On February 24, 2022, about one hour before Russian troops invaded Ukraine, wiper malware gained privileged access to the management network of the European satellite network KA-SAT and overwrote key data in the modems' flash memory, rendering them inoperable. A misconfigured VPN appliance belonging to the satellite network operator Viasat made this possible, putting tens of thousands of terminals out of service across Europe. Even though this cyberattack, presumably initiated by the Russian military intelligence agency GRU, was aimed at Ukrainian CRITIS, it also affected other Viasat customers and, for instance, disabled the KA-SAT 9A-based remote monitoring of 5,800 German ENERCON wind turbines.
Long before the war of aggression with conventional weapons began, the escalating conflict between Russia and Ukraine was already being felt through regularly recurring Russian cyberattacks on Ukrainian CRITIS. In December 2015, Russian hackers blacked out more than 100 Ukrainian cities, cutting power to hundreds of thousands of people for hours. In 2017, the Russian malware NotPetya, which posed as ransomware, not only encrypted countless files but irreversibly overwrote the boot and file-system structures of infected machines, disrupting supply chains worldwide.
However, the current warfare is not comparable to previous cyberattacks. “What's new is that we haven't seen a military cyber doctrine before where cyberattacks are used along with traditional military force against a peer or near-peer adversary,” said Alexi Drew, security expert at the think tank RAND Europe.
The German Federal Office for Information Security (BSI) assesses the threat situation as heightened in the abstract and “...therefore continues to call on companies, organizations and authorities to review their IT security measures and adapt them to the given threat situation.” In particular, an increase in DDoS attacks has been recorded. The BSI's concrete recommendations with regard to the current situation in Ukraine are as follows. Companies and organizations should:
- Minimize the attack surface (deploy patches for published zero-day vulnerabilities around the clock, install security patches on all externally reachable systems, harden all systems with external access such as VPN, RDP, OWA, Exchange Online and extranet portals with MFA, use separate credentials for administrative accounts, make lateral movement more difficult)
- Take overarching and infrastructural measures (check accessibility/availability of personnel and set up emergency teams if necessary, develop internal BCM contingency plans without external services)
- Strengthen detection (IT security logging and monitoring of external systems)
- Implement situation-adapted response measures (create and check backups, prepare and test recovery)
- Plan for surge and sustainment capability under heightened threat conditions (increased functional readiness of IT operations, SOC and CERT)
Ransomware attacks are still mostly a matter of criminal extortion of individual organizations. 42% of German companies pay the demanded sum. “The payment of a ransom is not only financially more favorable for the individual company, it can now also be planned quite conveniently into the annual budget via so-called cyber insurance policies,” write 20 German IT security researchers in their urgent letter dated June 27, 2022, in which they call on the German government to take stronger action against ransomware.
A politically motivated cyberattack on ministries, utilities or large companies would take on far greater proportions: it would probably be designed to affect entire infrastructure chains and more than one country. Such a cyberattack could then quickly become a NATO collective defense case. In 2014, NATO decided that cyberattacks, just like conventional attacks, could trigger Article 5 of the NATO Treaty. However, the threshold above which such a collective defense case would arise has not yet been defined.
The legal framework for the protection of critical infrastructures in Germany is provided by the Federal Office for Information Security Act (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik (BSIG)) and the Ordinance on the Designation of Critical Infrastructures under the BSI Act (Verordnung zur Bestimmung Kritischer Infrastrukturen nach dem BSI-Gesetz (BSI-KritisV)).
The IT Security Act 2.0 (also Second IT Security Act), which came into force in May 2021, expands the CRITIS regime to include “companies in the special public interest”. These include companies that manufacture or develop goods in accordance with Section 60 (1) Numbers 1 and 3 of the Foreign Trade and Payments Ordinance (Außenwirtschaftsverordnung), companies that are subject to the Major Accidents Ordinance (Störfall-Verordnung), and companies, e.g., suppliers, that are among the largest companies in Germany in terms of their domestic value added. These companies are required to submit a self-declaration on IT security to the BSI at least every two years and to pass on necessary information, including personal data, on request. In addition, operators of critical infrastructures are required to deploy attack detection systems as of May 1, 2023.
For these companies, it is important to do their “digital homework”: examine whether they fall within the newly defined scope of the IT Security Act 2.0 and, if so, which further steps are necessary to meet the security requirements it describes.
The seriousness with which the German government takes the current general threat situation is demonstrated by the recent statement made by Arne Schönbohm, President of the German Federal Office for Information Security (BSI) at the Potsdam Conference on National Cyber Security in June 2022: “Even last year at the presentation of the cyber security situation report 2021, still with German Interior Minister Horst Seehofer, I said we have a red alert in some sub-areas.”
So far, Germany has seen no cyberattack of systemic relevance. But security awareness alone will probably not be enough in the future. Federal Minister of the Interior Nancy Faeser summarized the future requirements as follows in April 2022 when she presented the digital policy program running to 2025: “In view of the Russian war of aggression against Ukraine, we see how closely external and internal security are interrelated. This is especially true for cybersecurity. The nature of the times we live in requires significant investment in our cyber and information security. This is a particular priority for us. We are modernizing the national cybersecurity architecture and expanding the Federal Office for Information Security into a central office. We will further develop the cyber powers of the security authorities.”
Important cornerstones for the next three years will include modernizing the national cybersecurity architecture, further developing the cybersecurity strategy and information security law, and realigning and further developing the cyber powers and cyber capabilities (including ZITiS) of the federal security authorities as part of an independent cyber agenda.
For these three years and of course beyond, the old rule still applies: be prepared and practice, practice, practice...
Anyone who operates IT systems needs a functioning information security management system, including business continuity management tailored to their own business processes. This must not exist only on paper: it must be tested regularly and continuously, including restoring data and system software. All of this must be done under conditions as realistic as possible, e.g., on a weekend and without warning the workforce.
Sources:
[1] https://futurezone.at/netzpolitik/windrad-enercon-cyberangriff-ka-sat-ukraine-russland-krieg/401926093 (accessed on 27.06.2022)
[2] https://www.businessinsider.de/wirtschaft/hundertausende-ohne-strom-hacker-bringen-kraftwerke-in-der-ukraine-zum-zusammenbruch-2016-1/ (accessed on 27.06.2022)
[3] https://www.welt.de/wirtschaft/article185510234/Notpetya-Dieser-Fall-entscheidet-ob-Hacken-eine-Kriegswaffe-ist.html (accessed on 27.06.2022)
[4] https://www.zeit.de/digital/2022-03/cyberkrieg-russland-hacker-nato-buendnisfall (accessed on 27.06.2022)
[5] https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Vorfaelle/Ukraine-Krise/Massnahmenempfehlungen_BSI_Ukraine.pdf?__blob=publicationFile&v=1 (accessed on 27.06.2022)
[6] https://utf.rdir.de/form.action?agnCI=1024&agnFN=fullview&agnUID=nc.E.B.QA.DRBw.DoG.CEo3m.A.crS8UbO97ynEcKlysSLBOd20LMoO14yq253H2ILY9CX60ivuZP2T2TfYG44AY8A4jsVppfPxmBAOONISXjI8BQ (accessed on 27.06.2022)
[7] https://www.bmi.bund.de/SharedDocs/pressemitteilungen/DE/2022/04/digitalprogramm.html (accessed on 06.07.2022)
Author
Kersten Müller
Expert for information security and data protection
msg security advisors