What is certain is that the advancing development of new technologies goes hand in hand with a growing need for solutions and new cybersecurity approaches to reduce the exponentially expanding attack surface in “smart buildings” and “smart cities” or industrial plants.
Cyber-attacks have increased in recent weeks and months. Supermarkets, public authorities, universities, and even waste disposal services became victims of such attacks.
In addition to the media reporting on it, numerous studies indicate an increase in cyberattacks. Most recently, the BKA published a situation report about cybercrime in 2020. It can be seen from this that there was an increase of 8 percent in the last year alone. It is also known that large companies are falling victim and increasingly small and medium-sized organizations. No industry seems unattractive to cybercriminals. In addition, the advancing digitization allows hackers to become more creative, and they also constantly exploit new or unlocked security gaps.
“However, it is not just digitization that can be identified as the source of all evil, but also the carelessness of companies in upgrading and adequately training employees, making it easier for hackers to access company networks. Cybersecurity measures still seem to be seen more as a kind of recommendation,” claims Uwe Gries, Country Manager DACH of Stormshield. This cybersecurity manufacturer is part of the Airbus Group.
With a view to the future, which should be designed as more “digital” and “smarter,” one wonders how the two should be compatible with one another according to the principle of Security by Design. Because, in addition to digitization, “smart everything” technologies are increasingly finding their way into critical infrastructures and, if there is insufficient security, create additional gateways for attackers. This is because many areas, such as the energy, finance, health, and administrative sectors, continue to show deficits in digitization and implementing security measures.
Suppose you now consider developing approaches to convert cities into smart cities with smart grids, infrastructures 4.0, and e-administrations. In that case, one has to deal more with the topic of cybersecurity. The reason is simple: fellow human beings are also considered to be “smart” because they can weigh up risks, avoid or limit them proactively, and react promptly in the event of an emergency. The “quantization” of all infrastructures should be based on the same principle and be accompanied from the outset by adequate security measures.
Some of the recent attacks have clearly shown that critical infrastructures (KRITIS) in particular need to be protected more strongly, as these are fundamental to the functioning of a society. The KRITIS includes the energy, administration, and health sectors and the food and pharmaceutical industries. It is precisely these that need to be secured so that their attack surface is reduced to an acceptable minimum.
What is not justifiable in this context is clearly shown by the hacker attack on the US company Colonial Pipeline. The country concerned has severe consequences of complaining about, but such an incident often causes changes on a global level: In this case, oil prices rose worldwide. In addition, it becomes clear that the damage caused by such an attack can often not be repaired within a few minutes/hours, which increases the cost of repairing it exponentially. Security measures, such as solutions that also protect networks and workstations that have been decoupled from the Internet in real-time against suspicious behavior (such as sudden encryption or the transmission of commands contrary to protocol) would have been just as necessary here as behavior-based firewalling. And this for a fraction of the damage caused by the attack.
Another area that belongs to the “Smart City” concept and at least partially to KRITIS is the public sector, another popular cyber criminals target. In the last few months, in particular, authorities, public institutions, and hospitals have repeatedly fallen victim to cyber-attacks. The damage that occurred varied, but also the period until everything worked “normally” again. The hackers responsible not only got sensitive data through their attacks but also paralyzed the entire system so that the daily work of many authorities was impaired. ”Public sector organizations, particularly the reliability of which determines the level of trust of citizens, especially about the handling of personal data and the efficient provision of services, must not be satisfied with anything less than 100% preservation of sovereignty over their data and infrastructures.
This includes strict zero trust models to determine the access to data and resources and segmentation strategies that are intended to prevent attacks from spreading horizontally,” continues Gries. Here, too, the costs of security-by-design concepts and corresponding solutions would be significantly lower than the costs of repairing the damage.
As a European company specializing in cybersecurity for critical infrastructures and industrial environments, we cannot affirm often enough that cybersecurity measures can no longer be regarded as just a recommendation. The successful further development of all mentioned segments should be based exclusively on a solid line of defense, «adds Gries in conclusion.