IT Security of Critical Infrastructures – Draft Statutory Instrument to Determine Critical Infrastructures

In July 2015, the German IT Security Act came into force, obliging operators of Critical Infrastructures to implement minimum security standards and to report IT security incidents. However, these duties have only applied to a limited group of operators so far. The full effect of the provisions still depends on the specification by statutory instrument. This statutory instrument is intended to define in more detail the term of Critical Infrastructures. The Federal Ministry of the Interior has now published a corresponding draft.

The draft performs a three-step test in order to determine which facilities provide a significant level of supply for society. First, it defines the services deemed critical (e.g. electricity supply). These can also be split into subcategories (e.g. electricity distribution). In a second step, the draft identifies categories of facilities that are necessary for providing these services. Finally, the draft specifies quantitative thresholds above which a facility counts as significant for the supply of society.

An example from the energy sector:

Step 1: Electricity supply / distribution
Step 2: Distribution grid
Step 3: 3,700 GWh utilised per year

An example from the IT sector:

Step 1: Data storage and processing / housing
Step 2: Data centre
Step 3: Computing power of 5 MW on annual average

The determination of the thresholds is principally based on 500,000 persons supplied. Below this figure, outages could generally be handled by the Agency for Technical Relief (THW) and the Armed Forces using emergency capacities, according to the Federal Ministry of the Interior.

The latter estimates that the draft will classify around 650 facilities in Germany as Critical Infrastructures.

The draft only deals with the energy, water, food and the IT and telecommunications sectors. According to the Federal Office for Information Security (the BSI) it will be enacted in the spring of 2016. The sectors of transport and traffic, healthcare, as well as finance and insurance are to follow by the end of 2016.

The draft’s entry into force will set in motion certain deadlines for operators of Critical Infrastructures. For example, the BSI has to be notified within six months of a point of contact for communication in crisis situations. Notification duties must be fulfilled via this point of contact. Within two years, “appropriate organisational and technical precautions to avoid disruption of the availability, integrity, authenticity and confidentiality of the information technology systems, components or processes” must be taken using the latest technology, and proof of their fulfilment has to be provided.

While the statutory instrument on Critical Infrastructures will contribute to more legal certainty regarding the applicability of the provisions introduced by the IT Security Act, uncertainties will still exist. There is still too much room for interpretation as to whether IT security measures can be considered “appropriate” or whether a disruption is to be classified as “significant”. Operators of Critical Infrastructures should therefore consider the option of formulating industry-specific security standards themselves or via industry associations and have these approved as suitable by the BSI (as provided for in the BSI Act, section 8a(2)). Also, any current debates and publications on IT security standards should be followed closely.

Setting up an overarching sector-specific contact point in accordance with the BSI Act, section 8b(5) can also facilitate the communication with the BSI.

See the full draft here (in German):

Entwurf einer Verordnung zur Bestimmung Kritischer Infrastrukturen nach dem BSI-Gesetz (BSI-Kritisverordnung – BSI-KritisV)