Consulting for KRITIS Operators

Neutral consulting from the BSI

Pursuant to Section 3 (3) of the BSIG, the BSI can provide operators of critical infrastructures (KRITIS) with advice and support in securing their information technology on request. The BSI provides its consulting on a confidential and manufacturer-neutral basis. The BSI is obliged to invoice KRITIS operators for the costs incurred in accordance with the BMI fee ordinance.

Consulting objective

The consulting provided by the BSI focuses on the specific information security challenges in each customer's particular operational scenario. The consulting regularly comprises recommendations on using products to strengthen information security.

With the help of BSI consulting, customers gain the ability to find – either independently or along with other external service providers – the best possible solutions for their purposes and specific circumstances and put them into practice on a long-term basis.

Distinguishing consulting from supervision and document verification

Pursuant to Section 8a (3) of the BSIG, KRITIS operators are obliged to demonstrate to the BSI that they have put suitable security safeguards in place. In this context, the BSI acts as a supervisory authority, whereas in relation to consulting, the BSI takes a cooperative approach.

For all parties involved, it is important that the role being carried out by the BSI be clearly defined in each individual situation.

Above all else, it must be ensured that there is no overlap between the consulting the BSI provides to operators regarding information security design (cooperation) and the assessment the BSI undertakes regarding security safeguards (supervision).

This distinction is achieved in particular through strict separation of the staff the BSI deploys for consulting and verification activities. BSI employees who have provided consulting to a KRITIS operator may not be employed to assess or verify the security safeguards put in place for the same KRITIS operator.

In contrast to consulting, the regular supervision of KRITIS operators is carried out at a higher level of abstraction and is less personal. It comprises the following fields of activity:

  • Providing orientation guides, guidelines, recommendations, interpretation aids and application notes regarding the implementation of the abstract requirements of the BSIG
  • Holding information events and workshops for KRITIS operators
  • Responding to requests from KRITIS operators regarding problems in implementing the BSIG and discussing possible solutions
  • Communicating with KRITIS operators or their associations to discuss current projects, challenges and possible solutions. This includes in particular exchanging information about plans and innovations relating to KRITIS facilities and their potential effects on the information security of the critical services (kDL) in question.

BSI and KRITIS operators benefit from targeted supervision

The continuous communication that takes place as part of the supervision provided by the BSI, in close cooperation with KRITIS operators, also helps to deepen the BSI's sector expertise and specialist knowledge of critical infrastructures.

The targeted supervision of KRITIS operators leads to considerable benefits for both the BSI and KRITIS operators. KRITIS supervision also does not involve any costs for KRITIS operators, as the resulting improvement in the quality of their compliance documentation helps reduce the resources deployed by the BSI to assess and verify said documentation.

Contact the KRITIS office