The digitization of all areas of our lives brings many advantages. However, it also carries risks, as it offers lucrative targets for attacks by hackers and cybercriminals. First, the Covid-19 pandemic and now the Russian war of aggression demonstrate the importance of critical infrastructure functioning – and how dependent we are on it. In this blog post, we briefly show you what constitutes critical infrastructure, what new challenges operators face in (digital) hazard prevention, and how we can all contribute to protecting critical infrastructure.
What is critical infrastructure / what are critical infrastructures?
Critical infrastructure (CI) refers to organizations and facilities that are of paramount importance for our coexistence and the functioning of the state community. CIs are the lifelines of our modern society.
Which companies or sectors belong to critical infrastructure?
In 2009, 9 sectors were defined for the Federal Republic of Germany that are considered critical infrastructure. These CIs are:
- Energy
- Health
- Information Technology and Telecommunications
- Transport and Traffic
- Media and Culture
- Water
- Finance and Insurance
- Food
- State and Administration
It does not matter whether companies in these sectors are state-owned, whether they are public institutions, or whether the companies are privately run. The size of the respective companies (revenue, number of employees, etc.) also plays no role.
Why is the protection of critical infrastructure so important?
Whether cyberattacks on nuclear power plants, healthcare facilities, or government agencies: it does not take much imagination to recognize the dangers a successful attack on critical infrastructure could entail. The consequences of a sudden and prolonged power outage, for example, in road traffic, healthcare, or drinking water treatment, would certainly be devastating.
Unfortunately, cyberattacks on critical infrastructure are already a reality. As these targets increasingly come into the focus of criminals (e.g., extortionists), terrorists, or even other states, reliable protection against digital attacks is becoming increasingly important. A successful attack on these CIs would have dramatic consequences.
What challenges and dangers do critical infrastructure operators face?
The list of potential dangers and challenges from which CIs must be protected is long. Cyberattacks by criminals or terrorists, viruses, and malware are only part of the threat. Natural hazards and natural disasters such as storms, heavy rain, floods, earthquakes, tsunamis, etc., must also be considered. In addition, there are breakdowns and accidents based on human error. The lack of well-trained personnel (especially IT specialists) is also a major problem for some operators of critical infrastructures.
Unfortunately, with the Covid-19 pandemic and the Russian war of aggression against Ukraine, two further challenges have recently been added for critical infrastructure operators.
1. Russia's War of Aggression: Cyberwar as a New Real Threat
Cyberwarfare has also increased since the Russian invasion of Ukraine. While attacks are currently mainly directed against Ukraine and its critical infrastructure, experts also see an increased risk of state-sponsored cyberattacks against the critical infrastructure of other states supporting Ukraine. For example, a Russian hacker attack on the KA-SAT satellite network led to a Europe-wide disruption of numerous wind turbines. Even if this cyberattack was probably primarily aimed at the command structures of the Ukrainian military, the collateral damage was certainly welcome in Russia.
Cyberattacks on opinions, facts and truth
In another sector, which by definition also counts as critical infrastructure, cyber and troll attacks have been in full swing for many years. Affected are media, culture, and operators of information technology, as the current abundance of absurd conspiracy theories, "Querdenker" fantasies, and fake news on the net, and especially on social media, clearly shows. All of these aim to undermine the trust of the population in the democratic institutions and structures of their own country.
In the case of Brexit 2016, the US election 2016, and the election in France 2022, one could also see (or almost see) what far-reaching consequences permanent attacks on facts and truth can have. To protect our critical infrastructure / CIs from fake news, misinformation, and lies, we are all ultimately called upon to act, because we can all help to contain falsehoods (online and offline), at least a little. Because the state still has no effective strategy against these attacks on our critical infrastructure.
2. Covid-19 Pandemic: New Attack Options on CIs for Cybercriminals, Terrorists and Co.
The contact restrictions and lockdowns of 2020 and 2021 posed enormous challenges for many CI operators, as the pandemic meant that many employees had to carry out their work from home. And here lies a significant danger point: remote access to critical infrastructure via the (usually less well-protected) open line in the home office is logically significantly more susceptible to hacker attacks than direct control on-site. Not all employees had a sufficiently high security standard privately from the home office. Many things had to be improved.
Security vulnerabilities in video conferencing solutions
Meetings, which increasingly had to be held in the form of digital phone and video conferences - e.g., via Zoom or Microsoft Teams - were, at least in the initial phase of Corona, not safe from hackers. Numerous security breaches from this period are known, especially from Zoom. We have already presented this to you in this comparison of Zoom and Teams:
Zoom or Teams: Which video conferencing software is ahead?
Increase in social engineering during Corona
Social engineering – attacks that identify and exploit people as a vulnerability rather than IT infrastructure – also increased during the pandemic. The sending of Covid-19 relevant documents (with manipulated attachments or malicious links) was increasingly observed during the pandemic. Criminals exploited the uncertainty of many users and could rely on many falling for the manipulated information.
In the case of social engineering, one wouldn't even need to be an IT expert equipped with a high-end IT security system to protect oneself from this type of attack. Adhering to simple security rules and using the simplest security tools, as we have described and presented in these blog posts, would suffice:
- Protection against ransomware - Four tips to protect yourself from fraudulent scams
- Update software, close security gaps
- Online security for seniors: 5 rules for safe internet use
- Website security: tips and tricks for safe browsing
Critical infrastructure: We can all contribute to its protection
While the technical and digital protection of CIs is primarily the responsibility of the state (federal government / BSI, Federal Office for Information Security) and the respective operators, as shown in the last two current challenges, we can all contribute a small part to this protection. Because every virus, every Trojan, and every malware that we do not (accidentally) spread further, and every untruth, every false report, and every conspiracy theory that we contradict and "remove from circulation" instead of spreading it further, ultimately serves to protect our entire infrastructure. And if we all protect our common infrastructure together, we also protect critical infrastructure - at least a little bit.
