Commissioned by CyberArk
1 Introduction
The subject of a society being dependent on networked systems is becoming increasingly important for citizens, companies and the government. The technology thriller and global bestseller "Blackout - Tomorrow Will Be Too Late" by Austrian author Marc Elsberg was not the first work of fiction to draw the attention of a wider public to this topic. Using the example of a large-scale and long-lasting power failure in Europe, the dynamics of such a situation are explored in a stunning novel of suspense.
But not only entertainment and fiction looked at this topic more closely. In 2010 the “Büro für Technikfolgen-Abschätzung beim Deutschen Bundestag“ (Office for Technology Assessment at the German Parliament) together with the „Karlsruher Institut für Technologie (KIT)“ (“Karlsruhe Institute of Technology”) published a comprehensive report entitled “Gefährdung und Verletzbarkeit moderner Gesellschaften – am Beispiel eines großräumigen Ausfalls der Stromversorgung“ (Threats and vulnerabilities to modern societies - taking the example of a large-scale power failure). This study described the power outage as a striking example of "cascading damage effects". The report concluded that, despite a low probability of occurrence, the triggered consequences could not be "controlled" and could, at best, be mitigated. The recommendation was to increase the resilience of the critical infrastructure sectors in the short and medium term.
Criticality is the relative degree to which an infrastructure is important in terms of the consequences that a disruption or malfunction has for the security of supply of important goods and services to society.
The term „KRITIS“ as an abbreviation of „KRITische InfraStrukturen“ (“critical infrastructure”) is closely linked to the Federal Republic of Germany, its legislation and its efforts to reduce potential vulnerability by improving protection and resilience of critical infrastructure as a result of the increasing extent of pervasiveness and dependence of almost all areas of life with and from critical infrastructure.
This is reflected in a large number of initiatives, laws and regulations, illustrated by the following European and German examples:
- In 2006, the European Union initiated the European Programme for Critical Infrastructure Protection (EPCIP)
- In 2008, the Council Directive 2008/114/EC “on the identification and designation of European critical infrastructure and the assessment of the need to improve their protection” was issued on an EU level.
- In 2016, the “Directive on security of network and information systems (NIS Directive)” formed an important building-block of EU-wide legislation on cybersecurity aiming at imposing legal measures to improve the overall level of cybersecurity in the EU.
- On a national German level, the BSIG – „Gesetz über das Bundesamt für Sicherheit in der Informationstechnik“ (“Law on the Federal Office for Security in Information Technology”) laid the foundation for the legal and regulatory requirements for critical infrastructure.
- In July 2015, the IT-SiG - “Gesetz zur Erhöhung der Sicherheit informationstechnischer Systeme (IT-Sicherheitsgesetz)“ („Act to increase the security of information technology systems (IT Security Act)”) was issued to secure IT systems and digital infrastructures, including critical infrastructure in Germany. It has been augmented with the BSI-KritisV – “BSI-Kritisverordnung” (“Kritis regulation”) in 2016.
- All have been updated and expanded over time, e.g. by including finance and insurance, health, transport and travel into the scope of the KritisV in 2017.
Beyond Europe, this is of course, also considered a highly critical topic. In 2015 “Business Blackout” , a joint report by Lloyd’s insurance and the University of Cambridge’s Centre for Risk Studies, looked at the same scenario from a different angle as it examined the insurance implications of a cyber-attack on the US power grid. The total impact to the US economy was then estimated at $243bn, with the impact of the so-called “most extreme version” of the projected scenario totaling more than $1trn.