Image: nuclear power plant in alarm mode (photo: WhataWin, composite image)
Published 2022-07-01

Cybersecurity: Connected – and vulnerable

Since any related disruption can severely affect the public, IT for critical infrastructure needs special protection. The German IT Security Act has led to general improvements in this regard, but digitalization is opening up more and more avenues of attack.

By Markus Strehlitz

VDE dialog - the technology magazine

Critical infrastructure is the lifeblood that keeps us all safe, fed and warm. When the power goes out, phone and Internet lines go down, or doctors are unable to access patient data, the impact on the public can be dramatic. Germany’s national KRITIS strategy for protecting infrastructure like this dates from 2009. It includes all organizations – regardless of their size – working in the fields of energy, healthcare, information technology and telecommunications, transport, media and culture, food and water, finance, insurance, governance and public administration. It requires operators to provide for added protection in these areas, including from cyberattacks. As the nervous system of critical infrastructure, IT is a potentially vulnerable area. Corresponding attacks can lead to “supply bottlenecks with lasting repercussions, considerable disruptions to public security and all sorts of other dramatic consequences,” writes the Federal Office for Information Security (BSI) in its Report on the State of IT Security in Germany.

Vulnerability leaves companies open to blackmail

Several examples show how seriously this threat must be taken. In September 2020, for instance, the University Hospital of Düsseldorf fell victim to a ransomware attack. The perpetrators encrypted the hospital’s data and demanded a ransom for its release. With central systems down, the hospital was unable to provide emergency care for days; scheduled surgeries and outpatient appointments were canceled or postponed. According to the German newspaper Süddeutsche Zeitung, one person even died after being diverted to a more distant hospital as a result of the attack.

Ransomware was also used to target an oil and gas pipeline in the US. The operator, Colonial Pipeline, maintains a network spanning some 8,000 kilometers and plays a key role in supplying refined oil products to consumers along the East Coast. As a result of the attack, the company shut down its administrative system and suspended the pipeline’s operation. This caused regional shortages and panic buying, including of gasoline.

While the experts at the BSI believe a similar attack is possible in Germany, they emphasize that IT attacks on energy companies here have so far only targeted office systems, allowing critical services to be maintained.

Image: medical personnel and intensive care equipment in alarm mode (composite image). Hospitals and other healthcare facilities make attractive targets for cyberattacks.

Analyses by companies specializing in IT security further illustrate the threat. They include data from the Threat Labs Report published in April 2022 by the IT security technology firm Trellix. This report highlighted an increase in online attacks on systemically important sectors in the fourth quarter of 2021. Of the advanced persistent threats (APTs, i.e. particularly sophisticated, long-running attacks) observed, 27% targeted the transport and freight sector, making it the most heavily affected industry.

Healthcare at particular risk

According to Trellix, healthcare was the second most frequently attacked sector, accounting for 12% of such incidents. “We’re in a critical period for cybersecurity and seeing increasingly hostile behavior across an ever widening field of attack,” says Christiaan Beek, head scientist at Trellix.

The security provider Kaspersky also sees particular danger for the healthcare sector, partly due to the coronavirus crisis. According to a Kaspersky study from last year, almost three-quarters (72%) of German healthcare companies fell victim to a cyberattack during the pandemic. Just over a quarter (26%) of such organizations experienced more than one attack. These figures have alarmed the industry. “At 58%, more than half of the IT decision makers in the German healthcare sector regard the threat level to their own systems as high,” says Christian Milde, Kaspersky’s general manager for Central Europe.

The company provides regular updates on these and other threats, but has also found itself in the headlines of late. In March, the BSI warned against using Kaspersky’s antivirus software, citing its Russian origins. The BSI believes that the war in Ukraine has substantially increased the risk of cyberattacks and regards the use of Kaspersky technology as a potential vulnerability. “A Russian IT manufacturer may conduct offensive operations itself, be forced to attack systems against its will or become a victim of a cyber operation itself if it is spied on without its knowledge or misused as a tool for attacks against its own customers,” reads a BSI press release. Kaspersky has dismissed this warning as unjustified. 

Many small attacks, no big bang

There are also other experts who attach great importance to the security of critical infrastructure. Among them is Professor Jean-Pierre Seifert, head of the Security in Telecommunications department at TU Berlin. “My personal view is that a new theater of war could emerge in this field,” he says. “The threat has definitely increased.”

Professor Jörn Müller-Quade from the Karlsruhe Institute of Technology (KIT) also sees critical infrastructure as a target in a potential cyber war. He isn’t expecting a major offensive, however. “A big bang isn’t always the aim, particularly because this would be detected immediately and trigger countermeasures,” Müller-Quade explains. In reality, he adds, many attacks take place in the background – for instance, to spy on targets and lay the groundwork for larger attacks at a later stage.

For all the potential threats, critical infrastructure in Germany enjoys a high level of security. This is the view of Holger Berens, board chairman of the Federal Association for the Protection of Critical Infrastructure (BKSI). The staff responsible for such assets are well trained and technical precautions are in place, thanks in particular to the IT Security Act, he says. Among other things, this law requires operators of critical infrastructure to demonstrate every two years that their IT security corresponds to the current state of the art (see box).

But not all infrastructure is equally well protected. A comprehensive security strategy needs to include a company-wide information security management system (ISMS), for example. An ISMS defines rules, processes, measures and tools for controlling, monitoring and improving information security. Progress in implementing such systems varies considerably by industry. The BSI’s IT security report, for example, found that ISMS shortcomings were particularly prevalent in the energy and water sectors. At the same time, the BSI warns that the energy sector in particular is highly dependent on IT.

Image: portrait of Sarah Fluchs, Chief Technology Officer, admeritia GmbH (photo: Benjamin Glauß)

“Many operators of critical infrastructure ask: Who would want to attack us?” Sarah Fluchs, Chief Technology Officer at admeritia GmbH

Intended target, or just collateral damage?

One key method of securing critical infrastructure involves the segmentation of networks. This means dividing a company’s network into zones that are kept separate from each other. In hospitals, for example, critical systems such as X-ray machines and CT scanners are not linked to office IT. Similarly, administrative systems are separated from production in the energy or manufacturing sector.

One reason for this is that operational technology (OT) and industrial automation systems are often not the real target of an attack. “It’s more common to see attacks that are aimed at standard office IT, but that then spill over into OT more or less by accident,” says Sarah Fluchs, security expert and CTO of the security provider admeritia. She says this was also the case in the attack on Colonial Pipeline.

Disruptions in OT can then result in critical failures in production. This is because most critical infrastructure – such as waterworks, power grids, logistics and food production – is based on automation systems, which are particularly vulnerable. “OT was never designed for today’s ubiquitous connectivity and is therefore often ill equipped for attacks on security,” says Fluchs. “If you suddenly connect it to office networks that are based on completely different technology, you expose OT to collateral damage.”
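The segmentation described above is only as good as the policy enforced at the zone boundaries. The following is an added illustration, not code from the article or from admeritia: a small checker that maps addresses to zones, allows traffic only across explicitly defined conduits, and audits a set of flow records for the office-IT-to-OT spillover Fluchs warns about. The zone layout, address ranges, ports and flow records are all constructed for the example.

```python
"""Zone/conduit policy check for a segmented IT/OT network (added example).

The zones, conduits and flow records are constructed assumptions; in practice
they come from the firewall rule base and the flow logs of the zone boundaries.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zones: office IT, an IT/OT DMZ, and the OT/control zone.
ZONES = {
    "office_it": ip_network("10.10.0.0/16"),
    "dmz": ip_network("10.20.0.0/24"),
    "ot_control": ip_network("192.168.50.0/24"),
}

# Allowed conduits as (source zone, destination zone, destination port).
# Office IT never reaches the control zone directly; only the DMZ may talk
# to OT, and only on Modbus/TCP (502). Everything not listed is denied.
CONDUITS = {
    ("office_it", "dmz", 443),
    ("dmz", "ot_control", 502),
    ("ot_control", "dmz", 443),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int


def zone_of(ip: str) -> str:
    """Return the zone containing ip, or 'unknown' if it maps to no zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(flow: Flow) -> tuple:
    """Decide whether a flow is permitted; returns (allowed, reason)."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (src_zone, dst_zone):
        # Unmapped addresses are denied: an asset nobody inventoried is a gap in the policy.
        return False, f"unmapped address in {flow.src} -> {flow.dst}"
    if src_zone == dst_zone:
        return True, f"intra-zone traffic within {src_zone}"
    if (src_zone, dst_zone, flow.dst_port) in CONDUITS:
        return True, f"conduit {src_zone} -> {dst_zone}:{flow.dst_port}"
    return False, f"no conduit {src_zone} -> {dst_zone}:{flow.dst_port}"


def audit(flows):
    """Return the flows that violate the policy, each with the reason."""
    violations = []
    for f in flows:
        allowed, reason = evaluate(f)
        if not allowed:
            violations.append((f, reason))
    return violations


# Constructed flow records, e.g. exported from the boundary firewalls.
FLOWS = [
    Flow("10.10.4.23", "10.20.0.10", 443),        # office workstation -> DMZ web frontend
    Flow("10.20.0.20", "192.168.50.11", 502),     # DMZ historian -> PLC over Modbus/TCP
    Flow("192.168.50.11", "192.168.50.12", 502),  # PLC -> PLC inside the control zone
    Flow("10.10.4.23", "192.168.50.11", 502),     # office workstation straight to a PLC
    Flow("10.10.4.23", "192.168.50.11", 445),     # office workstation to a PLC over SMB
]

if __name__ == "__main__":
    for flow, reason in audit(FLOWS):
        print(f"VIOLATION {flow.src} -> {flow.dst}:{flow.dst_port}: {reason}")
```

The two flagged flows are exactly the path by which a ransomware infection on an office workstation would reach the control zone; a boundary that enforces only the listed conduits, with a default deny, cuts that path regardless of what the office network has been infected with.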

Artificial intelligence protects the power grid

Eliminating interfaces with other systems and networks shrinks the attack surface. That said, such segmentation stands at odds with the trend toward ever more digitalization. Taking advantage of the many new opportunities at hand means connecting different systems to each other. Smart grids need to exchange data, and in healthcare, companies are keen to leverage the potential of telemedicine. Connecting traditional IT with OT is seen as part of this. To remain protected despite this trend, critical infrastructure needs an end-to-end, integrated security concept that covers both IT and OT. In technical terms, this means, for example, extending the systems that monitor and analyze network traffic so that they also cover OT protocols and networks. It is also important for systems to undergo regular security audits to identify and resolve potential weaknesses.

Artificial intelligence (AI) can also play a role. Scientists from the Fraunhofer Institute of Optronics, System Technologies and Image Exploitation (IOSB), for example, have developed a system to protect network control units in the power supply system. It is designed to monitor the flow of information between the power grid and control system to detect manipulation. The solution uses AI to learn what normal data readings and communications look like. The software can then not only keep an eye on the operational status and any technical issues, but also identify anomalies in the data traffic or the data itself.
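The principle described above, learning what normal readings and communications look like and then flagging deviations in either the traffic or the data itself, can be shown in a few dozen lines. The following is an added example, not the Fraunhofer IOSB system (whose internals are not described on this page): it trains a baseline on a constructed window of grid telemetry, then checks a live stream for two kinds of anomaly, a communication partner or message type never seen in training and a frequency reading that is implausibly far from the learned distribution. All hosts, message records and values are constructed for the example.

```python
"""Baseline-and-anomaly monitor for grid control traffic (added example).

Learns, from a constructed training window, which (source, destination,
message kind) triples occur and what the distribution of frequency
readings looks like; then flags live messages that break either pattern.
"""
import statistics
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Msg:
    t: float      # seconds since capture start
    src: str      # sending host
    dst: str      # receiving host
    kind: str     # "measure" (telemetry to the control centre) or "control" (setpoint to the field)
    value: float  # grid frequency in Hz for "measure", setpoint for "control"


@dataclass
class Baseline:
    k: float = 4.0                                   # alert threshold in standard deviations
    pairs: Counter = field(default_factory=Counter)  # (src, dst, kind) -> count seen in training
    mean: float = 0.0
    stdev: float = 1.0


def learn_baseline(msgs, k=4.0):
    """Build the baseline from a window assumed to contain only normal traffic."""
    b = Baseline(k=k)
    readings = []
    for m in msgs:
        b.pairs[(m.src, m.dst, m.kind)] += 1
        if m.kind == "measure":
            readings.append(m.value)
    b.mean = statistics.mean(readings)
    b.stdev = statistics.pstdev(readings) or 1e-9  # guard against a constant training set
    return b


def check(b, m):
    """Return a list of findings for one message (empty means it looks normal)."""
    findings = []
    if (m.src, m.dst, m.kind) not in b.pairs:
        # Traffic anomaly: a host or message type that never appeared in the baseline.
        findings.append(f"unseen communication: {m.src} -> {m.dst} ({m.kind})")
    if m.kind == "measure":
        # Data anomaly: a reading far outside the learned distribution.
        z = abs(m.value - b.mean) / b.stdev
        if z > b.k:
            findings.append(f"reading {m.value:.2f} Hz is {z:.1f} sigma from the learned mean")
    return findings


def monitor(b, msgs):
    """Run check() over a stream and return (message, findings) for every alert."""
    return [(m, f) for m in msgs if (f := check(b, m))]


# Constructed training window: the RTU reports frequency every 2 s and the SCADA
# master issues an occasional setpoint. Jitter is deterministic so the example is reproducible.
_JITTER = [0.00, 0.01, -0.01, 0.02, -0.02]
TRAINING = [Msg(2.0 * i, "rtu-1", "scada-master", "measure", 50.0 + _JITTER[i % 5]) for i in range(50)]
TRAINING += [Msg(10.0 * j + 1.0, "scada-master", "rtu-1", "control", 0.95) for j in range(10)]

# Constructed live stream: one normal reading, one manipulated reading, one rogue command.
LIVE = [
    Msg(100.0, "rtu-1", "scada-master", "measure", 50.01),   # normal
    Msg(102.0, "rtu-1", "scada-master", "measure", 50.80),   # implausible jump: data anomaly
    Msg(103.0, "office-pc-17", "rtu-1", "control", 0.50),    # office host sending a setpoint: traffic anomaly
]


def run():
    return monitor(learn_baseline(TRAINING), LIVE)


if __name__ == "__main__":
    for m, findings in run():
        print(f"t={m.t:6.1f} {m.src} -> {m.dst}: " + "; ".join(findings))
```

Two caveats a practitioner would attach: the baseline is only as trustworthy as the training window (an attacker already present during training becomes "normal"), and a plain z-score assumes roughly stationary readings, so seasonal or load-dependent signals need a baseline per operating state rather than one global mean.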

Overall, there is a trend toward more resilient critical infrastructure; that is, “infrastructure that maintains its desired state even when unexpected events occur,” as Fluchs puts it. “Achieving this, however, is a big and difficult task.”

Markus Strehlitz is a freelance journalist and editor for VDE dialog.