Which areas do you consider to be critical infrastructures?
Peter Lauwe: The definition and sectors are laid out in a National Strategy for Critical Infrastructure Protection. Critical infrastructures include, for example, the energy supply, information and communication technology as well as the parliament, government, public administration and judicial institutions. These examples show that both private companies and public authorities operate critical infrastructures.
Which of these are particularly sensitive?
Peter Lauwe: There are very high dependencies on the power supply, on information and communication technology (ICT) and directly or indirectly on transport services. These three areas thus have a function that cuts across all of the other critical infrastructures to a high degree.
Where do you see the greatest need for action to protect critical infrastructures from external attacks?
Peter Lauwe: Critical infrastructure operators have been sensitized to many areas and implement numerous measures to secure their services. However, in our view there is still a lot of work to be done, as both critical infrastructures and risks are constantly changing.
For example, we see a great need for action in increasing systematization of collaboration between state actors and operators of critical infrastructures in risk management (integrated risk management).
Communication between state and non-state actors in the event of a crisis is also of great importance. If communication options such as telephone or the internet fail, emergency systems must be used. These are currently limited in their capability to meet the prerequisites for adequate communication. There is a need for complementary solutions to ensure information exchange.
Against the backdrop of increasing complexity in critical infrastructures, we need to create more simple fallback systems, which can be accessed if the functionality of critical infrastructures is significantly impaired.
And as a final example I’d like to mention in particular the area of emergency planning. Against the background of potential long-term and large-scale damage scenarios, measures have been initiated in recent years by local authorities as well as by the federal and state governments. Possible massive power outages, for example, have been studied intensively. There is still a need for clarification and action in some areas. For example, in the distribution of important goods such as fuel or medicines in the event of a major disaster.
How can actors in risk management improve collaboration?
Peter Lauwe: Stakeholders increase the exchange of insights and findings from their respective risk management systems. In a project that we supervised, a critical infrastructure operator marked the areas within a county in which its service would no longer be available in the event of a power failure. This was valuable emergency planning information for the fire brigades located in this county.
What developments are planned for the future? And where do you see future support opportunities from research institutes such as the Fraunhofer FKIE?
Peter Lauwe: The complexity of the individual infrastructures and the complexity of the interaction between infrastructures will steadily increase. The risks are also changing and, in some cases, increasing. We have to learn how to deal with these changes in order to assure the protection of critical infrastructures in the future.
In my view, two developments are important in this regard. On the one hand, despite or because of the complexity, we should continue to improve the reliability of systems and, in doing so, take the aspect of system resilience into consideration from the planning phase onwards.
On the other hand, we need simple fallback systems in critical infrastructures, which in the event of serious disruptions make it possible to maintain supply to parts of the population.
There is certainly a great need for support from all of the actors involved. Further, many questions can only be answered with the help of the scientific community. On this point, as well, I can only mention a few examples of questions that have not yet been sufficiently clarified for us:
- How will critical infrastructures change in the future?
- What role does artificial intelligence play in this development?
- What do these changes mean for supply security?
- How can forecasting capabilities for potential impacts be improved in practice?
- What is the increasing role of data use in critical infrastructure protection?
- How must/should the legal framework be further developed?
- How must/should standards be further developed?