KRITIS · Critical Infrastructure · BSI

KRITIS pentest:
Security for critical infrastructure

Operators of critical infrastructure are in the crosshairs of professional attackers. The BSI requires regular security reviews according to the state of the art. We conduct these reviews: structured, documented, and tailored to the specific requirements of KRITIS environments.

BSI-compliant documentation
Experience in critical environments
Free initial consultation
What you get
Audit evidence to the state of the art
Our report documents compliance with BSI requirements under Paragraph 8a BSIG - usable for internal and external audits.
IT and OT security covered
KRITIS environments combine classical IT with industrial control systems. We understand both worlds and test with appropriate care.
No operational disruption
Clear scope boundaries, complete logging, immediate stop if unexpected impacts occur. Your operations stay protected at all times.
Prioritised remediation plan
Every finding with a concrete recommendation, prioritised by risk and feasibility in your operational context.
Our final report is suitable for BSI audits, internal compliance obligations, and board-level reporting.
Affected KRITIS sectors

Does KRITIS apply to your organisation?

The BSI Act defines nine critical sectors. Operators of essential facilities above defined thresholds are required to undergo regular security reviews.

⚡Energy (power, gas, oil, district heating)
💧Water & Wastewater
🏥Health (hospitals, laboratories)
🍀Food (production, retail)
🏦Finance & Insurance
🚆Transport & Traffic
💻Digital infrastructure & ICT
📊Government & Public administration
🗺️Media & Culture

Why KRITIS is a particularly high-value target

Attacks on critical infrastructure often pursue geopolitical goals - state-sponsored actors are more active here than in other sectors
OT systems (SCADA, ICS) are often decades old and were never designed for network connectivity - classical IT security measures such as frequent patching, active vulnerability scanning, or endpoint agents often cannot be applied unchanged
A successful attack can endanger not just data but the physical supply of essential services to the population
Ransomware groups have explicitly identified KRITIS operators as lucrative targets
Legal framework

What the BSI Act requires of KRITIS operators

§ 8a BSIG requires KRITIS operators to implement appropriate technical and organisational measures and to provide evidence of them to the BSI every two years. § 8a para. 3 BSIG names security audits, reviews, and certifications as acceptable forms of evidence; a penetration test is one recognised instrument within such a review.

§ 8a BSIG

Appropriate protective measures

KRITIS operators must secure their systems according to the state of the art. A pentest provides technical evidence of whether the implemented measures actually hold up against a realistic attacker.

Infra, physical, AD pentest
§ 8a BSIG

Regular verification

Security measures must be demonstrated to the BSI every two years. A pentest report is one central piece of this evidence.

All pentest modules
§ 8b BSIG

Incident reporting obligation

To correctly classify and report incidents, the attack surface must be known. A pentest creates this transparency.

OSINT, infra pentest
§ 8a BSIG

Access and entry control

Physical access to server rooms, control rooms, and technical areas requires special protection. We test whether your access controls hold up.

Physical pentest
§ 8a BSIG

Network and system security

IT/OT segmentation, firewall configurations, privileged accounts: we test whether your network is a real barrier.

Infrastructure pentest
§ 8a BSIG

Employee awareness

Social engineering is one of the most common entry points. We test how well your staff recognise and deflect manipulation attempts.

Social engineering
Our approach

KRITIS pentest in 5 steps

KRITIS pentests require special care: clear scope definitions, close coordination with operations, and complete documentation for BSI evidence.

STEP 01

Scoping & risk alignment

Joint definition of the test scope with explicit consideration of operationally critical systems. Exclusion zones and no-go areas are binding.

STEP 02

Reconnaissance & attack planning

Information gathering from public sources, network footprinting, and planning of realistic attack paths against your environment.

STEP 03

Controlled test execution

Manual testing within the agreed scope. We work closely with your operations team and communicate critical findings immediately.

STEP 04

Analysis & risk assessment

Assessment of each finding by technical severity and operational business impact - with focus on the specific characteristics of your KRITIS environment.

STEP 05

BSI-compliant final report

Complete documentation of all findings with recommendations, management summary, and BSI evidence documentation per Paragraph 8a BSIG.

2 years - BSI evidence interval for KRITIS
9 - Critical sectors in Germany
1,600+ - KRITIS operators nationwide
100% - Of our reports BSI-ready
Sample report: KRITIS pentest report · Energy supplier XY · BSI-compliant ✓

Control room: direct access without badge control (§ 8a BSIG)
OT network directly reachable from IT (§ 8a BSIG)
Phishing: 41% of employees affected (§ 8a BSIG)
SCADA system: default password active (§ 8a BSIG)
VPN: no MFA for remote access (§ 8a BSIG)

5 findings - remediation plan included. Evidence per § 8a para. 3 BSIG.
Relevant pentest modules

Which tests do KRITIS operators need?

KRITIS environments have special requirements. These three modules cover the most critical attack vectors and deliver the strongest BSI evidence.

Physical pentest

Control rooms, server rooms, technical areas: physical access is often the underestimated attack vector for KRITIS operators. We test whether your access controls hold up.

Learn more

Infrastructure & OT security

IT/OT segmentation, SCADA access, firewall configurations, privileged accounts: we test the network holistically with particular care for operationally critical systems.

Learn more
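Whether an OT zone is "directly reachable from IT" - the segmentation question this module addresses and the one behind the sample finding above - can be pre-checked from the firewall policy alone, before a single packet is sent into a production OT network. The following Python script is an added example and not AccessGranted X's own tooling: it evaluates a constructed first-match ruleset against representative IT and OT addresses and lists every IT-to-OT flow the policy would allow, once for a flawed policy and once for its remediated version. The zone ranges, rule names, the OT port list and both policies are assumptions built for the example.

```python
"""Static IT-to-OT reachability check over a first-match firewall policy.

Added example, not AccessGranted X's tooling. All networks, rule names and
port choices below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import product


@dataclass(frozen=True)
class Rule:
    name: str
    src: str           # CIDR; "0.0.0.0/0" means any
    dst: str           # CIDR
    ports: tuple       # (low, high) inclusive; (0, 65535) means any
    action: str        # "allow" or "deny"


# Constructed zone layout (assumption): office IT, a DMZ with a jump host, one OT cell.
ZONES = {
    "IT":  ip_network("10.10.0.0/16"),
    "DMZ": ip_network("10.20.0.0/24"),
    "OT":  ip_network("192.168.100.0/24"),
}

# Services a typical OT cell exposes (assumption): field protocols plus HMI/engineering access.
OT_PORTS = {"s7comm": 102, "modbus": 502, "opcua": 4840, "dnp3": 20000, "rdp": 3389, "https": 443}

# Constructed policy with two classic mistakes: a direct IT->OT allow for a
# "historian" pull, and an old catch-all rule for a legacy office subnet.
POLICY = [
    Rule("jump-to-ot-rdp", "10.20.0.5/32", "192.168.100.0/24",  (3389, 3389), "allow"),
    Rule("it-to-jump-rdp", "10.10.0.0/16", "10.20.0.5/32",      (3389, 3389), "allow"),
    Rule("historian-pull", "10.10.0.0/16", "192.168.100.10/32", (443, 443),   "allow"),
    Rule("legacy-any",     "10.10.5.0/24", "192.168.100.0/24",  (0, 65535),   "allow"),
    Rule("default-deny",   "0.0.0.0/0",    "0.0.0.0/0",         (0, 65535),   "deny"),
]

# Same policy after remediation: IT reaches OT only via the DMZ jump host, and the
# historian is pulled from a DMZ collector instead of from office IT.
HARDENED_POLICY = [
    Rule("jump-to-ot-rdp",     "10.20.0.5/32",  "192.168.100.0/24",  (3389, 3389), "allow"),
    Rule("it-to-jump-rdp",     "10.10.0.0/16",  "10.20.0.5/32",      (3389, 3389), "allow"),
    Rule("dmz-historian-pull", "10.20.0.20/32", "192.168.100.10/32", (443, 443),   "allow"),
    Rule("default-deny",       "0.0.0.0/0",     "0.0.0.0/0",         (0, 65535),   "deny"),
]


def matches(rule, src, dst, port):
    return (src in ip_network(rule.src) and dst in ip_network(rule.dst)
            and rule.ports[0] <= port <= rule.ports[1])


def decide(policy, src, dst, port):
    """First-match evaluation with implicit deny, as most firewalls do it."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in policy:
        if matches(rule, src, dst, port):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def probe_addresses(policy, zone):
    """One representative host for the zone plus one per rule network inside it.

    Hosts that fall into the same set of rule networks get the same verdict, so
    this covers the rule-defined classes without enumerating a whole /16. It is
    a sampling heuristic, not an exhaustive reachability proof.
    """
    def first_host(net):
        return net.network_address if net.prefixlen == 32 else net.network_address + 1
    probes = {first_host(zone)}
    for rule in policy:
        for cidr in (rule.src, rule.dst):
            net = ip_network(cidr)
            if net.subnet_of(zone):
                probes.add(first_host(net))
    return sorted(probes)


def it_to_ot_exposures(policy, zones=ZONES, src_zone="IT", dst_zone="OT", ports=OT_PORTS):
    """Return every (src, dst, service, port, rule) the policy allows from src_zone into dst_zone."""
    found = []
    for src, dst, (service, port) in product(probe_addresses(policy, zones[src_zone]),
                                             probe_addresses(policy, zones[dst_zone]),
                                             ports.items()):
        action, rule_name = decide(policy, src, dst, port)
        if action == "allow":
            found.append((str(src), str(dst), service, port, rule_name))
    return found


if __name__ == "__main__":
    for label, policy in (("current", POLICY), ("hardened", HARDENED_POLICY)):
        exposures = it_to_ot_exposures(policy)
        print(f"{label}: {len(exposures)} IT->OT flows allowed")
        for src, dst, service, port, rule in exposures:
            print(f"  {src} -> {dst}:{port} ({service}) via rule '{rule}'")
```

Against the constructed policy the script reports 13 allowed IT-to-OT flows, 11 of them through the catch-all legacy rule and two through the historian rule; the hardened policy yields none. A real export would need converting into this address/port tuple form first, and rules keyed on interfaces, users, or application IDs are not modelled, which is exactly why the static result is a starting point for the controlled test rather than a substitute for it.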

Active Directory & access management

Privilege escalation, lateral movement, weak accounts: a compromised AD in a KRITIS environment can have catastrophic consequences.

Learn more
Frequently asked questions

KRITIS & penetration testing - your questions

What does the BSI require of KRITIS operators?
§ 8a BSIG requires KRITIS operators to demonstrate to the BSI every two years that they have implemented appropriate technical and organisational measures. § 8a para. 3 BSIG allows this evidence to be provided through security audits, reviews, or certifications; a penetration test is one recognised instrument within such a review.

How does a KRITIS pentest differ from a classical pentest?
Technically many methods are identical - the differences lie in preparation, the sensitivity of execution, and reporting. For KRITIS operators, operationally critical systems must be carefully scoped. OT systems require a different approach from classical IT.

Can OT systems be tested at all?
Yes - but with particular care. OT systems are often more sensitive than classical IT and must not be destabilised by aggressive test methods. We jointly define clear boundaries and coordinate the test closely with your operations staff.

What does a KRITIS pentest cost?
There is no one-size-fits-all answer. KRITIS environments vary considerably depending on sector, facility size, IT/OT ratio, and desired scope. After a free initial consultation we will understand your environment and you will receive a transparent fixed-price offer.

How often should KRITIS operators test?
The BSI requires evidence every two years. We also recommend testing after significant changes to your IT or OT infrastructure and after security-relevant incidents.

Which sectors count as KRITIS?
The BSIG defines nine critical sectors: energy, water, food, ICT, health, finance and insurance, transport and traffic, government and public administration, and media and culture. Whether an operator is specifically subject to KRITIS obligations depends on defined thresholds.

© AccessGranted X GmbH