Commissioned by Claroty
1 Introduction
There have been more systemic changes in society over the past two years than in the previous twenty. Citizens are demanding that their elected politicians take measured steps to ensure their safety, that companies adopt strategies that minimize their impact on the environment and that people are treated fairly. Governments are alarmed by the increase in the number and impact of cyberattacks, and react with new and extended regulations. One area that is currently attracting regulatory attention is corporate ‘critical infrastructure’. This is an industry segment that has been found wanting. Many organizations with Operational Technology (OT) deployments have little visibility into their OT infrastructure, and they typically have neither the threat-detection capabilities nor the compromise-response processes in place to adequately protect against societal disruption.
The cybersecurity events that have recently affected society are a case in point. The Colonial Pipeline breach occurred via compromise of a virtual private network port. It affected the distribution of petroleum products on the East Coast of the United States and resulted in millions of dollars paid in ransom. The JBS Foods compromise started in their Australian operations and likely occurred via staff credentials exposed on the dark web. The breach affected the global operations of the company and resulted in the payment of millions of dollars in ransom. The Tesco Food online shopping operations were disrupted by an attack on their ecommerce services.
In Germany, the Justus Liebig University (JLU) Giessen was taken offline in December 2019. In September 2020 the Düsseldorf University Hospital was attacked and some computer systems were disabled. In December 2020 the Funke News lost all their editorial systems and newspaper production technology. This year the municipality of Anhalt-Bitterfeld was paralyzed by a hacker attack which stopped services to over 150,000 residents.
It is no surprise that Germany is at the forefront of addressing corporate responsibility for cybersecurity via legislation. While critical infrastructure regulation has been in place for some time in Germany, the IT Security Act 2.0 (IT-Sicherheitsgesetz 2.0, otherwise known as IT-SIG 2.0) includes an amalgamation of government agencies, stronger powers to enforce compliance and wider reach to include participants in the supply chain of critical infrastructure organisations. Nominated companies must establish comprehensive data security management systems, strengthen their risk monitoring capabilities, regularly conduct risk assessments and report results to authorities.
The question then is how to respond to these developments. Some organisations may choose to resist supporting such legislative controls, citing government over-reach. Others will embrace the new direction, making changes that align with the requirements of the new regulation and welcoming the impetus to improve their understanding of their OT environment and to reap the benefits of better protection, detection and response capabilities.
Claroty have many years' experience, and advanced tools, that can assist in this endeavour.