The Critical Day
On 25 April 2018 the first Critical Day took place at the SRC Conference Centre. This was the premiere of a series of events that offers a top-class platform for exchange. This is primarily aimed at representatives of companies that operate a critical infrastructure (KRITIS). The Critical Day serves above all to establish personal contacts and to exchange experiences and best practices on IT and physical security of critical infrastructures.
The Schedule
After the arrival of the first participants, a lively exchange on the topics began. At the start of the Critical Day, the fully booked hall documented the participants’ need for information.
Top-class speakers gave an overview of the topic KRITIS. Isabel Münch, Head of CK3 and representative of the Federal Office for Information Security (BSI), explained the procedures and processes in the supervisory authority. Randolf Skerka, Head of SRC and responsible for the topic of auditing according to §8a (3) BSIG, described the first experiences from the perspective of the auditing body. The Klinikum Lünen was the first to provide proof of the audit according to §8a (3) BSIG. Ralf Plomann, Head of IT at Klinikum Lünen, gave impressive insights into the development of hospital organisation in preparation for the audit. Prof. Dr. med. Andreas Becker, who made it clear that sound industry expertise is an essential and indispensable cornerstone of a meaningful examination, rounded off the morning.
The expert presentations gave the participants a 360° view of the requirements of the BSI audits, which were largely and with good reason vaguely formulated.
At the end of the morning the visual artist Frank Rogge described his view on the questions of criticality in the field of artistic creation.
The afternoon was completely dedicated to the main interests of the participants. Under the moderation of Jochen Schumacher, co-organiser at SRC, the afternoon was arranged.
The participants independently organized the various contents for nine sessions.
The most significant results of the afternoon
From the session ” Submitting certification findings to the BSI ” it became clear that the BSI does not expect, for example, any “classical” findings or deviations formulated down to the last technical detail. A roughly described framework of deviations and a description of a course of action in the test report is useful. Nevertheless, an appropriate measure must be in place for each risk within a critical infrastructure. This is of enormous importance for the BSI.
The BSI wishes to cooperate closely with the various Kritis companies. The aim is to strengthen the security of IT in Germany.
In the session ” IT Security Awareness in the company ” Ralf Plomann presented the method and implementation of measures at the Lünen Hospital. The individual approach would be very important here. Every individual in the company would be responsible for IT security. In the individual address, every employee would have to be picked up where he is at the moment. According to Plomann, this is especially the case because almost no one would read guidelines any more. Therefore, more creative approaches should be chosen. Ralf Plomann’s wish for the future: “Awareness for IT security should start at school from upper secondary level”. In the course of the next session, a clear trend towards e‑learning platforms for improving awareness emerged.
In another session, the participants focused on the safe and simple definition of the scope. The pyramid model was particularly favoured in the discussion. The service classified as critical is the best starting point for defining the scope. For example, when it comes to the critical infrastructure of a sewage treatment plant, the definition of the scope requires identifying and determining which systems clarify the water, what effects a failure would have and how this failure can be compensated by other methods to maintain the critical service.
With this method you systematically move to the outer perimeter. If you get to systems that are no longer critical, the limit of the scope is reached.
Conclusion of the first “Critical Day” from SRC’s point of view
An example of the fascinating atmosphere was the continuation of the bilateral communication of the participants between the individual sessions. The feedback proved that the participants were able to make many new contacts and gain insights from other KRITIS projects.
The overall positive response of the participants shows us as SRC that the Critical Day is a useful hub for the exchange of information on KRITIS projects between the participants. Our thanks goes to all participants who contributed fundamentally to the success of the Critical Day with their open-mindedness and commitment.
We regard the Critical Day as a successful experiment. This motivates us to start preparing for a follow-up event.