Which systems, factories and infrastructures are actually vital and indispensable in the event of a cyber attack, a natural disaster or an accident? Only those who can answer this question can protect the digital nervous system of a country, its factories, sewage treatment plants, energy and telecommunications systems, and keep them functioning in the face of digital attacks or natural disasters. Experts call this resilience.
“Resilience is of vital importance for our country,” said Major General Jürgen Setzer, head of cyber security in the German Armed Forces, at WELT’s “Vision Now” cyber security summit in Berlin on Tuesday. The reason, the general warned, is that the threat is now omnipresent – no longer just from cyber criminals, but also from state actors. “We are no longer at peace,” said Setzer, referring to recent cyber attacks on the CDU’s networks in the run-up to the European elections, which became public knowledge at the weekend.
The war in Ukraine in particular is causing “spillover” effects, meaning that cyber attacks there also have consequences in Germany. “The purpose of such attacks is to create fear and confusion among the population and to break the will to defend itself against an aggressor.” Germany must therefore now become more resilient against such failures.
This uncertainty is already becoming apparent, as a recent survey by the opinion research institute Civey among IT managers in German companies shows: Two thirds of IT managers have the impression that the security situation has deteriorated significantly, and only six percent believe that German companies are well positioned to defend themselves against the attacks.
But many decision-makers, companies and authorities cannot say exactly which systems and procedures are essential for this resilience. As a result, everything is protected a little bit and nothing properly.
“Many companies have no idea which systems are particularly relevant,” says Christian Schunck, cyber security expert at the Fraunhofer Institute IAO in Stuttgart. “Those responsible are faced with 80 different warning messages from their security software on Monday mornings, most of which are false alarms. An overall picture of the situation, a context, is missing.” The alarm has become a permanent state, warn Schunck and Setzer; the attackers are constantly present.
This is particularly noticeable for operators of critical infrastructure: the number of attacks on infrastructure companies is growing, warns Mathias Böswetter from the German Energy and Water Industry Association (BDEW). In particular, so-called overload attacks to block systems, which originate from ideologically motivated or state actors, have increased by 40 percent.
Stefan Jesse, head of the security service provider Auvesy MDT, estimates that large companies have now largely secured their systems. However, small and medium-sized companies in particular lack the know-how to do this. Jesse is an expert in making control systems in factories crisis-proof – not only against cyber attackers, but also against crisis situations such as the current floods. “We come to the customer and find backups on USB sticks on the shelf,” he reports from his practical work.
In many places, the basics are still lacking, as IT departments often only have an eye on administration and not the actual production facilities. “The basics are often missing. Every manager should be able to assess which systems are critical for their company and what the ability to restore them is,” warns researcher Schunck.
In many companies, comments Paul Kaffsack from the security service provider Myra Security, security is still seen as part of a profitability calculation and is neglected accordingly. That is why it is important to oblige the approximately 30,000 companies that provide critical infrastructure in Germany to comply with basic safety rules. “The seat belt requirement also applies in road traffic.”
However, to make critical infrastructure resilient, it is not enough to just block attackers from the Internet and keep systems up to date. Resilience, the participants of the “Vision Now” summit concluded, goes deeper and is based on a tiered defense: even if systems fail, be it due to an attack or a natural disaster, companies must have a security concept in place to resume production or services as quickly as possible.
Employees must also be trained accordingly, says Nikolaus Trzeschan of Mastercard: “I believe that we have a special responsibility to educate society, but also in our specific industries. We publish data points about ourselves online as a matter of course, which can serve as leverage points for attackers.” Using artificial intelligence in particular, attackers can now tailor their actions to their victims and use “social engineering” to turn the victims themselves into security gaps. “The malware walks into the factory on two legs,” says expert Schunck.
In many places, employees in production in particular lack awareness of the danger. The peace mentality, the experts warn, is still widespread – and attackers are currently taking advantage of this: “The attackers are currently still faster than the defenders,” says Myra boss Kaffsack.