Cyber attacks, such as those on Entega, are becoming more frequent. There may be secret services or criminal gangs behind this. Expert Haya Shulman believes we need to do more to protect ourselves from such attacks. Interview.
The cyber attack on the Darmstadt IT service provider Count + Care, which hit Entega, Mainzer Stadtwerke, as well as the waste disposal company FES in Frankfurt, shows just how vulnerable the digital infrastructure is. How can we protect ourselves from such attacks? Who are the attackers and what are their goals?
Prof. Dr. Haya Shulman is responsible for the research area of network and computer security at the Fraunhofer Institute for Secure Information Technology (SIT) in Darmstadt and is a board member of the ATHENE research center. From February 2022, she is also a professor at the Institute of Computer Science at the Johann Wolfgang Goethe University in Frankfurt. She believes that we need to do more for our digital security.
Ms Shulman, the cyber attack on IT service provider Count + Care has shown that the digital infrastructure in Germany is vulnerable to attacks. Do companies and institutions underestimate the threat?
Awareness of the dangers of cyber attacks is very high in Germany, both in business and politics. However, many organizations lag behind the state of the art. Thanks to well-known methods, they were able to fend off a large proportion of cyberattacks known today. In addition, we must generally invest much more in emergency preparedness and in modern approaches such as ‘zero trust architectures’. Put simply, this is based on the principle that not only do you protect the network as a whole, but that users must verify their access rights to each service and application individually. This prevents intruders from gaining access to the entire system through a single access point.
According to the company, delivery from Entega was not disrupted. Could it have been otherwise?
I cannot say what could have happened in this particular case. Utilities like Entega naturally make sure that their IT systems, which they use for networking, email, or accounting, for example, are kept strictly separate from the systems required for delivery. However, this does not always work.
For example, Colonial Pipeline fell victim to ransomware last year (ransomware, editorial note). Only their information systems were compromised, but the company shut down the oil pipeline just in case, causing chaos and shortages at gas stations.
What’s the worst that could happen?
It depends on how well-prepared the company is for something like this. First of all, it should be assumed that after a successful ransomware attack, a large part of the company’s data and infrastructure is lost. As soon as you spot an attack, you shut down everything and usually set up all IT from scratch.
If there are up-to-date backups of all critical data, and the transition to the replacement system is well prepared and trained, it only takes a few hours to a few days for IT and all applications to restart. Of course, things are different if there are no backups, and it can be really bad if a ransomware attack actually cripples the systems actually used for operations, such as IT controlling power generation and distribution.
Who are the attackers, what are the targets?
Cyber attacks are usually carried out by various groups that act directly on behalf of secret state services or organized criminal hacker groups. When it comes to ransomware attacks, they are mostly criminals. They have their attack tools, that is, malware, and several ways to get into companies and authorities, and then make sure they reach as many victims as possible.
How do hackers conduct their attacks? Are there specific patterns?
The malware is very often distributed via e-mail with attachments, or criminals use a phishing message to lure an employee to a prepared website. The malware then installs itself, spreads throughout the company, and then begins to encrypt all available data. Assigning a particular attack to a particular group is usually based on similarities in the approach, the technical tools used, and often also due to the languages used and the hackers’ working hours.
In order to be able to conduct a targeted cyberattack on a target, an attacker must first understand how the target is constructed in a technical sense. What digital assets belong to the target, e.g. which IP addresses? Without this knowledge, a targeted attack is not possible.
Hackers try to analyze what software, operating systems and applications are used, what vulnerabilities they have, and then break into individual systems and – if they succeed – gradually spread to the target, i.e. break into other systems and install malware there, or a back door.
Today, many power systems are digitally controlled. Do you see this as an invitation to cyber terrorists?
Rather, I would say that digitization as a whole, including digitization, is absolutely necessary, but it can only succeed if we take the right precautions and invest in cybersecurity. Without cybersecurity, there is no digitization.
The digital network is growing faster and faster. Can security keep up with this pace?
This is obviously a big challenge. More and more systems are vulnerable to attacks and even companies that once had little to do with IT now have to take care of cybersecurity of their operations and their offer. Cybercriminals certainly have an advantage here, but cybersecurity is also evolving. So yes, we can keep up, but we – companies, administrations, every individual – have to make the effort and be ready to do something.
How is it in the private sector? A smart home, a car on the Internet, all of this should make our lives easier. Does it also create more dangers?
Of course, anything that is online can be attacked. This was clearly visible in the automotive sector, where there was a wave of attacks a few years ago. The reason was simply that cybersecurity had not been an issue for car makers and suppliers before. There has been a lot of progress since then; especially in this industry, people are concerned about cybersecurity.
In my opinion, we are at the beginning of the smart home market. There are also many manufacturers who come from completely different fields and therefore must first learn how to properly protect their products and services.
What can anyone do, at work or in private, to increase digital security?
If everyone follows the rules and uses the usual protection mechanisms, much has already been achieved. In private, it is safe to use antivirus programs, allow and perform updates, regularly back up your own data, and not open files from unknown sources. If you want to learn more, you can find many good tips on the website of the Federal Office for Information Security (BSI).
Have you been in cybersecurity for a long time? How old is the problem and how do you approach your research?
I think the problem is as old as computer science itself, and my research is primarily about Internet security and its use. On the one hand, we study very practically how the attackers are acting and how vulnerable the Internet is, and on the other hand, what can actually be done to increase security. This is, of course, a lot of technology, but we are also concerned about the question of how to establish the appropriate legal and economic incentives for applying the new security procedures.
The State Cyber Competence Center (Hessen3C) has existed since 2019. How is your cooperation with Fraunhofer SIT?
Very good. The state of Hesse and Hessen3C is one of the most important practical partners for us, i.e. the National Research Center for Applied Cyber Security ATHENE, and also for me. We are very often in return.
What challenges do you see for the future?
It is quite clear that the security architectures used mainly today are outdated, otherwise we would not have experienced such a dramatic increase in the number of attacks. But there are already many very interesting, promising and practical approaches, such as “Zero Trust Architecture”. For example, in the US, it was determined in January that the federal administration must convert to such modern architectures by 2024. We are still debating.
That is why I see the greatest practical challenge in the fact that, as a society, we must become much more ambitious in the area of cybersecurity. And of course it still requires a lot of research and development, but without the ambition to use it, it doesn’t help much.
The interview was conducted by Uwe Gerritz.