KuppingerCole Report
Whitepaper
By Matthias Reinwarth, Christopher Schütze

KRITIS – Understanding and protecting critical infrastructure

Organizations or institutions that are essential for the public are called Critical Infrastructure (KRITIS = “Kritische Infrastrukturen”). As such, they are subject to comprehensive and strict legal regimes consisting of laws and regulations. Their failure or significant impairments result in sustained supply shortages, significant disruptions to public safety or other drastic consequences. Their protection and the safeguarding of the public require appropriate concepts, processes and technologies.
By Christopher Schütze
chs@kuppingercole.com

1 Introduction

The subject of a society being dependent on networked systems is becoming increasingly important for citizens, companies and the government. The techn ...

Login Free 30-day Select Access Get full Access

2 Critical Infrastructure defined

The definitions and requirements concerning critical infrastructure as they exist at an European and, in particular, German level can be regarded as e ...

The currently valid conceptual structure for the protection of the supply and service facilities central to the supply of state, economy and society n ...

Login Free 30-day Select Access Get full Access

3 Critical infrastructure across industries

Based on the BSI’s definitions for critical infrastructure, the BBK (“Bundesamt für Bevölkerungsschutz und Katastrophenhilfe” – German Feder ...

Login Free 30-day Select Access Get full Access

3.1 Refining requirements: B3S

The definition of industry-specific requirements is the responsibility of the industries, their industry associations and key corporations as exemplar ...

Login Free 30-day Select Access Get full Access

3.2 Energy

A key industry is energy supply, which includes electricity, gas and oil. An emergency in this area directly affects virtually any other critical infr ...

Login Free 30-day Select Access Get full Access

3.3 Nutrition, Food and Water

Maintaining nutrition is subject to the provisions of KRITIS. Reliable food production and the supply of food to the population via food trade are ess ...

Login Free 30-day Select Access Get full Access

3.4 Transport

One of the most significant critical areas is transport. Transport is divided into six major critical infrastructure areas: air, water, sea, water, ra ...

Login Free 30-day Select Access Get full Access

3.5 Healthcare

Medical care with all its dependencies to other critical areas is classified as critical infrastructure. The health sector refers to the health system ...

Login Free 30-day Select Access Get full Access

3.6 Finance and Insurance

While other critical infrastructure still involves tangible goods and services, the area of financial and insurance sectors is almost completely contr ...

Login Free 30-day Select Access Get full Access

4 Transport specific threat scenario (railroad)

Potential attacks on information technology and communications are important to understand. The DB (Deutsche Bahn - German Railway) is chosen as a rep ...

Login Free 30-day Select Access Get full Access

4.1 Scenario Definition

DB consists of several companies that cover the various areas of transport, control and logistics. There are companies for long-distance passenger tra ...

Login Free 30-day Select Access Get full Access

4.2 Analysis and controls

This example contains many processes that are IT-supported and therefore need to be adequately protected. These include authentication processes for c ...

Login Free 30-day Select Access Get full Access

4.3 Scenario-based risk analysis

The above given example shows, that continuously conducting an adequate risk assessment is a key challenge for protecting critical infrastructure. Usi ...

Login Free 30-day Select Access Get full Access

5 Protecting IT within critical infrastructure

Critical infrastructures differ considerably in their respective core business elements. The knowledge and experience of experienced engineers and a m ...

Login Free 30-day Select Access Get full Access

5.1 IT is critical to KRITIS

IT-based systems are essential elements for controlling and monitoring systems of all kinds. Today, many essential processes in logistics or modern en ...

Login Free 30-day Select Access Get full Access

5.2 ISMS at the core of KRITIS compliance

A common denominator of all relevant guidelines, including the B3S documents and e.g. the “IT security catalog for electricity and gas networks” i ...

Login Free 30-day Select Access Get full Access

5.3 Threat intelligence and modern Security Operation Centers

Beyond the necessary measures for a pure KRITIS-check-list compliance, the measures mentioned so far are increasingly not regarded as sufficient. The ...

Login Free 30-day Select Access Get full Access

5.4 Privileged Access Management integrated with IAM

The cause of most documented attacks is compromised privileged user accounts. This is usually facilitated by the fact that these accounts are not subj ...

An organization's IAM system is the basis for managing identities and assigning authorizations. The Access Manager is responsible for reviewing and im ...

Login Free 30-day Select Access Get full Access

6 Protecting critical infrastructure with CyberArk’s security solutions

Cyber security requirements for critical infrastructure often have a different focus than the protection of traditional enterprise IT. A solid cyber s ...

Login Free 30-day Select Access Get full Access

6.1 Overview

CyberArk provides an end-to-end solution for privileged access security on a single, well-integrated platform. It provides a critical layer of IT secu ...

  • Privileged Account Security (PAS) offers a multi-level core portfolio, including privileged password management, session isolation and recording, ...
Login Free 30-day Select Access Get full Access

6.2 Protecting the endpoint

Although this fact is often overlooked, Privileged Access Security starts at the endpoint, no matter whether it is the desktop workstation or a backen ...

Login Free 30-day Select Access Get full Access

6.3 Privileged credential management, session management and privileged threat analytics

The protection and control of credentials is literally one of the central challenges in any critical infrastructure. The close integration of KRITIS w ...

Login Free 30-day Select Access Get full Access

6.4 Protecting secrets with Application Access Manager

A particular challenge in critical infrastructure is the multitude of centralized and decentralized applications, systems and components. Critical inf ...

Login Free 30-day Select Access Get full Access

6.5 Cloud and hybrid environments

Even for operators of critical infrastructure, the move of processes, tasks and workloads to the cloud brings considerable opportunities for optimizat ...

Login Free 30-day Select Access Get full Access

7 Five Key Privilege Access Security Takeaways for Ensuring KRITIS

Implementing cyber resiliency as the basis for achieving compliance to KRITIS requirements is not entirely congruent with the measures that the requir ...

Login Free 30-day Select Access Get full Access

Copyright

©2019 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole´s initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarksTM or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst ompany, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole Analysts, founded in 2004, is a global analyst company headquartered in Europe focusing on Information Security and Identity and Access Management (IAM). KuppingerCole stands for expertise, thought leadership, outstanding practical relevance, and a vendor-neutral view on the information security market segments, covering all relevant aspects like: Identity and Access Management (IAM), Governance & Auditing Tools, Cloud and Virtualization Security, Information Protection, Mobile as well as Software Security, System and Network Security, Security Monitoring, Analytics & Reporting, Governance, and Organization & Policies.

For further information, please contact clients@kuppingercole.com.

top