Here are the keys to critical infrastructure

The two EU directives, NIS2 and CER, aim to make Europe’s critical infrastructure more robust in challenging times. Not least, CER demands greater physical security within a range of new sectors, where 41 grams of electronics can make a significant difference.

Explore our latest Technical Partner Magazine

Gone are the days when what was decided ‘down in the EU’ seemed distant. In recent years, the security policy situation has been turned upside down, and European countries are rethinking a future where EU members and EEA countries are far more on their own than before. Concepts like hybrid warfare have set the spotlight on robustness of critical infrastructure, as reflected by the two EU directives, NIS2 and CER. Meeting these requirements could literally be at hand, but more on that later.

NIS2 – A High and Uniform Level of Security

First, let’s look at NIS2, which is an update of the existing NIS directive. It imposes stricter requirements on companies and organisations that handle core services or large amounts of personal data. NIS stands for Network and Information Security, and the directive includes among other things:

Enhanced management requirements
Minimum requirements for managing cyber risks
Obligation to report security incidents
Regular risk assessments
High security standards among suppliers
Contingency plans etc.

The goal is to ensure a high and uniform level of cybersecurity across all EU member states, particularly within sectors such as health, utilities, transportation, and finance. But NIS2 is not alone.

CER – Special Prioritization of Physical Security

CER has been called a ‘sister directive’ to NIS2. It stands for Critical Entities Resilience Directive and will particularly influence the physical securing of critical infrastructure. It also expands the scope of sectors considered critical from energy and transportation to areas such as health, drinking water, digital infrastructure, and similar.

The goal is to ensure the greatest possible resilience against various attacks and a greater awareness of risk, not only within individual organisations but throughout the entire supply chain. Here, Hans Følsgaard A/S comes into the picture as a supplier to utility companies.

The Small, yet Crucial Detail in our Defense

Although there is much focus on cybercrime that occurs digitally and over long distances, vulnerabilities in infrastructure also have a physical dimension. On a large scale, we have seen the damage when massive sea cables are cut, but modern technology is also available on land in the form of transformers and pump stations, substations and cabinets for electrical connections and fiber. Developers and suppliers are aware of this.

“We are a technical partner for operators and utility companies, with whom we develop
complete substations, roadside cabinets, and similar installations with,” explains Mikkel Møller Jørgensen, Head of Cables and Telecom Nordics at Hans Følsgaard. “For the same reason, we are aware of the implementation of NIS2 and especially CER, which are important directives when utility companies ask for plug-andplay solutions for their networks."

Mikkel Møller Jørgensen highlights a detail that can make life difficult for unauthorized indivi-duals trying to access cabinets and substations.

“The lock! The actual physical lock can make the difference between a network that works and a network that risks being sabotaged. If a company chooses a simple standard key that all employees can carry in their keyring, it’s too easy for unauthorized people to gain access to cut cables or spy on data traffic. I have no doubt that electronic keys with integrated access control will be a hot topic in the near future with NIS2 and CER,” states Mikkel Møller Jørgensen, bringing us back to the 41 grams of electronics mentioned at the beginning.

Intelligent Key for a Future with Hybrid Threats

From Mikkel Møller Jørgensen, the journey continues to Birepo to zoom in on a specific solution that can help companies and organisations meet the strict requirements for physical security set out in the CER directive. The key and access control system CyberKey® has been used and developed over 20 years, and thanks to the adoption of the CER directive, it is more relevant than ever.

“CyberKey® turns things upside down compared to many other key systems,” explains Gert Petersen, Director of BIREPO A/S with headquarters in Greve. “The electronic cylinder is available in over 400 different versions and can be used for all common systems. It is easy to install and can be quickly rolled out on a large scale. The big difference lies in the electronic key. Because it is the key rather than the lock that is intelligent.”

The key weighs just 41 grams, but it weighs all the heavier in practice when technicians and others need access to perform tasks in, for example, cabinets along rail lines. Thanks to central task management by the key, it can grant access to a specific location in a specific time frame.

“The key provides the necessary power to the lock cylinder and is loaded with the day’s tasks and permissions from home. When an employee checks in on the task, the key is involved in task management and thus constitutes an active and intelligent access control. And should one be unlucky enough to lose their CyberKey®, it grants access to nothing and is automatically deleted,” explains Gert Petersen.

A More Secure, but also more Flexible Circuit

The work with physical security faces some of the same challenges as working with IT security: the more secure the system, the more restricted its everyday use risks becoming. Therefore, great importance is placed on CyberKey®, being part of a flexible system with simple administration, so that daily routines and the freedom of employees are accommodated.

This includes full integration with task management systems, and the key can be quickly updated via Wi-Fi. The comprehensive access control platform becomes an important and operational piece in the overall security strategy for a company or organisation.

“We are pleased that a total supplier of substations and cabinets like Følsgaard is aware that the security of critical infrastructure can be compromised if every single crucial detail is not in place. We also feel that the requirements contained in NIS2 and CER are starting to sink in when we are at trade fairs, where interest in intelligent access control systems is large and increasing. There is no doubt that locking systems in more than one sense are key to infrastructure protection,” concludes Gert Petersen.