Critical infrastructures (KRITIS) are under severe threat from cyber attacks.
In Ukraine, bombs and missiles are raining down on electricity, water, and even nuclear power plants. But also in the rest of Europe, producers and suppliers in the fields of energy, water, finance, and health, as well as industrial companies, are increasingly being targeted by cyber attackers.
The result: production losses worth millions and supply bottlenecks, up to and including endangering human life. Recent examples include attacks on the largest pipeline in the United States, the Irish health authority, and an incident at a Croatian substation that brought Europe to the brink of a power blackout.
The cyber attacks on German municipal administrations, such as in Anhalt-Bitterfeld, Schwerin, and Witten, also highlighted the vulnerability of German authorities, where large parts of the IT systems failed or had to be shut down in an emergency. The cyberattack on the third-largest Austrian dairy showed how quickly food production can come to a standstill. All company areas were affected, from production to logistics and communication.
In addition, the attack on the Oldsmar groundwater treatment plant in Florida demonstrated the potentially life-threatening consequences of a compromised critical infrastructure. The attackers successfully penetrated the computer system that controlled the water treatment plant and remotely manipulated a computer to alter the chemical balance of the water supply, which could have caused severe human harm.
Cyberwar: When there is no negotiating partner
Against the background of this increasing number of attacks, operators of critical infrastructures and companies of particular economic importance have to deal with attempts at blackmail and with the topic of cyberwar. If cybercriminals merely demand a ransom, organizations can at least prepare appropriate guidelines for action in advance, for example for the case of a successful ransomware attack.
However, suppose a cyber attack is purely politically motivated, and a hostile nation-state chose the organization only as a random victim to set an example. In that case, there is no negotiating partner, and the damage can have a massive impact on the organization's ability to operate and take on dimensions that affect society as a whole.
This new type of hybrid warfare is evident in the Ukraine-Russia conflict, where digital attacks have preceded military ones and could continue to do so in the future. As early as 2015, Russia managed to paralyze part of the Ukrainian power grid with a significant cyberattack, leaving a quarter of a million Ukrainians without electricity in the winter. A month before the war began, in January 2022, Microsoft discovered destructive wiper malware in dozens of critical systems of Ukrainian government agencies and organizations. According to the Ukrainian government, there are clear indications that Russia is behind these attacks. In addition, it cannot be ruled out that such incidents could extend far beyond the national borders of Ukraine. German security authorities have already called on operators of critical infrastructures, in particular, to arm themselves against possible cyber attacks.
Therefore, in the KRITIS area, it is fundamental to implement a consistent, integrated security concept for both the IT and the OT infrastructure, not only because of monetarily motivated attacks but also for reasons of national security. Such an end-to-end solution includes products, processes, and qualified security specialists across all areas.
New legal framework for critical infrastructures
The legislator has reacted to the new digital challenges. As a result, operators of critical infrastructures and companies of particular public interest are faced with significant challenges due to the increasing number of cyber threats and the updating of the legal framework at the German and European levels.
According to the German BSI Act, organizations are operators of critical infrastructure if they belong to one of the seven sectors of energy, health, information technology and telecommunications, transport and traffic, water, finance and insurance, and food, provide critical services and, in doing so, exceed the thresholds defined in the BSI-KRITIS Regulation.
Additional legal requirements for KRITIS operators in 2022
In Germany, the second law to increase the security of information technology systems – in short: IT Security Act 2.0 – came into force in May 2021 as a supplement to the BSI Act. This expanded the circle of critical infrastructures to include the municipal waste disposal sector. In addition, other companies in the so-called “special public interest,” such as armaments manufacturers or companies with particularly great economic importance, will also have to implement specific IT security measures in the future.
The IT Security Act 2.0 has resulted in significant adjustments for companies and, in some cases also for operators of critical infrastructures:
- Critical infrastructure operators must implement attack detection systems by May 1, 2023 at the latest.
- In addition, operators must notify the Federal Ministry of the Interior of the planned initial use of critical components; the use can be prohibited, for example, if the manufacturer is controlled by a third country or the use of the component contradicts the security policy goals of the German Federal Government, the EU, or NATO.
- Companies in the particular public interest are obliged to submit a self-declaration regularly. They have to explain which certifications in IT security have been carried out in the last two years and how their IT systems have been secured.
In addition, the European Commission has presented a proposal to reform the European NIS Directive (NIS-2) and a “Critical Facilities Resilience Directive” to improve the digital and physical resilience of critical facilities and networks. These proposals aim to minimize current and future risks. Therefore, implementing these European guidelines can result in a renewed revision of the IT Security Act 2.0.
What does integrated protection of critical infrastructure look like?
Producers and suppliers in the energy, water, and health sectors, as well as industrial companies that need to protect their IT and control technology from cyber attacks, need integrated solutions that are in line with the IT Security Act 2.0/BSI Act and the ISO 27000 standards for information security. On the technology side, the following competencies should therefore be combined to form a tight security network against attacks:
Security modules to protect critical infrastructures
Log Data Analysis (LDA):
This is also known as Security Information and Event Management (SIEM), which collects, analyzes, and correlates logs from various sources. This results in alerts for security problems or potential risks.
Vulnerability Management & Compliance (VMC):
Vulnerability management enables continuous, internal, and external vulnerability scanning with comprehensive detection, compliance checks, and tests for complete coverage. As part of software compliance, the authorized use of software for each server or server group is determined using a set of rules and continuous analysis. Manipulated software can be recognized quickly.
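The software compliance part of the VMC module described above, as an added example that is not code from the original article or from any particular product: a rule set defines the authorized packages per server group together with the expected SHA-256 of each installed binary, and each host's inventory is checked against it, so that both unauthorized software and manipulated (hash-mismatched) binaries are reported. Group names, package names and all hashes are constructed placeholders.

```python
import hashlib

# Constructed rule set: authorized packages per server group and the SHA-256
# expected for each installed binary (hashes derived from placeholder bytes).
def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

RULES = {
    "scada-hmi": {
        "hmi-runtime": sha256_hex(b"hmi-runtime 3.2 (constructed)"),
        "opcua-client": sha256_hex(b"opcua-client 1.4 (constructed)"),
    },
    "web-frontend": {"nginx": sha256_hex(b"nginx 1.24 (constructed)")},
}

def check_host(host: str, group: str, inventory: dict[str, str]) -> list[tuple[str, str, str]]:
    """Compare a host's inventory (package -> observed SHA-256) with its group's rules.

    Returns (host, package, finding) tuples; finding is "unauthorized" (package not
    allowed on this group), "hash_mismatch" (authorized name, altered binary, i.e. an
    indicator of manipulated software) or "unknown_group" (no rules exist at all).
    """
    rules = RULES.get(group)
    if rules is None:
        return [(host, pkg, "unknown_group") for pkg in sorted(inventory)]
    findings = []
    for pkg, observed in sorted(inventory.items()):
        expected = rules.get(pkg)
        if expected is None:
            findings.append((host, pkg, "unauthorized"))
        elif observed != expected:
            findings.append((host, pkg, "hash_mismatch"))
    return findings

def run_demo() -> list[tuple[str, str, str]]:
    """Constructed inventories: one clean HMI host, one with a patched binary and an extra tool."""
    clean = dict(RULES["scada-hmi"])
    tampered = {
        "hmi-runtime": sha256_hex(b"hmi-runtime 3.2 with injected code (constructed)"),
        "opcua-client": RULES["scada-hmi"]["opcua-client"],
        "remote-admin-tool": sha256_hex(b"not on any allowlist (constructed)"),
    }
    return check_host("hmi-01", "scada-hmi", clean) + check_host("hmi-02", "scada-hmi", tampered)

if __name__ == "__main__":
    for host, pkg, kind in run_demo():
        print(f"{host}: {pkg} -> {kind}")
```

In a real deployment the inventory would come from an agent or package manager on each host and the rule set from a signed configuration store; the comparison logic stays the same.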
Network Condition Monitoring (OT module):
This module reports, in real time, communication patterns that indicate a disruption of error-free operation. Technical overload conditions, physical damage, misconfigurations, and deterioration in network performance are thus recognized immediately, and the sources of error are identified directly.
Network Behavior Analytics (NBA): With network behavior analysis, detecting dangerous malware, anomalies, and other risks in network traffic is possible based on signature and behavior-based detection engines.
Endpoint Detection & Response:
Endpoint Detection and Response stands for analyzing, monitoring, and detecting anomalies on computers (hosts). With EDR, active protection actions and instant alerts are provided.
Due to the complexity, the further processing of the security-relevant information from these modules is carried out by security specialists. They evaluate and prioritize the automatically gathered findings. This is the basis for initiating the proper countermeasures. Finally, the security experts make all information available in a transparent manner in a central portal to which the relevant stakeholders – including IT and OT operations teams and management – have access, or from which they regularly receive customized reports that they can understand.
European safety technology for easy compliance with legal requirements
Although the use of European security technologies is not anchored in the BSI law, it is recommended for KRITIS operators and companies in the particular public interest to be able to meet the following legal requirements quickly:
Compliance with the General Data Protection Regulation as well as integrity, authenticity, and confidentiality of the IT systems
Like companies in all other sectors, KRITIS operators are subject to the requirements of the EU General Data Protection Regulation (GDPR). They must comply with them at all times and secure their systems accordingly.
Furthermore, the BSI Act (§ 8a Paragraph 1 BSIG) requires operators of critical infrastructures to provide the BSI with suitable proof of their precautions to avoid disruptions to the availability, integrity, authenticity, and confidentiality of those information technology systems, components, or processes that are essential for the functionality of the critical infrastructures they operate.
With European security providers, whose services are based on proprietary technology developed in Europe, compliance with the above requirements is easy to implement. They are subject to the highest data protection standards. In addition to the origin of the cybersecurity provider, KRITIS companies should also pay attention to the way the security software is set up and the way security data is collected. We recommend on-premise solutions as the most secure form of deployment to ensure the best possible data security. Even if the trend is increasingly towards the cloud, this should be viewed critically given the high sensitivity of data in KRITIS.
Critical components: Specifications for the manufacturers used
European security technology also facilitates the testing of critical components by the BSI following § 9b BSIG. For example, the BSI can prohibit the initial use of a critical component if
- the manufacturer is directly or indirectly controlled by the government, including other government agencies or armed forces, of a third country,
- the manufacturer was or is already involved in activities that had adverse effects on public order or security in the Federal Republic of Germany or another member state of the European Union, the European Free Trade Association or the North Atlantic Treaty or on their institutions,
- the use of the critical component is not consistent with the security policy goals of the Federal Republic of Germany, the European Union, or the North Atlantic Treaty.
Solid cyber resilience is fundamental for KRITIS organizations
Attacks on critical infrastructure are lucrative for cybercriminals. At the same time, they harbor an exceptionally high potential for damage to the community: e.g.
Therefore, KRITIS organizations need to select security providers for their defense measures that fully meet the requirements of the BSI and the ISO 27000 standards and, at the same time, adhere to the highest European data protection standards. The premise should be to avoid fines and ensure effective and sustainable protection of the IT and OT systems. However, solid cyber resilience against attacks is never based solely on security technologies but always includes the right processes and qualified specialists. Only through this triad of products, processes and experts is it possible to get a 360-degree view of an organization’s entire infrastructure,