Around 270 operators of critical infrastructures (KRITIS) face increased requirements in the field of IT security. This is provided for in a ministerial draft for the reform of the KRITIS regulation from the Federal Ministry of the Interior (BMI), which is available to our site. Once the initiative is adopted, special reporting and certification obligations will apply to these companies. In addition, they would have to comply with minimum standards and, for example, draw up and maintain IT security concepts.
Above all, power generators affected
So far, the regulation covers around 1600 operators. With the amendment this would become around 1870, the BMI estimates. Of these, 150 alone are active in the field of power generation, and 34 are responsible for "intelligent traffic systems". There are also seven data centers and three operators of internet nodes such as DE-CIX. This is within the scope of the expectations of the IT Security Act, which is currently also under way, so that no additional cost calculation is necessary.
To protect the functionality of critical infrastructures, the law on the Federal Office for Information Security (BSI) provides that operators must secure their IT systems through adequate organizational and technical measures in line with the state of the art and report significant disruptions to the authority. Which facilities, equipment or parts thereof in the sectors of energy, IT and telecommunications, transport and traffic, health, water, food, and finance and insurance count as KRITIS within the meaning of the law is determined by the federal government in the regulation.
As criteria, the executive draws on thresholds and on the function of an operation or technology in the production process. Key figures such as sales or production volume also play a role. Here the BMI wants to adjust many parameters with the draft.
Risk of a power failure significantly greater
Above all, the threshold for power generators is to drop significantly. The interior ministry wants to classify plants with an output or capacity of 36 megawatts or more as KRITIS, whereas the limit has so far been 420 MW. It justifies this with an evaluation of the existing regulations. This showed "that in the area of power supply so far some generating plants that contribute to maintaining a stable network operation" and are thus "important elements for the stability of the power supply system" have until now been "not sufficiently considered".
In this area, even a short-term imbalance between generation and consumption can lead to a disruption of supply, the BMI explains. This threatens "frequency deviations that – if no suitable countermeasures are taken – can also lead, through the triggering of protective systems, to the shutdown of power plants and a long-lasting power failure". The German Association of Energy and Water Industries (BDEW) described the project to the "Tagesspiegel" as "laborious and of little benefit for operational IT security". The German energy supply is already strictly regulated and counts among the safest in the world.
For the first time, "software and IT services that are necessary for the provision of a critical service" are also to be included in the definition of "critical facilities". This would allow developers of IT as well as manufacturers of production facilities with integrated systems to be held more strongly responsible for security.
In the field of information and communication technologies, the threshold for the contracted power of data centers is also to fall from five to 3.5 megawatts. Newly defined are, for instance, "server farms" as "two or more physical or virtual computers that provide services in the IT network". With this, the ministry wants to clarify that these systems are "actually provided for use by third parties".
An internet node (IXP) is to be "a network device independent of the connected autonomous systems (AS)" which allows the interconnection of more than two independent AS. For them, too, a lower threshold applies: 100 connected autonomous systems on annual average. These are often facilities "that are of central importance for the functioning of the internet".
Above certain usage figures, the draft also covers, in the area of the publicly accessible internet, "DNS resolvers" in the form of a facility or system in the access network of a provider "to answer name resolution requests, which pass on the requests to DNS instances if they do not know the answer". Added to this are top-level domain registries, "authoritative DNS servers", content delivery networks, and systems for trust services that certify the respective identity of the communication partner in networks.
BVG loophole closed
After the Huawei rule in the IT Security Act 2.0, the BMI now wants to introduce a BVG clause into the regulation: the previous threshold for critical infrastructures in the transport sector was "125 million passengers" per year. Now it is to be 125 million "company-related passenger rides". The Berliner Verkehrsbetriebe (BVG) had previously argued that, with the roughly one billion rides on its vehicles, only around 30 million different natural persons were carried and that it therefore did not fall under the requirements. In the corresponding dispute with the BSI, the company has meanwhile stated.
In general, processes for staff scheduling and maintenance operations are also to be covered in the transport sector. These are essential and often time-critical, so that the use of IT systems is required, it is said. Especially during the corona pandemic, "the high importance of the staff and thus of functioning staff scheduling" has repeatedly been shown in this area.
In the health sector, the BMI defines a new category of KRITIS operators with the laboratory information association. This refers to a combination of facilities or systems that provide IT services for more than one laboratory in human medicine. The threshold is a total of 1.5 million applications per year.
Comments on the paper can now initially be submitted until 17 May. Previously, the ministry had angered the stakeholders over the IT Security Act by sending them new drafts, in some cases with a request to comment within 24 hours. An internal hearing via videoconference is then planned for 26 May. If other ministries raise no objection, the regulation could in principle enter into force the day after its promulgation.