Threats to and the Protection of Critical Infrastructure
31.05.2023 - The predicted energy shortfall caused by the interruption of gas supplies from Russia, the drastic price increases for certain raw materials and, above all, the attacks on the Nord Stream 1 and 2 pipelines and on the German railway network have made the public, politicians, business and the media aware of how critical, and how threatened, critical infrastructure (KRITIS) is. This article by Reinhard Rupprecht, Ministerial Director (retired), aims to set out the complexity of KRITIS, the strategy, options and limits of its protection, and the necessity of emergency planning.
The German abbreviation KRITIS (for Kritische Infrastrukturen, critical infrastructure) only came into use around the turn of the century. Since then it has become established worldwide in the vocabulary of economics, technology and the social sciences. The German Interior Ministry defines the term as “organizations and installations of great importance for the general public, whose failure or disturbance would lead to long-lasting supply problems, a significant reduction of public security or other dramatic consequences.”
Defined this broadly, the term has its limits. It serves well for political assessment and strategic direction, but as a legal term it must be made more precise by defining thresholds, such as the size of the population an installation supplies, above which an installation counts as critical.
Criticality arises from the effect that an industry, a structure, a logistics process, an organization or a company has on the existential needs of the population, the state or commerce. The term KRITIS covers both the microeconomic level of an individual company and the macroeconomic level of an industry, a national economy or the international business community. It includes the energy, information technology and telecommunications sectors, transport and traffic, health, water management, finance and insurance, the state and administration, and media and culture.
The German IT Security Act 2.0 additionally covers municipal waste disposal and “companies of particular public interest,” that is, companies in armaments production, companies whose IT processes classified government information, the largest companies in Germany by domestic value added together with their suppliers, and companies that handle hazardous substances and fall under the Hazardous Incident Ordinance (Störfall-Verordnung). In total, more than 20 industries can be considered KRITIS.
The Spectrum of Threats and Danger
The breadth of the threat spectrum is made clear by recent developments and highly visible security events. The spread of the Covid-19 virus since 2020 is among the pandemics with the most severe consequences in human history: it has caused millions of deaths and overstretched the medical resources of many countries. China's total lockdown policy led to worldwide delivery problems and manufacturing delays. Natural catastrophes such as tsunamis have caused many deaths, while climate change is destroying the food resources of millions of people.
The Russian invasion of Ukraine in February 2022, together with the end of the Nord Stream 2 project and reduced gas supplies to Europe, has massively affected most European countries. On 26 September 2022 the Nord Stream 1 and 2 pipelines were blown up, and the attack showed how vulnerable the gas supply is.
On 8 October 2022, two data cables for the German railway's mobile radio system (GSM-R) were cut in an underground cable tray covered by a solid concrete lid. Some distance away, the backup fibre-optic cable was also cut. The entire railway radio network in northern Germany failed and all rail traffic there, including international services, stopped for hours. The perpetrators must have known the purpose of those cables.
Also in October 2022, three attacks on submarine internet cables became known. In February 2022, wind farm operators had lost the connection to their turbines as a result of a Russian cyberattack on the KA-SAT satellite network. Cyberattacks are a constant threat to KRITIS, and the frequency of carefully prepared APT (Advanced Persistent Threat) attacks on KRITIS operators worldwide has risen in recent years.
Countermeasures combine governmental and commercial strategies, with close cooperation between the two. A strategy requires risks to be identified in advance, their effects to be kept as small as possible through emergency management and redundancy, and the level of protection to be raised continually on the basis of updated threat analyses.
New provisions of German law in force since 1 May 2023 oblige operators of critical infrastructure to take reasonable organizational and technical measures, according to the state of the art, to prevent disruption of the availability, integrity, authenticity and confidentiality of their IT systems, components and processes. This includes systems for attack detection that continuously collect and evaluate information from operational processes, recognize attacks and propose remedial action when faults occur. Continued compliance must be demonstrated to the Federal Office for Information Security (BSI) every two years. A new notification obligation for “critical components” has also been introduced: their first use must be reported, the manufacturer must provide a declaration of trustworthiness, and the authorities can prohibit the use of a component whose manufacturer is not considered trustworthy.
In November 2022, the EU Parliament adopted the NIS2 Directive, the European IT security framework for KRITIS operators, which sets minimum standards for their regulation. It covers companies in 18 sectors that have at least 50 employees or more than 10 million euros in annual turnover; member states must transpose it into national law by October 2024, after which these companies must meet its cybersecurity obligations. The directive also requires cybersecurity to be maintained along the entire supply chain. At present, one third of all KRITIS operators in the energy sector do not monitor a single item of critical operational technology (OT) through a security operations center.
Protection of Power and Communications Networks
Complete surveillance of all power and communication cables on the seabed or buried in the ground is clearly impossible. That does not leave network operators powerless against extremist-motivated attacks. Redundant cable routes are essential, but redundancy only helps if the routes are physically separate: the railway saboteurs mentioned above evidently knew where the backup ran and how to defeat the redundancy, which points to insider knowledge and poor internal confidentiality. It is also important to be able to localize cable breaks quickly with the help of monitoring sensors and to repair them fast.
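The two points above, verifying that nominally redundant routes are actually physically separate and localizing a break from sensor data, can be checked in code. The following is an added example and not part of the article or of any operator's system; the topology, segment names, status events and the fibre group index are constructed assumptions, and the break localization uses the standard OTDR time-of-flight relation rather than any specific product's method.

```python
"""Route-diversity check and cable-break localization for a redundant link group.

Added example, not part of the original article or any operator's system.
The path model, segment names, constructed status events and the fibre
group index are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Speed of light in vacuum (m/s); the fibre group index is an assumed value
# typical for standard single-mode fibre at 1550 nm.
C_VACUUM = 299_792_458.0
FIBRE_GROUP_INDEX = 1.4682


@dataclass(frozen=True)
class Path:
    name: str
    segments: Tuple[str, ...]  # physical ducts or trays the route passes through


def shared_risk_segments(paths: List[Path]) -> Set[str]:
    """Physical segments used by every path in the group.

    A non-empty result means the 'redundant' paths share a single point of
    failure: one cut in that segment takes all of them down at once, which
    is what a saboteur with knowledge of the routing would aim for.
    """
    if not paths:
        return set()
    common = set(paths[0].segments)
    for path in paths[1:]:
        common &= set(path.segments)
    return common


def otdr_distance_m(round_trip_s: float, group_index: float = FIBRE_GROUP_INDEX) -> float:
    """Distance from the OTDR to a break, from the reflection's round-trip time.

    The pulse travels to the break and back at c / n, so the one-way distance
    is d = c * t / (2 * n).
    """
    return C_VACUUM * round_trip_s / (2.0 * group_index)


def evaluate_events(paths: List[Path], events: List[Tuple[str, str, bool]]) -> List[str]:
    """Replay link-status events and report when the whole group is down.

    `events` are (timestamp, path name, is_up) tuples from a monitoring
    system; all paths are assumed up before the first event. Returns one
    alert per transition into the 'redundancy lost' state.
    """
    status: Dict[str, bool] = {p.name: True for p in paths}
    alerts: List[str] = []
    lost = False
    for ts, name, is_up in events:
        if name not in status:
            raise KeyError(f"unknown path {name!r}")
        status[name] = is_up
        all_down = not any(status.values())
        if all_down and not lost:
            alerts.append(f"{ts} REDUNDANCY LOST: {', '.join(sorted(status))} all down")
        lost = all_down
    return alerts


# Constructed topology: the 'backup' route reuses tray-7, so the redundancy is only nominal.
PRIMARY = Path("primary", ("duct-1", "tray-7", "duct-3"))
BACKUP = Path("backup", ("duct-2", "tray-7", "duct-4"))
DIVERSE_BACKUP = Path("backup", ("duct-2", "tray-9", "duct-4"))

# Constructed status feed (timestamp, path, is_up).
CONSTRUCTED_EVENTS = [
    ("06:00:00", "primary", False),   # first cut: backup carries the traffic
    ("06:00:02", "backup", False),    # second cut: the whole group is down
    ("09:35:00", "primary", True),    # repair of the primary restores service
]


if __name__ == "__main__":
    print("shared segments (nominal redundancy):", shared_risk_segments([PRIMARY, BACKUP]))
    print("shared segments (diverse routing):  ", shared_risk_segments([PRIMARY, DIVERSE_BACKUP]))
    for alert in evaluate_events([PRIMARY, BACKUP], CONSTRUCTED_EVENTS):
        print(alert)
    # A reflection 100 microseconds after the pulse puts the break roughly 10.2 km out.
    print(f"break located at {otdr_distance_m(100e-6):.0f} m")
```

The diversity check is static and belongs in the design review of every "redundant" link group: it catches shared trays, ducts and landing points before an attacker does. The event replay is the runtime side, raising an alarm only on the transition into total loss so that a noisy feed does not alert on every flap; the OTDR distance then tells the repair crew where to dig.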
Protection of Energy Networks
100 % protection of energy supply networks also appears impossible. Gas pipelines are often buried one or two meters deep, but they are not out of reach. Protecting pipelines on the seabed is particularly difficult: the thousand sensors that the Nord Stream operators had installed only registered the danger once it was too late. Researchers at the Chinese Academy of Sciences have developed a method of creating a 3D image of a gas leak cloud that gives its volume and concentration: two imaging systems observe the cloud from two perspectives, and the result is combined spatially with location data. This approach could be used for early leak detection, risk evaluation and deciding on the best method to stop a leak.
Protection of Hubs and Systems
Hubs in cable and supply networks and individual KRITIS installations, such as solar parks, wind farms, transformer and switching stations, power stations, water pumping stations, data centers and hospitals, are of course much easier to protect against attack than long pipelines and cables, through structural, mechanical and electronic security measures. On the other hand, such installations are easy to identify and are attractive targets for saboteurs, as well as for cybercriminals who compromise the control systems, encrypt data with ransomware and then extort the operators.
Landing points, where submarine cables come ashore and join terrestrial networks, are monitored around the clock. KRITIS installations like these need a double perimeter consisting of a wall or fence, video surveillance with infrared cameras and intelligent analytics, and detection cables buried in the ground or attached to the fence. Fibre-optic monitoring systems in particular can monitor a perimeter reliably and fully automatically: any damage to or breach of the fence raises an immediate alarm. Access to particularly sensitive systems or rooms should additionally be protected by two-factor authentication.
If an attack or other service interruption cannot be prevented, a comprehensive emergency plan for the critical infrastructure must be in place. It is built on a thorough analysis of the threats, hazards and weak points of the system concerned. The plan must consider the consequences of an attack and of other disruptive influences, and identify and prepare alternative sources of supply.
An Emergency Plan Must Include at Least the Following:
- Establish who is responsible within the organization for emergency planning and its implementation
- Identify possible alternative supplies and prepare their procurement
- Purchase the emergency power generators required for all parts of the company
- Check the “critical hardware and software components” whose failure could endanger a system, in accordance with legal requirements
- Check supply chains for their relevance and susceptibility and for the availability of alternative sources, and review stock levels
- Prepare business continuity management
- Prepare for the consequences for personnel if operations are restricted
- Accumulate reserves for the purchase of alternative supplies in an emergency
- Make employees aware of emergencies and their consequences
- Check and strengthen the overall resilience of the company
- Plan how internal and external communication will take place in an emergency