gavel shown with binary code against a blue background

Massive failures in the KRITIS sector despite European regulations

The Potsdam cybersecurity conference focuses on widespread power outages and disrupted communication. Greater resilience could help to avoid outages and emergency situations. However, this will be expensive and is therefore unlikely to work without further regulatory measures. NIS2 could help.

Critical infrastructure is the basis for the functioning of society and the survival of the population. This is why numerous regulatory measures all over Europe deal with critical infrastructure (CI). In Germany these are first and foremost the KRITIS Umbrella Act (KRITIS-Dachgesetz), the Act on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik, BSIG) and the IT Security Act 2.0 (IT-Sicherheitsgesetz 2.0). In addition, there is the KRITIS Legal Ordinance (KRITIS-Rechtsverordnung, BSI-KritisV), and the implementation of the European NIS2 Directive, which must be transposed by all EU countries, is also long overdue in Germany. All of this is meant to ensure the security and stability of critical infrastructure. However, current incidents show that despite all the requirements and precautions in Europe, massive disruptions and failures regularly occur in the CI sector. Most recently, spectacular acts of sabotage in the south of France caused quite a stir. Firstly, a major power outage paralysed an entire region. This even affected the film festival in Cannes, where the power supply was restored just in time for the award ceremonies. A day later, the southern French city of Nice was hit. A few weeks earlier, the power went out in Spain and Portugal, though not due to sabotage. These countries nevertheless had to deal with the consequences of the extensive power outage for several days. These events also caused unrest in Germany, as the effects can be transnational.

As different as the causes were, the effects were the same. Failed traffic lights caused traffic chaos, local public transport came to a standstill, people got stuck in lifts, ATMs stopped working, shops had to close because checkout systems, door openings and alarm systems were out of order. The communications infrastructure was also affected, cell towers were left without power and mobile phone reception was lost. Apps and digital assistance systems on smartphones were no longer available. Many people were now disorientated on street corners or unable to pay.


Sabotage of the critical infrastructure

Such examples point to the fragility of critical infrastructure. This includes electricity and water supplies, hospitals and local public transport: facilities and systems that are crucial to maintaining a functioning society. Failures or disruptions would have a significant impact on the population, such as supply bottlenecks, disruptions to public and economic life or threats to public safety. It should be noted that although state institutions such as law enforcement agencies or the military, districts and municipalities are classified as KRITIS, in Germany they are generally excluded from the CI legislation.

In addition, threats to these elementary foundations of civil life are increasingly coming from other sources. Power and data cables were severed in the Baltic Sea by ship anchors dragging along the bottom. You can read more about this in the article "Critical Infrastructure: Global communication at risk - Rethinking cybersecurity". The scale of these incidents suggests sabotage. This becomes even more obvious when ship and air traffic is obstructed by disrupted GPS signals. Disruptions to these navigation systems have repeatedly caused problems for scheduled flights in the Baltic Sea region. Such massive disruptions are caused by jamming transmitters and are therefore directly categorised as sabotage.

The overall situation has led to calls for greater resilience and stability in these vital areas. These calls were most recently heard at the end of May during this year's Potsdam Conference on National Cyber Security. Suitable strategies and methods are needed to better deal with damage and failures in the CI sector and to minimise the impact. This was the conclusion of this high-level event organised by the Hasso Plattner Institute (HPI), which brings together representatives from politics, business, science and, in particular, security authorities and intelligence services. The German Federal Office for Information Security (BSI) was represented there by its President Claudia Plattner. Her assessment of the situation was that Germany is an attractive target for cyber attacks, for both economic and geopolitical reasons. She called for "a more robust security structure for the energy infrastructure".

Press conference of the Hasso Plattner Institute.
Big press hype at the Potsdam Cybersecurity Conference © Uwe Sievers

Great expectations for NIS2

This is likely to lead to further regulatory action. The European NIS2 Directive will play a special role in the future. It requires its own implementation law, but this was not passed by the old German federal government. With the change of government, the draft bill presented no longer has any formal relevance. The same applies to the adaptation of the CI Umbrella Act required by NIS2. It is currently unclear what ideas the new federal government will bring to the implementation of NIS2. Plattner merely said: "I hope that NIS2 will now be implemented very quickly". However, experts at the conference were sceptical of this timing. They do not expect NIS2 to be implemented until 2026.

At the same time, other legislative amendments are being held up, as the implementation of NIS2 also requires the amendment of various other laws, including the CI Umbrella Act and the KRITIS Legal Ordinance (BSI-KritisV), which specifies requirements from the BSIG. Among other things, threshold values are defined here that determine whether operators are affected by regulation or not.

The question therefore remains as to how more resilience and stability can be realised in the CI area in the short and medium term. Resilience describes the ability to withstand disruptions and external influences or, in other words, the ability of a technical system not to fail completely in the event of disruptions and failures. Resilience therefore means that malfunctions, failures and attacks do not escalate into crisis situations. This can be achieved, for example, through redundancy: if one system fails, another takes over.


Cloud as a stability and security factor?

"In terms of security and resilience, there is no way around using cloud systems," says Wilfried Karl, President of the Centre for Information Technology in the Security Sector (ZITiS) in Germany, with conviction. This would allow centralised communication systems to be designed redundantly by duplicating them in the cloud. However, this creates other problems, such as the security and reliability of cloud providers. Karl is also aware of this: "As authorities, we need to think about how we can make cloud use more secure". One aspect of this is the dependence on US providers. Efforts have been underway for some time to become independent of these, for example by using European providers. Initial successes have already been achieved: "We have our own cloud that is certified as classified information," reports the President of the Federal Criminal Police Office (BKA), Holger Münch. The head of the BKA was referring to the cloud solution from German security specialist Secunet. It was recently authorised by the BSI for classified information up to the "secret" classification level. This reduces the dependency on foreign cloud providers, at least for German authorities. However, Patrick Hennies, Chief Security Officer (CSO) at Deutsche Bahn, Germany's railway transportation provider, warned: "If no internet, then no cloud".

However, resilience through redundancy also means significantly higher costs, as duplicating infrastructure elements usually means duplicating their costs. As long as there is insufficient resilience in the CI sector, comprehensive emergency planning will therefore remain fundamentally important in order to mitigate the consequences of exceptional situations such as outages.
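The redundancy argument above, and Hennies' objection that a cloud replica is only as reachable as the internet uplink in front of it, can be made concrete with a simple availability model. The following is an added example written for this article, not code from the conference or from any of the organisations named; the component availabilities (an on-premises communication system at 0.99, a single cloud instance at 0.995, the site's internet uplink at 0.98) are constructed illustrative values, not measurements. Components in series must all work, so their availabilities multiply; redundant components in parallel fail only if all of them fail. The model goes slightly beyond the text by showing that adding more cloud replicas behind one shared uplink never lifts availability above that uplink's own figure.

```python
"""Availability model: series dependencies, parallel redundancy, and a shared
single point of failure. Added illustrative example; all numbers are constructed."""
from math import prod
from typing import Dict, Iterable

HOURS_PER_YEAR = 8760

# Constructed illustrative availabilities (fraction of time the part works).
UPLINK = 0.98            # internet connectivity of the site; shared by every cloud path
CLOUD_INSTANCE = 0.995   # one cloud-hosted replica of the communication system
ONPREM = 0.99            # the existing on-premises communication system


def series_availability(parts: Iterable[float]) -> float:
    """All parts are needed, so the path works only if every part works."""
    return prod(parts)


def parallel_availability(parts: Iterable[float]) -> float:
    """Any one part suffices, so the group fails only if all parts fail together."""
    return 1.0 - prod(1.0 - a for a in parts)


def downtime_hours_per_year(availability: float) -> float:
    """Expected unavailable hours per year for a given availability figure."""
    return (1.0 - availability) * HOURS_PER_YEAR


def scenario() -> Dict[str, float]:
    """Compare three designs for the centralised communication system."""
    # A: single on-premises system, no dependency on the uplink.
    onprem_only = ONPREM

    # B: on-premises system kept, plus one cloud replica reachable via the uplink.
    #    The cloud path is uplink AND instance (series); the two paths are redundant (parallel).
    cloud_path = series_availability([UPLINK, CLOUD_INSTANCE])
    onprem_plus_cloud = parallel_availability([ONPREM, cloud_path])

    # C: system moved entirely to the cloud as two replicas, both behind the same uplink.
    #    Replicas are parallel, but the shared uplink is in series with that group.
    cloud_only_redundant = series_availability(
        [UPLINK, parallel_availability([CLOUD_INSTANCE, CLOUD_INSTANCE])]
    )

    return {
        "onprem_only": onprem_only,
        "onprem_plus_cloud": onprem_plus_cloud,
        "cloud_only_redundant": cloud_only_redundant,
    }


def cloud_only_curve(uplink: float, instance: float, max_replicas: int) -> Dict[int, float]:
    """Availability of n cloud replicas (n = 1..max_replicas) behind one shared uplink.

    Each extra replica doubles the cloud bill (the cost point made above) but the
    result is capped by the uplink: you cannot parallelise around a shared dependency.
    """
    return {
        n: series_availability([uplink, parallel_availability([instance] * n)])
        for n in range(1, max_replicas + 1)
    }


if __name__ == "__main__":
    for name, avail in scenario().items():
        print(f"{name:22s} availability={avail:.6f} "
              f"downtime={downtime_hours_per_year(avail):7.1f} h/year")
    print("cloud-only replicas behind one uplink:")
    for n, avail in cloud_only_curve(UPLINK, CLOUD_INSTANCE, 5).items():
        print(f"  n={n}: {avail:.6f} (uplink alone: {UPLINK})")
```

Running it shows design C (all-cloud, two replicas) ending up below the lone on-premises system, because both replicas sit behind the same 0.98 uplink, while design B, which keeps the on-premises system and adds the cloud copy as a second, independent path, is the only one that actually gains from the duplication. The practical check for any redundancy plan is therefore to list the dependencies shared by all copies (uplink, power feed, DNS, identity provider) before paying for the second copy.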
