Our webtalk “The right strategies to cope with increasing requirements placed on critical infrastructures” met with very considerable interest. This is also shown by the number of questions that we received after the live webtalk.
ISO 27001 certification itself involves a very extensive catalogue of checks. Does this not itself already in principle meet the KRITIS requirements?
The answer is “yes” and “no”. Naturally, ISO 27001 certification involves compliance with a number of requirements, which the statutory auditors are then able to tick off their list. However, in the B3S, in the sector-specific catalogues, there are a number of very different and wider-ranging requirements. This means that ISO 27001 certification only ensures compliance with a number of the requirements. In other words: Certification is in no way a “free pass” to a successful KRITIS audit. In the audit, it is necessary to apply a much more stringent list of requirements.
What is the future for Cloud providers to companies with KRITIS obligations and what sort of quality do they offer? Because critical services are also provided from the Cloud.
Naturally, critical services are also provided from the Cloud. All companies with obligations under the KRITIS regulations obviously ask themselves whether each of their processes and each individual application is KRITIS-compliant. Ultimately, companies are investing a lot of money in the digital transformation. This means that, in this area, they are genuinely dependent on the Cloud providers complying with the C5 (Cloud Computing Compliance Criteria Catalogue) requirements catalogue. Of course, C5 will undoubtedly be subject to further revisions. It is also to be assumed that the Cloud providers will perform further adaptations in terms of transparency and, ultimately, resilience. For example, with regard to the location of the Cloud provider - only in Germany or only in Europe. The data protection and other requirements placed on Cloud providers are constantly growing. The Cloud providers have already reacted. A lot has already been done. This means that we can assume that the Cloud providers themselves are attempting to expand their market share. However, this is also an opportunity for the Euro-Cloud to make its mark and provide some competition for the hyperscalers. The keyword here is GAIA-X. These are initiatives that can successfully implement their Cloud transformation despite the KRITIS requirements.
How does a KRITIS pre-audit work in practice?
The pre-audit is an opportunity to draw up a list of potential weaknesses before meeting the authorized auditor. Rosenberger OSI provides pre-auditing in accordance with the DIN EN 50600 guidelines. This comprises a stock-take of the current situation as well as an analysis of the technical aspects of your information security and of the structural and physical security of your IT infrastructure. It determines whether and what changes are needed in order to comply with the requirements imposed by the BSI’s regulations (BSI = German Federal Office for Information Security). From this, we derive a catalogue of measures containing concrete technical and/or organizational actions to be taken.
How many colocation providers do you consider to be in a position to offer KRITIS-compliant services?
A lot has happened in the world of colocation providers. For example in terms of fulfilment of the requirements regarding sustainability, redundancy and tier level. As the requirements in terms of critical infrastructures continue to grow, it can be assumed that the colocation providers will also be working hard to move ahead. Otherwise, they will have to worry about keeping hold of their clients.
Can you tell us something about the question of the “control centre of the future”?
If a dangerous situation arises, the control centre initiates the emergency response and coordinates the associated services. These are for example, the fire service, police or rescue service. Control centres are also impacted by the digital transformation. They have to be extended and are also subject to the KRITIS requirements. There is a working group dedicated to the question of the digitalization of control centres. This is particularly important in the light of the growth in potential threat scenarios that we have witnessed. In the past, for example, there were terrorist attacks. Then there came tornadoes and floods and now, it is also necessary to consider possible war scenarios.
What is the scope of application of KRITIS?
The scope of the legislation is defined in the corresponding documents. For more information, please refer to the Federal Network Agency’s statement regarding the scope of application in the light of the amendment (“Notification on certification in accordance with IT security catalogue § 11 paragraph 1a and 1b EnWG (Energy Act) in the event of third-party management operations”) and also consult the BSI.
The limit values have been reduced in many areas. What you think the effects of this will be on ongoing KRITIS audits?
Because the limit values became binding as of the start of 2022 when the amendment came into force, audits that are already in progress will also be affected. What is important is that the required performance is actually provided in practice and that the parameters that are relevant for verifying compliance are satisfied. What counts is not, for example, the fiscal year or anything like that but exactly when a system that is subject to KRITIS requirements or multiple systems of this sort brought together under the same operator identity reached or exceeded this limit value. See also the BSI’s concept of “joint control”. Here, the term does not refer to the physical control or guidance mechanisms. Instead, it means that two systems are only considered to be a joint system if they are under the control of one and the same operator.
How long is KRITIS certification valid for?
According to § 8a paragraph 3 of the Law on the Federal Office for Information Security, operators of critical infrastructures must prove their compliance at least every two years. They must prove that they have reached “state-of-the-art” level. This means that appropriate organizational and technical protective measures must have been introduced and implemented.
The new period for providing evidence of this runs until Q1 2024 (01.04.2024). What consequences do you expect in the case of failure to meet certain individual protection targets?
The legislation has set out a catalogue of financial penalties (§ 14 BSIG). However, it is not at present really possible to foresee how this will be implemented in practice. In some cases, companies will have to consult their legal specialists and carefully formulate the reasons for non-compliance. In the implementation level model, the level-3 “MANDATORY” requirements clearly have to be “completely” fulfilled. However, the title “Orientation guide to the provision of proofs in accordance with § 8a.”) is also qualified as a “Recommendation for action” and this has led to irritation in some quarters. In this area, we will undoubtedly very soon gain greater clarity regarding the consistent, concrete cooperation between auditors, operators and consultants.