What sector-specific requirements do KRITIS operators need to be aware of?
There are specific thresholds for all sectors to ensure that really only those companies that are relevant to social life are classified as critical. As a rule, the thresholds are tailored to serve a lower limit of half a million inhabitants. In the energy sector, for example, this is the amount of electricity, heating oil, aviation fuel and the like provided; in the water sector, it is the amount of drinking water, but also the number of households connected to the sewer system. In the IT and TC sector, different factors are relevant depending on the service: Network subscribers, instances, domains, qualified certificates and server certificates, and in the case of data centers also power consumption - here a new lower limit of 3.5 instead of the previous 5 MW applies. Companies themselves are responsible for finding out whether they fall under the KRITIS rules and must take the appropriate steps. The lead and transition periods have now expired.
That means it would be important to keep KRITIS relevance in view on an ongoing basis?
Exactly. The law was passed in August 2021 and came into force on January 1, 2022. Affected facilities had to be registered by April 1 – and by the same date, KRITIS companies must also comply with the associated cybersecurity measures. This is likely to catch one or two new entrants among the KRITIS operators by surprise, not least because there is a threat of severe penalties. They will have to provide proof of implementation through KRITIS audits by April 1, 2024 at the latest, so there is at least a little time left. But even those who are not affected by the current classifications cannot sit back and relax. Further changes to the IT Security Act or the KRITIS Regulation are also planned for the current year. This means that a new delimitation of KRITIS relevance can occur at any time. So you should always keep an eye on the industry-specific thresholds. To be safe, it is advisable to consult experts here. Rosenberger OSI offers a non-binding quick check as an orientation aid as to whether KRITIS relevance exists. The focus of the check is the examination of the affiliation to KRITIS sectors, the classification with regard to threshold values and the evaluation of industry-specific peculiarities.
The KRITIS regulation requires IT to be adequately secured in line with the “state of the art”. What does this mean?
With the term "state of the art", the legislator avoids static specifications that soon become obsolete - because technical development is faster than legislation. What constitutes the current "state of the art" can be derived from various national and international standards, such as DIN, ISO, DKE or ISO/IEC. In addition, models for the respective area that have been successfully tested in practice can also be consulted. The goal is to take appropriate precautions to prevent disruptions; this refers, for example, to the availability, integrity, authenticity and confidentiality of the information technology systems, components or processes. The measures taken must be certified and proven to the BSI (German Federal Office for Information Security) within two years of the KRITIS regulation coming into force and renewed every two years. However, classic certifications such as ISO 27001 or BSI IT-Grundschutz alone are not sufficient for this.
Which KRITIS requirements must be observed for data centers and server rooms?
This depends on the need for protection and the availability requirements for the data center or server room. This can be the need for high availability, but also that certain requirements must be met for the location of the data center. With the certification according to the self-developed TSI.STANDARD, TÜViT has created a system that differentiates between four different levels, which reflect the quality of the supply systems as well as all other elements. It builds on the TSI (Trusted Site Infrastructure) methodology for testing and certifying the physical security and availability of data centers, which has been established since 2001. The TSI.STANDARD is continuously developed to reflect the current state of the art and standards - just as the BSI requires of KRITIS operators.
How does the infrastructure in data centers with high availability and protection class have to be optimized?
To build data centers with high protection class and availability, it is not enough just to optimize the IT infrastructure accordingly. The main vulnerabilities and risks in and around the data center, as well as the associated services - for example, DNS or certification services - should be considered in detail. And this should be done in a repeated process.
What exactly does this mean for the testing and evaluation of new data center buildings as well as existing data centers? In and around the data center?
In concrete terms, this means not only looking at the structure of the cabling or the power supply and the redundancies designed for it, but also the data center environment or aspects such as building construction, fire protection or security systems. In order to fulfill the KRITIS obligations, Rosenberger OSI checks how the valid requirement catalogs fit with the existing structural and physical security of the IT infrastructure. This analysis and evaluation results in technical and/or organizational lists of measures which, when implemented, can then guarantee the required level of security in accordance with the protection requirements to be met for the IT.
What does this mean for companies that are in the process of modernizing their infrastructure and fall under the BSI requirements?
The question of KRITIS relevance may come up in the middle of the IT modernization movement. If a company is an operator of critical infrastructures, then it is advisable to conduct an inventory and an analysis of the IT infrastructure. To fulfill the KRITIS obligations, the catalog of requirements should first be examined in an assessment. More information on further steps in the video.