Critical infrastructure

Definition and delimitation

Critical infrastructures are organisations and facilities that are of outstanding importance for the security of supply of society ^[1]. Restrictions in the supply or even a failure of the same would thus lead to considerable supply bottlenecks and a far-reaching impairment of the functioning of the state and society ^[2]. The specific characteristic of critical infrastructures is therefore criticality, which assesses the effects and consequences of a disruption or failure of the infrastructure ^[3].

In Germany, the following sectors are classified as critical infrastructures:

Energy
Food
Finance and insurance
Health
Information technology and telecommunications
Media and Culture
State and Administration
Municipal Waste Disposal
Transport and Traffic
Water

Individual industries are assigned to each sector. In the energy sector, these are electricity, gas, mineral oil and district heating. A critical infrastructure operator is one who exceeds a specific threshold of people to be supplied. This threshold can vary depending on the sector. The sectors of state and administration as well as media and culture are subject to different legislation than the other seven sectors. This is due to the fact that the government and administration sector cannot be regulated by a competent authority. In the media and culture sector, the legislative competence lies with the Länder and is thus not regulated by the federal government.

History

The importance of infrastructure became apparent as early as during the First and Second World Wars, when it was exposed to targeted attacks ^[4]. However, the fact that infrastructure should also be protected in peacetime was emphasised in the 1990s by a US expert commission when it defined sectors in the USA that were particularly worthy of protection. This was followed in 1997 by the first interdepartmental working group in Germany, which defined sectors as critical infrastructures, worked out threat scenarios, identified weak points and pointed out possibilities for preventing damage.

The classification of critical infrastructure as such changed over time. Among other things, this has been influenced by increasing privatisation, as today around 80% of critical infrastructures in Germany are in private hands ^[5]. In addition, the security situation has changed. The terrorist attacks of 11 September 2001 in particular brought the threat to critical infrastructures to the attention of the general public. Furthermore, the increasing digitalisation of recent years has made the threat of cyber attacks on critical infrastructures more likely. The external circumstances as well as the constant threat assessment make a continuous evaluation of the classification of critical infrastructures necessary ^[6].

Application and examples

Increasing digitalisation as well as automation have an impact on critical infrastructures. On the one hand, digitalisation enables better and easier monitoring of critical systems. For example, temperatures in power generation reactors can be monitored automatically.

On the other hand, individual sectors are becoming increasingly interconnected through digitalisation. But cybercrime is also on the rise, so cyberattacks on the digital infrastructure will become more likely in the future. The greater networking thus increases the vulnerability of the systems, and economies of scale become more likely when a critical infrastructure fails ^[7].

To illustrate the relevance of critical infrastructures for society and the economy, the scenario of a nationwide power blackout can be used. A nationwide blackout would result in all private households, commercial enterprises and state institutions without emergency generators or their own supply being without electricity. Large parts of the national economy would come to a standstill. Banks would no longer be able to make disbursements, supermarkets would not be able to access their cash register systems and would no longer receive food deliveries because the petrol pumps at petrol stations would no longer work. At the same time, the water supply would come to a standstill over a large area, as the water pumps in houses without electricity would no longer work. Numerous heating systems would also fail. Health care would also be affected: Pharmacies would no longer be able to provide medicines, as the fully automated logistics and storage system would not function without electricity. Hospitals, most of which have an emergency generator, would still be able to operate, but would have to reduce their capacities. De facto, the entire social and economic life would come to a standstill. To prevent this scenario, the protection of critical infrastructures and the guarantee of IT security are of great importance.

Criticism and problems

Criticism of the current categorisation of critical infrastructure sectors in Germany includes the fact that important sectors and industries have not yet been included with their criticality. For example, there are calls for the chemical industry and large-scale research facilities to be classified as critical infrastructures. Furthermore, it is criticised that the classification as operators of critical infrastructures is too undifferentiated due to the definition of threshold values of persons to be supplied ^{[8, 9]}.

Research

Among other things, the bidt is funding the dissertation project “Secure lightweight authenticated encryption for critical infrastructures in the Internet of Things”, which is based at the Technical University of Munich and the East Bavarian Technical University of Regensburg. The project deals with cryptographic methods that are particularly suitable for use in networked systems.

Further links and literature

Information on critical infrastructures:

Bundesamt für Bevölkerungsschutz und Katastrophenhilfe

Recommended reading:
Schulze, Tillmann (2006): Bedingt abwehrbereit. Schutz kritischer Informations-Infrastrukturen in Deutschland und den USA. Wiesbaden: VS Verlag für Sozialwissenschaften/GWV Fachverlage GmbH Wiesbaden.

Sources

^[1] Wiater, Patricia (2013): Sicherheitspolitik zwischen Staat und Markt. Der Schutz kritischer Infrastrukturen. Baden-Baden: Nomos (Sicherheit und Gesellschaft. Freiburger Studien des Center for Security and Society, 6).

^[2]Bundesministerium des Innern (2009): Nationale Strategie zum Schutz Kritischer Infrastrukturen (KRITIS-Strategie).

^[3] Krings, Susanne (2020): Doppelt relevant: Kritische Infrastrukturen der Daseinsvorsorge, Raumforschung und Raumordnung / Spatial Research and Planning, ISSN 1869-4179, Sciendo, Warsaw, Vol. 78, Iss. 6, pp. 575–593.

^[4]Folkers, Andreas (2018): Was ist kritisch an Kritischer Infrastruktur? Kriegswichtigkeit, Lebenswichtigkeit, Systemwichtigkeit und die Infrastruktur der Kritik. In: Engels, Jens-Ivo & Nordmann, Alfred (Hg.) (2018): Was heißt Kritikalität? Zu einem Schlüsselbegriff der Debatte um Kritische Infrastrukturen, S.123–154.

^[5] König, Wolfgang; Popescu-Zeletin, Radu; Schliesky, Utz; Beck, Roman (eds.) (2014): IT und Internet als kritische Infrastruktur. Vernetzte Sicherheit zum Schutz kritischer Infrastrukturen. Kiel: Lorenz-von-Stein-Inst. für Verwaltungswiss. an der Christian-Albrechts-Univ. zu Kiel (Schriften zur Modernisierung von Staat und Verwaltung, 19).

^[6] Bundesamt für Bevölkerungsschutz und Katastrophenhilfe (2020): 10 Jahre „KRITIS-Strategie“.

^[7]Nye, Joseph S. (2017): Deterrence and Dissuasion in Cyberspace. In: International Security 41 (3), pp. 44-71.

^[8] Marburger Bund (2019): Alle Krankenhäuser besser vor Hacker-Angriffen schützen.

^[9] AG KRITIS (2021): Stellungnahme für die Anhörung des Bundestagsausschusses für Inneres und Heimat – Entwurf eines Zweiten Gesetzes zur Erhöhung der Sicherheit Informationstechnischer Systeme 2.0 (IT-Sicherheitsgesetz 2.0).