Best Practices for Security in Critical Infrastructures: A Comprehensive Guide for Suppliers

In an effort to enhance the security of critical infrastructures, a set of best-practice recommendations has been introduced to outline essential security requirements for suppliers of products and services. These recommendations aim to be a guiding document for agreements between operators of critical infrastructures and their suppliers, encompassing service providers and manufacturers.

The document, developed by UP KRITIS, explicitly treats cloud service providers as falling within its definition of "suppliers" or "contractors." The guidelines stress that security measures must be matched to the specific needs and risks of the critical infrastructure concerned, and urge operators to carry out a thorough protection needs analysis based on the guidelines of their own sector.

Operators are encouraged to use these recommendations flexibly, either excluding or modifying requirements based on their unique circumstances. The document emphasizes that the operator of a critical infrastructure is always considered the client in these agreements.

Diverse Operating Forms Covered

The best-practice recommendations recognize various operating forms that can take on flexible and mixed structures. Two primary operational forms are discussed:

  1. Self-operation of IT Products: The client runs the IT products in-house and on its own responsibility. The recommendations cover areas such as vulnerability management, patch management, system hardening, and more.
  2. Operation with Third-Party Support (Contractors): IT operation is outsourced to third parties, either partially (e.g., PaaS, IaaS, where the client still operates the layers above the service) or fully (e.g., SaaS). Additional requirements are set out for contractors providing services such as IT operation, remote support, and cloud services.

Clear Roles and Responsibilities

The document outlines a structured approach to the phases of a contractual relationship, presenting a 5-phase model: Planning (including risk assessment), Contract Award, Integration/Commissioning, Productive Use, and Decommissioning.

The client, i.e. the operator of the critical infrastructure, is responsible for ensuring that all relevant requirements in the document are explicitly requested from the contractor and, where necessary, verified and documented in each phase. Service Level Agreements (SLA) and, specifically for critical services, Security Level Agreements (SecLA) are recommended as the means of establishing a secure and mutually understood framework between client and contractor.

In the context of cloud usage, the document acknowledges the shift in the dynamics of contract negotiation, where cloud service providers set standard rules. It underlines the challenges of adjusting these standardized functionalities and suggests careful consideration of the risks associated with operating critical IT infrastructure in a cloud environment.

Incorporating Cloud Services Responsibly

The document stresses that existing certifications and attestations held by cloud service providers should be taken into account when evaluating their security level. Standards such as the Cloud Computing Compliance Criteria Catalogue (C5), published by the German BSI, and other relevant certifications can be used by the client to assess the security level of a cloud offering. A certificate is evidence of the provider's controls, not of the client's own risk posture, so the client is advised to evaluate whether operating critical IT infrastructure is reasonably feasible within the parameters fixed by the cloud service provider.

Ultimately, these best-practice recommendations aim to provide a comprehensive and adaptable framework to enhance the security of critical infrastructures, ensuring a robust and secure environment for essential services.