Cybersecurity for critical infrastructures

Imagine a scenario where a hospital cannot admit emergency patients for almost two weeks because it has been compromised by a cyberattack. The problem is, you don’t have to imagine this; it actually happened in 2021.

The German Federal Office for Information Security (BSI) recently identified around 144 million new malware variants – up 22% on the previous year. Ransomware attacks have trended sharply upwards. These are attacks where data is encrypted (rendering it useless) or threatened with release, unless the attackers are paid off. The hospital attack mentioned above is an example. As we have seen, the consequences were truly damaging.

Dr. Marius Feldmann, COO of Cloud&Heat Technologies GmbH and CEO of secustack GmbH, is clear: “IT security is not simply a state that you achieve. It’s a permanent process that involves a permanent build-up of competence – and the corresponding protagonists who want to do exactly the same thing on-site.” Companies and operators cannot see cybersecurity as a one-off investment. To see it as an ongoing process helps mitigate damage, and also helps prevent further manipulations and attacks.

An opportunity beckons

The IT Security Act 2.0 (IT-SiG 2.0) came into force in Germany in May 2021. This includes stricter requirements for CRITIS organizations. This group has also been significantly expanded, to include “companies in the special public interest,” or (to use the German acronym) UBI. The list of minimum requirements for these companies and organizations has also become longer and more detailed. The question remains: what makes a truly secure IT infrastructure?

The security act mentioned above has some very definite specifications. CRITIS organizations must be able to detect cyberthreats, such that those attacks are prevented from actually reaching the company in the first place. Also, security-related components, both network and system, must come from manufacturers who meet certain requirements.

Of course, the real requirements of the organization must be kept in mind when designing security. A proper analysis is of paramount importance, which documents all possible risks, and how the system is used, so long-term interests are factored in. On-site competencies need to be identified. If these aren’t available, the right partners need to be found to help determine the requirements the system needs to fulfill. When thinking structurally, long-term decision-making is key. Individual problems can be addressed on the fly, so to speak, but if the last few decades are any guide, IT security has to be seen as a constant challenge.

A company may know what it wants, security-wise. However, it is very rare that an organization has the internal competence to design, build, and manage the required IT architecture for itself. It is absolutely vital to choose the right partners now, so as to avoid unnecessary dependencies later. To take one instance: introducing a new cloud infrastructure requires lengthy, expensive integration with existing systems. This can make it difficult to switch to another vendor later. These sorts of “lock-in” scenarios with suppliers can be avoided if there is medium- and long-term strategic decision-making, rather than a focus on immediate cost advantages.

Security starts with good design

The design of the system and the standards applied are among the most important pillars of a secure IT infrastructure. Have the manufacturers and suppliers actually thought through security and protection from the ground up?

“Secure by design” and “secure by default” are not just buzzwords. Systems like these are characterized by a secure configuration from the time of installation. A good design like this provides systems with a fundamental resilience to external access, while helping to prevent or at least minimize human error.

More automation means more security

Generally speaking, a crucial feature of secure IT is the resilience to human error. The risks from phishing, for example, or socially engineered attacks during operations have to be minimized. Dr. Kai Martius, CTO of secunet, explains, “It is very important to prevent possible wrong decisions in advance and to design systems as securely as possible in this respect as well. I think the critical industry has a lot of experience in this in its traditional field. But this has not yet been consistently taken into account in the design of IT systems. This is where cloud technologies can help by providing a high degree of automation.”

Add standardization to this mix of high automation and secure cloud infrastructure, and you can see how the potential for human error can be reduced. Bringing digital sovereignty to the cloud is something secunet champions through its portfolio.

Organizations can cover all their bases, as mandated by the BSI, when they use secunet’s Secure Inter-Network Architecture (SINA) to work with sensitive data and documents. With SINA, employees can access data wherever they are, knowing that the information is completely secure. SINA can be tailored to very specific user requirements, including the security needs of CRITIS and UBI companies and organizations.

In addition, secunet monitor KRITIS offers a custom-fit network monitoring system for CRITIS companies meeting the requirements of the IT Security Act 2.0. With the help of signature-based attack detection using network and log analysis, the system fulfills the MUST requirements according to the orientation guide to the IT Security Act 2.0 published by the BSI.

Of course, secunet offers a comprehensive suite of consulting, penetration test, and forensics services, which taken together augment trust in the organization’s ability to withstand attacks and address present and future vulnerabilities.

Trust is fundamental to security. Learning from attacks and thus shortening exposure to future risks is part of understanding that IT security is an ongoing process. All partners in a security-building enterprise should be fully on board with this.

Published: 09/05/2023