Political developments and the conflict in Ukraine are creating a new type of threat situation for German companies. Local companies and operators of critical infrastructure should therefore check and, if necessary, adapt their IT security measures to account for these threats. Read about what to look out for in this blog post.
The year 2022 will be remembered by most IT security experts for a long time: the conflict between Russia and Ukraine has exacerbated the situation from a cybersecurity perspective within a short period of time. In its “Update of 12 May 2022” the Federal Office for Information Security (BSI) observed an “increased threat situation for Germany”. In principle, this finding also applies to critical infrastructure, which is known as KRITIS in Germany.
The BSI calls on companies, government authorities and other organizations to review their IT security measures and adapt them to the current threat situation. Since the beginning of the conflict in Ukraine, there have already been additional IT security incidents in Germany, but these have only had a sporadic impact. New DDoS (Distributed Denial of Service) attacks were also fought off in most cases or had only a minor impact. Nevertheless, the BSI recommends that companies and other organizations pay particular attention to protection against this type of attack.
Why discomfort is spreading among security experts
A study published by Cisco Systems at the end of March 2022 found that just under one in five security and data protection experts in Germany believe they can manage the most important security risks for their company. A similarly low number of respondents still consider themselves able to avoid major incidents. But as for the rest, this spells trouble.
“The growing threat situation is just one side of the coin,” says Michael von der Horst, Managing Director Cybersecurity at Cisco Germany. The other side is the increasing compliance requirements, the widespread shortage of skilled workers and an increasingly hybrid workforce. These developments will make IT security even more complex, Horst is convinced. To make matters worse, many security solutions in Germany are no longer up to date.
39 percent of the security technologies used by companies worldwide are obsolete. In Germany, even 48 percent of respondents reported an outdated IT infrastructure. Nevertheless, 44 percent of respondents in Germany have already developed a strategy to update their systems. Around two-thirds want to expand their cloud-based security technology in particular. There are several benefits of better cloud security, according to experts: Companies with mature Zero Trust or SASE (Secure Access Service Edge) architectures notice attacks twice as quickly as companies without these measures. This allows them to take appropriate countermeasures more quickly and avoid damage and costs.
Why operators of critical infrastructures are in focus
The conflict in Ukraine has revealed yet another security problem: The BSI’s recommendation to no longer use software from the Russian security provider Kaspersky has a far-reaching impact on the entire security industry. Many customers are now wondering to what extent they can still trust software from manufacturers in other countries. Are the risks mentioned by the BSI, such as the use of a “permanent, encrypted and uncheckable connection to the manufacturer’s servers” for carrying out updates, not also applicable to other products?
In its recommendation on Kaspersky, the BSI assumes that “companies and authorities with special security interests and operators of critical infrastructure are particularly at risk”. This is not entirely new; in recent years there have already been some cyber attacks on critical infrastructure in Europe and other countries. Just think of the attack on the Colonial Pipeline, which led to a temporary outage of fuel supply in parts of the US; the attack on the Irish health authority, which left the health system with very limited access to diagnostics, laboratory services and patient records in the middle of the pandemic; or the incident in a Croatian substation, which brought Europe close to the edge of a blackout.
Given this situation, operators of critical infrastructure must deal not only with more or less clumsy blackmail attempts, but also with a politically motivated cyberwar. And a state opponent has far more options than, put simply, a handful of script kiddies.
Where further hacker attacks on critical infrastructure took place
In the spring and summer of 2022, the number of attacks increased. So far, there has been no identifiable, centrally controlled campaign against Germany, BSI President Arne Schönbohm told Der Spiegel. Nevertheless, the situation has deteriorated further. For example, an attack on the German subsidiary of the Russian oil company Rosneft almost led to a massive disruption of mineral oil distribution in Brandenburg and Berlin.
Interestingly, the hackers attacked supposedly Russian structures in that scenario. Microsoft, on the other hand, reports cyber attacks on at least 128 organizations in 42 countries allegedly originating from Russia. Their research focused on companies from the US and Poland. According to Microsoft, think tanks, humanitarian organizations, IT companies, and energy and other critical infrastructure suppliers in other countries are also on the list of targets.
Let’s sum up:
We are again living in a time when the cyber attacks threatening us are not only economically motivated. Recent events have also made political threats possible again. This also has a decisive impact on critical infrastructure. It is therefore no surprise that German authorities have already called for comprehensive preparations for potential cyber attacks. The IT Security Act 2.0, which came into force in 2021, also plays a role in this context. However, many of the tasks mentioned there cannot be performed by companies and operators of critical infrastructure alone. They should therefore team up with suitable partners, who then meet the BSI and ISO-27xxx standards on their behalf and implement them in practice.