====== 3.5 Critical Infrastructure ======

PQC requirements for critical infrastructure((Critical Infrastructures: https://www.bsi.bund.de/EN/Topics/KRITIS/kritis_node.html)) operators.

===== Definition =====

Critical infrastructures are organizations and facilities of significant importance to the community, whose failure would have dramatic consequences.

===== Sectors According to NIS2 =====

The NIS2 Directive((EU Directive 2022/2555 (NIS2): https://eur-lex.europa.eu/eli/dir/2022/2555/oj)) defines the following sectors:

**Essential Entities:**
  * Energy (Electricity, Gas, Oil)
  * Transport (Air, Rail, Water, Road)
  * Banking
  * Financial Market Infrastructures
  * Healthcare
  * Drinking Water
  * Digital Infrastructure

**Important Entities:**
  * Postal and Courier Services
  * Waste Management
  * Chemical
  * Food
  * Manufacturing
  * Digital Services

===== Special Requirements =====

  * Early PQC migration (before 2030)
  * Documentation obligations
  * Incident reporting requirements (within 24h)
  * Regular audits
  * Risk management according to ENISA((ENISA Risk Management: https://www.enisa.europa.eu/topics/risk-management)) guidelines

===== "Harvest Now, Decrypt Later" Risk =====

Especially critical for critical infrastructure((ENISA PQC Report: https://www.enisa.europa.eu/publications/post-quantum-cryptography-current-state-and-quantum-mitigation)):

  * Long-term sensitive data (>10 years)
  * Infrastructure control data
  * Key material
  * Authentication data

===== BSI Recommendations =====

The Federal Office for Information Security((BSI: https://www.bsi.bund.de/EN/Home/home_node.html)) recommends:

  * Immediate inventory of cryptography
  * Prioritization by data sensitivity
  * Hybrid solutions as transitional measure
  * At least FIPS 203/204/205 compliant algorithms

===== Sources =====

  * [[https://eur-lex.europa.eu/eli/dir/2022/2555/oj|NIS2 Directive (EUR-Lex)]]
  * [[https://www.bsi.bund.de/EN/Topics/KRITIS/kritis_node.html|BSI: Critical Infrastructures]]
  * [[https://www.enisa.europa.eu/publications/post-quantum-cryptography-current-state-and-quantum-mitigation|ENISA: Post-Quantum Cryptography Report]]
  * [[https://www.enisa.europa.eu/topics/risk-management|ENISA Risk Management]]