Inhaltsverzeichnis

3.5 Critical Infrastructure

3.5 Critical Infrastructure

PQC requirements for critical infrastructure¹⁾ operators.

Definition

Critical infrastructures are organizations and facilities of significant importance to the community, whose failure would have dramatic consequences.

Sectors According to NIS2

The NIS2 Directive²⁾ defines the following sectors:

Essential Entities:

Energy (Electricity, Gas, Oil)
Transport (Air, Rail, Water, Road)
Banking
Financial Market Infrastructures
Healthcare
Drinking Water
Digital Infrastructure

Important Entities:

Postal and Courier Services
Waste Management
Chemical
Food
Manufacturing
Digital Services

Special Requirements

Early PQC migration (before 2030)
Documentation obligations
Incident reporting requirements (within 24h)
Regular audits
Risk management according to ENISA³⁾ guidelines

"Harvest Now, Decrypt Later" Risk

Especially critical for critical infrastructure⁴⁾:

Long-term sensitive data (>10 years)
Infrastructure control data
Key material
Authentication data

BSI Recommendations

The Federal Office for Information Security⁵⁾ recommends:

Immediate inventory of cryptography
Prioritization by data sensitivity
Hybrid solutions as transitional measure
At least FIPS 203/204/205 compliant algorithms

Sources

¹⁾

Critical Infrastructures: https://www.bsi.bund.de/EN/Topics/KRITIS/kritis_node.html

²⁾

EU Directive 2022/2555 (NIS2): https://eur-lex.europa.eu/eli/dir/2022/2555/oj

³⁾

ENISA Risk Management: https://www.enisa.europa.eu/topics/risk-management

⁴⁾

ENISA PQC Report: https://www.enisa.europa.eu/publications/post-quantum-cryptography-current-state-and-quantum-mitigation

⁵⁾

BSI: https://www.bsi.bund.de/EN/Home/home_node.html