FORMEL K: at high speed towards greater IT security in critical infrastructures

Improving the quality of documentation of compliance

In top-level motorsport, any error can have serious consequences and any attack from an opponent can put you out of the race. At the same time, every component is based on state-of-the-art systems that undergo continuous development and must work reliably under extreme conditions.

Given the enormous advances in digitalisation, the picture is much the same for information technology in critical infrastructures. Critical infrastructure (KRITIS) refers to facilities that are of great importance to the functioning of the community, since their impairment would cause significant supply bottlenecks. A cyber attack on a hospital could cause medical care for patients to fail, putting their lives at immediate risk. A serious IT security incident at a telecommunications provider would affect the availability of numerous other types of infrastructure, or the ability to control them, indirectly causing their failure while also preventing emergency calls from being made. A power failure caused by a cyber attack would have a far-reaching impact, with restrictions in all areas of life, since every other type of infrastructure requires electricity to work.

Just like engines in motorsport, the highly complex and deeply IT-dependent information infrastructure must be reliable and available at all times. In particular, appropriate organisational and technical precautions must be taken on the basis of state-of-the-art technology in order to protect it. These precautions must undergo regular review and assessment, whether as part of a planned pit stop or under the requirement for KRITIS operators to submit documentation of compliance introduced in Section 8a (3) of the BSI-Act (BSIG), which must be fulfilled every two years. For this reason, the KRITIS department of the BSI assesses the submitted documentation of compliance and reviews the correction of any deficiencies identified. Operators and auditors also receive support from the BSI in the form of consultations, workshops and orientation guides.

The first cycle of documentation reviews has now concluded. The fundamental framework conditions and processes within the BSI have been established and evaluated. The findings show that the quality of audits and of documentation of compliance varies significantly. In some cases, these differences make it difficult for the BSI to evaluate the situation at a KRITIS operator without follow-up enquiries, which in turn increases the cost and time required for all parties.

Three initiatives to improve the quality of documentation of compliance

The KRITIS department at the BSI is planning three initiatives to ensure that documentation of compliance achieves a consistent quality level and to make the submission of this documentation more structured and efficient for KRITIS operators:

  1. Formulate overarching requirements in the process for documentation of compliance
  2. Define state-of-the-art technology for selected KRITIS sectors
  3. Promote KRITIS-specific qualification of auditors

The overarching goals of these three initiatives are to counteract divergent developments in the submission of documentation, to improve comparability between operators and to make the submission of documentation for KRITIS operators more structured and efficient.

Initiative 1: "Formulate overarching requirements in the process for documentation of compliance"

The first step in this initiative is to define the instructions in the orientation guide to documentation of compliance, together with further requirements for the documentation process, in a way that raises the quality of documentation across all KRITIS sectors and is user-friendly. Supporting documents are also to be published to make it easier for operators and auditors to implement these requirements. KRITIS operators and their committees are involved so that requirements can be identified and the documentation process optimised for all parties.

Initiative 2: "Define state-of-the-art technology for selected KRITIS sectors"

Pursuant to Section 8a (1) of the BSI-Act, KRITIS operators are required to take appropriate organisational and technical precautions on the basis of state-of-the-art technology. For operators and the BSI alike, there is a fundamental need to give concrete meaning to the abstract requirement of "state-of-the-art technology". The goal of the second initiative is to give operators clear orientation on fulfilling this legal requirement. Documentation of compliance that is more homogeneous in structure should also make processing within the BSI more efficient.

While sector-specific security standards (B3S) have been established and continuously developed in certain sectors for many years, there is still no B3S available for other industries. The goal of the BSI is therefore to define the abstract requirements, particularly for sectors with no B3S. This is to be achieved by providing instructions on creating KRITIS-Grundschutz profiles (IT-Grundschutz profiles focused on providing a critical service). There are also plans for selected sectors to support the application of these instructions in order to provide an example of how to create a KRITIS-Grundschutz profile of this type for operators or sector associations.

Initiative 3: "Promote KRITIS-specific qualification of auditors"

The evaluation of documentation of compliance has also shown that the qualification of auditors has a significant impact on the quality of the audit and thus on the documentation submitted. The BSI is therefore planning to define a standard (minimum) qualification level for KRITIS auditors that takes account of the KRITIS-specific aspects of audits pursuant to Section 8a (3) of the BSI-Act which go beyond those of other audits. In this way the BSI aims to achieve higher-quality audits and greater standardisation of the documentation it receives.

This initiative will include operators, auditors and training providers, who will contribute their experience and best practices.

Improving the quality of documentation helps operators, auditors and the BSI

The three initiatives of the KRITIS department presented above aim to improve IT security in critical infrastructure, thereby helping to maintain the engines of the community and ensure a reliable supply of electricity, water, food and other essential goods and services to society.