BSI workshop on cybersecurity for critical infrastructure
The workshop was organised in close collaboration between the German-Mexican Digital Dialogue, commissioned by the German Federal Ministry for Digital and Transport (BMDV), and the Digital Transformation Centre in Mexico and the Trust4Cyber project, both commissioned by the German Federal Ministry for Economic Cooperation and Development (BMZ). Representatives from Mexican industry, academia, and government, such as the Ministry of Economy (Secretaría de Economía – SE) and the Ministry of Infrastructure, Communications and Transport (SICT), actively participated.
Dr Frederic Raber from the Technical Centres of Excellence at BSI, Dr Mani Swaminathan from Critical Infrastructure Principles at BSI, and Joshua Breuer from BSI’s International Relations represented the federal office. They illustrated BSI’s role as a federal body and shared the mechanisms as well as the legal framework behind its cybersecurity approach for critical infrastructure. Among others, they addressed the following questions: How is the risk of cyberattacks managed in Germany? Is the EU Cybersecurity Act relevant to foreign companies?
Protection of critical infrastructure in Germany
The BSI experts explained that critical infrastructure includes facilities or systems belonging to different sectors, such as energy, information technology and telecommunications, transport, and municipal waste management, among others. In Germany, the focus is on the criticality of supply parts within these sectors; companies in this area whose operators are above certain thresholds are regulated by law (the BSI-Act) and have a legal obligation to report their security measures to the BSI per Section 8a of the BSI-Act.
In this sense, BSI is the Federal Cyber Security Authority that shapes information security in digitalisation through prevention, detection and reaction for government, business, and society. According to BSI experts, due to the growing relevance of digitalisation, production systems are increasingly connected to the IT infrastructure, which can be controlled remotely. This also represents a major vulnerability of production and IT systems to cyberattacks by remote attackers, particularly owing to the accelerated growth of malware variants in recent times.
How does the BSI enhance the security of cloud-based infrastructures?
The motivation of BSI's Technical Centres of Excellence Division is to obtain the benefits of cloud computing in a secure way. To that end, catalogues such as Security Criteria for Cloud Computing (C5) and Security Criteria for Artificial Intelligence in a Cloud (AIC4) have been developed to establish an approach with companies, through security criteria and an audit framework, that can also be useful for companies in other states.
Cybersecurity of critical infrastructures
In Germany, the IT Security Act is a regulation that considers the interplay of three important aspects (detection, prevention, and reaction) for ensuring the cybersecurity of critical infrastructures. According to Dr Swaminathan, this entails a delicate balance between supervision and support of operators of critical infrastructures through the BSI.
The BSI-Act, in conjunction with the BSI Kritis Regulation, is the legal framework used for the identification and supervision of critical infrastructure operators. It is complemented by supportive public-private partners, such as the Alliance for Cyber Security (ACS) and UP Kritis. The ACS is a BSI initiative that provides a basis for cooperation between public administration, scientific research, and industry across several sectors, while UP Kritis focuses on such cooperation within critical sectors.
Regulatory framework from a European perspective
According to Joshua Breuer, in many cases, German regulations are dependent on European-level regulations. But in any of them, security is a common responsibility.
The BSI expert highlighted the importance of the Cybersecurity Act, which is divided into two main parts: the European Union Agency for Cybersecurity (ENISA) and the certification framework, which is recognised by all member countries. The Act provide; also, foreign countries or companies can apply for a certification, supported by the Cybersecurity Act, and they can choose in which EU member country they would like to obtain their certificate.
Exchange is key: next steps
We thank the BSI experts for their valuable input. Both sides welcome a follow-up session within the Digital Dialogues in upcoming events on IT security and data policy.
Workshops like this allow our partners and stakeholders to exchange on best practices and experiences in different sectors. The International Digital Dialogues of BMDV will continue to provide a platform for the international exchange on common challenges and framework conditions for the digital economy.