IT systems in critical infrastructure sectors (Kritis) are by no means immune to cyber attacks. That is what the federal government wrote in a now-published response to a parliamentary inquiry from the FDP parliamentary group. In the health sector, with hospitals as the focus, the number of hacker attacks rose from eleven in 2018 to 16 in 2019 and to 43 so far in the current year. Measured against the whole of 2019, that is an increase of more than 150 percent, and the year is not yet over.
Over the same three years, the number of such attacks in the energy sector rose from four to ten to 26. The number of IT attacks on the state and public administration sector is significantly higher, at 70, though the increase there is at least smaller: the authorities recorded 63 critical incidents in 2019.
The figures for the other Kritis sectors are comparatively low: in finance and insurance, according to the response, there were six attacks in 2019 and eleven so far this year. In the transport and traffic sector the number even fell, from ten to eight. In total, 171 IT attacks on Kritis institutions are reported, compared with 121 in the previous year.
By its own account, the Federal Ministry of the Interior, which is responsible for the matter, has no information on hacker attacks on emergency services (Blaulichtbehörden) such as the police and fire brigade. It can neither deliver reliable figures on the number of ransomware attacks since 2015 involving encryption Trojans (the government cites Emotet, which is itself a loader that delivers such payloads), nor provide statistics on the preliminary investigations and criminal proceedings opened as a result. For cybercrime in general, as well as for attacks on Kritis in particular, "a large number of unreported cases must be assumed".
Old devices, few updates
The government defines hacker attacks as the exploitation of vulnerabilities, hacking and manipulation, malware, "targeted, multi-stage combined attacks" (APT) and the blocking of services (denial of service). At the same time, it points out that only Kritis operators are obliged to report to the Federal Office for Information Security (BSI), and only when they detect disruptions.
The IT Security Act 2.0 is intended to widen the circle of those subject to this obligation. In hospitals, the Interior Ministry identifies as the main problem the vulnerability of IT systems caused by medical devices running partly outdated operating systems that can no longer be updated. In addition, hospitals are run as open facilities with comparatively little physical security. Network connections for external service providers, as well as the involvement of research and teaching at university hospitals, also pose risks, since these ultimately "result in a perimeter that is not entirely closed".
Production facilities, the response continues, are generally characterized by industrial control systems with long service lives and long investment cycles, for which security updates are often no longer adequately provided. Added to this is a dependence, in various areas, on individual manufacturers and on the IT security functions of their products.
In September, a cyber attack on the Düsseldorf university hospital made headlines. The perpetrators are said to have smuggled the DoppelPaymer malware into its IT systems, crippled 30 servers by encrypting them, and left a ransom note with a demand for payment. Their intended target, however, was probably the neighbouring Heinrich Heine University, and they handed over the keys needed to decrypt the data. Nevertheless, surgeries had to be cancelled, and a patient in a life-threatening condition had to be admitted to another hospital, where she died shortly afterwards.
According to the response, the time needed to return from emergency to normal operation in such a case depends on the "depth of the compromise, the complexity of the existing network infrastructure", the amount of data to be restored and the human resources available. Often a further goal is to introduce more effective protective measures or new software versions at the same time, which prolongs the process. As a rule, recovery takes "several weeks".
The "localization of cyber perpetrators" is "difficult due to the Internet's range of action", the government states. Even who is behind an attack is usually not easy to identify. In this area of crime there is "a high division of labour between those involved and a specialization of individuals". Cyber criminals often operate on a commissioned, service-oriented basis (crime as a service), which enables even criminals with little IT expertise to "carry out more technically complex crimes".