Critical infrastructures: requirements of the IT Security Act 2.0


Critical infrastructures (KRITIS) in the context of cyber attacks: are all protective measures in line with the new IT Security Act 2.0? The IT Security Act 2.0 has resulted in significant adjustments for operators of critical infrastructures.

Producers and utilities in the fields of energy, water, finance and health as well as industrial companies are increasingly being targeted by attackers. The result: production losses worth millions and supply bottlenecks, up to and including endangering human life. Recent examples include attacks on the largest pipeline in the United States, the Irish health authority, and an incident at a Croatian substation that brought Europe to the brink of a power blackout.

KRITIS attacks require action

The cyber attacks on German municipal administrations, such as in Anhalt-Bitterfeld, Schwerin and Witten, also highlighted the vulnerability of German authorities, where large parts of the IT systems failed or had to be shut down in an emergency. How quickly food production can come to a standstill was made clear by the cyber attack on the third largest Austrian dairy, in which all areas of the company were affected, from production to logistics and communication.

In addition, the attack on the Oldsmar groundwater treatment plant in Florida demonstrated the potentially life-threatening consequences of a compromised critical infrastructure. The attackers successfully penetrated the computer system that controlled the water treatment plant and remotely manipulated a computer to alter the chemical balance of the water supply, which could have caused serious human harm.

Cyber war: When the negotiating partner is missing

Against the background of this increasing number of attacks, operators of critical infrastructures and companies of particular economic importance must therefore deal not only with extortion attempts, but also with the topic of cyber warfare. If cybercriminals merely demand a ransom, an organization can at least define appropriate guidelines for action in advance, for example for the case of a successful ransomware attack.

However, if a cyber attack is purely politically motivated and the organization was chosen by a hostile nation-state merely as a random victim to set an example, there is no negotiating partner. The damage can then not only have a massive impact on the ability to do business, but also take on dimensions that affect society as a whole.

Hybrid warfare with digital attacks

This new hybrid warfare is evident in the Ukraine-Russia conflict, in which digital attacks have preceded military ones and could continue to do so in the future. As early as 2015, Russia managed to paralyze part of the Ukrainian power grid with a major cyber attack, leaving a quarter of a million Ukrainians without electricity in winter. In January 2022, a month before the start of the war, Microsoft found destructive wiper malware in dozens of critical systems of Ukrainian government agencies and organizations. According to the Ukrainian government, there are clear indications that Russia is behind these attacks. In addition, it cannot be ruled out that such incidents will extend far beyond the national borders of Ukraine. German security authorities have already called on operators of critical infrastructures in particular to arm themselves against possible cyber attacks.

In the KRITIS area, it is therefore fundamental to implement a consistent, integrated security concept for both the IT and the OT infrastructure, not only because of financially motivated attacks, but also with regard to national security. Such an end-to-end solution includes products, processes and qualified security specialists across all areas.

New legal framework for critical infrastructures

The legislator has reacted to the new digital challenges. As a result, operators of critical infrastructures and companies of particular public interest are faced with major challenges not only due to the increasing number of cyber threats, but also due to the updating of the legal framework at German and European level.

Under the German BSI Act, an organization is an operator of critical infrastructure if it belongs to one of the seven sectors energy, health, information technology and telecommunications, transport and traffic, water, finance and insurance, or food, provides critical services and, in doing so, exceeds the thresholds defined in the BSI KRITIS Regulation.

Additional legal requirements for KRITIS operators in 2022

In Germany, the Second Act to Increase the Security of Information Technology Systems (in short: IT Security Act 2.0) came into force in May 2021 as a supplement to the BSI Act. It expanded the group of critical infrastructures to include the municipal waste disposal sector. In addition, other companies in the so-called "special public interest", such as armaments manufacturers or companies of particularly great economic importance, will also have to implement certain IT security measures in the future.

The IT Security Act 2.0 has resulted in significant adjustments for companies and in some cases also for operators of critical infrastructures:

  • Critical infrastructure operators must implement attack detection systems by May 1, 2023 at the latest.
  • Operators must also notify the Federal Ministry of the Interior of the planned initial use of critical components, for example if the manufacturer is controlled by a third country or the use contradicts the security policy goals of the German Federal Government, the EU or NATO.
  • Companies in the special public interest are obliged to submit a self-declaration regularly. In it they have to explain which IT security certifications have been carried out in the last two years and how their IT systems have been secured.

In addition, the European Commission has presented a proposal to reform the European NIS Directive (NIS-2) and a "Critical Facilities Resilience Directive" to improve the digital and physical resilience of critical facilities and networks. The aim of these proposals is to minimize current and future risks. The transposition of these European directives may therefore result in a renewed revision of the IT Security Act 2.0.

What does integrated protection of critical infrastructure look like?

Producers and suppliers in the energy, water and health sectors, as well as industrial companies that need to protect their IT and control technology from cyber attacks, need integrated solutions that are in line with the IT Security Act 2.0/BSI Act and the ISO 27000 standards for information security. On the technology side, the following competencies should therefore be linked in order to form a tight security network against attacks:

Security modules to protect critical infrastructures

  • Log Data Analysis (LDA): Log data analysis, also known as Security Information and Event Management (SIEM), is the collection, analysis and correlation of logs from a wide variety of sources. This results in alerts for security problems or potential risks.
  • Vulnerability Management & Compliance (VMC): Vulnerability management enables continuous internal and external vulnerability scanning with comprehensive detection, compliance checks and testing for complete coverage. As part of software compliance, the authorized use of software for each server or server group is determined using a set of rules and continuous analysis. Manipulated software can be recognized quickly.
  • Network Condition Monitoring (OT module): This is used to report communications in real time that indicate a disruption to error-free operation. Technical overload conditions, physical damage, misconfigurations and deterioration in network performance are thus recognized immediately and the sources of error are identified directly.
  • Network Behavior Analytics (NBA): With network behavior analysis, detection of dangerous malware, anomalies and other risks in network traffic is possible based on signature and behavior-based detection engines.
  • Endpoint Detection & Response (EDR): Endpoint Detection and Response stands for the analysis, monitoring and detection of anomalies on computers (hosts). EDR provides active protection actions and instant alerting.

Due to the complexity, the further processing of the security-relevant information from these modules is carried out by security specialists. They evaluate and prioritize the automatically gained findings, which is the basis for initiating the right countermeasures. Finally, the security experts make all information available in a clear manner in a central portal to which the relevant stakeholders, including IT and OT operations teams as well as management, have access or from which they regularly receive customized reports that they can understand.

European security technologies

Although the use of European security technologies is not anchored in the BSI law, it is recommended for KRITIS operators and companies in the particular public interest in order to be able to easily meet the following legal requirements:

Compliance with the General Data Protection Regulation as well as integrity, authenticity and confidentiality of the IT systems

KRITIS operators, like companies in all other sectors, are subject to the requirements of the EU General Data Protection Regulation (GDPR), must comply with them at all times and must secure their systems accordingly.

Furthermore, the BSI Act (§ 8a Paragraph 1 BSIG) requires operators of critical infrastructures to provide the BSI with suitable proof of their precautions to avoid disruptions to the availability, integrity, authenticity and confidentiality of those information technology systems, components or processes that are essential for the functionality of the critical infrastructures they operate.

Ali Carl Gülerman, CEO and General Manager at Radar Cyber Security (Image: Radar Cyber Security).

With European security providers, whose services are based on proprietary technology developed in Europe, compliance with the above requirements is easy to implement, as they are subject to the highest data protection standards. In addition to the origin of the cybersecurity provider, KRITIS companies should also pay attention to how the security software is set up and how security data is collected. To ensure the best possible data security, we recommend on-premises solutions as the most secure form of deployment. Even if the trend is increasingly towards the cloud, this should be viewed critically in view of the high data sensitivity in the KRITIS area.

Critical components: Specifications for the manufacturers used

The use of European security technology also facilitates the testing of critical components by the BSI in accordance with § 9b BSIG. For example, the BSI can prohibit the initial use of a critical component if

  • The manufacturer is directly or indirectly controlled by the government, including other government agencies or armed forces, of a third country,
  • The manufacturer was or is already involved in activities that had adverse effects on public order or security in the Federal Republic of Germany or another member state of the European Union, the European Free Trade Association or the North Atlantic Treaty or on their institutions,
  • The use of the critical component is not consistent with the security policy goals of the Federal Republic of Germany, the European Union or the North Atlantic Treaty.

Strong cyber resilience fundamental for KRITIS organizations

Attacks on critical infrastructure are lucrative for cybercriminals. At the same time, they carry a particularly high potential for damage to society as a whole.

It is therefore essential for KRITIS organizations to select security providers for their defense measures that fully meet the requirements of the BSI and the ISO 27000 standards and at the same time adhere to the highest European data protection standards. The premise should not only be to avoid fines, but in particular to ensure effective and sustainable protection of the IT and OT systems. However, strong cyber resilience against attacks is never based solely on security technologies, but always includes the right processes and qualified specialists. Only through this triad of product, processes and experts is it possible to have a 360-degree view of an organization's entire infrastructure in order to ensure holistic early detection and rapid response to cyber threats.

More at RadarCS.com

About Radar Cyber Security

Radar Cyber Security operates one of the largest cyber defense centers in Europe in the heart of Vienna, based on the proprietary Cyber Detection Platform technology. Driven by the strong combination of human expertise and experience, paired with the latest technological developments from ten years of research and development work, the company combines comprehensive solutions for the challenges related to IT and OT security in its products RADAR Services and RADAR Solutions.
