KRITIS Implementation: Still improvable

03.05.2017

First practical experience with implementing the KRITIS regulation reveals where companies run into challenges.

The IT-SiG (IT-Sicherheitsgesetz) is largely defined. On the 3rd of May, 2016, the first part of the regulation for KRITIS (kritische Infrastrukturen) came into effect. Companies from the sectors of energy, IT, telecommunications, water and food are affected. The second part, covering the sectors of finance, transport, traffic and health, is coming into effect soon. Implementation, however, has already begun. The first reviews show that both small and large companies do not have it easy, because a key requirement is the implementation and proof of an ISMS (Informationssicherheitsmanagementsystem). One thing has become very clear: security of the building technology, a part of the requirements catalog that plays a minor role in ISO 27001 and a bigger role in EN 50600, had been underestimated by most DC operators. How important this part really is becomes evident in certifications by TÜV or other testing institutes, where the rule is: "The best security systems do not help you when the door is open." In addition, the implementation of an ISMS is complicated by communication between facility managers and IT managers that leaves room for improvement. All in all, certain challenges appear that require support.

Downtime Costs are Just a Rough Estimation

The overall risk analysis for data centers is a serious task under KRITIS. It consists of an occurrence risk analysis and a business risk analysis. The occurrence risk analysis covers external dangers such as fires, air crashes, bomb attacks or burglary and is standard practice in implementations nowadays. During the business risk analysis, however, DC operators usually notice for the first time that they have put too little thought into the economic consequences of an IT malfunction, because in a blackout all the servers shut down. This is where the business risk analysis creates an interface between IT hardware, IT software, building technology and sales. After all, the people in charge of data centers have to be able to define downtime costs, at least roughly, for the certification according to ISO 27001.

This is fairly easy when the entire IT shuts down. Then no business processes are available anymore, and the company can estimate quite well when it becomes insolvent or when it has to face serious consequences. The analysis is much harder when only a few IT systems fail. Yet each company is expected to calculate the downtime for every single component. In other words: which damage emerges in case of a single failure? In practice this calculation turns out to be nearly impossible. Only a handful of people know which virtual IT service is running on which physical server, and even fewer could determine the downtime costs. So, in order to receive a certification according to ISO 27001, the cost of the business risk is roughly estimated.
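To make the per-component calculation described above concrete, here is an added Python example (not from the article or from SECUrisk): it walks a constructed inventory of physical hosts, VMs and business services, works out which services a single host failure takes down and the resulting cost per hour, and flags services whose VM placement is unknown, the gap the text describes. All host, VM and service names and the cost figures are invented.

```python
# Added example (not from the article): single-failure downtime estimate over a
# constructed inventory. All hosts, VMs, services and costs below are invented.

# Which VM runs on which physical host; None means placement is unknown.
VM_HOST = {
    "erp-db-1": "host-A", "erp-db-2": "host-B", "erp-app": "host-A",
    "mail": "host-C", "hr-portal": "host-C", "intranet": None,
}

# Business services: "requires" lists groups of interchangeable VMs (the service
# is up while at least one VM in every group is up); cost is EUR per hour down.
SERVICES = {
    "ERP": {"requires": [{"erp-db-1", "erp-db-2"}, {"erp-app"}], "cost_per_hour": 20000},
    "Mail": {"requires": [{"mail"}], "cost_per_hour": 1500},
    "HR portal": {"requires": [{"hr-portal"}], "cost_per_hour": 300},
    "Intranet": {"requires": [{"intranet"}], "cost_per_hour": 200},
}

def vms_on(host):
    """All VMs placed on a given physical host."""
    return {vm for vm, h in VM_HOST.items() if h == host}

def service_up(service, failed_vms):
    """A service survives if every redundancy group keeps at least one VM."""
    return all(group - failed_vms for group in SERVICES[service]["requires"])

def single_failure_impact():
    """For each physical host: (services lost, downtime cost in EUR per hour)."""
    impact = {}
    for host in sorted(h for h in set(VM_HOST.values()) if h is not None):
        lost = sorted(s for s in SERVICES if not service_up(s, vms_on(host)))
        impact[host] = (lost, sum(SERVICES[s]["cost_per_hour"] for s in lost))
    return impact

def unmappable_services():
    """Services depending on a VM of unknown placement: their single-failure
    cost cannot be attributed to any host and is silently missing above."""
    unknown = {vm for vm, h in VM_HOST.items() if h is None}
    return sorted(s for s, spec in SERVICES.items()
                  if any(group & unknown for group in spec["requires"]))

def full_outage_cost(hours):
    """The easy case from the text: everything down, e.g. a site-wide blackout."""
    return hours * sum(spec["cost_per_hour"] for spec in SERVICES.values())
```

Note that the redundant ERP database pair makes the loss of host-B cost nothing, while the unplaced "intranet" VM shows how an incomplete inventory quietly understates the single-failure figures.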

Since EN 50600, there has been a standardized categorization of the availability and security classes of data centers with regard to breakdowns and protection from external dangers. It also regulates the building technology, including the power supply. These parts have to be covered by a risk analysis as well. However, DC operators rarely combine this analysis with the one for ISO 27001. Apart from that, they are often overwhelmed by the interfaces between facility technology and IT. From an organizational point of view, these two worlds have always been separated. Therefore, one of the main tasks in implementing the KRITIS regulation is finding an "interpreter". ISO 27001 from the IT side and EN 50600 from the building technology side offer excellent opportunities to bring the two organizational units together.

Between Theory and Practice

In general, the potential non-availability of power is being criminally neglected. Admittedly, professional operators prepare very well in this field. However, many data centers seem to be overwhelmed by the actual operation of a redundant power supply. On top of that, existing data centers face further challenges. For example, many have a hard time implementing the security concept that is also defined by the EN 50600 standard. A new data center can be planned quite easily, whereas it is much harder to shift walls inside an existing building or to adjust it to the latest standards for fire protection.

The special case of care facilities brings along even more problems. Part of the KRITIS regulation is the infrastructure outside the data center, including all nodes and distributors. Yet those distributor nodes are spread over the entire facility: small racks in often no less than 50 rooms. They are crucial nodes for many terminal devices, e.g. in operating rooms. Nevertheless, they are usually neither secured nor cooled nor equipped with a backup system. Hence these rooms are completely exposed to unauthorized access, which opens the door to theft, manipulation and destruction of data.

The biggest uncertainties, however, lie in emergency and operational management. Especially medium-sized companies that operate their data centers on their own hardly ever have a specific plan for emergencies, although the KRITIS regulation was written precisely for the exceptional case. This is where companies are looking for the help of consultants these days. It is not without reason that emergency manuals for the building infrastructure of data centers are commissioned as individually created documents rather than standardized ones. The dependencies between the equipment and the building technology in the data center are still rarely documented, because doing so involves defining alarms, giving a detailed overview of all communication paths and recording concrete measures. In a next and bigger step, workshops for all employees are required, in which tasks are assigned among other things. Hence new customers who have a data center built often order the emergency manual at the same time. They make use of the fact that the working steps and the structure are familiar to the contractor in every detail and that producing such a manual is fast and easy.

Marc Wilkens

About the Author

Marc Wilkens is a Senior Consultant with SECUrisk, a subsidiary of the DATA CENTER GROUP. As an auditor for ISO 27001 and an expert in the standardization committee of EN 50600, he gives talks on security, availability and energy efficiency in data centers. Additionally, he advises operators of data centers on holistically optimized operation, especially at the interfaces between IT and building technology.