Critical infrastructure is the lifeblood that keeps us all safe, fed and warm. When the power goes out, phone and Internet lines go down, or doctors are unable to access patient data, the impact on the public can be dramatic. Germany’s national KRITIS strategy for protecting infrastructure like this dates from 2009. It includes all organizations – regardless of their size – working in the fields of energy, healthcare, information technology and telecommunications, transport, media and culture, food and water, finance, insurance, governance and public administration. It requires operators to provide for added protection in these areas, including from cyberattacks. As the nervous system of critical infrastructure, IT is a potentially vulnerable area. Corresponding attacks can lead to “supply bottlenecks with lasting repercussions, considerable disruptions to public security and all sorts of other dramatic consequences,” writes the Federal Office for Information Security (BSI) in its Report on the State of IT Security in Germany.
Vulnerability leaves companies open to blackmail
Several examples show how seriously this threat must be taken. In September 2020, for instance, the University Hospital of Düsseldorf fell victim to a ransomware attack. The perpetrators encrypted the hospital’s data and demanded payment of a ransom to release it. With central systems down, the hospital was unable to provide emergency care for days. Planned operations and outpatient appointments were canceled or postponed. According to the German newspaper Süddeutsche Zeitung, one person even died after being sent to a hospital further away as a result of the attack.
Ransomware was also used to target an oil and gas pipeline in the US. The operator, Colonial Pipeline, maintains a network spanning some 8,000 kilometers and plays a key role in supplying refined oil products to consumers along the East Coast. As a result of the attack, the company shut down its administrative system and suspended the pipeline’s operation. This caused regional shortages and panic buying, including of gasoline.
While the experts at the BSI believe a similar attack is possible in Germany, they emphasize that IT attacks on energy companies here have so far only targeted office systems, allowing critical services to be maintained.