At the beginning of summer, the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) issued a warning about cyber attacks directed at German energy suppliers and power grids. Operators of critical infrastructure now face many different challenges.
The BSI understands that hackers have already penetrated the office networks of energy utilities but have not yet reached the critical infrastructure, the power grids, for example. Experts therefore suspect that information is being taken in an initial stage, possibly in preparation for further attacks. Nothing will work if there is no electricity, as power outages clearly remind us. And so attacks on the power grid will have particularly serious consequences if they succeed.
The energy industry is a key part of what is known as critical infrastructure (“KRITIS”). Critical infrastructure includes organizations and facilities that are of key importance for the community. If they fail, or if their functions are compromised, the result is lasting supply shortages or significant disruptions to public security. Critical infrastructure includes elements such as water utilities, hospitals, banks and airports. The chaos that can arise through a power outage became clear at Hamburg Airport recently. Although the outage in that case was attributed to a short-circuit, the repercussions were comparable.
In addition, continued advances in digitalisation and networking mean an increased threat to the availability of critical plant and facilities from cyber attacks. The latest “Monitor 2.0 – IT security for critical infrastructure” survey offers alarming results: more than half of those surveyed in critical infrastructure sectors claimed to have been the target of cyber attacks in the past year. Correspondingly, the majority of the participants in the study rate the level of threat for Germany as an economic region as high or very high.
Two vectors for attack stood out in the study of attacks on critical infrastructure systems: phishing and ransomware. Traditional methods, in other words, that can be found around the world in a range of industries. Lapses by employees were the most common reason identified in the study for the success of cyber attacks. There is thus a clear need for appropriate IT security training.
The study was performed as part of the promotional activity sponsored by the German Ministry of Education and Research (BMBF) on “IT security for critical infrastructure” (ITS|KRITIS). The BMBF has 13 research projects in place to promote the protection of critical infrastructure. The need is urgent, since critical infrastructure continues to expand. The Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, BaFIN) has announced, as it did in August, in consultation with the BSI, that it has expanded “the banking supervisory requirements on IT to include a module on critical infrastructure in the financial and insurance industry”. This will place additional demands on the affected financial service companies. Details can be obtained from the circular to affected parties, who will likely accept the increased costs only through gritted teeth.
We look at the technical aspect of attacks and outages in a further article.
You will also find news about all aspects of it-sa and the IT security environment in the it-sa Security Newsletter.