

NIS2 – Regulations in the critical infrastructure sector raise questions, experts answer

There is a great need for expertise in the protection of critical infrastructure facilities. This was demonstrated by the IT Security Update - Special Edition "KRITIS" with three presentations and an exciting online discussion round in which participants were able to ask questions about IT security in the sector and the associated regulations. In the expert discussion, it became clear that the upcoming NIS2 regulation poses a challenge for many companies; representatives from secunet and the Austrian Institute of Technology gave tips on how to prepare.

The critical infrastructure sector is in a state of upheaval: sophisticated cyber attacks are causing companies just as much trouble as new regulations, such as NIS2. A discussion event as part of the IT Security Update - Special Edition "critical infrastructures" provided exciting insights into this.

In an exciting discussion round, participants were able to ask questions about IT security in the critical infrastructure sector and the associated regulations. Experts were confronted with questions from a well-versed specialist audience. It became clear that many companies are still struggling with the upcoming NIS2 regulation.

  • There is a great need for expertise in the protection of critical infrastructure facilities. This was demonstrated at the IT Security Update - Special Edition "critical infrastructures" event, where experts answered questions from participants.
  • This need is reinforced time and again by devastating cyber attacks in this sector. For example, healthcare facilities were hit close to the time of the event.

 

Clinics hit by ransomware attacks

The weekend before, district clinics in the Bavarian city of Ansbach, Germany, were the victims of attacks, followed on Monday by the Caritas Dominikus Clinic in Berlin. Both cases involved ransomware attacks in which sensitive data was encrypted. According to a report by Bavarian broadcaster Bayerischer Rundfunk (BR), it must be assumed that personal and internal company documents were also stolen by the hackers in Ansbach. It is still unclear whether personal data was also accessed during the attack in Berlin.

The attacks were not without consequences for healthcare provision: all IT systems were taken offline for security reasons, the clinics reported. As a result, there were massive restrictions on telephone availability in both cases. The hospitals have also cancelled their emergency care services. However, despite the attacks, patient care was ensured because the hospitals had drawn up appropriate emergency plans and were therefore prepared for such events. This shows once again that emergency management is an indispensable element of the critical infrastructure sector.

 

IT Security Update - Special Edition "critical infrastructures" with specific questions at a high level

Despite such incidents, security professionals repeatedly complain about a lack of interest in IT security from their top management, as the IT Security Update - Special Edition "critical infrastructures" showed. Two experts answered questions from the audience: Frank Sauber, Global Head of Sales and Business Enablement in the Industry Division at secunet, and Martin Latzenhofer, Senior Research Engineer at the Austrian Institute of Technology (AIT). The discussion revealed various ways to successfully remedy such problems. Among other things, Frank Sauber pointed out that a pentest, for example, can help to visualize existing security deficits. This would make it clear how expensive incidents caused by these problems can be. However, existing regulations often also provide for fines for failing to take protective measures. It could be helpful to make this clear to management.

NIS2 causes headaches

Existing and planned regulations such as NIS2 give rise to numerous questions and uncertainties. For many people working in the critical infrastructure sector, it is unclear what they should do when several regulations apply but contradict each other or set different requirements. In many cases, it is not clear what then applies or which requirement has priority. The NIS2 Directive adopted by the EU must be implemented in all member states by autumn at the latest. The German government is currently working on an implementation law. However, many companies are still unclear as to whether they will be affected or not. But that is understandable, says Martin Latzenhofer, because the NIS2 Directive has a much broader focus than the NIS1 Directive and therefore also affects many smaller companies. They are often initially overwhelmed.

However, NIS2 is not only causing unrest in the critical infrastructure sector. Many questions relate to security regulations for the supply chain, i.e. suppliers and vendors. They too have to prove the security of their IT, are affected by regulations or even have to undergo security certification, especially if the company supplies critical infrastructure operators.

The event reached a high level, not least because the participants brought a high level of expertise and in-depth specialist knowledge. They took the opportunity to put specific questions to the representatives of secunet and AIT after the presentations by AIT, secunet and the company Contechnet.

Author: Uwe Sievers


