Good afternoon or good morning, ladies and gentlemen, welcome to this webinar, "Improve Security with Critical Infrastructure Requirements". We have two speakers today. My name is Matthias and I will be the opener for this webinar; I will be joined later, for the first part of the actual presentation, by my colleague Christopher Schutze. I am Director of Practice IAM and he is Director of Practice Cybersecurity, and together we will guide you through this short webinar. Before we start, some information about KuppingerCole and the obligatory housekeeping notes.
As an analyst company, we provide focused content and services on identity and access, cybersecurity and AI (artificial intelligence). And we do this through various channels and formats, including research, events like webinars and of course conferences, advisory services and eLearning.
I've talked about research. We have various research formats covering different aspects of your interest. We have Leadership Compasses, which focus on different market segments, comparing individual vendors and identifying leaders.
Then we have compact Executive View documents about specific products or services. We have comprehensive Advisory Notes, which look at a specific topic in more detail. And we have the two-page Leadership Briefs, which cover business challenges and key issues and help you identify the right solution in a very short time, just in time, and get you to conclusions. We have recently launched our new content and research platform, KC PLUS, which gives subscribers convenient and full access to all KuppingerCole analyst research from every device.
And it is available at a really reasonable price, as shown below here. So you might want to consider this. And this was the commercial break.
We do advisory, and we do this for end-user organizations. This includes support and guidance in various phases across our areas of expertise, the Digital Business Compass services, as we call them. They include, for example, strategy, portfolio and roadmap definition, product and technology concepts, benchmarking and recommendations, guidance, assessments and management services for projects. I've mentioned events before.
And of course we have a lot of great events coming up this year, and May is coming sooner than one might expect. In May there will be our flagship event, EIC in Munich, the European Identity and Cloud Conference. That will be May 12th to May 15th. And later this year we will have CIW, looking more at the consumer and customer identity world. We have the Cybersecurity Leadership Summit together with the Cyber Access Summit in Berlin, which of course will look at cybersecurity and access management.
And in November there will be a new event, a very interesting and really challenging event, and I'm really looking forward to that: Cybernetix World will be launched in parallel in Dondo, in Stockholm and in Abuja. That will be later in November.
Finally, the housekeeping, very quickly: we are muting you centrally and we are controlling these features, so there is no need to mute or unmute yourself. There will be a recording of this webinar, and the recording together with the slide deck will be made available, usually tomorrow. And we will have a short questions and answers session at the end of this webinar.
I ask you to contribute to that by entering your questions, which might come up during the presentation, into the GoToWebinar questions panel; we will pick them up at the end and try to answer your individual questions or follow them up later on. And that's it for my introductory and housekeeping part. I would like to hand over now to my colleague Christopher Schutze. He will introduce himself again, and he will do the first part of the presentation. So please welcome Christopher.
Thank you, Matthias, and welcome to this webinar.
I think the introduction by Matthias was enough. As he said, I'm the Director of the Practice Cybersecurity, and responsible within the areas research, events and advisory. So let's start with a short definition of what critical infrastructures are before we go into a more detailed level.
We use this definition, created by the German BSI and the European Union, which you can see here on the screen: critical infrastructures are defined as organizations or institutions of major importance to the state community whose failure or degradation would result in sustained supply shortages, significant public safety disruptions, or other dramatic consequences. But this is very generic. Worldwide, there are several government-driven frameworks and responsibilities that define what is part of critical infrastructure and what the required level of protection is.
We visualized it in this map, but this is only a selection of some common frameworks and responsibilities.
In the US we have CISA, the Cybersecurity Information Sharing Act, which is part of the Department of Homeland Security and mainly uses the NIST framework. The interesting thing is that the US has 16 different sectors which are relevant for critical infrastructure; as we will see on a later slide, the German version, KRITIS, only has nine. In Europe, the country-specific regulations are based on and created from the EPCIP.
So the European Programme for Critical Infrastructure Protection became KRITIS in Germany, the APCIP master plan in Austria, and the Swiss program in Switzerland, just as examples. South Africa has the CIPP, the critical infrastructure program, with the Critical Infrastructure Protection Act updated in 2019. And last but not least, Australia has the CIC, the Critical Infrastructure Centre, with the Security of Critical Infrastructure Act 2018 and also rules created in 2018.
But in this webinar we will focus on the German KRITIS as an example, also because it is used as some kind of blueprint for the European Union and in some European countries. The German KRITIS is divided into four technical infrastructures, on this slide, and five socioeconomic infrastructure services, which will be shown on the next slide. So in sum, we have nine different critical sectors. Power supply is the supply of gas and electricity within a country, or for sure also between countries.
If you think about the European Union, or the supply of gas between Germany and Russia: energy is needed for many other critical infrastructures. And for sure you will realize that there are a lot of cross-dependencies between critical infrastructures. So it's not only power supply; it is always more. Communication is key, and therefore the exchange of information and the underlying telecommunication technology is also essential for many other areas.
It must be ensured that people can share information and that the necessary infrastructure is always running or available, or that we have a plan B. The transport of goods for food, healthcare, or not least military use is important. The traffic system has to work on water, in the air, on the road and on the railways, and also the signals. And the supply of water: we have the pipes, we have the monitoring of the water supply, we have sanitation, and all this is really essential, because if something is not working well there's a big danger of epidemics or something like that,
when people are not able to get clean water or to use their restrooms. The five socioeconomic services which are relevant for KRITIS are: the nutrition of people, the availability of food, the production of food,
and for sure, again, with cross-dependencies to the transport sector, which delivers the goods to customers and organizations. Hospitals, their medicine, the doctors, the nurses are relevant, as well as the people who have to go there; there must be enough staff, and we need medicine in the right places at the right point in time. Our government, or the government in general, must be able to communicate internally and externally, and it must be able to act: our police, the fire departments and the judicial institutions must be able to do their work.
In the end, crisis
management is really essential and a big part of this. Another topic: the stock exchanges need to stop and continue in any case to protect the money of the people. Just imagine there's an earthquake or some political issue, and all the money on the stock exchange could be gone within seconds. For media and cultural heritage,
we also have cross-dependencies with the other part, information and telecommunication technology, because people must be able to get information about what is going on; newspapers and news magazines and the television must be able to inform people. But this is very generic, so maybe let's better have a deeper look at an example.
Therefore we prepared an example with a railway provider, which should obviously be part of the traffic and transport area of critical infrastructures. So the facts: the rail industry consists of several industries or sub-companies.
In our example we have one for passenger transport, one for freight transport and logistics, one for infrastructure (so the tracks, the signals, the trains and the supply of energy), and the group management, which is mainly responsible for employees and the administration.
Our scenario, which I will show in more detail on the next slide, in only a few words: we have a train A which drives from Warsaw to Zürich. Two hours before it arrives and stops in Stuttgart, some incident happens near Frankfurt: something is blocking the tracks. This could happen. And to make it more difficult, another train B should arrive in Stuttgart at the same time as train A. So let's have a look at this in the graphic. We start here in Warsaw, here's our train, and we go via Frankfurt to Stuttgart to Zürich.
And now we have an incident here, shortly before Frankfurt. A possible solution is to use another route, maybe via another city, for example. But then we have the other train, which is driving from Copenhagen to Stuttgart, and it is planned that it arrives in Stuttgart at the same time. So possibly at this point here we have a problem. But to make it a little bit more complex: we do not only have these few cities and few trains. We have several cities, several relationships, and a lot of trains at the same time.
And in the end it's a really, really, really complex network.
We have many variables like the signals, the statuses of the trains, delays, and the incidents. As I said, in this example we have some debris blocking our track. So small things can have a big impact. In this example it is an external incident, but what if the threat comes from internal? To make the internal threat a little bit more understandable for you, let's have a look at the processes in the control center of the railway provider. So let's start.
What would happen if the incident happens? In the first step, the control center is informed that something is wrong here. The next step should be that train A is informed that there is a problem. Next, the control center should decide to find an alternative route, so for example use this route.
But as I said, we have a problem here, because possibly they arrive at the same point in time here. So the signal for train B should be turned to red, and here the switch has to be set to the other route.
And we have to inform Stuttgart that there is a possible delay, and for sure we have to inform the next station that there's a possible delay, and so on. So a control center can manage business-critical processes, like deciding to switch the signal. But do they have a four-eyes principle or a second approval? I don't know. And who ensures that nobody can manipulate those processes?
Those processes could be manipulated by internals, or at least by externals. What if the account of a control center employee is compromised? Or the control center is the bad guy? Just imagine the power the control center has.
So the core of running KRITIS-relevant organizations is to have a recovery strategy. As shown in the railway provider example, the recovery strategy was setting the switch and changing a signal. What we need is a general recovery strategy. If something is happening, we may need access to important IT systems. In that case the access was to a control system for the switch and for the signal, but it could be on a deeper level too, also on the operating system level. But what happens when the control center is offline?
So in general, KRITIS-relevant organizations need an ability to act, and maybe they need some kind of break-the-glass scenario to access systems which are protected but essential to use for further steps.
The scenario I've shown you has four different companies which have to work together. This is really a common scenario, but even as one organization they might have different goals. So something could happen at an internal or external service provider.
And this is why we really should have some kind of service level agreements, and agreements on availability level, support and recovery. We really need to know who's responsible, at what time, and what to do when something is happening. And for sure we need enhanced security. Not every control center employee should be able to modify switches, as I showed you in the example, and those who are allowed to should at least need a second approval or some other mechanism which prevents danger.
So no matter which critical infrastructure is considered, IT is essential for it.
Not only in the transport sector, almost everything is controlled with the support of IT. This means that we need to control and monitor the IT systems. We must ensure that they are running, and if there are problems we need to know this immediately, because we need to react to that. Business- and IT-critical accesses need to be protected in such a way that only people who are allowed can have access, and we have at least a four-eyes principle or something else, maybe a service desk which monitors the actions of what people are doing. For operational technology infrastructures,
like we had in the example with the railway provider, the sensors must be protected as well; especially their maintenance portals and their update interfaces are critical attack vectors. And for critical infrastructures in general, business continuity is key.
Keep the systems running and be prepared that they could stop.
And you should really have a plan B, or at least a plan C: even if your whole IT is not working, you should be able to act. Just think about the healthcare sector, what they would do without computers. To handle all these complex things, which I tried to show you in the small example, it is really mandatory to have an information security management system if you are KRITIS-relevant or want to become it, or if you want to benefit from the higher requirements. Information security management systems are used for documentation of OT devices, of IT devices, of IoT and all the other stuff and processes. It is documenting the risk and the mitigating measures or controls to detect, prevent and recover as a whole.
Just having an individual measure, for example for your switches, is not enough to be really prepared for a bigger incident. You have to think of it overall. And this is the part where I hand over to Matthias.
Okay, thank you. You can hear me, so I'll take over. As Christopher has told us before, when we're looking at critical infrastructure we are not in the position, as analysts, as IT analysts, to actually look at the core business that's behind it.
So what Christopher described with the trains and the tracks and the switches and the control center, that is core business. And of course, when organizations look at KRITIS compliance and being prepared to be KRITIS-ready, this is an important part. But the second important part, as Christopher mentioned, is having the IT ready for critical infrastructure operations. And this is what we are looking at right now. So Christopher already mentioned: keep the service running, because downtime is not an option.
You cannot switch off the water supply because you have malware in your systems. So the goal is to ensure continuous protection and continuous operations.
That means being prepared is essential. So operators of critical infrastructure must be prepared for current threats to a high degree. That means they need to know what's going on when it comes to current cybersecurity events and current cybersecurity postures, and you need to know your market, the security industry and the industry of cyber criminals, to know what they're actually currently doing.
To get to know this, there is of course threat intelligence now available as a service, to be consumed from commercial partners or from industry partners. And that is a vital part of protecting such a critical infrastructure. It's a vital part of its cyber defense and the resulting incident response, because it consumes information and provides information about the current threats, so that organizations and their IT can actually be prepared. These might be current threats, but also traditional, well-known attacks that need to be covered in advance.
Therefore information needs to be collected from all possible sources, and attacks which are happening right now to other companies need to be taken into consideration when trying to identify the right measures to take. The place where this usually happens, at least in mature organizations, and we expect critical infrastructure providers to be mature organizations, is a security operations center, or SOC. That actually consumes the relevant real-time data and provides, and that's the important word, actionable threat intelligence, just like the switch has to be changed at the right time.
Actionable means we have to get the right information when it comes to IT security, and do the right steps at the right time to mitigate existing threats, to respond to existing threats, and to recover once the mitigation has taken place.
When we're looking at IT, and when we're looking at critical infrastructure, we are also looking at critical functions. So these are functions within an organization, and within the IT of an organization, that attackers or employees will target when they want to harm your business or to interrupt your business, or to
harm it in any way. Therefore we have just six recommendations that should be taken into consideration. We talked about the ISMS being the one central part, and an ISMS of course relies on the underlying ISO 27001 and its friends. Identity and access management, privileged access management, strong authentication and segregation of duties are all controls that are directly related to ISO 27001, and thus also to an ISMS. So these more IT-focused, but very important, recommendations should be taken into consideration for any organization.
And if you look at the recommendations that they do follow, this is an important part of it.
So first of all, implement privileged access management. Make sure that administrative accounts are actually controlled in an adequate manner and that this is integrated into an IAM, so as to get an overview of who actually has access to critical systems, who can use this control center at this traffic provider, and which accounts are actually used for doing critical operations and executing critical functions within an access governance system.
It's important that you identify business-critical actions. You need to understand what is actually a critical function and what the risk is that goes with it, and that goes with its abuse or a failure in actually executing these functions. So not only administrative tasks are critical, but also business-critical access must be controlled. So everything that is really closely related to being able to interrupt the actual continuous provisioning of services is something that needs to be identified as business-critical. Stronger authentication:
we just heard about another password breach just this weekend. And I don't even mention which one, because if you hear the recording next week there will still be another password breach and we still will need to deal with it, but it'll not be the same. So prevention here is stronger authentication; wherever possible, multi-factor authentication should be implemented. I know that critical infrastructure often relies on legacy systems, to put it mildly, but wherever possible critical access should be protected adequately.
And four-eyes principles should be in place when it comes to really approving critical access to systems. Segregation of duties is an important part, to make sure that only one part of an overall critical function can be executed by one single person, so that mutually exclusive actions cannot be assigned to a single person, so as to protect business continuity at that point. Understand who's responsible for an action with regard to the execution of a critical function.
It is important to assign ownership, for example to technical and service accounts, to make sure that there is somebody behind that, a person or a group of people, who are actually responsible and accountable. And a final thing: I've mentioned password leaks; of course, changing passwords for service accounts on a regular basis is often important.
We all know that for some root accounts that might still be in place in some organizations, that is not the case, or for service accounts when you go to an actual machine out there in the field. But there need to be processes that make this more secure, more reliable, more safe.
So if you go back to the example that Christopher mentioned, it was a transport and traffic example: what do these organizations actually do when they want to be compliant with the KRITIS requirements, be it the ones in Germany or those in the area where you're listening right now? There are guidelines.
So these specific recommendations do exist. Again, we've chosen the example of Germany and KRITIS, but that is true for almost any sector in any country where these regulations exist. They drill down the responsibility to the actual owners of these systems. For example, for the transport and traffic sector in Germany there is a specific KRITIS sector study for transport and traffic, which has been created by the BSI in Germany. So this comes with recommendations in different areas.
For example, we've mentioned that the basis is the implementation of an ISMS based on ISO 27001, the implementation of BSI IT-Grundschutz (IT baseline protection), then of course training and awareness, making sure that the people who actually use these systems, because people are still often the weakest link, are in the position that they are well trained, aware, and have current knowledge.
And of course, to make sure that infrastructure operators within the same sector exchange sector-specific information. For all the other sectors within Germany there are so-called B3S guideline documents, with B3S being somewhat of an acronym for industry-specific security standard. These documents provide good information and guidance when it comes to making such an organization KRITIS-ready. So these are catalogs of measures to be taken, and they can go to rather a good depth, so that organizations can work along these lines.
And as I mentioned, this is a regulation, so of course there's an audit. There will be the obligation to present to an auditor every two years that there are adequate measures in place. So following these guidelines, it's usually not a bad idea to implement mitigating measures, to present them, and to make sure that you are able to withstand such an audit.
So for you and us who are now in this webinar, how can we benefit from this? I don't know how many of you are actually coming from a KRITIS-relevant industry, but this is of no importance.
Actually, the idea is to learn from this and to understand KRITIS. On the one hand, for those who are relevant for that, of course, to give them some idea of how KRITIS compliance can be achieved. But for those who are not, to use the principles that are behind the KRITIS requirements for an improvement of their own security and safety and, much more important, their resilience. So to the left we have two more or less truism-sounding recommendations, but they are so important. Don't just do the minimum if there are recommendations.
And if there is an auditor, and the auditor comes every two years, make sure that you are prepared much better than only what the recommendations in your B3S document say. Don't just do the minimum.
Don't just meet the mandatory. Much better is to improve your own policies, organization, systems, infrastructures and processes, to actually achieve the goal that is behind the KRITIS idea: to make systems more safe, more secure, and more resilient.
And of course, don't wait for an incident. On the one hand, there's most obviously one happening right now in such an environment, and it needs to be detected and then mitigated. But in the end, it's really important to be prepared for every important, every risky incident beforehand, and to have the right measures pre-canned at hand to respond to an incident. The benefits on the right are of course really important. When you have gone through this process, you can become more secure, more safe, more resilient.
So you benefit from the challenges of operating a highly secure and reliable infrastructure by making it more safe, secure, and resilient; resilience means availability in that case.
So you can reconsider security, safety, and business continuity from this slightly different angle. If you are a usual company and you have an incident, you might come to the idea to shut down that important system that has been infected or taken over. Or maybe you have the chance to leave it running, or to have the service at least running through a different service provider.
So maintaining availability may be a good idea, and understand that your service can be more resilient, even in case of an incident. And once you have made this step, you can benchmark yourself. You can come to a process of continuous improvement, and use the related KRITIS-relevant recommendations to actually get better, to increase your organization's maturity, whether or not you are a KRITIS-relevant organization. And now I think we are approaching my final slide, and that is actually something that we try to do at our organization.
And we recommend to many organizations: just consider being KRITIS-relevant by reading the recommendations of a sector which is at least a bit related to what you do; it could be IT, it could be transport, whatever it is. Consider being KRITIS-relevant, even if you are not, or not relevant for the critical infrastructure requirements in your local area. Pick out the right recommendations and improve your overall security posture, your resilience and your safety. And that's it from my part; that would be my recommendation for you.
If you have any questions for us, enter them into the questions panel of the GoToWebinar panel on your screen. We have at least one already here, and we start with that. So the idea would be, and since I'm talking right now I'll ask the question, of course, to Christopher: even if you are not a KRITIS-relevant organization, where would you start with actually applying critical infrastructure recommendations and requirements within an organization?
Where would we start?
That's really a good question. Usually you should start at the point of realizing, for your company or organization, where your biggest risks are. So maybe you should start with collecting the things you do, the most critical things you do, and rate the risk. And then maybe you can use one of the B3S recommendations as a guide, or as some kind of guidance, to be prepared for a future incident.
And also in general, an incident response management system could be a solution, because you cannot mitigate every risk; with some risks you have to live, but you need to be prepared to keep your systems running or do whatever is necessary.
Okay, great.
So I think this risk-based approach is really something, first of all, enabling you to actually respond at all, to mitigate the risks in time. And the second would be to really start where the biggest dangers, the biggest threats to your organization, to your business processes, to your availability are. That would be really the starting point. The second question: do we expect KRITIS to evolve over the next years?
Of course. Maybe I start, and you can add to that. If we look at the NIS Directive that just came out, or actually it's been in the wild already for some years, but people now have to implement it: this actually moves KRITIS to an international level, and makes sure that KRITIS is looked at at an EU level. So the NIS Directive actually makes sure that suppliers of critical infrastructures overall in Europe do communicate, and make sure that they provide common approaches and exchange data cross-border, and even cross-industry. I think that is something that we can expect.
So it's no longer just a German thing, a Danish thing, a Spanish thing, but it's considering the EU as a whole. Do you want to add to that as well, Christopher?
No, I can fully agree with this. I mentioned this in the example, or at the beginning: right now it is country-specific, or European Union, US, China, Russia, Australia specific, but the really worldwide topic is missing. And I think this will evolve much more in the future.
Currently they are working on that. And for sure, for some states like the European Union, there will be more standards defined for every part of the European Union.
Okay. So there are no further questions available here right now, so we close down this webinar. We would be happy to have you in one of our upcoming webinars again as our attendees. We thank you for all your time participating in this webinar. If you have further questions, please get in touch with us. Mail address and website are available everywhere at kuppingercole.com.
And of course we would be happy to see you at EIC in Munich or any other event. And with that, I want to leave you right now. Christopher, some famous last words from your side?
No, I just want to say thank you, and I hope to see you in May at EIC.
So thank you very much for attending, and if you have any further questions, please get in touch. That's it for today. Bye bye.