Traffic chaos, failure of heating or air conditioning, food and water shortages, lack of petrol - what sounds like an apocalyptic disaster film can become bitter reality. As the German Federal Office for Information Security (BSI) has now confirmed, there was a significant increase in attacks on critical infrastructures in Germany in 2018. And this also includes the power grid.
According to the BSI, there were a total of 157 reports of IT security incidents at critical infrastructure operators in the second half of 2018. In the corresponding period before that, there were 145 reports; in the previous year, only 34. Critical infrastructures include the energy industry, water supply, the food industry, the health sector, information technology and telecommunications, finance and insurance, transport and traffic, government and administration and the media. These industries are subject to the IT Security Act, which is intended to improve and guarantee the security of IT systems. The operators of critical infrastructures are therefore obliged to maintain a minimum level of IT security, to protect their IT according to the state of the art and to report significant IT disruptions to the BSI. However, this reporting obligation does not apply to everyone: many small organisations are exempt.
Whether there has been an actual increase in attacks remains unclear. It cannot be ruled out that there were as many incidents even before the European NIS Directive and the European Data Protection Regulation (GDPR) came into force in May 2018. Since then, perhaps only the willingness to report these attacks earlier, or at all, has increased. But even the BSI still assumes that there is a high number of unreported cases, not only because not all operators are obliged to report security incidents, but also because many suppliers fear damage to their reputation if they report attacks.
The European NIS Directive has also been binding for all EU member states since May 2018. In Germany, it supplements the IT Security Act. What is new with the implementation of the NIS Directive is that operators of digital services must also meet minimum requirements and reporting obligations. This applies, for example, to online marketplaces, search engines and cloud computing services.
Cloud computing services in particular are moving into focus here. After all, the operators of critical infrastructures must also pay attention to costs. The simplest option is to outsource some services to the cloud. The advantage: computing power or storage space can be adapted to actual requirements at any time. However, this data must be properly protected. Think of what could happen if the construction plans of a nuclear power plant fell into the wrong hands. Past hacker attacks on large enterprises have shown that sensitive data is a popular target in cloud environments. Additional data protection is worthwhile, for example with an encryption solution such as the eperi Gateway. Such flexible solutions offer comprehensive protection of sensitive data in transit, at rest and in use. Legal data protection requirements are also met, and this with minimal integration effort, which does not require any intervention in existing IT systems.
Energy suppliers that want to be future-proof will therefore have to think about the issue of cloud data protection.