Date: 2023-05-04

Frankfurt, 25 April 2023. The most recent DDoS attacks (Distributed Denial of Service, a cyber attack that floods the target with harmful traffic) on German airports, state authorities and the police in spring 2023 show that the vulnerability of critical infrastructures (KRITIS) is more acute than ever. The first wave in autumn 2022 (including on the Nord Stream pipelines) was already worrying.

– Technological networking in core sectors (energy, finance, transport) increases the digital vulnerability of network operators, banks, airports, etc.

– Legislation at EU level has increased the cybersecurity requirements for KRITIS operators (NIS2 Directive)

How endangered are critical infrastructures, and what measures must companies and organizations take to protect themselves? The KRITIS white paper by Link11 and Schalast, “Critical infrastructures in the crosshairs”, provides an overview.

In addition to physical acts of sabotage or accidents, it was primarily cyber attacks on these systems that increased in 2022/23. According to the Bitkom study, 51 percent of the operators of critical infrastructures expect a further increase in the near future. The Federal Office for Information Security (BSI) therefore states in its current situation report that the threat situation is “higher than ever”. No wonder, then, that regulation by the EU and the federal government is constantly increasing.

Critical infrastructures – including the areas of energy, finance, health, telecommunications, government and administration, transport and water – are essential for the functioning of our society and economy. Precisely for this reason, they are also the focus of cybercriminals:

The attackers can steal data, extort money, and cause physical damage. With far-reaching consequences: production losses worth millions and supply bottlenecks that endanger or even cost human lives. The damage to the German economy alone was around 203 billion euros in 2022. It can affect corporations, small and medium-sized companies, administration and civil society alike. For the population affected, cyber attacks on KRITIS mean direct damage at the expense of public services.

In view of increasing cyber attacks, operators of critical infrastructures and companies have to deal more intensively with digital dangers and protective mechanisms. As soon as more than ransom is at stake, cyber attacks can affect not only the ability to do business (loss and manipulation of data or damage to reputation) but also society as a whole. Companies should therefore structure their IT systems in such a way that an attack has only a minimal impact and critical parts of the network cannot be reached.

Lisa Fröhlich (company spokeswoman Link11):

“Because KRITIS are so important to our lives, distinctive and constantly evolving federal and EU regulations set the framework for the necessary IT security. At the same time, the recent series of DDoS attacks in Germany shows that effective DDoS protection is essential to ensure that operators of critical infrastructure are not affected by such attacks.”

Alexander Gebhard (Partner Banking & Finance Schalast LAW | TAX):

“Compared to other areas, the financial sector already meets a high standard of cyber protection thanks to the detailed requirements of the national and European supervisory authorities. Nevertheless, it must not let up in its efforts. Rather, financial institutions must constantly monitor the self-defined level of protection from a risk perspective and raise the security awareness of their employees in order to prevent the often new types of cyber attacks at an early stage. And since financial service providers outsource many processes and data to third parties, there are new gateways, which must be controlled just as closely as the institutions do themselves.”

Janka Schwaibold (Equity Partner and Head of the Practice Group Energy, Infrastructure & Telecommunication Schalast LAW | TAX):

“The current threat potential leads to an intensification of measures at the highest European level. Such regulatory initiatives set minimum standards for more cybersecurity. Operators, companies and platforms have a duty to upgrade digitally quickly.”

