KuppingerCole Report
Whitepaper
By Matthias Reinwarth, Christopher Schütze

KRITIS – Understanding and protecting critical infrastructure

Organizations or institutions that are essential for the public are called Critical Infrastructure (KRITIS = “Kritische Infrastrukturen”). As such, they are subject to comprehensive and strict legal regimes consisting of laws and regulations. Their failure or significant impairments result in sustained supply shortages, significant disruptions to public safety or other drastic consequences. Their protection and the safeguarding of the public require appropriate concepts, processes and technologies.
By
mr@kuppingercole.com
By
chs@kuppingercole.com

Content of Figures

  1. Figure 1 Two areas and nine sectors currently define the overall structure of critical infrastructure
  2. Figure 2 Overview of functional components for managing privileged users
  3. Figure 3 Solutions and Products of CyberArk

Commissioned by CyberArk

1 Introduction

The subject of a society being dependent on networked systems is becoming increasingly important for citizens, companies and the government. The techn ...

Login Get full Access

2 Critical Infrastructure defined

The definitions and requirements concerning critical infrastructure as they exist at an European and, in particular, German level can be regarded as e ...

The currently valid conceptual structure for the protection of the supply and service facilities central to the supply of state, economy and society n ...

Login Get full Access

3 Critical infrastructure across industries

Based on the BSI’s definitions for critical infrastructure, the BBK (“Bundesamt für Bevölkerungsschutz und Katastrophenhilfe” – German Feder ...

Login Get full Access

3.1 Refining requirements: B3S

The definition of industry-specific requirements is the responsibility of the industries, their industry associations and key corporations as exemplar ...

Login Get full Access

3.2 Energy

A key industry is energy supply, which includes electricity, gas and oil. An emergency in this area directly affects virtually any other critical infr ...

Login Get full Access

3.3 Nutrition, Food and Water

Maintaining nutrition is subject to the provisions of KRITIS. Reliable food production and the supply of food to the population via food trade are ess ...

Login Get full Access

3.4 Transport

One of the most significant critical areas is transport. Transport is divided into six major critical infrastructure areas: air, water, sea, water, ra ...

Login Get full Access

3.5 Healthcare

Medical care with all its dependencies to other critical areas is classified as critical infrastructure. The health sector refers to the health system ...

Login Get full Access

3.6 Finance and Insurance

While other critical infrastructure still involves tangible goods and services, the area of financial and insurance sectors is almost completely contr ...

Login Get full Access

4 Transport specific threat scenario (railroad)

Potential attacks on information technology and communications are important to understand. The DB (Deutsche Bahn - German Railway) is chosen as a rep ...

Login Get full Access

4.1 Scenario Definition

DB consists of several companies that cover the various areas of transport, control and logistics. There are companies for long-distance passenger tra ...

Login Get full Access

4.2 Analysis and controls

This example contains many processes that are IT-supported and therefore need to be adequately protected. These include authentication processes for c ...

Login Get full Access

4.3 Scenario-based risk analysis

The above given example shows, that continuously conducting an adequate risk assessment is a key challenge for protecting critical infrastructure. Usi ...

Login Get full Access

5 Protecting IT within critical infrastructure

Critical infrastructures differ considerably in their respective core business elements. The knowledge and experience of experienced engineers and a m ...

Login Get full Access

5.1 IT is critical to KRITIS

IT-based systems are essential elements for controlling and monitoring systems of all kinds. Today, many essential processes in logistics or modern en ...

Login Get full Access

5.2 ISMS at the core of KRITIS compliance

A common denominator of all relevant guidelines, including the B3S documents and e.g. the “IT security catalog for electricity and gas networks” i ...

Login Get full Access

5.3 Threat intelligence and modern Security Operation Centers

Beyond the necessary measures for a pure KRITIS-check-list compliance, the measures mentioned so far are increasingly not regarded as sufficient. The ...

Login Get full Access

5.4 Privileged Access Management integrated with IAM

The cause of most documented attacks is compromised privileged user accounts. This is usually facilitated by the fact that these accounts are not subj ...

An organization's IAM system is the basis for managing identities and assigning authorizations. The Access Manager is responsible for reviewing and im ...

Login Get full Access

6 Protecting critical infrastructure with CyberArk’s security solutions

Cyber security requirements for critical infrastructure often have a different focus than the protection of traditional enterprise IT. A solid cyber s ...

Login Get full Access

6.1 Overview

CyberArk provides an end-to-end solution for privileged access security on a single, well-integrated platform. It provides a critical layer of IT secu ...

  • Privileged Account Security (PAS) offers a multi-level core portfolio, including privileged password management, session isolation and recording, ...
Login Get full Access

6.2 Protecting the endpoint

Although this fact is often overlooked, Privileged Access Security starts at the endpoint, no matter whether it is the desktop workstation or a backen ...

Login Get full Access

6.3 Privileged credential management, session management and privileged threat analytics

The protection and control of credentials is literally one of the central challenges in any critical infrastructure. The close integration of KRITIS w ...

Login Get full Access

6.4 Protecting secrets with Application Access Manager

A particular challenge in critical infrastructure is the multitude of centralized and decentralized applications, systems and components. Critical inf ...

Login Get full Access

6.5 Cloud and hybrid environments

Even for operators of critical infrastructure, the move of processes, tasks and workloads to the cloud brings considerable opportunities for optimizat ...

Login Get full Access

7 Five Key Privilege Access Security Takeaways for Ensuring KRITIS

Implementing cyber resiliency as the basis for achieving compliance to KRITIS requirements is not entirely congruent with the measures that the requir ...

Login Get full Access

8 Related Research

Leadership Compass: Privilege Management - 72330
Leadership Compass: Adaptive Authentication - 79011
Architecture Blueprint: Hybrid Cloud Security - 72552
Advisory Note: GRC Reference Architecture - 72582
Advisory Note: Big Data Security, Governance, Stewardship - 72565
KuppingerCole Hot Topic Area Privilege Management

Endnotes

  1. Translated from https://www.bbk.bund.de/DE/AufgabenundAusstattung/KritischeInfrastrukturen/kritischeinfrastrukturen_node.html
  2. Translated from the B3S document
  3. https://www.bafin.de/dok/10445406

Copyright

©2021 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole´s initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst ompany, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.

top