What companies need to consider when working with CRITIS operators

In this article you will read about,

• which industries count as critical infrastructures (CRITIS) and what risks they are exposed to,
• what will change with the IT Security Act 2.0,
• why suppliers and service providers must also meet CRITIS requirements, and what companies need to consider.

"Critical infrastructures (CRITIS) are organizations and facilities of vital importance to the state community, the failure or impairment of which would result in lasting supply bottlenecks, significant disruptions to public safety, or other dramatic consequences." This is how the German government defines critical infrastructures in its CRITIS strategy and, in the past, it classified nine sectors as indispensable for social coexistence: food, energy, and water supply, healthcare, transport and traffic, the state and administration, IT and telecommunications, media and culture, as well as finance and insurance. The IT Security Act 2.0 (IT-SiG 2.0), which came into force in May 2021, adds the area of waste disposal. For companies and organizations from these sectors, the following applies: failures are hardly or not at all tolerable, at least as soon as the operations in question exceed defined thresholds for supplying a larger number of citizens.

For the CRITIS operators, this in turn means that their infrastructures are particularly vulnerable due to their vital importance for people and society. And that they must provide them with special protection. Among the greatest threats to critical infrastructures, the German Federal Ministry of the Interior (BMI) lists natural disasters such as storms, fires, and earthquakes, as well as technical and human failure. Attacks, crime, and war are also among the dangers that CRITIS operators must take into account in their risk analyses, as well as prevention and protection concepts.

Source: Federal Interior Ministry

In addition, the organizations in the individual CRITIS sectors are in some cases highly interdependent. Failures in one of the sectors can lead to a domino effect and also affect facilities in other sectors. In the highly technologized and digitalized German industrial society, this is a particular risk for services from the IT and telecommunications sectors. For this reason, the IT Security Act regulates the requirements not only for CRITIS operators, but also for their service providers and suppliers. At the same time, it describes the duties and powers of the state. The CRITIS Regulation 2.0 (KRITIS-V 2.0), which has also been updated, specifies which companies are affected by the law and their size. It expands the circle of CRITIS organizations and defines new threshold values.

The IT Security Act 1.0 was already aimed at several addressees, and the new version now adds additional companies:

• Operators of critical infrastructures, for which no exemption applies, must secure their IT according to a level that is "state of the art" and have it audited every two years.
• Telecommunications companies must take security precautions and both report incidents to the BSI and warn their customers in the event of vulnerabilities and show them how to eliminate them.
• Operators of web products and services such as online platforms or cloud computing services.
• With the IT-SiG 2.0, the Federal Office for Information Security (BSI) is given extended powers to check security in the CRITIS sector.
• New: companies in the special public interest, even if they do not belong to any of the defined CRITIS sectors.
• New: Suppliers and service providers to CRITIS operators.

Accordingly, companies that work with hospitals, energy providers, or public administration bodies should also comprehensively put their IT security to the test. The IT Security Act 2.0 also applies to them – including when they use the cloud. For example, if they use company apps or an ERP system from the cloud and process maintenance data there that could indicate vulnerabilities of a CRITIS operation. 

These are the criteria that a company’s cloud strategy should meet when working with CRITIS operators:

• The company's own cloud strategy and use is embedded in a comprehensive information security management system (ISMS).
• A reliable incident management system also covers cloud-related incidents and defines a clear procedure.
• The company's own systems and infrastructures are regularly checked for vulnerabilities and reported to the BSI in accordance with the criticality level specified by the IT Security Act.
• Communication and data exchange with the client and the cloud provider can be carried out cryptographically.
• The contracts with the cloud provider are reviewed by a data protection lawyer for compliance violations and international dependencies as standard.
• The cloud provider's systems must be adequately protected against the above-mentioned dangers – for example, fires, storms, or third-party access.
• The cloud provider has a reliable backup strategy that consistently prevents data loss and offers comprehensive defense strategies, including anti-DDoS, WAF, IDS, firewall-as-a-service, and backup-as-a-service.
• The cloud service provider provides a hardened operating system and ensures data portability.
• All system accesses and network connections are logged seamlessly to identify unauthorized access attempts.
• The services of the data center operator, service provider, network provider, and cloud provider come from a single source, so that it is clear where responsibilities lie in the event of an incident.
• The cloud infrastructure used is operated geo-redundantly in data centers in Europe, so that data and applications are available at all times – even if one site fails.

To be prepared in the event of an incident or disaster, companies should draw up a comprehensive disaster recovery plan. Together with their service provider, they should define all the necessary steps for restoring networks, servers, and data, as well as end devices and connectivity. In this way, operations can continue almost without interruption even if infrastructures, information, or services are deleted, encrypted, or unusable.

To ensure that data and applications are available even if there are outages at a data center location – for example, due to forces of nature – cloud providers such as Open Telekom Cloud offer geo-redundancy. For example, the Open Telekom Cloud's twin-core data centers in Amsterdam mirror the German facility in Magdeburg/Biere. The two locations are located more than 500 kilometers apart. This puts the Open Telekom Cloud well above the BSI's recommendation for critical infrastructures. This stipulates a minimum distance of 200 kilometers between the sites. 
Functionalities such as the Storage Disaster Recovery Service from the Open Telekom Cloud additionally protect users from data loss through continuous data synchronization between two availability zones.