"Impacts are coming closer": Why the critical infrastructure is so vulnerable

After the leaks in the Baltic Sea pipelines and the sabotage at Deutsche Bahn, calls for more protection for Germany's critical infrastructure are becoming louder. How this has been protected so far, what is lacking and what could be changed.

At the end of September, four underwater leaks were discovered in the Nord Stream pipelines, and NATO and the EU assume sabotage. At the weekend, cables for the train radio were damaged, and almost all train traffic in several federal states was paralyzed for hours. Transport Minister Volker Wissing and the railway speak of sabotage. The vulnerability of our critical infrastructure has been painfully exposed. Part of the problem is homegrown.

It is simply impossible to monitor critical infrastructure across the board. The cable runs for the railway radio, for example, stretch across the country, as Michael Wiesner, spokesman for AG Kritis, explained in an interview with ntv.de. The independent working group's stated goal is greater security of supply for the population through more IT security. "According to the information available, a cable duct was opened for the current act of sabotage, which was already additionally protected by a large weight; it must have been done with large equipment - you can no longer protect yourself from that," says Wiesner.

However, Wiesner emphasizes that safety measures are all the more important to prevent an isolated malfunction from leading to a total failure. Even if several cables are severed, the operation must continue to function. The IT security expert speaks of multiple redundancies. "That doesn't seem to be the case with the railways at the moment - it was enough to just cut two cables."

IT security laws prescribe numerous measures for the operators of critical infrastructure. For the energy industry, for example, the Federal Network Agency sets security requirements, as Wiesner explains - from physical measures such as protection against unauthorized access to organizational rules such as the assignment of authorizations to regulations for the operation of server systems. Operators of critical infrastructure must also systematically analyze and minimize potential dangers.

But in the opinion of the Kritis working group, this is going far too slowly. The problem is that the security requirements differ depending on the industry, says Wiesner. Industry proposes them, and the Federal Office for Information Security has to approve them. "On the one hand, that's good, because the industries know their specific issues better, on the other hand, the economy sometimes resists the rules very energetically because their implementation is complex and expensive and the security concept is pushed into the background," reports the IT expert. "It's going very, very slowly."

The AG Kritis demands more speed. "High security standards were missed," says Wiesner. The state of the art, such as multi-factor authentication, is also not implemented in many places. "The impacts are getting closer." Experts like him have been warning of the security gaps in critical infrastructure for years, but little has happened.

The Federal Association of Energy and Water Management, on the other hand, responded to an inquiry from ntv.de: "In Germany there is a high level of security that makes large, widespread failures very unlikely." Network operators are taking numerous measures in line with German and European guidelines in order to "guarantee the best possible security". For security reasons, specific measures could not be mentioned, explains a spokeswoman. Just this much: from securing the IT systems to property protection, the operators are continuously developing their security concepts.

Sebastian Bleschke, Managing Director of the Energy Storage Initiative (INES), an association of operators of German gas and hydrogen storage facilities, reports to ntv.de: "Against the background of the suspected sabotage of the Nord Stream pipelines, security measures for gas storage facilities in Germany have been strengthened." But he qualifies: "Only the state has the necessary means to effectively counteract serious attacks on infrastructure, such as at Nord Stream."

Despite this, Wiesner does not fear a widespread failure of critical infrastructure. Damage from attacks is greatest where most people are affected. An act of sabotage against the power supply would probably have the strongest effect. However, AG Kritis does not expect a major failure here, because the providers and network operators are well positioned in terms of security compared to other sectors.

It becomes critical when the technology is outdated or emergency concepts don't work, explains Wiesner - as in the case of the railway's severed backup line. Health care and water management, for example, are rather poorly positioned, as penetration tests have shown. However, these industries consist of numerous smaller providers, so the effect of an attack would be relatively manageable, according to Wiesner. But attacks on these industries would of course also have a strong psychological effect.

Critical infrastructure includes the sectors of energy, food, finance and insurance, health, information technology and telecommunications, media and culture, government and administration, transport and traffic, and water. The Greens are calling for a law that regulates not only IT security but also the physical protection of critical infrastructure; it is already provided for in the coalition agreement. Greens leader Omid Nouripour is now calling for rapid implementation, as the German Press Agency reports: in addition to more investment, the civil protection authorities should work together better and the attention of the security authorities should increase.

The IT systems of logistics providers, for example, are now being attacked more and more often, as Niels Beuck, Managing Director of the Federal Association of Forwarding and Logistics, reports in an interview with ntv.de. However, these are mostly criminal activities such as ransom demands.

The affected companies felt serious effects, but the attacks did not affect the supply of the population, for example with food, because storage capacity or other transport providers and modes could be used, for example by switching from rail to trucks, and even in shipping. "The system copes with a failure," says Beuck.

The logistics sector as a whole is part of the critical infrastructure; however, the individual companies, mostly medium-sized, are often organized in a decentralized manner and generally do not operate critical infrastructure. Nevertheless, a lot has happened since the September 11 attacks; access to ports, for example, is now secured. According to Beuck, the situation is worse when it comes to protecting smaller companies in particular: there is often a lack of personnel and money to implement high security standards.