NAfter the explosive attack on the Nord Stream pipelines, the Federal Criminal Police Office (BKA) warned in a letter to commercial companies that further attacks on the critical infrastructure “possibly in a quantitative and possibly also in a qualitatively increased form” must be expected. The BKA named power lines, internet cables or wind turbines as potential targets, and cyber attacks must also be expected.
Just a few days after the BKA risk assessment, it became clear how justified this was: At the beginning of October, after intensive preparation, acts of sabotage occurred in Berlin and North Rhine-Westphalia on the fiber optic network of Deutsche Bahn. Rail traffic was largely paralyzed for hours.
“The critical infrastructure is the Achilles’ heel of our society,” said North Rhine-Westphalian Interior Minister Herbert Reul (CDU) on Friday at a specialist conference on the subject in his house. “The situation is serious and time is short,” as recent events have shown. According to Reul’s assessment, there are considerable deficits in the protection of the critical infrastructure, which the security authorities call KRITIS for short, even in elementary questions such as coordination or the distribution of roles.
Reul calls for more haste from the federal government
“In plain language: who does what and who is responsible for what. What is the federal government coordinating? Where are the countries where the companies asked themselves? What are the operator’s obligations?”
The federal government is “expressly obliged” to the existentially important issue. It is good that Federal Interior Minister Nancy Faeser (SPD) is introducing a KRITIS umbrella law, praised the North Rhine-Westphalian Interior Minister. “However, we need a lot more urgency. The idea of ’key points this year’ is simply too slow.” The federal government must also involve the federal states in the process in order to finally agree on clear responsibilities and measures instead of creating duplicate structures or – even worse – creating “blank spots”. In view of the dimension of the threat, the question is not how much the protection should cost the state and companies. “The question is what does it have to cost us.”
Critical infrastructure includes, among other things, the energy and water supply, transport, hospitals and other facilities whose failure would result in lasting supply bottlenecks, significant disruptions to public safety or other dramatic consequences.
Preparations for a major cyber attack
So far, however, there has not been a clear definition, which is why it is now urgently necessary to clarify “who and what exactly belongs to the critical infrastructure of our society,” complained Reul. In fact, the group of systemically important companies and institutions is much larger than is often assumed. Andy Grabner (CDU), the district administrator of Bitterfeld-Anhalt, experienced just over a year ago how endangered local authorities are. In the summer of 2021, the district north of Leipzig was the first local authority in Germany to declare a cyber disaster. Hackers had encrypted all of the district’s servers and there was no longer any access to the system. Around 160 specialist applications – including the payment of social assistance or vehicle registration – were paralyzed. “Only the phones were still working,” reported the district administrator, who was connected via video conference.
“We felt like we were back in the eighties and nineties, with the small difference that back then there were still paper files, today almost everything is digitized,” says Grabner. According to the district, the new IT structure is 94 percent complete, but the administration is still struggling with the effects of the hacker attack 15 months after the attack.
As with previous attacks on other authorities or companies, criminal hackers were behind the attack on the district. According to the findings of the Cybercrime Competence Center of the State Criminal Police Office of North Rhine-Westphalia, the Russian cyber war on Germany feared by many after Russia invaded Ukraine has not (so far) happened. Peter Vahrenhorst from the LKA competence center had already announced on Tuesday that there were no major attacks.
“You have to prepare for a cyber war, you have to produce and keep available technical weapons.” As a rule, preparations are made in peacetime to be able to penetrate foreign systems. But because Russia probably expected a quick victory over Ukraine, that apparently didn’t happen, according to Vahrenhorst. All available warning systems against hacker attacks were started up after February 24th. Since then, however, as before, there have only been individual digital disruptive maneuvers.
However, the Nord Stream and Deutsche Bahn cases have made it clear how acute the danger of physical attacks and their consequences are. The security architecture must also be prepared for this, Reul warned on Friday. “In the event of a long-lasting, widespread power failure or a massive gas shortage, the police, fire brigade, rescue services and civil protection must function smoothly.”
As a consequence of the experiences since the beginning of the corona pandemic, the North Rhine-Westphalian police have, among other things, equipped their petrol pumps with an emergency power supply and strategically distributed fuel depots across the whole country. And so that the police can be reached even if all networks fail, according to Reul, there are now “sufficient satellite phones”.