KRITIS-Dachgesetz & IT Security Act 3.0: What does this mean for companies?

What can operators of critical infrastructures expect this year? Quite a lot, judging by the requirements of the new KRITIS Umbrella Act (KRITIS-Dachgesetz) and the IT Security Act 3.0. One of the most important changes: a reassessment will increase the number of infrastructures classified as critical. All KRITIS operators will also have to meet significantly higher requirements, even though the exact legal requirements have not yet been finalized. For operators, this initially means more cost and effort for procurement, installation and monitoring. Can the legal requirements for physical security be met easily and in a resource-efficient way?

Operators of critical infrastructures will face enormous challenges in 2023. After all, the crises of recent months have clearly shown that critical infrastructure is vulnerable and open to attack. Ever since the acts of sabotage on Deutsche Bahn and the Baltic Sea pipelines, it has been clear that the physical security of vital sectors and structures such as energy supply, telecommunications and mobility is not in good shape.

It is not only the supply of essential goods such as energy, water and food that is at risk. In a globally networked world, a single incident can severely disrupt entire supply chains, and the result is critical, economically debilitating supply bottlenecks.

Politicians take action – new laws and requirements are in the works

A cross-sector, all-hazards legal basis that explicitly regulates the physical protection of critical infrastructures is still entirely lacking. The only law Germany has is the IT Security Act (IT-SiG), in force since 2015, which regulates, at least in part, the physical security requirements for the IT infrastructure to be protected. The current version, IT-SiG 2.0, has defined the sectors classified as critical and the corresponding thresholds since May 2021. IT-SiG 3.0 is due to come into force in 2024 at the latest, and it will change a great deal for KRITIS operators: many new sectors will then count as critical infrastructure, probably including aerospace, chemicals, industry, digital services, ICT services (managed service and managed security providers), public administration and research.

Lower thresholds for identifying KRITIS companies and organizations will also be introduced, and stronger sanctions (comparable to those under the GDPR) will apply. What is new is that the thresholds will in future be based on company size and turnover. In plain terms: there are currently around 1,600 KRITIS operators in Germany, and this figure will rise significantly by 2024. The new KRITIS Umbrella Act is also due to come into force before the summer of this year; the German government adopted a corresponding key issues paper last December.

How can companies in the KRITIS sector prepare?

The specific requirements have yet to be designed, but access control, detection systems and monitoring of system status are at the forefront. Meeting the legal requirements will require investment: more physical security means additional planning and implementation work, especially at the outset, and as the number of security systems grows, so does the number of staff needed to monitor them. Depending on the size of the company, the costs can be considerable. Anyone who knows their requirements early can secure the appropriate resources in good time, before they become scarce on the market or available only at a premium.

Costs and effort can be minimized with IoT technology

Is there a way to meet the legal requirements and improve internal processes at the same time? The answer lies in a fully digitalized IoT system that monitors as many sources of danger as possible with as few components as possible and collects as much data as possible. An unbeatable advantage: an IoT-based system is also suited to distributed infrastructures. If all components run the same software, the size of the area to be monitored is irrelevant, as the system can be expanded as needed.

For more information, read the related technical article “KRITIS in 2023 – new and higher requirements for physical security”.


Physical Security for your Digital World

With our IoT solution KentixONE, you only need ONE system for physical security in the company