A definition.

Critical infrastructures are organisations and facilities of major importance for society whose failure or impairment would cause a sustained shortage of supplies, significant disruptions to public order, safety and security or other dramatic consequences. In 2011, these were classified into nine sectors. In 2021 Municipal Waste Disposal was added, but this still requires cross-sector coordination.

The risks.

Critical infrastructures have to be protected from all kinds of dangers, including storms, floods, droughts, earthquakes, pandemics or anthropogenic catastrophes, which includes terrorism, war, sabotage and malware.

The Federal Office for Civil Protection and Disaster Assistance (BBK) writes: “Besides terrorist attacks, cyberthreats are also on the rise and endangering our critical infrastructures.” There’s a focus being placed on the interdependencies of the sectors and industries that dramatically increase the risk of failure of critical infrastructures. In this context, the BBK says: “In what is a complex meshwork of critical infrastructures, the energy, information technology and telecommunications sectors play a crucial role. […].” In other words, IT and cybersecurity play a central role when it comes to protecting critical infrastructures.

Politics.

Recently, protection of critical infrastructures has been gaining momentum. In July 2022, the Federal Ministry of the Interior introduced its new cybersecurity agenda, before stating in October that: “The security of our critical infrastructure has the highest priority”. At the beginning of December, the German government passed a new law governing critical infrastructures, preceding the decision of the European Parliament and Council from 14 December: Directive (EU) 2022/2557 on the resilience of critical entities.

The deal was sealed on 27 December, when the NIS-2 directive “on measures for a high common level of cybersecurity across the Union” was published. Member states will have 21 months from the entry into force of the directive in which to incorporate the provisions into their national law.

The eight most important updates at a glance.

1. All organisations that fall under the 18 sectors defined in NIS-2 with at least 50 employees and €10 million turnover will be regarded as critical.

2. The sectors are divided into the categories “essential” (11) and “important” (7). All “essential” organisations will be regulated regardless of their size. This also applies to special cases (monopolies, companies of special importance or with cross-border dependencies).

3. New sectors – Space, public administration, energy (hydrogen), health (medical research and technology), research (research institutes) and ICT service management will be classed as critical infrastructures in future.

4. Supervisory and implementation measures will be tightened.

5. Higher fines – For “essential” facilities a maximum of €10 million or two percent of the annual global turnover. For “important” companies up to €7 million or 1.4 percent of their annual turnover.

6. Risk analysis and information security concepts have to be created as well as the establishment of measures for dealing with security incidents and maintaining operations.

7. Supply chains are gaining in importance – Zero trust principle, network segmentation, identity and access management as well as trainings for employees must be introduced.

8. In the framework of the German IT Security Act 2.0 (IT-Sicherheitsgesetz 2.0), companies that are classified as critical have to implement systems for attack detection as early as 1 May 2023.

Questions & answers.

Mr Grusemann, what impact will the changes of the NIS-2 directive have on companies?

Christian Grusemann: One thing is sure and that is that in future more organisations will be classified as critical infrastructures. For one, because new sectors have been added; for two, because the previous thresholds have been replaced with new ones that are oriented towards turnover and employee numbers.

EU member states will have until October 2024 to incorporate the provisions into their national law. That still leaves quite some time, right?

Not at all. Complex projects related to the cybersecurity of critical infrastructures always have to consider three things – organisational measures, technology that is state of the art (for example modern systems for attack detection) and the human factor – the employee as the first line of defence against attackers.

Christian Grusemann, Business Manager Security, Bechtle.

Sounds extensive.

Absolutely. Organisations affected need to implement management systems for information security (ISMS) and business continuity (BCMS) as well as a whole raft of technological measures. These also include network segmentation, identity and access management as well as the introduction of sensors and technologies for attack detection and defence by means of the security operation centre (SOC/SIEM). Also, the measures concerning attack detection will already be put into effect as early as 1 May 2023 as part of the German IT Security Act 2.0. The systems in place will face auditing by the BSI.

How can Bechtle help?

Across the board—organisation, technology, attack detection and defence. The Bechtle Group prides itself on having more than 300 security specialists that accompany our customers in ISMS projects from gap analysis to introducing and maintaining evaluation and in identity and access management, mail and cloud, workplace or network security. Also, we have colleagues who are specialised in cyber defence, prevention, detection and reaction by means of Bechtle’s very own SOC (Security Operation Centre).

Bechtle and Cybereason develop innovative on-premise solution to protect end devices.

Composed of a hardware appliance and software, the plug-and-play solution allows organisations such as government agencies or critical infrastructure providers, which are restricted in their ability to leverage cloud services, to reap the benefits of a highly-modern AI-driven security platform.
