How secure are BVG, water utilities and the airport from hacker attacks?
Every year, the IT Service Center (ITDZ) registers seven million cyber attacks on the network of the Berlin administration. In the past, there had also been repeated attacks on the IT infrastructure of public institutions in Berlin: In 2015, the computer network of the Bundestag was attacked, and in 2019, the highly dangerous malware "Emotet" damaged the entire network of the Court of Appeal.
In May of this year, hackers attacked the Technical University of Berlin. What is the state of security at critical infrastructures (CI) after massive security vulnerabilities were discovered at BVG and the water utilities?
In a current-affairs question obtained by the Daily Mirror, Interior State Secretary Torsten Akmann answers these questions posed by FDP digital expert Bernd Schlömer, but he does not provide much information. Akmann repeatedly refers to the responsible Federal Office for Information Security (BSI). All critical infrastructures have an obligation to provide information and proof to the BSI, for example, about compliance with certified security standards. Eight state-owned companies that are part of the critical infrastructure also comply with this obligation, "so that there are no additional obligations for the state of Berlin". The companies would act "on their own responsibility" in coordination with the BSI, which is the higher federal authority responsible for critical infrastructures.
According to the internal administration, the following companies belong to CI: Berliner Verkehrsbetriebe (BVG), Berlin Water Company (BWB), Berlin Municipal Cleaning (BSR), Berlin Airport Company, subsidiary of Berlin Brandenburg Airport GmbH, Charité University Medicine, Vivantes Network for Health, the traffic control and control system in municipal road traffic, the operation of the tunnel and traffic technology of the federal motorway in Berlin and the Spreebogen Zoo tunnel.
FDP man Schlömer criticizes the fact that apparently the state "has no interest in taking care of the IT security of the state companies. As the owner of critical infrastructures, you have to make sure that things run smoothly." Schlömer calls on the state to be informed about security in the state-owned enterprises. "We need regular reporting on security. The reports should instruct the boards," says the FDP politician and former chairman of the Pirate Party. It should be "in the high interest of Berliners that system-relevant areas and critical infrastructures receive special attention." In addition to regular reports, he said, there must be risk management and a situation report on information security.
The effects of the Emotet virus discovered in the Kammergericht's computer system in 2019 were still being felt in 2020. A large proportion of the 150 judges were only able to work to a limited extent: there was a lack of sufficiently secure connections from the home office to the court, so-called VPN tunnels. Only 210 out of 1,000 judges at chamber, state or district courts were able to securely dial into the state network - but only via their private computers.
The Kammergericht's own computer center was not rebuilt after the cyber attack, and 550 computers had to be disposed of. Like the eleven district courts and the regional court, the IT now runs via the ITDZ. In the meantime, all judges of the Court of Appeal have laptops with secure VPN connections, according to a spokeswoman for the court. VPN access is also available in sufficient numbers for the ordinary courts. However, there are difficulties "due to the shortage on the IT end device market caused by Corona" to obtain further laptops for judges of the other courts. By the end of July, 1143 laptops had been purchased.
After the Trojan attack, there have been no further attacks on the IT of the courts, and the infrastructure of the Emotet malware was smashed by security authorities in January. But cyber attacks are increasing year by year as critical infrastructure is increasingly targeted by cybercriminals. The Security Act 2.0, passed in May, mandates higher protection standards for CI operators. For example, they must deploy attack detection systems.
For years, however, Berlin's public transport authority (BVG) refused to prove to the BSI that its IT security was defensive. In April, BVG abandoned the simmering dispute with the federal agency. A cybersecurity firm identified 23 deficiencies in IT security. These issues are reportedly being systematically worked through within the legal deadline of two years.
BVG said it had a "very high level of security." Reports on new IT vulnerabilities are received from the BSI's situation center, from system manufacturers and via the Internet. So-called penetration tests are carried out on a regular basis - this involves a targeted search for vulnerabilities - and there are also internal security screenings.
Last year, it became known that the IT security of the Berlin Water Company (BWB) was so full of holes that a cyberattack could have paralyzed the sewage disposal system for weeks. The Berlin-based consulting firm Alpha Strike had tested the IT security in the wastewater sector on behalf of BWB and found more than 30 security gaps. The security experts found that the state of IT security was inadequate. And during the penetration test, unsecured pumping stations were discovered. The IT security architecture is currently being rebuilt. After the first penetration test, two more followed, said spokesman Stephan Natz. All current certifications have been obtained, he added.
At the water utilities, there are several networks, including the drinking water supply system or a separate system for the 164 wastewater pumping stations and stormwater tanks, which are controlled with LISA (Guidance Information System). This system was built over 25 years. This is also where the auditors found the most deficiencies. The six wastewater treatment plants do not have a central system: Two of them are connected to each other in the network, such as Ruhleben and Wansdorf or Waßmannsdorf and Stahnsdorf. The water utilities also have to fend off cyber attacks. The fight against hacker attacks is "a non-stop arms race," said spokesman Natz.