Definition of scope for KRITIS industries based on the BSI IT-Grundschutz Methodology
In order to provide documentation of compliance pursuant to Section 8a (1) of the BSI-Act, an operator must ensure that its scope covers – as a minimum – all KRITIS facilities and all systems, processes and components required for their correct function. Experience from document verification has shown that this is not always the case. This can be because the scope of the ISMS at the operator is incomplete or vague. Industry-specific security standards (B3S), which model an industry-specific reference architecture, are a solution to this problem.
Scope
In the context of information security for Critical Infrastructures, the scope of the Information Security Management System (ISMS) plays a prominent role. It defines which systems, processes and components are covered and safeguarded and which areas are not covered. The scope should be meaningful, described in detail and clearly differentiated from other information domains. In particular, the technical and organisational interfaces with external parties, such as service providers, customers or suppliers, must be clear. The scope of the ISMS also provides a basis for defining the extent of the document verification pursuant to Section 8a (3) of the BSI-Act. For this reason, it is absolutely essential for the ISMS scope to cover all KRITIS facilities included in the documentation of compliance. This also includes all systems, processes and components required to operate the facility.
The methodology described below for developing a scope on the basis of the BSI IT-Grundschutz is suitable both for developing a scope in specific terms when creating documentation of compliance for an operator, and in abstract terms when creating an industry-specific security standard (B3S). This is also referred to as a reference architecture.
When defining the scope, the BSI recommends taking a top-down approach starting with an overarching, generic process analysis, along the lines of the methodology used in the IT-Grundschutz. This approach ensures that all necessary systems, processes and components of the critical service are included in full when applied by KRITIS operators.
Critical service (kDL) as a starting point
Operators of Critical Infrastructure have the task of guaranteeing supply of the critical service to the public. The BSI Kritis Regulation (BSI-KritisV) defines the relevant critical services (kDL) for the sectors and their industries. For example, in the food sector, “supplying the public with food (food supply)” is crucial due to its importance in ensuring the proper functioning of the community. In order to analyse the guarantee of security of supply in full, it therefore makes sense to take the critical service as a starting point for developing the scope. When creating the reference architecture for Critical Infrastructure, the kDL should be seen as the central process from which all other objects are derived.
Modelling an industry-specific reference architecture
Defining the scope with a generic illustration of the reference architecture forms a central pillar of industry-wide standards. Reference models and methods for the KRITIS and IT security objectives can be developed on the basis of the reference architecture, as can the determination of protection needs and the risk analysis.
Industry-specific reference architecture serves as a blueprint and support for individual implementation of the scope of the ISMS for an operator. The generic reference architecture is less detailed than the architecture of an individual operator. Nevertheless, efforts should be made to achieve a high level of detail so that this architecture can provide effective support to as many operators as possible.
Based on the critical service, the following (industry-typical) objects should be structured and gradually identified:
- All business and support processes and sub-processes required to provide the kDL
- All applications and services required for the processes
- All IT systems and components required for the applications and services
- All buildings and rooms in which IT systems and components are installed
- All interfaces with other information domains and third parties
In order to reduce complexity, similar target objects/assets should be grouped together. In addition, processes relating to expansion of/deviations from the reference architecture should be explained. This becomes particularly important when the existing IT systems, components and applications or the processes of an operator differ from the reference architecture.
To illustrate the partial results, visualisations such as network structure plans (simplified) or process modelling should also be used. These results should then be incorporated into the creation or further development of industry-specific security standards.
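The top-down derivation above can be checked mechanically: if the reference architecture is recorded as "object requires object" edges, the transitive closure from the kDL is exactly the minimum ISMS scope, and anything the operator's declared scope omits is a gap of the kind the document verification keeps finding. The following is an added example (not BSI code or any B3S); the object names and the declared scope are constructed for a hypothetical food-supply operator.

```python
"""Scope derivation check, modelled on the top-down kDL approach."""
from collections import deque

# Constructed dependency edges: each object -> the objects it requires,
# following the layers of the methodology (kDL -> processes ->
# applications/services -> IT systems/components -> rooms, plus interfaces).
REQUIRES = {
    "kDL:food_supply": ["proc:order_handling", "proc:cold_chain_logistics"],
    "proc:order_handling": ["app:erp", "app:customer_portal"],
    "proc:cold_chain_logistics": ["app:warehouse_mgmt", "svc:temperature_monitoring"],
    "app:erp": ["sys:erp_db_cluster", "sys:app_server_01"],
    "app:customer_portal": ["sys:web_frontend", "if:payment_provider"],
    "app:warehouse_mgmt": ["sys:app_server_01", "sys:wms_db"],
    "svc:temperature_monitoring": ["sys:plc_coldstore", "if:sensor_vendor_cloud"],
    "sys:erp_db_cluster": ["room:dc_a"],
    "sys:app_server_01": ["room:dc_a"],
    "sys:web_frontend": ["room:dc_b"],
    "sys:wms_db": ["room:dc_b"],
    "sys:plc_coldstore": ["room:coldstore_1"],
    # Objects the operator runs but which the kDL does not depend on:
    "app:hr_portal": ["sys:hr_server"],
    "sys:hr_server": ["room:office_3"],
}

# Constructed: a declared ISMS scope that covers the office IT but not the
# OT side of the cold chain (a typical source of an incomplete scope).
DECLARED_SCOPE = {
    "proc:order_handling", "proc:cold_chain_logistics", "app:erp",
    "app:customer_portal", "app:warehouse_mgmt", "svc:temperature_monitoring",
    "sys:erp_db_cluster", "sys:app_server_01", "sys:web_frontend",
    "sys:wms_db", "if:payment_provider", "room:dc_a", "room:dc_b",
}

def required_objects(start):
    """Transitive closure: everything the critical service depends on."""
    seen, queue = set(), deque([start])
    while queue:
        for dep in REQUIRES.get(queue.popleft(), []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen

def scope_gaps(kdl, declared_scope):
    """Objects the kDL needs that the declared ISMS scope does not cover."""
    return sorted(required_objects(kdl) - set(declared_scope))

def group_by_type(objects):
    """Group similar target objects (prefix before ':') to reduce complexity."""
    groups = {}
    for obj in sorted(objects):
        groups.setdefault(obj.split(":")[0], []).append(obj)
    return groups
```

Running `scope_gaps("kDL:food_supply", DECLARED_SCOPE)` lists the cold-store PLC, its room and the sensor vendor interface as missing, while the HR portal is correctly left outside the minimum scope.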
Workshops on reference architecture as a model for success
A reference architecture should be developed jointly by several industry representatives to ensure that it has the greatest possible relevance and acceptance across the entire industry. It is advisable for the group to be as heterogeneous as possible, comprising representatives from companies of different sizes and structures.
There have been several cases in which industry representatives have successfully defined reference architectures for their industries in workshops (e.g. in the corresponding industry working groups of UP KRITIS) and integrated them into the initial B3S. These workshops should be scheduled to take place over one to three days, depending on the level of prior knowledge and the required level of detail.
The focus of this process is on specifying the common features of an industry and its operators, without restricting specific individual characteristics. In the workshop, the appropriate level of joint structures and overarching specific features for the industry should be identified.
Summary
The creation of industry-specific reference architectures based on the BSI-Grundschutz Methodology in conjunction with industry-specific security standards enables operators to build upon this and develop the scope of their ISMS efficiently and in conformity with the requirements for Critical Infrastructure.
The BSI has had very positive experiences with this approach in recent years. The major benefit is the generic mapping of the KRITIS scope in a reference architecture for the industry. This allows individual operators to adapt the reference architecture in their ISMS to their individual organisational structure and IT structure.
Initial empirical evidence from the BSI also shows that in industries in which a B3S is available with a meaningful scope, the quality of the submission of documentation has been improved and follow-up requests from the BSI as part of the document verification for operators have been minimised.