The 3rd network meeting of the KRITIS industry focused on modern and sustainable solutions for securing critical infrastructures.
The background to the invitation: Operators of critical infrastructures are facing immense challenges. The crises of recent months have clearly shown that critical infrastructure is still vulnerable and open to attack. At least since last year’s acts of sabotage, many of which made it into the media: “We are living in turbulent times,” said Kentix CEO Thomas Fritz, opening the event with a brief overview of the current situation. One thing is clear: the physical security of vital sectors and structures such as energy, telecommunications and mobility is not in good shape. The IT Security Act (IT-SiG) has been in force in Germany since 2015. However, a cross-sector and cross-hazard legal basis that explicitly regulates the physical protection of critical infrastructures is still completely lacking. Politicians have recognized the need for action and are now making up for this with the upcoming KRITIS umbrella law.
A law on the physical protection of KRITIS is completely missing – politicians are now making improvements
A key points paper was adopted by the Bundestag in December 2022. A corresponding law is to follow shortly. The basic tenor: Critical infrastructures must be better physically protected in future. The exact requirements of the new IT Security Act 3.0 and the KRITIS Umbrella Act are currently still open. However, it is clear that many more companies and organizations will be part of the critical infrastructure in the future. Holger Berens, Chairman of the Board of the German Association for Critical Infrastructure Protection (BSKI), demonstrated this in his presentation. This is because threshold values and definitions will also be adjusted with the new laws. This means that “medium-sized and large facilities from a range of sectors that do not belong to the so-called critical infrastructures (Kritis) will fall within the scope of application,” says Berens. “In future, the requirements will include providers of public electronic communication services and digital services, wastewater and waste management, manufacturers of critical products such as medical devices, machinery and vehicles, postal and courier services and public administration at central and regional level.”
The sanctions for failing to implement the new laws are tough. Authorities will be able to issue instructions to operators, issue public warnings and appoint a supervisory officer. If improvements are not made even then, certifications or even the operating license could be withdrawn. Another important novelty is that managing directors or board members of operators can be held personally liable for violations.
One topic, many approaches
The conclusion of the day is correspondingly reflective. “It has become clear to me that the KRITIS market offers huge potential for us as a security integrator – much greater than assumed and politically supported or promoted,” says Jens Möller, Director Business Development at e-shelter security. “The event once again highlighted how important the protection of critical infrastructures is,” summarizes Mario Lukas from TÜV Informationstechnik GmbH and emphasizes: “Operators of such infrastructures will face further far-reaching regulatory requirements in the future. TÜVIT is definitely ready.” For Kentix CEO Thomas Fritz, the key message of the event is that “physical security is becoming part of IT security. Liability will also be exciting in the future. We really are living in turbulent times!”
