Satellites naturally count as critical infrastructure – however, only a small part of their ground stations are regulated by law as “critical infrastructures” (known as “KRITIS” in Germany). An eco event held at DLR in April shed light on the future legal implications of NIS2 and the German KRITIS Umbrella Act and provided concrete examples of how best to prepare for attacks.
There is no waste collection in space. Astronauts take the waste that accumulates on the International Space Station (ISS) to one of the supply modules that regularly dock at the station. When the module is full, it is allowed to burn up in the Earth’s atmosphere.
Just like waste disposal, information technology (IT) must also function reliably and under control – this applies on Earth and in space. Both are part of the critical infrastructure (KRITIS), which is indispensable for the provision of services of general interest in our society. Therefore, this infrastructure must be resilient, as demanded by both the EU and the German federal government: The KRITIS Umbrella Act and the NIS2 Implementation Act (NIS2UmsuCG) call for more resilience and physical security for critical infrastructures and a strengthening of cybersecurity.
What level of protection is appropriate for critical infrastructures?
The legal situation is currently very complex, as the KRITIS Umbrella Act and the NIS2UmsuCG are two separate pieces of legislation that both aim to ensure more cybersecurity and resilience. The NIS2UmsuCG is due to come into force in autumn 2024. It will transpose the EU-wide cybersecurity requirements of the EU NIS2 Directive into German regulation and will affect tens of thousands of companies in Germany. At the meeting of the eco KRITIS Competence Group on 9 April at the German Aerospace Center (DLR), Dr Daniel Lichte, Head of the Resilience and Risk Methodology Department at the DLR Institute for Terrestrial Infrastructure Protection, provided an overview of the current status of the KRITIS Umbrella Act. “In the current situation, KRITIS operators are forced to wait for the final draft law. At the same time, they should already strengthen their internal risk expertise on risk management. It is also important for KRITIS operators to participate in legislative procedures through their industry associations and contribute to resilience standards,” says Daniel Lichte.
Five To-Dos for critical infrastructure operators
“Now is the time when operators of critical facilities are well-advised to ensure greater cyber resilience,” stated Ulrich Plate, nGENn GmbH and Leader of the eco KRITIS Competence Group. By the implementation deadline in October 2024, the approximately 29,000 companies and institutions directly affected in Germany should ideally be NIS2-ready. In future, numerous organisations that have so far not counted as operators of critical infrastructures will also fall under the regulation, and this is not easy for all of them. At the same time, the requirements are becoming much more demanding. “Violations of obligations such as insufficient implementation of security measures or missed reporting and registration deadlines could result in hefty fines and, above all, personal liability risks for Managing Boards,” says Plate.
What is also new, however, is that the law provides concrete guidelines on how companies must behave. From the future binding catalogue of measures, Ulrich Plate gives five tips for cybersecurity compliance:
- Implement a Business Continuity Management (BCM): Invest now in technical and organisational tools to protect your operations from crises and threatening disruptions – and if something does happen, recover quickly and in a controlled manner.
- Manage your cybersecurity risks: Analyse your IT structure – internally and with service providers – and derive protective measures that meet the state of the art. This ranges from attack detection systems to cyber hygiene, which not only means sufficient length of passwords, but also, for example, securely segregated network segments.
- Check your supply chain security: If you are an operator of critical facilities, it is your duty to ensure the compliance of your suppliers, including software manufacturers and infrastructure providers. This applies not only to cloud and service providers, but also to the procurement, development and maintenance of your IT systems.
- Install comprehensive IT baseline protection: In addition to technical aspects, infrastructural, organisational and personnel issues are also considered. This includes procedures for the use of cryptography and all measures that reduce IT security risks due to the human factor. Use multi-factor authentication and secure communication systems, even in an emergency: printed emergency manuals and classic radios are a blessing if your IT fails completely.
- Training, education and awareness: Empower your staff and management bodies and raise awareness of security risks. Particularly vulnerable target groups should be familiarised with social engineering and other tricks that are not always IT-related before, for example, an AI-altered voice on the phone can successfully impersonate a CEO.
Sandro Cumini from the Swiss IT Security Group reported on the world’s most common business risks – ranging from cyber incidents to fire or climate change – and how organisations can prepare themselves through Business Continuity Management (BCM). “Business Continuity Management is a strategic approach to ensure that an organisation is able to maintain essential business processes even under extreme conditions,” said Cumini. The new legislation obliges operators of critical infrastructures to take appropriate organisational and technical precautions – for example in the form of BCM.
Pentesting makes cybersecurity realistically assessable
Pentests also contribute to more resilience, as demonstrated by Benjamin Tiggemann and Daniel Bergers from NetCologne IT Services. They explained different penetration tests and why these should be a critical component of a company’s cybersecurity strategy. “Pentests cannot be replaced by anything else, as they show whether security measures are effective and transparently reveal how vulnerable I really am,” says Benjamin Tiggemann. The cyber attackers’ bag of tricks, for example in the area of social engineering, is huge. Purple team exercises, for example, are helpful in simulating real attacks. A red team acts as the attacker, while the blue team defends the IT infrastructure.
After a refreshing lunch break, DLR offered a tour of the DLR campus with many interesting impressions – including the training area for future astronauts. In a replica of the Columbus module of the ISS, astronauts in Cologne-Porz can train and experience how vital critical infrastructure is in space and on Earth – whether it’s about waste disposal or optimal protection of IT components.