Definition of critical infrastructures and their sectors
Critical infrastructures (CRITIS) are, according to the German Federal Ministry of the Interior, for Construction and Homeland, “organizations and facilities of major importance to the state community, the failure or impairment of which would cause lasting supply bottlenecks, significant disruptions to public safety or other dramatic consequences.” [1] This means that a failure of these infrastructures can have a major impact on the population and the state and must therefore be avoided at all costs.

In view of growing IT threats, the German parliament passed the BSI Act on the Tasks of the Federal Office for Information Security in 2009, according to which CRITIS must meet increased requirements in the area of IT. However, this law does not define which companies, organizations and institutions are CRITIS. For this purpose, the Ordinance on the Determination of Critical Infrastructures under the BSI Act, also known as the BSI Criticality Ordinance, was drawn up. This ordinance stipulates that companies in the sectors shown in the figure can be designated as CRITIS if they fulfill the corresponding criteria. The BSI Act is currently being revised to include further sectors and companies of particular public interest as CRITIS.

The requirements for CRITIS are described in the annex to the BSI Criticality Ordinance by means of asset categories, assessment criteria and threshold values. By way of example, hospitals in the healthcare sector are only considered CRITIS if they perform at least 30,000 full inpatient treatments per year. This threshold is quite high compared with the case numbers of most German hospitals, so many smaller hospitals do not fall under the CRITIS regulations. Such a distinction should be reconsidered in the long term, because even a small hospital can be essential for the care of the population if there are no other medical facilities nearby. On the basis of the definition of CRITIS alone, these hospitals should therefore also be assessed as critical.

The energy sector includes both plants that generate energy, e.g. electricity, and plants that distribute it. The growing dependence on electricity does not only cause problems for companies when suppliers or power generators suddenly fail. The population is also increasingly dependent on it, so that in the event of a power outage even preparing food, and above all keeping refrigerated food, already poses major challenges.

The health sector is essential to ensure medical care for the population. Family doctor care, medical care for chronically ill people in home care and the functioning of hospitals are all necessary to ensure the health care of the people. The dependencies on the other CRITIS sectors are particularly noticeable here: a power failure brings most doctors’ practices to a standstill, whereas hospitals are required by DIN VDE 0558-507:2008-12 to maintain an emergency power supply for 24 hours and thus to keep their facilities functional. Accordingly, only hospitals above the above-mentioned threshold are assessed as CRITIS in the healthcare sector. Other CRITIS in the healthcare sector include pharmacies and suppliers of the medical materials required for treatment.

The information technology and telecommunications (IT and ICT) sector is an important area of communications. Besides keeping IT systems operational, securing telephone services is also among the tasks of these CRITIS. Primarily providers of access or transmission networks, but also other areas such as switching, can be defined as CRITIS.

Transportation and traffic are also important components of public life. The COVID-19 pandemic demonstrated that even as protective measures are implemented and many businesses are closed, business sectors whose employees rely on public transit or transportation infrastructure remain active. Maintaining basic needs can therefore also be seen as important for the common good.

Media and culture are not defined as CRITIS according to the BSI Criticality Ordinance, but are to be classified as essential for informing the population. Warning people, but also passing on information, are thus in any case among the tasks that are necessary to ensure the common good.

The water sector includes, among others, the suppliers of drinking water, as well as plants for the production of drinking water. A failure of these companies can bring many challenges, especially if it is prolonged.

The finance and insurance sector is of particular importance to the state community. A failure in this sector causes payment bottlenecks, which affect not only the state but also the population and can have a major impact. If payment transactions fail, it can be assumed that crime committed to obtain goods will increase, since people without money will not be able to obtain the food they need to live. Further consequences are to be expected as a result.

Nutrition is one of the most important issues for the population. Very few households have sufficient reserves to last several days or a few weeks without making a purchase. Securing supplies is thus imperative, as demonstrated by the sudden panic buying during the COVID-19 pandemic. Despite announcements that food would continue to be available without restriction, certain foods were purchased in larger quantities and the population’s food stocks were expanded. In principle, there is nothing wrong with stockpiling, but panic buying can also lead to looting if the population fears not having enough food. Access to food and drinking water must therefore also be assessed as CRITIS.

The government and administration sector comprises all activities performed by the federal government, the federal states or municipal administrations. A failure of the federal government, e.g. due to illness or the death of a large number of those responsible, can restrict its ability to act and thus have a wide range of consequences. For example, civil defense falls under the responsibilities of the federal government, which may be used ineffectively or not at all in the event of a lack of capacity to act, and thus the protection of the population may be lacking. This sector is also not defined according to the BSI Criticality Ordinance, but must also be assessed as a CRITIS. Maintaining the ability to govern is essential for the state to function.

The BSI Act 2.0 also aims to include the waste disposal sector as CRITIS. This primarily concerns the disposal of waste so that the population can continue to live without restriction.

For the healthcare sector, it has already been explained that there are dependencies between the sectors. These dependencies can vary in intensity and in some cases be limited to individual sectors, but they increase the risk that the failure of one company will have an impact on other sectors. For example, hospitals depend on electricity, but also on IT, water, food, finance and waste disposal. In addition, staff use transportation infrastructure to reach the facility and provide medical care. In emergencies, additional staff are called in via the media to increase personnel capacity, and without the state-organized rescue service, the population must make its own way to hospitals.

Exceptions
Within the sectors, all companies that meet the criteria of the BSI Criticality Ordinance are generally assessed as CRITIS. However, the BSI Act also defines exceptions. These include, as shown below, that the requirements for CRITIS do not have to be met if companies have already introduced comparable measures or have their main headquarters in another EU country. The latter companies are subject to the requirements of that country. Exceptions are also defined for licensees under Section 7 (1) of the Atomic Energy Act, as well as for operators of public telecommunications networks and telematics infrastructures. The exact provisions of the exceptions can be found in Section 8d of the BSI Act.

Laws to be complied with
Ensuring the functionality of the CRITIS is sought through various requirements. In addition to general laws, such as the Occupational Safety and Health Act and the Federal Performance Act, sector-specific laws must also be complied with. These are shown for the sectors in the figure below.

These laws stipulate requirements that must be complied with in order to ensure the provision of services by the companies and thus the common good. One example is the Water Security Act, which stipulates that the vital need for drinking water and process water must be available for firefighting work, for example. The other laws to be complied with are comparable with this law and describe in each case for the sectors that a safeguarding of the service is obligatory.

Certification
In summary, all companies that are considered CRITIS have to fulfill various requirements and laws. For the IT sector, BSI Standard 100-4 was developed as a guideline for ensuring the functionality of critical enterprises, with the aim of increasing their resilience. Its transferability to the other sectors has so far been considered only partial, since the standard focuses on IT. The new BSI Standard 200-4 recommends certification in accordance with DIN EN ISO 22301, which describes business continuity management. This standard applies not only to IT but to all other business areas as well. It enables a certification that can be implemented regardless of a company’s legal form and size and, in the long term, can replace the multiple certifications of individual company departments (IT, QM, etc.).

If you would like to learn more about DIN EN ISO 22301 and Business Continuity Management, we recommend our Business Resilience Blog. This covers many different exciting topics of crisis management and gives an insight into the most common standards, which include DIN EN ISO 22301, as well as business continuity management.


Literature
[1] German Federal Ministry of the Interior, for Construction and Home Affairs (2009): National Strategy for Critical Infrastructure Protection (CRITIS Strategy). (German: Bundesministerium des Innern, für Bau und Heimat (2009): Nationale Strategie zum Schutz Kritischer Infrastrukturen (KRITIS-Strategie)). Available online at https://www.bmi.bund.de/SharedDocs/downloads/DE/publikationen/themen/bevoelkerungsschutz/kritis.pdf;jsessionid=977C43722CACC70E88EC2530B9ADAA9A.1_cid287?__blob=publicationFile&v=3, last checked on 06.10.2021.


An article written by Anna Müller, published on 10 September 2020
Translated by Charlotte Ley