The BSI defines: "Critical infrastructures (KRITIS) are organizations and facilities with important significance for the state community, the failure or impairment of which would result in lasting supply bottlenecks, significant disruptions to public safety or other dramatic consequences."
Since our founding more than 25 years ago, we at SerNet have known and observed the specifications of IT Baseline Protection, ISO 27001 or TISAX. If our customers' wishes for the establishment of IT infrastructure cannot be brought into line with these specifications, we expressly point this out.
The customer is king, and the customer is also queen, so SerNet almost always faces a conflict of objectives: creating economically attractive offers while making no compromises on security at all, or only urgently necessary ones, which we then have to carefully explain and document.
But sooner or later, our KRITIS customers will have to demonstrate successful certification. And that's why good advice is sometimes a bit more expensive - and implementation is also in the interest of protecting critical facilities.
SerNet supports numerous hospitals nationwide in matters of IT security (references). For many years, the healthcare industry has had to cope with considerable cost pressure and tight requirements for cost management.
In many hospitals, IT security has been a secondary issue in the past. First and foremost, everyday hospital life was a matter of security of supply and economic issues. The requirements of the IT Security Act for the KRITIS healthcare sector have therefore been a significant challenge for many hospitals.
In addition to complying with many regulatory requirements, hospitals need cost-intensive procurement for the IT infrastructure, such as next-generation firewalls, network access control, and much more, as well as considerable restructuring of the work organization in order to guarantee secure IT-supported processes.
On these pages, we at SerNet pick out the energy sector, because we not only have years of experience with customers from this sector:
Many municipal utilities are subject to the KRITIS requirements even though they are small municipal entities, because no thresholds for size of operation apply to them as energy providers. SerNet provides support here in setting up and operating firewalls and other security systems, which are audited annually in accordance with KRITIS.
SerNet, as the manufacturer of the tool verinice, is continuously engaged in translating industry-specific standards into concrete rules and catalogs of measures for tool-based compliance management. The tool is in use at a large number of major utilities.
The colleagues at SerNet can therefore assess and support this sector very well from both the IT security and the compliance perspective.
Securing control centers poses special challenges. The protection goals of IT security are confidentiality, integrity and availability. Especially in control centers, there is very often a demand for 100% availability - without compromising confidentiality and integrity.
SerNet has experience in setting up and operating next-generation firewalls. For normal data communications to and from the Internet, securing a control center can still be solved with a manageable amount of effort.
The situation becomes more challenging with telephony: While ISDN lines can already be designed to be highly available and sufficiently secure at carrier level, this is quite different with modern VoIP telephony. IP telephony arrives at the control center via Internet lines in the same way as e-mail or browser data - but with high demands on real-time handling.
The same applies to control centers in the energy sector, which SerNet can also equip with firewalls and which also successfully pass the audit according to KRITIS standards.