Cyberattacks are now part of strategic warfare, and the war in Ukraine has brought concerns about critical infrastructure security breaches into focus. What is the state of IT security at CRITIS companies? That’s what an expert panel of policymakers, infrastructure operators, and IT security professionals recently addressed.
From awareness and recruiting to changes in the law and clearly defined responsibilities – there is still a lot for companies and the state to do to better protect critical infrastructures, according to the unanimous tenor of the panel discussion at the Presseclub München, which was joined by Dr. Reinhard Brandl, Member of the German Bundestag and digital policy spokesman for the CDU/CSU parliamentary group, Dr. Jörg Ochs, Head of IT at Stadtwerke München, Managing Director of Füssen-based cyber risk consultancy Rimian Martin Braun, and Ralph Kreter, Area VP Central and Eastern Europe at technology provider Deep Instinct.
Lack of competence in IT security at KRITIS
It quickly became clear that existing cyber gaps in the area of critical infrastructure result from a lack of responsibility and unclear competencies in the German cybersecurity architecture. While in the U.S. there are organizations such as the Cybersecurity and Infrastructure Security Agency (CISA), which are officially responsible for cybersecurity, and which also have law enforcement competencies, Germany lags behind here. “In Germany, more than 50 different agencies deal with this issue – from the federal to the state to the municipal level. The problem is that there is no uniform concept in the area of IT security,” complained Ralph Kreter, Germany managing director of the American IT security company Deep Instinct. One of the problems lies in the rigid federalism, in which each federal state, each city, and each municipality is responsible for its own area. Kreter demands that these competencies be bundled and that coherent guidelines be pushed forward.
Reinhard Brandl of the CSU, a member of the Bundestag from Ingolstadt, sounded the same horn. “We need better interdepartmental cooperation and a legal basis for the individual authorities that are responsible in the IT security sector, Brandl said. According to the digital policy spokesman for the CDU/CSU parliamentary group in the Bundestag, this distribution of responsibilities, which is strongly influenced by history, is based on a separation of external and internal security, but no longer meets today’s requirements.
Legal regulation and understanding of IT security
Brandl hopes that the traffic light government will also respond to the changed security situation with changes in responsibility and praised the recent initiative of Federal Minister of the Interior Nancy Faser (SPD) to shift responsibilities for serious cyber attacks from the states to the federal government by means of an intended amendment to the Basic Law.
From the field, cyber risk expert Martin Braun reported on vulnerabilities in the system and a lack of awareness in companies. Hacker attacks often exploit unknown vulnerabilities. From Braun’s experience, he said, these are unpatched systems, lack of personnel, and unguarded firewalls. “A large bouquet of malware is distributed and then people look to see who it hits and where they can make money as a cybercriminal,” warned Füssen-based IT security entrepreneur and CEO of Rimian Martin Braun.
Of course, there are also targeted attacks, but they don’t happen that often and if they do, one has to ask why. According to Braun, that would be because companies don’t realize what attack focus they’re in, what their risks are and what vulnerabilities exist in the system. “The problem here is that IT and management don’t speak the same language, as it quickly becomes too technical. That’s why it’s important to create an understanding and awareness of the risks to your own company,” Braun emphasized, and immediately gave a hint in the direction of lawmakers to achieve greater awareness and willingness to act with legal steps. With the General Data Protection Regulation (GDPR), he said, there is already a legal framework and fines. “For cybersecurity, that inevitably has to happen as well,” Braun urged. In the same way, he believes the job description in the field of IT security must evolve. “If you look at the training system in Germany, not much has happened there.” However, a lot has happened in IT and especially in IT security, he said. “New job profiles and new incentives need to be created here, such as shorter training periods,” Braun demanded.
Supply security in Munich is high
In view of the dynamic cyber threat situation, Stadtwerke München has taken exemplary precautions, as became clear during the expert panel. “Cyber security in networks and energy supply has been an issue for us for a long time,” emphasized Jörg Ochs, Head of IT at Stadtwerke München. Since the attack on the Ukrainian power grid in 2014, he said, there has been a greater focus on optimizing security, but also on deploying more staff.
The supply security of the critical infrastructure in Munich is high, Ochs was able to reassure. For example, it would not be possible to turn off the water to the state capital, since no pumps were needed that could be hacked; instead, the water came from the mountains via a steep gradient, Ochs said.
He also said that Munich’s gas network, because it is connected to three transfer stations and has storage capacity, could still supply the city with gas for three weeks in the event of an interruption. According to the head of IT at Stadtwerke München, the supply of district heating and electricity is more critical. The power grid in particular is susceptible to attack due to its high level of interconnectedness, but here Munich can make use of the option to disconnect from the European interconnected grid in the event of a large-scale blackout and operate a so-called island grid. “Munich can supply itself from its own energy, including hydroelectric power plants,” Ochs explained but added: “One problem, however, would be the SAP systems, which could be encrypted in the event of an attack. Then we would no longer be able to issue invoices, for example.”
Cybersecurity based on the volunteer fire department principle
Unfortunately, not everyone is able to take precautions in the CRITIS area like Stadtwerke München. Smaller companies in particular, as well as municipalities, are not as well positioned, and the expert panel also made this clear. “I see the greatest risk in electricity suppliers and hospitals. There are quite a few examples that show that some companies don’t recover after a cyber attack and have to shut down,” warned Ralph Kreter of Deep Instinct.
His solution strategy: “Every volunteer fire department in every village does emergency drills to be ready when there is a fire.” When it comes to cybersecurity, Kreter wants every community, large and small, to adopt this principle to be ready for emergencies. After all, this should not only apply to companies, but should also continue to set an example in politics and public authorities in order to make the state, society, the economy, and our critical infrastructures more digitally and security resilient.
