Legislator specifies stricter compliance and IT security guidelines
The dependence of our modern society on constantly available electricity, water, telecommunications and energy is undisputed. It is therefore alarming that, according to recent studies, many municipal utilities and utility companies have not adequately protected their systems against attacks. In this context, the consequences of a temporary and local interruption of supply are devastating for private individuals as well as for companies and the economic and social system in general. The threat from cyberattacks is increasing as our systems become more interconnected. In 2020 alone, there have been over 141 successful attacks on CRITIS and CRITIS-related entities. And the trend is upward.
The legislature is passing an IT Security Act 2.0 for the coming year, which will lower the threshold values according to BSI-KritisV. As a result of the change in the law, smaller utilities that were not previously assigned to this will also be counted as part of the critical infrastructure. As a result, small and medium-sized municipal utilities that supply the local population will also be affected from next year. Ensuring the supply of energy, electricity and water, as well as other tasks such as waste and wastewater disposal and the operation of public transport, are at the heart of the amendment.
This threshold will continue to fall in the foreseeable future. For this reason, smaller municipal utilities and supply companies should also address the issue of IT security soon. It is advisable to secure their own systems with the help of modern technologies.
The test hack of Stadtwerke Ettlingen shows how vulnerable utilities are to cyber attacks. It becomes clear that, in addition to fail-safe physical components for the high availability of systems, the software-side protection of the respective information systems and networks is particularly crucial. The essential building block for a sustainable IT security strategy is the shielding of your networks from unwanted and thus devastating external access. External access does not only include external hackers, but also the distribution of access rights to your employees. And here, the non-technical component in your IT operations is clearly in the foreground: the human factor, your employees.
Strict access restrictions to the various infrastructure components are essential, regardless of the "critical infrastructure" status. If you succeed in setting up logical and deep access restrictions and storing employee identities in a tamper-proof manner, you not only protect the underlying components from attack, but also fulfill the compliance and IT security requirements of the information security management system (ISMS) at the same time.
The four pillars of controlled identity and access management
- Multi-factor authentication
- Central access portal
- Least Privileges
- Secure file transfer
To comply with the IT Security Act 2.0, CRITIS companies must take organizational and technical measures that correspond to the "state of the art". The expansion of the IT Security Act means that the BSI's strict regulations are being rolled out further, which means that municipal utilities and smaller private energy suppliers also need deep technical protection of their systems against cyber attacks by law. The strong basis for meeting compliance and security requirements is the protection of digital employee identities. This includes access restrictions to critical systems and networks with deep Privileged Access Management (PAM) and strong multifactor authentication (MFA).
The control networks are the backbone of the central supply facilities. If a disruption, failure or tampering occurs here, the population is at risk. By using a Privileged Access Management the technical components can be strictly demarcated from the rest of the IT infrastructure. Only authorized employees with limited access can access them. This prevents intrusion and manipulation of the control network by unauthorized third parties and forms the basis for strong cybersecurity in the public utility environment. With the centralized solutions for all external and internal access platforms requiring protection, VISULOX, your employees can access all their devices and applications they need to perform their job with just one login. The integrated multi-factor authentication ensures the highest level of security. At the same time, the platform facilitates everyday work, as logging of activities guarantees reproducibility and security.
VISULOX provides, without configuration of agents on servers or clients, a central access portal that is accessible from anywhere and ensures central control over all activities in the IT and OT infrastructure.