Status: 09.01.2023 2:05 p.m
The number of cyber attacks is increasing rapidly worldwide. A particular focus is on the so-called critical infrastructure such as power grids. How well can it be protected against attacks from the network?
Critical infrastructures (KRITIS) provide electricity and water, secure traffic and medical care. They include all the facilities and systems that a community needs to function. If they fail, this can lead to problems with supply and public safety.
The digital threat situation is intensifying
Critical infrastructures are increasingly threatened worldwide, especially by cyber attacks. For the year 2022, the damage caused by them in German companies is estimated at more than 200 billion euros. Martin Voss, Professor of Crisis and Disaster Research at the Freie Universität Berlin, takes a critical view of the situation: “We have created the weak points in the digital infrastructure in such a way that cyber attacks are largely underestimated. All the data that has already leaked can be stored in the usually tell no one.”
One problem: Threat scenarios are constantly changing. In so-called DDoS attacks, servers are overwhelmed with so many requests that they collapse. A much more complex method is an APT, an “advanced persistent threat”. Hacker collectives may be behind this, penetrating IT networks in a targeted manner and spying on them over the long term. Probably the greatest threat, however, comes from ransomware: Malware penetrates the system by calling up a corrupted link in an e-mail. This then encrypts all data, for example, and only releases it again after paying a ransom. Greater damage can usually only be averted if you comply with the blackmailer’s demands.
Regulation chaos should be eliminated
The IT Security Act 2.0 has been in force since May 2021. It significantly expands the cyber security requirements for KRITIS. Precautions that automatically identify and combat threats using patterns are mandatory from May 1, 2023. In addition, KRITIS companies must provide the BSI, the Federal Office for Information Security, with information on troubleshooting in the event of serious disruptions. The reporting obligations and powers of the BSI have therefore been extended.
However, these regulations do not affect all areas of critical infrastructure. According to the German definition, a total of ten sectors are summarized under KRITIS. The BSI, on the other hand, reserves the right to divide KRITIS into just eight sectors. State and administration as well as media and culture are not included. A confusion of definitions that is not conducive to compliance with uniform standards and is intended to be eliminated with the help of the new umbrella law on critical infrastructure.
Thresholds in criticism
In its KRITIS regulation, the BSI also defines threshold values that determine when a company is even counted as a critical infrastructure. Manuel Atug, expert for IT security, says in the new Documentary series ARD knowledge “Germany in an emergency”: “The BSI-KRITIS ordinance defines exactly according to which threshold value, according to which scale someone is critical infrastructure. For example, if I supply 500,000 people with fresh water, I am critical infrastructure from the water sector.”
Atug, these threshold values are too general, because: If only a little less than 500,000 people are affected by the water supply, the company does not have to comply with the specifications.
Research against cyber attacks: an early warning system for everyone
How to react better to cyber attacks in the future is also a research topic, for example at the TU Darmstadt. An early warning system called CYWARN was recently developed there. One project partner is the federal state of Hesse. CYWARN creates a cyber threat situation picture that collects all publicly available information. With the help of this vulnerability report, IT emergency teams from state authorities then receive all relevant data on the security situation. After a test phase, the so-called hessenWARN app is to make the information available to the population in the future.
Digital threats are unlikely to decrease anytime soon. But they should at least not catch critical infrastructure and citizens unprepared.
More on this topic tonight in the new format ARD Knowledge at 10:50 p.m. on the first.