The German Federal Office for Information Security (BSI) warns in the 2022 situation report presented in parallel to it-sa: Targeted attacks on critical infrastructure are increasing, as are hacker attacks on companies and political institutions. "The threat situation in cyberspace is tense, dynamic and diverse, and thus higher than ever," said BSI Vice President Gerhard Schabhüser during the press conference to present the situation report. In the reporting period, the BSI received a total of 452 reports from the critical infrastructure sectors that are obliged to report. Attacks on critical infrastructure (German abbr.: KRITIS) must be reported to the BSI by their operators.
Politicians are calling for stronger protection of critical infrastructure. However, experts not only assess the situation differently, they also recommend different approaches to solutions, as research conducted during the security trade fair it-sa showed. It is clear that critical infrastructure sectors need contempory protection concepts beyond classic security solutions such as firewalls or endpoint protection (EDR).
High level of safety and poor regulation
Depending on the KRITIS sector, however, the problem is quite different, emphasises Stefan Strobel, CEO and founder of the IT security specialist Cirosec. "Particularly sensitive infrastructures such as nuclear power plants have been very well secured for decades," he points out. "There, for example, the IT architecture is divided into different rings that are sealed off from each other by air gaps, for example," he adds. Air gaps are IT networks without connectivity. Strobel judges: "What we have and had in Germany in terms of security in these areas is unparalleled in the world".
However, the situation is different for smaller operators of critical infrastructure. Here, the security expert sees clear deficits: "For example, there is still a lot of catching up to do in the health sector. There and in other sectors, people often only rely on classic IT security elements such as firewalls and malware protection. However, the possibility to detect attacks or even intruders is missing. As a result, countermeasures cannot be initiated or can only be initiated with delay. Another point: "The BSI has created an 'orientation guide for the use of attack detection systems'. In it, the office basically calls for something like a SIEM or something that evaluates log files based on rules," says Strobel. With a Security Information and Event Management (SIEM), security-relevant messages from log files and other sources can be evaluated. Furthermore, it is required that network intrusion detection (IDS) be installed at network transitions, i.e. gateways. Instead, Strobel advocates modern technologies such as XDR, micro segmentation and the like. But operators are obliged to implement the requirements by spring 2023. This is a point that many experts are currently discussing controversially.
KRITIS companies partly overstretched
KRITIS companies are confronted with numerous challenges: Forms of attack have become more complex, attackers more professional, "sometimes you can hardly fight them with the previous tools", warns Şahab Ölmez. This has not escaped many operators: "Many companies know they have to do something, but they don't know what", he describes the situation. Ölmez is responsible for sales in the KRITIS segment at the high-security solutions provider Rohde & Schwarz Cybersecurity (R&S). He knows: "Many security solutions exist, but companies are often overwhelmed to separate the wheat from the chaff, because the evaluation and analysis of the manufacturers' offers is too complex for many".
Ölmez recommends: "You always have to consider what a single day's loss of operation or production costs". He knows of many individual cases where there is a need for action. Often, sensible safety precautions have been taken, but many are no longer sufficient today. Ölmez illustrates this with an example: "Substations are actually a sealed-off and closed network," he explains, but the network connections are often not encrypted at all or only weakly. "If attackers know where the network routes run, they could tap or change data," he warns. Wrong control commands or wrong measured values could be the result. In rail transport there are unencrypted communication links at sensitive points, too. Ölmez explains: "For example, someone could interfere with the setting of points and manipulate a signal or the command to a point”. Catastrophic accidents would be the result. For such applications, Rohde & Schwarz Cybersecurity offers devices for tamper protection, for example in the form of encryption at the Ethernet level. These devices are approved by the BSI up to the classification level VS-NfD (classified information - for official use only).
Resilience as a solution
Other specialists look at the problem from a different angle. Mirko Ross, CEO and founder of the OT specialist Asvin, emphasises: "Critical infrastructure can only be protected to a limited extent". He explains: "For example, if I know where transformer houses are located, I can always cause a power failure somehow". Ross advises: "Resilience is the key here". Resilience is understood as the ability to deal with disruptions in such a way that there are no serious consequences or failures. This can be done, for example, through massive redundancy or systems that switch to a defined state in the event of problems. But such measures would quickly become an economic question, Ross points out.
Digitalisation in OT areas such as the energy sector faces its own challenges: "Let's take the power grid: with smart grids, the attack surface increases simply because of the additional IT components. But digitalisation plays an important role, among other things because it allows me to switch loads and lines quickly," analyses Ross. But this must be accompanied by appropriate security measures. It must be taken into account that technology in OT has a long service life, but IT components quickly become obsolete and at some point no more updates are available for them. "This can lead to control elements having to be replaced more often during the life of a system in order to be able to update them or because unsafe hardware has to be replaced", the expert notes.
Complex situation requires complex consideration
This small selection from the numerous experts at it-sa shows different approaches for solving an acute problem. However, it also becomes clear that the different approaches of the experts only provide a comprehensive picture when put together. It will be the task of regulatory bodies to create effective approaches on this basis. "It would be important to have harmonised regulations throughout the EU," suggests Sudhir Ethiraj, head of cybersecurity division at TÜV Süd. He even considers more far-reaching international KRITIS regulations to be helpful. Creating the framework for this will be one of the future challenges.
Presentations from the open forums on critical infrastructure also online
Forum contributions from the it-sa Expo&Congress series it-sa insights were recorded and are now available online.
