You know, it's such a great pleasure and honor to be here with you. And when I, when I saw the preparation and I read more about KuppingerCole, I, I would also miss to thank you for organizing Europe's leading organization for identity and cloud conference. And when I read preparation, everybody said, Hey, there Z salty us. We're organizing it. And I think this is just great, what you're doing there. And I think it is always good to see each other, to talk with each other and to discuss the various threats.
When I saw the program today, before I came here, I must say, I was really surprised how many high-level speakers you are having here. And, you know, once a year, I'm giving a presentation regarding what is the level of information security in Germany. On the 21st of October this year, I gave a short presentation together with Minister Horst Seehofer. And we made it very clear that in parts we are having the alert level of red. Why? Because we are seeing so many hacker attacks, and you all are in the business.
You know what it is. We saw in the last year more than 144 million new malware programs. New, can you imagine? They're not just doing it for fun. They are doing it to attack you as a victim. They do it to get the best out of you as information or money. They try to use it regarding ransomware, and they do it more and more sophisticated. And when I thought, for example, this year, you know, the data breach in March 21, you remember the Microsoft Exchange weakness.
Four zero-day exploits were discovered in an on-premise Microsoft Exchange server, giving attackers full access to user and password on affected servers. We identified roughly that 98% of zero overall servers are open for these kind of attacks. 98%. Then we gave a very high warning. What you expect from the warning? I can tell you, after a few weeks, we still saw thousands of open, not patched servers in Germany, fully available, thousands. Then especially small, medium size companies. Then we sent, and it's not fun. It's not a joke.
Then we sent a letter, a letter by mail, not email, a letter by mail to the CEOs of the small, medium size companies. And then they started to patch. Very digitized world we are living in, right? And now can you imagine what is going to happen if we are coming to this kind of digitized world, we are, everybody's talking about regarding artificial intelligence, IoT, 4.0, autonomous car driving? We will behave in the same way. We will have lots, lots, lots of challenges.
So when we are speaking about fundamental challenges of IT security in Industry 4.0, I will not, sorry, solve your areas regarding semiconductors and so on. Someone else will do it, but I'm not. Or APT attacks and supply chain like SolarWinds. They are very sophisticated and extremely challenging to identify. This is something what the governments will take care of. It's not for you as industry. But what we can take care of is, beside all the other challenges, there's an exponential increase in vulnerabilities. It is unbelievable how many vulnerabilities are out there.
You know, all the updates you see every day, the number of updates you're getting and warnings regarding, Hey, please implement the update. And if you're speaking regarding operational technologies, right, and operation, how do you check always if it is really working? It's tremendously difficult. When I speak to big companies in Germany, we don't have so big Amazons, you know, which are quite young, or Googles or Facebook. Not yet. We have more old industries, which became more and more digital, right? So they have a big heritage on old IT systems.
Do you know what kind of IT you are working with? Do you know what kind of IT is? There are the different kind of areas on the manufacturing sites. And then comes the controlling guy and says, Hey, we can save 20% if we make online possibilities to update it from home. And lots of them are opening it up to connect the manufacturing IT, which was never thought to be connected with the IT, with the internet. They're going to do it. And therefore we have to work on this one. From my perspective, they are tremendously vulnerable.
Therefore, we as a government agency, what you have said very well, we are having lots of publications on OT, also in English because OT is not a national area. This is a very international area, but we have to cooperate and to think jointly together. What does it mean?
We have published over 20 different documents, to find it in the internet, on our webpage, where we are looking to operational technology from different perspectives: from the vendor perspective, for the manufacturer, integrator, who built a machine or does maintenance, for the asset owner, operator. Or we also prepared short case studies, what could go wrong. Because it's essential to have the right risk management available for the operational technology. And since we are having more or less old industrial control and automation, ICS, systems, how are you going to deal with it?
If you're getting out of the lifecycle? You know, we always had the joke. We are here without press, right? So I could say it, I hope. There was always a joke, you know, regarding WannaCry, NotPetya. And then there had been the attack regarding ransomware and so on, on the hospitals in the United Kingdom, something, or about 60 hospitals on operations had been hit hard. And then I asked the German hospitals, Hey, why didn't it work out with you? And behind the doors, you know what I said? We are not using these new software issues, like Windows XP
and so on. We still have MS-DOS. So good level of defense, but probably not appropriate. But how are you going to deal with it, right? How are you dealing with the older stuff if it's running out of support, it is used more than 10 years, and the producer who gave it to you from the beginning is not supporting it anymore? Because the industrial control and automation systems are used much longer than the normal usual stuff. And this is challenge, and you will lose the control, the overview: what are you using there in your operational technologies?
And therefore we are preparing a kind of, we prepared a few papers where we are describing what to consider, the systems wanted or needed to be used, even if they're out of the support. And I think this is very important because we are working on how to secure the supply chain. And I mean, when you look to it, it is always the same, right? Compromised by a customer, compromised by a former employee, the in-house attacker, by a current employee, by Bitcoin miners. That's all what your operational technology is used for.
And I think especially if you're having older systems, this is something we should take care of. And then the operational guys always have a big challenge. Do I have to patch now or later and wait for the next update? When do I do it appropriately? It's always said so easy, just do it right away, the patch management. If you're not sure what, how is this update impacting the other areas and operational technologies?
It is extremely challenging for operational people to do the right thing, because currently the situation is difficult, because software vendors do not use a common format for information about patches and updates. It's not a common format. There are too many sources of information, and what is right, what is wrong out there? Many systems in the operational technologies do not have automatic update capabilities. A risk-based approach is needed, as updates can have unforeseen side effects.
What I have said, you don't know how it is affecting other operational technologies. And therefore now comes the solution, of course. So don't be afraid. I think CSAF, the Common Security Advisory Framework, will be one solution and will be probably an easy solution. It is a unified format for all suppliers and vendors, easy to process and automate. It is indicated by the blue icons with CSAF. It focuses on the end users. It minimizes manual faults, especially in the production. And it will be very important for the global players.
A worldwide standard will be about to be introduced in this area. So not just a national, regional solution, but a global, a real worldwide one. The only challenge for us is it will be just a success if we are all using it. We have prepared it. We have put lots of emphasis onto it, but you have to use it. Otherwise it will not work. The foundation is prepared by BSI and now you can build on it. BSI. We are within BSI as a national cyber security authority of Germany. We are the first government entity which is fully committed to CSAF.
We supported, of course, also the international efforts very strong, the open source tools already, the editor, for example. And of course we are continuing the overall development with more tools, more examples, and guidance how it can be used. When I'm now looking behind the scene, we will act as an aggregator providing information about available patches for you as a service and security advisories from several vendors. And they will be all published on the BSI homepage to support you very strong on this one.
And we will establish mechanisms for easier matching asset to available CSAF advisories. When I became president of BSI five and a half years ago, I said, gentlemen, as federal agency, what is our mission statement? And for me, it was very clear and we prepared something where we said, okay, BSI, the federal cybersecurity authority, shapes information security in digitization for government, business and society. Let me quickly explain what it means. I'm a fan of this so-called Highlander principle. The old ones of you, like me, know the film, the movie Highlander: there can be only one.
When I'm speaking with my colleagues in the US and I discuss with them, Hey, how many government agencies are responsible for cybersecurity? Says, told, tell always 5 50, 2 56, something like that. I don't believe that this is working. I'm happily married with three children. If I tell them during dinner, so, let's clean up the table, I can tell you what is going to happen: nothing. But if I say, Hey, Christina, you are taking the plate, William, you are taking, I don't know, Sofar and Fredericka is taking the Marmon or whatever it is. Everybody will exact act like his behaved to do.
And that's why I say can only one, one competent center on the federal government. Number two, I know the security guys are laughed by the organization just prior to the data security guys, data protection officers, but shirt security guys are normally seen as not guys which are enabling something, but say how it is not working. That's how normally security is seen: zero or one. Is it working? Yes or no? Is it security? Security? Yes or no. We don't believe in it within BSI. For us, it is a question of risk management. How big is your risk appetite?
And this is a core challenge you have to answer. How big is your risk appetite for the operational technologies you're using for the OT? And then you can make a clear decision for government, business and society. Shortly. I will sign with the I'm. I'm responsible for the federal government. It's quite easy, but as a federal state, we are having 16 countries in Germany. So it is much more to come.
That's why we are providing services for the different kind of countries in Germany, for the Länder. For business, I'm responsible for the critical infrastructures, energy, telecommunications, and so on. Fine, but because of the new IT security law 2.0 in Germany, I became also responsible for the so-called institutions of national strategic interest. These are the big car companies, for example, like Volkswagen or also Bosch and the other ones, which are of tremendous importance for us. And then we are giving, let's say, what is the right threshold?
What is the right level of information security as I should provide. Last but not least, we are, we became responsible for society in May this year. So this is basically consumer protection and so on. And we are having it, combining it altogether to support you. And that's, it's like, that's why I'm so grateful to be here with you. Because from my perspective, we can do the preparation, CSAF, but the implementation you have to do, and to improve it continuously, we will do it together. And that's, for us information security is a teamwork, and that's why I'm here.
And thank you very much for the opportunity to speak with you. Thank you very much.