Critical infrastructures must be protected now

01.04.2025

Germany needs to be better prepared for disasters and security risks. To this end, a draft law to strengthen the resilience of critical infrastructure (KRITIS), the so-called KRITIS umbrella law, was introduced last year. The new government now has a duty to address the issue promptly and protect critical infrastructures with a solid KRITIS umbrella law.

"In the area of critical infrastructure, we can see that the risk situation with the war in Ukraine and other threats is now completely different to ten or fifteen years ago. As a result, operators are confronted with new tasks - in the area of cybersecurity, but also in the physical protection of plants against prolonged power outages, for example," says Hans Koopman, Managing Director of TÜV NORD EnSys. Koopman is therefore calling for the EU Critical Entities Resilience (CER) Directive to be transposed into national law in the short term. There should be no unnecessary delays due to the change of government.

The KRITIS umbrella law provides operators of critical infrastructure facilities with a guideline that can be used to create a standardised high level of security throughout Germany; this includes system security, but also emergency plans and processes to reduce downtimes in the event of damage and much more.

In Germany, KRITIS is divided into ten sectors that are of crucial importance to the functioning of society and the economy. Specifically, these are energy and water supply, food production and distribution, information technology and telecommunications, transport and traffic, medical and pharmaceutical supply, finance, social security services and basic security, the protection of space infrastructure and the disposal and recycling of waste. If they are impaired or fail, this can have a significant impact on public safety, the economy and social life. "At TÜV NORD, we have a lot of experience in this area because we have been looking after high-risk technology such as nuclear facilities for decades. With our expertise in functional safety and systematic risk analyses, the assessment of human-technology organisation and cyber security, we support operators in actively creating a high level of resilience and security of supply," emphasises Hans Koopman. There are still no regulatory requirements. It is up to operators to protect their systems adequately.

The planned umbrella law will oblige operators of critical infrastructures to regularly carry out a risk assessment of their facility and implement suitable measures to minimise risks. This also includes the physical security of the facility. "Some data centres are already setting standards here, whose operators want to demonstrate a high security standard and a corresponding level of physical security in their own interest," says Lars Wilke, Lead Expert Physical Security of Infrastructures and Data Centre Lead Auditor at TÜV NORD. An interdisciplinary team has therefore long been dealing with environmental risks such as geological hazards, explosion risks or flood hazards, structural safety, fire alarm and security systems, physical protection of data cabling and the availability and protection of power and cooling supply systems. "There are numerous levers for greater security that we can analyse and also apply to other critical infrastructure properties."

Another aspect of the KRITIS umbrella law is the extended reporting obligation in the event of incidents that could affect the resilience of critical facilities. This should enable a faster response and better coordination between the stakeholders concerned, both nationally and at EU level.

And finally, it will be about protecting sensitive information. "Strict security and data protection measures are essential, especially for critical infrastructures, when artificial intelligence (AI) applications are used," says Hans Koopman. "With analyses and risk assessments, we contribute to the secure, efficient and compliant integration of AI technologies in Germany's industry and critical infrastructures." This involves, for example, issues relating to the application of AI solutions in line with requirements; standard solutions are usually not enough here, says Koopman. The experts at TÜV NORD can make a statement on whether the implementation of a particular AI system is risky and provide support in the implementation of data protection measures and security protocols to ensure compliance with the GDPR and protection against cyberattacks.

About the TÜV NORD GROUP

Founded over 150 years ago, we stand for security and trust worldwide. As a knowledge company, we have our sights firmly set on the digital future. Whether engineers, IT security experts or specialists for the mobility of the future: in more than 100 countries, we ensure that our customers become even more successful in the networked world.

Contact

Svea Fricke, Corporate Communications, TÜV NORD GROUP

Certification, Sustainability