Critical infrastructure protection: Cyberattacks on critical infrastructure will continue to increase

Written by: Fabian Böhm, Cyber Security Expert at WAVESTONE & Falko Schönteich, Cyber Security Expert at WAVESTONE.

Cyberattacks on critical infrastructure are on the rise, both in terms of frequency and complexity. Falko Schönteich and Fabian Böhm, cybersecurity experts at WAVESTONE, firmly believe that achieving lasting security requires the establishment of international standards and norms.

Are cyberattacks actually on the rise?

As experts on industrial cybersecurity, you have been dealing with cyberattacks for years. How has the threat landscape changed in recent years?

The number of crimes in this domain has been steadily increasing over a long period. Today, we are combating criminal organizations that are highly professional and globally interconnected. Many of these attacks are based on ransomware, which encrypts or disables the victim’s systems. The hackers only release the data after receiving a ransom. Notable cases include attacks on a telecommunications provider in Portugal, an American pipeline operator, and the Irish health authorities.

In this context, phishing emails also appear to have increased.

Yes, phishing is indeed on the rise, and the senders are becoming more sophisticated. With carefully crafted phishing emails, criminal organizations have a high chance of success. They can gain access to foreign systems and retrieve data quickly and easily. As industrial and office networks are often no longer clearly separated, phishing emails pose a significant threat to critical infrastructure facilities such as power plants or transport providers. A new trend in phishing involves fake appeals for donations to aid victims in Ukraine.

What about state-sponsored attacks?

State-sponsored cyberattacks have been around for a while, but they have skyrocketed since the attack on Ukraine. The digital realm is increasingly becoming part of warfare, and attacks on critical infrastructure are now a part of hybrid warfare. In this context, the lines between purely criminal actors and those acting in the interests of the state are sometimes blurred.

What is driving this increase?

Besides political factors, what technical developments are contributing to this trend?

One reason for the increase is the accelerating digital transformation. Industries in transport, energy, and healthcare are increasingly reliant on digital technologies. Additionally, technology is advancing at a rapid pace, making it challenging for individuals to keep up with these developments.

The COVID-19 pandemic has also created new opportunities for attacks. Nowadays, employees have mobile access to corporate networks not only from home offices but from anywhere in the world. Social media has played a significant role in this shift, as our social activities have moved online, providing new opportunities for threat actors. The expanding 5G network and the proliferation of smart devices in our homes have created additional attack surfaces. With more interconnected devices collecting a growing amount of information, often with weak security measures, it’s theoretically possible for an energy provider to be attacked through a seemingly innocuous device like a lamp.

How dangerous are these developments?

There are hardly any digital products that are manufactured exclusively in one country anymore. Some component is almost always purchased from a third country – and this component in turn contains components from a fourth country. It’s almost impossible to keep track of everything. No one really knows any more how and what has been processed in the individual products by which supplier. This increases the vulnerability of individual systems and states. We are becoming dependent on others, and this can be disastrous in terms of security technology.

Where do you see the greatest need for action?

At what scale should operators of critical infrastructures implement suitable measures?

Malware can inflict substantial damage on networks, whether they are large or small. It can infiltrate a critical infrastructure facility through even a minor supplier. Attacks via supply chains have gained prominence in recent years. Attackers can gain access to hundreds of other companies or even government agencies through the connections of a single supplier.

Is cybersecurity a task that each organization must tackle individually?

No, security should be prioritized during the design and production phases of a product or system. This concept is known as ‘Security by Default,’ meaning security is inherent from the outset. I anticipate a sustainable improvement through transnational standards and norms that allow us to objectively verify security, akin to ISO certifications in the industrial sector. Earlier this year, the European Union introduced a set of laws requiring organizations across various industries to protect themselves against cyberattacks. These regulations explicitly place responsibility on management. Meeting these requirements within the stipulated timeframe presents a major challenge for companies.

To what extent are operators of critical infrastructures already aware of cyber security?

Just a few years ago, this concern was the domain of IT experts exclusively. Today, it has at least made it onto the agenda of board meetings. The need for security should indeed be something inherently understood, but it has somewhat slipped from focus in the IT sector. The way we see it, cyber risks are still not taken seriously enough. Both private and government organizations could better prepare themselves. The security of an IT system ultimately relies on its weakest link: an engineer opening a phishing email, a field worker connecting their laptop to a public hotspot, or a CEO using a weak password. Malware doesn’t care about hierarchies and departments; it attacks where vulnerabilities are easiest to exploit. While cyberattacks are often technically complex, they often begin by exploiting human vulnerabilities.

Conclusion

As humans, we naturally seek security. Even as children, we rely on our parents for protection from the unknown and the unpredictable. Only through experience can we assess dangerous situations independently and take appropriate measures.
At WAVESTONE, we focus on people and always consider all five aspects in the area of industrial cybersecurity: security, safety, reliability, resilience, and privacy. Learn from our experience in the private and public sector and use our portfolio for a holistic security view.

Written by:

Fabian Böhm

Cyber Security Expert at WAVESTONE

Dr. Fabian Böhm is a consultant for IT security and can draw on comprehensive and in-depth knowledge from his studies of business informatics and IT security as well as a subsequent doctorate in the field of cyber security. With this expertise and the experience from several national and international research projects, he supports medium-sized and large companies in the sectors of industry, energy and finance in all areas of cyber security. His professional focus is mainly on active defense against and detection of security incidents.

Falko Schönteich

Cyber Security Expert at WAVESTONE

Dr. Falko Schönteich, an internationally recognized expert in IT security, brings more than 10 years of experience in the field of cyber security. After a long career in change management and ERP integration project management, he focused on IT security. With significant positions such as Chief Information Security Officer of an international corporate division, he combines real-world experience with relevant project credentials and certifications in offensive and defensive security technologies. His consulting approach, in both the public and private sectors, draws on the NIST framework and ISO27k framework, particularly the Protect, Detect & Respond components. He also has expertise in risk-based security assessments.
