The effects of the KRITIS Umbrella Act from a research perspective

A scientific look at the KRITIS umbrella law and perimeter protection

Dr. Kai Nürnberger and Prof. Dr. Elmar Padilla from Fraunhofer FKIE in Bonn are laying important foundations for the protection and monitoring of critical systems and infrastructures with their research. In this interview, we want to find out how the new KRITIS umbrella law contributes to technological innovation according to the experts' personal assessment and what challenges still need to be overcome for improved perimeter protection.

New technologies

To what extent has the KRITIS Umbrella Act led to new developments or the use of new technologies in the monitoring and protection of critical infrastructures?

Prof. Dr. Elmar Padilla: Laws formulate requirements and specifications. In this sense, the KRITIS umbrella law provides guidance for operators. The new EU NIS 2 directive for cyber security will lead to significantly extended obligations for companies and thus also promote the use of innovative technologies.

Dr. Kai Nürnberger: We are seeing that “electronic security” is getting more and more attention from the industry. This can also be seen, for example, at trade fairs such as Perimeter Protection or in the positioning and range of services offered by security service providers. As is so often the case, technology will quickly lead to improved solutions, especially for newly planned properties. However, surveillance technology, which is often the focus of attention, is only one component. Intelligent, near-real-time data processing with integration into control systems is also important in order to be able to react quickly and appropriately.

Cooperation between disciplines

The law requires close cooperation between different disciplines. What can this interdisciplinary cooperation look like in practice?

Dr. Kai Nürnberger: Cooperation between different parties involved in the process is essential. We often talk about integrated security solutions that, for example, combine perimeter protection, the IT security situation and the operational situation in order to detect security-related anomalies in good time. However, this data is usually collected by different companies, service providers and organizational units. They are sometimes sensitive with regard to the capacity utilization of systems, the consumption of raw materials or operational processes. Good solutions for sharing data while taking stakeholder interests into account are therefore important. For example, system suppliers of network technology, monitoring sensors and operational control rooms could exchange data via interfaces.

Prof. Dr. Elmar Padilla: In order to promote cooperation between different disciplines, Fraunhofer has set up the “Fraunhofer Center Digital Energy”, for example. Here, electrical engineers, computer scientists, economists, ergonomists and IT security experts work on new solutions.

Protection of critical infrastructures

What new technologies or methods do you see as promising for further improving the protection of critical infrastructures?

Dr. Kai Nürnberger: A multi-level approach is certainly required here, starting with physical protection against attacks, e.g. drone detection against espionage or sabotage. However, the protection of IT systems against criminal or state perpetrator groups, the further development of authorization concepts (the issue of internal perpetrators, service providers with access to systems / access to facilities) and concepts for rapid countermeasures must also be included in a comprehensive strategy.

Prof. Dr. Elmar Padilla: Process documentation and modeling are particularly important in this context. They enable a well-founded risk assessment that takes into account both the effects of disruptions and possible intervention options. In the field of IT security, the threat situation is very dynamic: you are never really “finished”.

What challenges or limitations do you see in current legislation with regard to the protection of critical infrastructure and how could these be overcome?

Dr. Kai Nürnberger: We are not experts in legislation, but we see the umbrella law as a crucial framework for enforcing minimum standards. Economic incentives are an effective way of promoting the implementation of requirements.

Prof. Dr. Elmar Padilla: We provide technical expertise to support the development of requirements. Another way is to check the implementation of specifications through tests, such as penetration testing, or the hardening of IT infrastructure by identifying and closing vulnerabilities. A third point is the cooperation of various stakeholders in the compliant collection and evaluation of data while safeguarding individual interests.

How do you see the future of critical infrastructure security in Germany? What trends or developments should we keep a particularly close eye on?

Prof. Dr. Elmar Padilla: We must by no means be naive. Germany potentially has a lot to lose (or has already lost a lot). Attacks will continue to develop in terms of quality and quantity. Digitalization is both a blessing and a curse. Cooperation between government agencies, industry partners and research is important. Keywords such as resilience and redundancy relate to many facets, e.g. technical, organizational or personnel.

An important component is the controllability of new technologies. The decision must always remain comprehensible and justifiable despite high automation and AI. In this context, the design of the human-machine interface – i.e. teaming – also plays an important role. In our view, this is criminally neglected in many cases.

Dr. Kai Nürnberger: The price of security should include a social discourse. This applies not only to financial costs, but also to the handling of data and information.

Thank you very much for the interview, Dr. Nürnberger and Prof. Dr. Padilla.