The Federal Office for Information Security (BSI) warns that the threat level for critical infrastructure is higher than ever before. What does this mean in concrete terms?
Christine Hofer: In the area of critical infrastructures, we are seeing a persistently tense threat situation, which is also rooted in the escalating geopolitical environment. In addition to cybercriminals, critical infrastructures in particular must protect themselves against cyber espionage and cyber sabotage. The origin of cyberattacks is closely linked to the attackers’ motivation. Cybercrime has long since become a professional shadow economy in which different groups specialize in various attack scenarios. Their tools and infrastructures can be rented on the Darknet like services. Cyber espionage and cyber sabotage are usually attributed to state-directed groups, though the boundaries are fluid.
With the law implementing the European NIS2 Directive, a “high common level of cybersecurity” is to be achieved in the EU. Will Germany become more secure as a result?
By implementing the NIS2 Directive, around 29,500 companies in Germany will in future be required to adopt stronger IT security measures. They will also be obliged to report IT security incidents to the BSI. We expect this to significantly raise the general level of cybersecurity and provide a comprehensive situational picture for Germany. This is especially important for the early detection and analysis of attack methods. The BSI provides extensive information material on the NIS2 Directive so that companies can prepare themselves in a targeted and timely manner.
But operators of critical infrastructures must already report IT security incidents to you. What kind of incidents do you receive?
Incidents that could impair the critical service. These include software and hardware failures, misconfigurations, power outages, and, ultimately, successful cyberattacks. The latter, however, represent the smallest share of reported disruptions. One example would be the disruptions at several European airports last September, caused by a successful cyberattack on a service provider. In such cases, the origin of the attack is of secondary importance to the BSI; the immediate priority is restoring the critical service quickly and analyzing the incident in order to develop preventive recommendations for others.
How satisfied are you with the implementation of IT measures by companies?
Germany still needs to improve significantly in the field of cybersecurity and must never ease its efforts. Digitalization continues to advance — and so do cybercriminals. Cybersecurity is therefore a continuous task that must be addressed consistently. In the area of critical infrastructures, we are seeing a generally positive trend. Resilience is increasing step by step. Our monitoring shows increasingly better results in areas such as the implementation of information security management systems (ISMS) and business continuity management. Nevertheless, there is still a need for improvement.
