Protection of critical infrastructure: Requirements, Risks and New Approaches to Critical Infrastructure Security

The protection of critical infrastructure is becoming increasingly important. Energy supply, water management, healthcare, transport systems and communications networks are essential to social and economic life. At the same time, the demands placed on their security are growing: in addition to cyberattacks, physical threats such as sabotage, vandalism and tampering are also coming under greater scrutiny.

New regulatory requirements such as NIS2, CER, the planned KRITIS-Dachgesetz and standards such as IEC 62443 are creating additional pressure to act. Operators of critical infrastructure must therefore further develop their security concepts holistically and consider digital, physical and organisational risks together.

 

Protection of Critical Infrastructure – A Brief Overview

The protection of critical infrastructure involves measures to ensure the continued operation of essential systems such as energy supply, water management, transport and communications.

The most important security aspects include:

  • Cybersecurity for the protection of digital systems

  • Physical security for the protection of critical infrastructure

  • Organisational measures such as risk analysis and emergency management

Regulatory requirements such as NIS2, CER, the KRITIS-Dachgesetz and standards such as IEC 62443 require operators to systematically assess risks and implement appropriate security measures.

Examples of critical infrastructure

  • Energy supply: electricity and gas networks, substations, district heating infrastructure

  • Water management: waterworks, pumping stations, wastewater treatment plants

  • Communications & IT: telecommunications networks, data centres, internet infrastructure

  • Transport & traffic: airports, rail infrastructure, traffic control systems

  • Healthcare: hospitals, medical supply systems

Why the protection of critical infrastructure is becoming increasingly important

The requirements for protecting critical infrastructure are rising significantly for three reasons. Firstly, the threat landscape is becoming more severe. Critical facilities are attractive targets for sabotage, vandalism and targeted attacks because any disruption can have far-reaching consequences for supply, security and the economy.

Secondly, digitalisation is increasing the attack surface. The increased interconnection of OT and IT systems, remote maintenance and IoT-based sensor technology are creating new dependencies and additional potential vulnerabilities.

Thirdly, the demands on resilience are growing. Operators must not only prevent disruptions, but also be able to detect incidents at an early stage, respond appropriately and maintain critical services.

Regulatory requirements for the security of critical infrastructure

The growing threat landscape is also reflected in regulatory requirements. Operators of critical and particularly important facilities must now systematically assess risks, implement appropriate measures and document their security plans in a transparent manner.

NIS2 Directive

The NIS2 Directive significantly expands the European cybersecurity requirements and affects far more organisations and facilities than before. The aim is to raise the overall security level of critical and important facilities within the European Union and to establish a more consistent understanding of risk and security management.

Central to this is the obligation to establish security measures not merely on an ad hoc basis, but as a structured management approach. Operators must identify and assess risks and implement appropriate technical and organisational measures. These include, in particular:

  • Risk analysis and security management to systematically identify threats and prioritise them appropriately

  • Technical and organisational measures tailored to the institution’s actual risk profile

  • Incident response processes to ensure that security incidents can be detected, assessed, reported and handled

  • Business continuity and crisis management, to ensure that critical services can be maintained even in the event of a disruption

  • Security requirements throughout the supply chain, as vulnerabilities among service providers or suppliers can also pose significant risks

 

CER Directive and KRITIS-Dachgesetz

The CER Directive (Critical Entities Resilience) supplements NIS2 by addressing the issue of critical infrastructure resilience. It focuses on the ability to maintain essential services even in the event of disruptions, attacks or failures. Unlike NIS2, the CER Directive explicitly takes physical and infrastructural risks into account, thereby establishing the central framework for critical infrastructure resilience at European level.

The key requirements of the CER Directive include:

  • Risk assessments for critical facilities and sites, including physical and infrastructural risks

  • Implementation of appropriate protective measures, particularly in the area of physical security

  • Resilience strategies and contingency planning to ensure the continuity of critical services

  • Consideration of cross-sectoral interdependencies, as disruptions often affect several sectors

In Germany, the CER Directive is being transposed into national law through the planned KRITIS-Dachgesetz. The KRITIS-Dachgesetz sets out the European requirements in concrete terms and establishes a uniform framework for the protection of critical infrastructure at national level. It translates the requirements of the CER Directive into binding regulations for operators in Germany and supplements existing security requirements.

The focus is particularly on the following aspects:

  • Mandatory implementation of resilience measures for critical infrastructure

  • Greater consideration of physical security requirements

  • Clear responsibilities and obligations to provide evidence for operators

  • Improved cooperation between public authorities and operators

  • Structured preparation for crisis and failure scenarios

 

IEC 62443

The IEC 62443 series of international standards is a key reference framework for the security of industrial automation and control systems. It plays a particularly important role where Operational Technology (OT), industrial control systems and networked facilities form part of critical infrastructure.

The series of standards considers security not just at a single level, but across various roles and system components – from operators and integrators to component manufacturers. Of particular practical relevance is the fact that IEC 62443 provides a structured approach to OT security and translates security requirements into industrial environments.

These include, amongst others:

  • Zoning and segmentation of systems to separate security-critical areas from one another

  • Definition of security levels, depending on protection requirements and threat profile

  • Requirements for secure system architectures, ensuring that risks are taken into account at the design stage

  • Policies for access control, user management and rights management

  • Requirements for maintenance, updates and secure operation

  • Consideration of physical security aspects, for example where access to facilities may have a direct impact on their integrity and operational safety

 

Why these sets of rules should be considered together

In practice, these regulatory frameworks are interlinked: NIS2 strengthens cyber risk management, CER focuses on resilience and physical robustness, the KRITIS-Dachgesetz establishes the national framework, and IEC 62443 provides guidance for OT environments. For operators, this makes it clear that effective KRITIS security requires a combination of cybersecurity, physical security and organisational resilience.

Measures to protect critical infrastructure

The protection of critical infrastructure is based on a combination of various security measures.

Organisational measures

  • Risk analyses and security concepts

  • Emergency and crisis management

  • Staff training and awareness-raising

Technical security measures

  • Network segmentation

  • Access controls

  • Security monitoring

  • Intrusion Detection Systems

Physical security measures

  • Access control systems

  • CCTV

  • Alarm systems

  • Technical tamper detection on equipment

Depending on the type of facility and its risk profile, these measures must be combined in an appropriate manner. Physical security measures are a key component of comprehensive security strategies, particularly for decentralised and unmanned facilities.

Figure: Security aspects of modern KRITIS security concepts. The diagram illustrates three key security dimensions: cybersecurity (IT & OT security), including firewalls, network segmentation, intrusion detection, monitoring and access controls; physical security, including access controls, CCTV, alarm systems and tamper detection; and organisation (processes & compliance), including risk analyses, ISMS / governance, emergency management, compliance and security guidelines.
Modern KRITIS security concepts combine cybersecurity, physical security and organisational measures to form a comprehensive protection strategy.

Why traditional security approaches are often insufficient

Traditional security approaches often rely on access control, video surveillance and alarm systems. Whilst these measures remain important, they reach their limits when it comes to detecting technical tampering with systems at an early stage or integrating physical events into digital security processes. This often results in a security gap, particularly in decentralised infrastructures.

 

New approaches to the protection of critical infrastructure

Modern security strategies are increasingly moving towards cyber-physical security concepts. They combine digital security mechanisms with the monitoring of physical changes to critical infrastructure, thereby creating an additional layer of security. This enables tampering to be detected earlier, physical events to be integrated into security processes, and the condition of critical infrastructure to be monitored with greater transparency.

One example of such an approach is PHYSEC SEAL. The solution complements traditional security measures with technical tamper detection and is particularly relevant for unmanned or decentralised facilities where physical changes need to be detected at an early stage.

 

Systematically integrating physical security into KRITIS security concepts


To ensure that physical security is effectively integrated into KRITIS security concepts, a structured approach is recommended:

  1. Identifying critical assets: Relevant assets and infrastructure components are identified.

  2. Assessing risks: Threats such as tampering, sabotage or unauthorised interference are analysed.

  3. Developing measures: Technical, physical and organisational safeguards are defined in line with the risk profile.

  4. Integrating into existing security processes: Physical events are incorporated into monitoring, alerting and response processes.

Frequently asked questions about the protection of critical infrastructure

Critical infrastructure includes facilities and systems whose failure would have a significant impact on society, the economy or public safety.

 

First and foremost, operators of critical infrastructure are responsible for its security. At the same time, government bodies set out regulatory requirements.

 

The most important sets of rules include:

  • NIS2 Directive

  • CER Directive

  • KRITIS-Dachgesetz

  • IT Security Act

  • IEC 62443

Many critical infrastructure facilities are geographically dispersed and are not under constant surveillance. This creates potential security vulnerabilities, particularly with regard to physical tampering or sabotage.

 

Cyber-physical security refers to security concepts that combine digital and physical protection mechanisms in order to detect attacks or tampering at an early stage.

 
