Critical infrastructures (KRITIS) provide electricity and water and keep traffic and medical care running. They include all the facilities and systems that a community needs to function. Their failure can lead to supply shortages and public safety problems.
The digital threat situation is intensifying
Critical infrastructures are increasingly threatened worldwide, especially by cyber attacks. For 2022, the damage they caused to German companies is estimated at more than 200 billion euros. Martin Voss, Professor of Crisis and Disaster Research at Freie Universität Berlin, takes a critical view of the situation: "We have made the weak points in the digital infrastructure so that cyber attacks are largely underestimated. All the data that has already leaked out can be stored in the usually tell no one."
One problem: threat scenarios are constantly changing. In so-called DDoS attacks, servers are flooded with so many requests that they collapse. A much more complex method is an APT, an "advanced persistent threat". Hacker collectives may be behind this, penetrating targeted IT networks and spying on them over the long term. Probably the greatest threat, however, comes from ransomware: malware enters the system when someone opens a malicious link in an e-mail. It then encrypts all data, for example, and only releases it again after a ransom has been paid. Greater damage can usually only be averted by complying with the extortionist's demands.
Regulatory chaos to be eliminated
The IT Security Act 2.0 has been in force since May 2021. It significantly expands the cyber security requirements for KRITIS. Systems that automatically detect and counter threats using patterns are mandatory from May 1, 2023. In addition, KRITIS companies must provide the BSI, the Federal Office for Information Security, with information on remedying faults in the event of serious disruptions. The reporting obligations and the powers of the BSI have thus been expanded.
However, these regulations do not affect all areas of critical infrastructure. According to the German definition, a total of ten sectors are grouped under KRITIS. The BSI, on the other hand, reserves the right to divide KRITIS into only eight sectors. State and administration as well as media and culture are not included. This confusion of definitions is not necessary for compliance with uniform standards and is to be eliminated with the help of the new umbrella law on critical infrastructure.
Thresholds under criticism
In its KRITIS regulation, the BSI also defines threshold values that determine when a company counts as critical infrastructure at all. Manuel Atug, expert for IT security, says in the new ARD knowledge documentary series "Germany in an emergency": "The BSI-KRITIS regulation defines exactly according to which threshold value, according to which scale someone is critical infrastructure. Supply For example, if I supply 500,000 people with fresh water, I am a critical infrastructure from the water sector."
According to Atug, these threshold values are too general: if only a little less than 500,000 people are affected by the water supply, the company does not have to comply with the specifications.
Research against cyber attacks: an early warning system for everyone
How to respond better to cyber attacks in the future is also a research topic, for example at TU Darmstadt. An early warning system called CYWARN was recently developed there. One project partner is the federal state of Hesse. CYWARN creates a picture of the cyber threat situation that collects all publicly available information. With the help of this vulnerability report, IT emergency teams then receive all relevant data on the security situation from state authorities. After a test phase, the so-called hessenWARN app is to make the information available to the population in the future.
The digital threats are unlikely to decrease anytime soon. But they should at least not catch critical infrastructure and citizens unprepared.