{"id":3576,"date":"2018-12-09T23:10:44","date_gmt":"2018-12-09T22:10:44","guid":{"rendered":"https:\/\/onload.reinhausen.com\/de\/?p=3576"},"modified":"2023-05-31T15:15:46","modified_gmt":"2023-05-31T13:15:46","slug":"the-issue-of-cybersecurity-permeates-every-facet-of-society-and-attackers-are-constantly-developing-new-methods","status":"publish","type":"post","link":"https:\/\/onload.reinhausen.com\/en\/12-2018\/the-issue-of-cybersecurity-permeates-every-facet-of-society-and-attackers-are-constantly-developing-new-methods\/","title":{"rendered":"\u201cThe issue of cybersecurity permeates every facet of society. And attackers are constantly developing new methods.\u201d"},"content":{"rendered":"
\n

Hackers attacking power grids is a popular theme in novels and films. How do you rate the threat level?<\/h3>\n

The threat is quite real and, in my opin\u00adion, it has increased in recent years. This can be seen not only in var\u00adi\u00adous media reports, such as those cov\u00ader\u00ading the attacks in Ukraine dur\u00ading Christ\u00admas 2015 and 2016, when up to 700,000 house\u00adholds were left with\u00adout elec\u00adtric\u00adi\u00adty for hours. Indi\u00adca\u00adtors also include, in par\u00adtic\u00adu\u00adlar, the con\u00adcrete non-pub\u00adlic warn\u00adings issued to oper\u00ada\u00adtors by the secu\u00adri\u00adty author\u00adi\u00adties. Such warn\u00adings are not issued with\u00adout rea\u00adson.<\/p>\n

What kinds of attacks do you think are most likely?<\/h3>\n

If we are talk\u00ading about tar\u00adget\u00aded attacks, these are sce\u00adnar\u00adios in which an attack\u00ader tries to inter\u00advene in the pow\u00ader sup\u00adply, for exam\u00adple by trig\u00adger\u00ading unau\u00adtho\u00adrized switch\u00ading oper\u00ada\u00adtions. In the worst case, a suc\u00adcess\u00adful attack on the grid infra\u00adstruc\u00adture could lead to a sup\u00adply dis\u00adrup\u00adtion. As we are increas\u00ading\u00adly cre\u00adat\u00ading inter\u00adfaces with end users \u2013 I\u2019m think\u00ading par\u00adtic\u00adu\u00adlar\u00adly of smart meter\u00ading, that is intel\u00adli\u00adgent elec\u00adtric\u00adi\u00adty meters, con\u00adtrol box\u00ades, and elec\u00adtric\u00adi\u00adty mobil\u00adi\u00adty \u2013 in future we can also expect attacks on the tech\u00adnol\u00ado\u00adgy used by con\u00adsumers and on their per\u00adson\u00adal data.
\n<\/p>\n

Physi\u00adcist Dr. Stephan Beir\u00ader is Team Man\u00adag\u00ader for the Infor\u00adma\u00adtion Secu\u00adri\u00adty of Process Con\u00adtrol and Automa\u00adtion Sys\u00adtems depart\u00adment at GAI Net\u00adCon\u00adsult GmbH. In this role, he pri\u00admar\u00adi\u00adly advis\u00ades medi\u00adum and large indus\u00adtri\u00adal and ener\u00adgy sup\u00adply com\u00adpa\u00adnies, trade asso\u00adci\u00ada\u00adtions, and man\u00adu\u00adfac\u00adtur\u00aders. (\u00a9 Tobias Kruse)<\/figcaption><\/figure>\n

Who is interested in carrying out large-scale attacks?<\/h3>\n

Accord\u00ading to cur\u00adrent infor\u00adma\u00adtion, the biggest threat is from state or semi-state actors. They have the nec\u00ades\u00adsary exten\u00adsive resources to car\u00adry out such sophis\u00adti\u00adcat\u00aded attacks. It is also con\u00adceiv\u00adable that attacks might be used for black\u00admail attempts by those involved in orga\u00adnized cyber crime. Although the media often reports on the pos\u00adsi\u00adbil\u00adi\u00adty of ter\u00adror\u00adist attacks on our pow\u00ader grids, I think this risk is rel\u00ada\u00adtive\u00adly un\u00adlikely at the moment. On the oth\u00ader hand, the clas\u00adsic hack\u00ader stereo\u00adtype of a tech-savvy indi\u00advid\u00adual is more rel\u00ade\u00advant in the area of end-user inter\u00adfaces.<\/p>\n

What hardware and software measures are needed to protect against such attacks?<\/h3>\n

Nowa\u00addays, hard\u00adware and soft\u00adware must always be con\u00adsid\u00adered as one and, unfor\u00adtu\u00adnate\u00adly, the grid infra\u00adstruc\u00adture can\u00adnot be pro\u00adtect\u00aded with indi\u00advid\u00adual mea\u00adsures.<\/p>\n

Man\u00adu\u00adfac\u00adtur\u00aders and oper\u00ada\u00adtors have to work hand in hand and imple\u00adment mea\u00adsures from a range of areas, includ\u00ading well-reg\u00adu\u00adlat\u00aded access pro\u00adtec\u00adtion, mal\u00adware pro\u00adtec\u00adtion (in par\u00adtic\u00adu\u00adlar for PC-based sys\u00adtems), and net\u00adwork zon\u00ading<\/span> so that the entire net\u00adwork can\u00adnot be com\u00adpro\u00admised in the event of an attack. In addi\u00adtion, it is essen\u00adtial to only use sys\u00adtems that offer avail\u00adable secu\u00adri\u00adty sup\u00adport enhanced by an adapt\u00aded patch<\/span>man\u00adage\u00adment process which updates soft\u00adware.<\/p>\n

\n
\n

<Net\u00adwork zon\u00ading><\/span>
\nDivid\u00ading a net\u00adwork into dif\u00adfer\u00adent areas inter\u00adcon\u00adnect\u00aded by secure Inter\u00adfaces.<\/p>\n

<Patch><\/span>
\nSoft\u00adware pro\u00adgram intend\u00aded to rem\u00ade\u00addy the errors con\u00adtained and detect\u00aded in a pro\u00adgram. Patch man\u00adage\u00adment refers to the planned pro\u00adce\u00addure for imple\u00adment\u00ading
\npatch\u00ades.<\/p>\n

<Hard\u00aden\u00ading><\/span>
\nProcess that increas\u00ades the secu\u00adri\u00adty of a sys\u00adtem by using only the fea\u00adtures that are actu\u00adal\u00adly need\u00aded, dis\u00adabling unnec\u00ades\u00adsary ser\u00advices and acti\u00advat\u00ading secu\u00adri\u00adty-enhanc\u00ading options for the appli\u00adca\u00adtion.<\/p>\n<\/div>\n<\/div>\n

The hard\u00aden\u00ading<\/span> of all sys\u00adtem com\u00adpo\u00adnents, that is deac\u00adti\u00advat\u00ading unnec\u00ades\u00adsary ser\u00advices and func\u00adtions, can increase secu\u00adri\u00adty, as well as using secure net\u00adwork pro\u00adto\u00adcols for para\u00adme\u00adter\u00adi\u00adza\u00adtion and com\u00adpo\u00adnent man\u00adage\u00adment. It is absolute\u00adly nec\u00ades\u00adsary for oper\u00ada\u00adtors to estab\u00adlish a secu\u00adri\u00adty orga\u00adni\u00adza\u00adtion and com\u00adpo\u00adnent man\u00adu\u00adfac\u00adtur\u00aders must ensure secure and robust imple\u00admen\u00adta\u00adtion.<\/p>\n

How important is it to keep all components up to date?<\/h3>\n

Mod\u00adern com\u00adpo\u00adnents have an exten\u00adsive and often com\u00adplex soft\u00adware and firmware instal\u00adla\u00adtion. This soft\u00adware con\u00adtains pro\u00adgram\u00adming errors which can\u00adnot be com\u00adplete\u00adly avoid\u00aded and which can man\u00adi\u00adfest them\u00adselves as secu\u00adri\u00adty vul\u00adner\u00ada\u00adbil\u00adi\u00adties. They can be harm\u00adless, but also high\u00adly crit\u00adi\u00adcal and can endan\u00adger the safe and secure func\u00adtion\u00ading of the com\u00adpo\u00adnent.<\/p>\n

There\u00adfore, man\u00adu\u00adfac\u00adtur\u00aders must iden\u00adti\u00adfy vul\u00adner\u00ada\u00adbil\u00adi\u00adties in the com\u00adpo\u00adnent soft\u00adware; for exam\u00adple, by active\u00adly track\u00ading secu\u00adri\u00adty gaps in third-par\u00adty com\u00adpo\u00adnents. De\u00adpending on their crit\u00adi\u00adcal\u00adi\u00adty, the detect\u00aded vul\u00adner\u00ada\u00adbil\u00adi\u00adties have to be fixed as part of release upgrades or with emer\u00adgency patch\u00ades in urgent cas\u00ades and then pro\u00advid\u00aded to cus\u00adtomers.<\/p>\n

Oper\u00ada\u00adtors must con\u00adclude main\u00adte\u00adnance con\u00adtracts so that they are informed about vul\u00adner\u00ada\u00adbil\u00adi\u00adties and receive updates. This patch man\u00adage\u00adment must be car\u00adried out based on the spe\u00adcif\u00adic risks in ques\u00adtion, as not every oper\u00ada\u00adtor has the same secu\u00adri\u00adty require\u00adments and as the vul\u00adner\u00ada\u00adbil\u00adi\u00adties are also not exploitable in every envi\u00adron\u00adment. If an acute risk occurs which exceeds a pre-defined thresh\u00adold, the soft\u00adware patch must be rolled out as soon as pos\u00adsi\u00adble after the required tests. Less crit\u00adi\u00adcal patch\u00ades are usu\u00adal\u00adly installed dur\u00ading peri\u00adod\u00adic main\u00adte\u00adnance win\u00addows.<\/p>\n

How can operators prepare their employees?<\/h3>\n

It is essen\u00adtial to train them prop\u00ader\u00adly. For net\u00adwork or com\u00adpo\u00adnent man\u00adagers, this train\u00ading must obvi\u00adous\u00adly include the fun\u00adda\u00admen\u00adtals of infor\u00adma\u00adtion secu\u00adri\u00adty and the re\u00adquired tech\u00adnolo\u00adgies. Users from oth\u00ader areas should start with aware\u00adness train\u00ading which address\u00ades issues such as typ\u00adi\u00adcal secu\u00adri\u00adty prob\u00adlems, what an attack looks like, and how it can be detect\u00aded. Very prac\u00adti\u00adcal issues are also impor\u00adtant. For exam\u00adple: What do I need to bear in mind when using my para\u00adme\u00adter\u00adi\u00adza\u00adtion lap\u00adtop? Can I con\u00adnect an exter\u00adnal USB stick? What kind of poten\u00adtial secu\u00adri\u00adty inci\u00addents do I have to report?<\/p>\n

How can grid operators test the security of their systems?<\/h3>\n

Self-assess\u00adment is an impor\u00adtant part of a func\u00adtion\u00ading secu\u00adri\u00adty man\u00adage\u00adment process, and the nature of the tests can vary. In this way, com\u00adpli\u00adance with ISMS and stan\u00addard require\u00adments can be checked with\u00adin the frame\u00adwork of orga\u00adni\u00adza\u00adtion\u00adal audits. For exam\u00adple, tech\u00adni\u00adcal tests are usu\u00adal\u00adly used to ver\u00adi\u00adfy the con\u00adcrete imple\u00admen\u00adta\u00adtion of the sys\u00adtems with\u00adin the infra\u00adstruc\u00adture from a secu\u00adri\u00adty per\u00adspec\u00adtive.<\/p>\n

here are var\u00adi\u00adous approach\u00ades depend\u00ading on the tar\u00adget envi\u00adron\u00adment: Due to their crit\u00adi\u00adcal\u00adi\u00adty<\/span>, live envi\u00adron\u00adments can usu\u00adal\u00adly only be test\u00aded with non-inva\u00adsive test\u00ading tech\u00adniques<\/span>, such as a con\u00adfig\u00adu\u00adra\u00adtion review, where\u00adas in an iso\u00adlat\u00aded test envi\u00adron\u00adment, more in-depth test meth\u00adods can be used. A test which is often cit\u00aded in the media is the pen\u00ade\u00adtra\u00adtion test, where a tester with\u00adout spe\u00adcif\u00adic pri\u00ador knowl\u00adedge uses hack\u00ader meth\u00adods to sim\u00adu\u00adlate an attack. This test must only be used after exten\u00adsive prelimin\u00adary plan\u00adning and only on less crit\u00adi\u00adcal inter\u00adfaces, such as between the office and process net\u00adwork. Anoth\u00ader impor\u00adtant area of \u200b\u200btest\u00ading are accep\u00adtance tests in which, in addi\u00adtion to func\u00adtion\u00adal tests, secu\u00adri\u00adty tests are car\u00adried out when sys\u00adtems arere\u00adnewed or expand\u00aded in order to ver\u00adi\u00adfy their secu\u00adri\u00adty char\u00adac\u00adter\u00adis\u00adtics.<\/p>\n

\n
\n

<Crit\u00adi\u00adcal\u00adi\u00adty><\/span>
\nThe impor\u00adtance of a sys\u00adtem in rela\u00adtion to the task it ful\u00adfills.<\/p>\n

<Non-inva\u00adsive test\u00ading tech\u00adnique><\/span>
\nTest meth\u00adods that do not inter\u00adfere with the sys\u00adtem being test\u00aded. Par\u00adtic\u00adu\u00adlar\u00adly used to test crit\u00adi\u00adcal live sys\u00adtems.<\/p>\n<\/div>\n<\/div>\n

How can we find a reasonable balance between cost-effectiveness and security?<\/h3>\n

As with every\u00adthing in life, costs are also an essen\u00adtial fac\u00adtor in the field of informa\u00adtion secu\u00adri\u00adty. Vary\u00ading require\u00adments must also be met depend\u00ading on the crit\u00adi\u00adcal\u00adi\u00adty of the ener\u00adgy util\u00adi\u00adty. There\u00adfore, for legal rea\u00adsons alone, an oper\u00ada\u00adtor of a crit\u00adi\u00adcal infra\u00adstructure will have to invest con\u00adsid\u00ader\u00adably more effort than a small pub\u00adlic util\u00adi\u00adty. How\u00adev\u00ader, when con\u00adsid\u00ader\u00ading cost effec\u00adtive\u00adness, it is impor\u00adtant to take into account the entire appli\u00adca\u00adtion rather than just the secu\u00adri\u00adty mea\u00adsures.<\/p>\n

For exam\u00adple, whether the con\u00adve\u00adnience and effi\u00adcien\u00adcy of access\u00ading the sub\u00adstation automa\u00adtion sys\u00adtem via an app on your cell phone jus\u00adti\u00adfies the com\u00adpre\u00adhen\u00adsive secu\u00adri\u00adty mea\u00adsures required in this sit\u00adu\u00ada\u00adtion must be decid\u00aded on a case-by-case basis. The com\u00adplete dig\u00adi\u00adtal\u00adiza\u00adtion of the grids and the wide\u00adspread net\u00adwork\u00ading which this entails are only fea\u00adsi\u00adble if com\u00adpre\u00adhen\u00adsive secu\u00adri\u00adty mea\u00adsures are tak\u00aden into account. After all, no one would ever think of launch\u00ading a car into the mar\u00adket with\u00adout brakes.<\/p>\n

And if the hacker was successful\u2026?<\/h3>\n

In addi\u00adtion to pre\u00adven\u00adtive mea\u00adsures \u2013 which come under the key\u00adword \u201cPro\u00adtect\u201d \u2013 Detect, Respond, and Recov\u00ader mea\u00adsures are just as impor\u00adtant. Sim\u00adply because, for rea\u00adsons of cost alone, pre\u00adven\u00adtive mea\u00adsures can nev\u00ader pro\u00advide 100% pro\u00adtec\u00adtion. An oper\u00ada\u00adtor must there\u00adfore be ready to detect a secu\u00adri\u00adty prob\u00adlem such as an attack or a com\u00adpre\u00adhen\u00adsive infra\u00adstruc\u00adture dis\u00adrup\u00adtion at an ear\u00adly stage, to con\u00adtain it, and to recov\u00ader from defined emer\u00adgency oper\u00ada\u00adtion back to nor\u00admal oper\u00ada\u00adtion. This requires appro\u00adpri\u00adate prepa\u00adra\u00adtions and emer\u00adgency plans.<\/p>\n

How will the topic of cybersecurity in power grids evolve in the future?<\/h3>\n

In recent years, infor\u00adma\u00adtion secu\u00adri\u00adty has evolved from a spe\u00adcial\u00adized prob\u00adlem to a top\u00adic that per\u00adme\u00adates every facet of our tech\u00adno\u00adlog\u00adi\u00adcal soci\u00adety. This nat\u00adu\u00adral\u00adly includes all auto\u00admat\u00aded indus\u00adtries, but espe\u00adcial\u00adly the ener\u00adgy- sup\u00adply indus\u00adtry. In the future, both man\u00adu\u00adfac\u00adtur\u00aders and oper\u00ada\u00adtors will try to devel\u00adop and imple\u00adment stan\u00addard\u00adized solu\u00adtion con\u00adcepts. How\u00adev\u00ader, as the fields of IT and con\u00adtrol tech\u00adnol\u00ado\u00adgy are pro\u00adduc\u00ading ever more com\u00adplex appli\u00adca\u00adtion sce\u00adnar\u00adios and the attack\u00aders are con\u00adstant\u00adly devel\u00adop\u00ading new meth\u00adods as well, the top\u00adic will con\u00adtin\u00adue to play an impor\u00adtant role. Per\u00adson\u00adal\u00adly, I\u2019m not wor\u00adried about the pos\u00adsi\u00adbil\u00adi\u00adty of being out of a job in ten years\u2019 time.<\/p>\n

\n
\n

More Informations<\/h3>\n
\n

Cybersecurity @ MR<\/h5>\n

MR takes the top\u00adic of cyber\u00adse\u00adcu\u00adri\u00adty into account for all its com\u00adpo\u00adnents and ensures that it is imple\u00adment\u00aded right from the start. With this in mind, MR focus\u00ades on pro\u00adduc\u00ading a high lev\u00adel of prod\u00aduct secu\u00adri\u00adty, con\u00adtin\u00adu\u00adous\u00adly opti\u00admizes its process\u00ades with regard to secu\u00adri\u00adty, and main\u00adtains a com\u00adpre\u00adhen\u00adsive risk man\u00adage\u00adment sys\u00adtem. A ded\u00adi\u00adcat\u00aded MR-CERT (Cyber\u200bsecurity Emer\u00adgency Response) team is the cen\u00adtral point of con\u00adtact for all ques\u00adtions relat\u00ading to IT secu\u00adri\u00adty. The MR spe\u00adcial\u00adists advise cus\u00adtomers and are involved in the devel\u00adop\u00adment of a prod\u00aduct from the out\u00adset. Among oth\u00ader things, they deter\u00admine which stan\u00addards and guide\u00adlines have to be observed for a spe\u00adcif\u00adic project.<\/p>\n

\n
Mission: Cybersecurity<\/h5>\n

GAI Net\u00adCon\u00adsult GmbH is an inde\u00adpen\u00addent con\u00adsult\u00ading com\u00adpa\u00adny which spe\u00adcial\u00adizes in infor\u00adma\u00adtion secu\u00adri\u00adty. A par\u00adtic\u00adu\u00adlar focus of \u200b\u200bactiv\u00adi\u00adty for the com\u00adpa\u00adny is indus\u00adtri\u00adal IT secu\u00adri\u00adty, espe\u00adcial\u00adly in the area of \u200b\u200bener\u00adgy sup\u00adply. In addi\u00adtion to project work, the com\u00adpa\u00adny also deals exten\u00adsive\u00adly with the top\u00adic in the con\u00adtext of stan\u00addard\u00adiza\u00adtion and asso\u00adci\u00ada\u00adtions. A num\u00adber of key Ger\u00adman and inter\u00adna\u00adtion\u00adal indus\u00adtry rec\u00adom\u00admen\u00adda\u00adtions and stan\u00addards, such as the BDEW\/OE white paper (Ger\u00adman Asso\u00adci\u00ada\u00adtion of Ener\u00adgy and Water Indus\u00adtries (BDEW) and Aus\u00adtri\u00adan elec\u00adtric\u00adi\u00adty indus\u00adtry asso\u00adci\u00ada\u00adtion (OE)) and ISO\/IEC 27019, are based on the work of GAI Net\u00adCon\u00adsult GmbH employ\u00adees.<\/p>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

In this inter\u00adview, Dr. Stephan Beir\u00ader from infor\u00adma\u00adtion secu\u00adri\u00adty con\u00adsul\u00adtan\u00adcy GAI Net\u00adCon\u00adsult explains why cyber\u00adse\u00adcu\u00adri\u00adty needs to be tak\u00aden into account in each and every area of the pow\u00ader grid, which attacks are most like\u00adly, and what needs to be done after an attack has occurred.<\/p>\n","protected":false},"author":27,"featured_media":8481,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[5],"tags":[],"class_list":["post-3576","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-12-2018"],"acf":[],"_links":{"self":[{"href":"https:\/\/onload.reinhausen.com\/en\/wp-json\/wp\/v2\/posts\/3576","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/onload.reinhausen.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/onload.reinhausen.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/onload.reinhausen.com\/en\/wp-json\/wp\/v2\/users\/27"}],"replies":[{"embeddable":true,"href":"https:\/\/onload.reinhausen.com\/en\/wp-json\/wp\/v2\/comments?post=3576"}],"version-history":[{"count":3,"href":"https:\/\/onload.reinhausen.com\/en\/wp-json\/wp\/v2\/posts\/3576\/revisions"}],"predecessor-version":[{"id":8485,"href":"https:\/\/onload.reinhausen.com\/en\/wp-json\/wp\/v2\/posts\/3576\/revisions\/8485"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/onload.reinhausen.com\/en\/wp-json\/wp\/v2\/media\/8481"}],"wp:attachment":[{"href":"https:\/\/onload.reinhausen.com\/en\/wp-json\/wp\/v2\/media?parent=3576"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/onload.reinhausen.com\/en\/wp-json\/wp\/v2\/categories?post=3576"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/onload.reinhausen.com\/en\/wp-json\/wp\/v2\/tags?post=3576"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}