April 2022 issue

Field report: Fundamental security review of the ICT infrastructure

In recent months, the Cybersecurity Learning Lab has conducted a fundamental security review for a local industrial company with the aim of obtaining and evaluating an overall view of the current status of implementation of the relevant technical security measures in the company.  A methodical procedure model based on IT-Grundschutz (IT-GS) was used for this purpose, which enables a quick, technical entry into the security management process with manageable effort. 

The security review was based on the methodology of basic security according to IT-GS and comprised three phases:

  • the ACTUAL analysis of the inventory documents and ICT systems,
  • the TARGET analysis with consideration of the security requirements,
  • Evaluation of the analysis and recommendations for future measures.

In the ACTUAL analysis, the first step was to take stock of existing ICT infrastructure and security processes. To this end, all available relevant documents were analyzed (e.g., network structure plans, configuration of security-relevant hardware and software components, floor plans with recorded security-relevant ICT components, etc.).

Furthermore, a TARGET/ACTUAL comparison was performed on the basis of the inventory. The recorded ICT infrastructure and its current security status were compared with the building blocks derived from the BSI Basic Protection Compendium and the associated security measures, as well as the company's internal guidelines, and evaluated with regard to the degree of implementation of the security requirements.

Finally, the results of the TARGET/ACTUAL comparison were evaluated. If deviations were found between the current implementation status and the relevant requirements, the threat risk of the identified vulnerabilities was assessed and possible attack scenarios were described.

The "Basic Security Review of the ICT Infrastructure" project is considered a fundamental component of the security concept in accordance with BSI-Grundschutz and represents a suitable starting point for the company for further security considerations, e.g., in the form of a real test of the security measures by replicating real attacks or preparation of the security process with regard to certification in accordance with ISO 27001.

Fraunhofer | Grafik
© Fraunhofer | Grafik

Research: Project reDesigN - A Cyberresilient Energy Management System

Fraunhofer | Grafic reDesigN
© Fraunhofer | Grafik reDesigN

The BMBF project reDesigN (Resilience by Design for IoT Data Platforms using the Example of Distributed Energy Management), launched in May 2019, addresses resilience aspects in the smart metering use case with a focus on the central energy management system (EMS). Based on an architecture description derived from the intended smart meter rollout, Fraunhofer IOSB-AST together with the project partners from Ilmenau University of Technology, EFR GmbH and Cuculus GmbH considers different aspects of data processing with the goal of resilient energy management. Based on a comprehensive threat analysis with the identification of the existing communication architecture and possible disruption and failure scenarios, an EMS hardened to it is designed that detects anomalies and adapts the methods for forecasting and optimization to them.

In terms of IT security, the use case of the project with the connection of a smart meter architecture wih the coupling to a central EMS via public networks represents a special challenge. The security aspects required by the BSI for the communication and the components of the smart metering infrastructure serve as a basis for identifying possible failure scenarios. Within the project reDesigN, possible impacts of the identified threats and failures are considered and countermeasures to increase resilience are proposed.

Blog post: Russian attack on Ukraine: The digital threat situation for Germany

Fraunhofer | Blogbeitrag
© Fraunhofer | Blogbeitrag

As a result of the Russian attack on Ukraine - including numerous hacker attacks on essential systems - there is now also talk of an "abstractly increased threat situation for Germany" according to the Federal Office for Information Security (BSI). What specific threats to corporate IT security can be expected and what can and must be done now? Read more about this in our latest blog post:

Introduction of the staff of the cyber security learning lab for energy and water supply.

Fraunhofer | Dipl.-Ing. Steffen Nicolai
© Fraunhofer | Dipl.-Ing. Steffen Nicolai

Today we introduce you to Steffen Nicolai - our project manager of the Cybersecurity Learning Lab for Energy and Water Supply. Steffen has been working at Fraunhofer IOSB-AST for 22 years. In this interview, he explains what makes his job as project manager in the learning lab particularly exciting.

 

What exactly do you do in the learning lab as a project manager?

Our cybersecurity learning lab covers the entire spectrum from the development of training and service offerings in the field of cybersecurity for energy and water supply based on the results from our current research projects in this topic area and flanked by a comprehensive laboratory infrastructure with the requirement for a high degree of topicality. This, of course, requires the project manager to primarily coordinate all these activities, facilitate new projects both from the industrial sector and in the form of publicly funded projects. Developing the strategies for the further development of the learning lab in terms of topics and content together with the team also plays a very important role in my work. In addition, there are also numerous tasks related to the external presentation of the learning lab. Not least in this newsletter.

 

One of your many tasks in the learning lab is strategic orientation and project coordination.  What is most exciting about these tasks?

IT security has become enormously important in recent years as a basis for the secure supply of energy and water. Our learning lab covers very many aspects of this cybersecurity and has a very strong connection to current research topics, also always with a focus on the technical process. I find it a very exciting task to translate the current developments in this field and the requirements of our customers into an approach and to implement it together with the learning lab team. Especially the comprehensive competences of the colleagues in terms of cybersecurity or in the didactic area make it possible to place very good results in the form of service offers. 

 

You have been part of the cybersecurity learning lab (LLCS) team since the very beginning. Thinking backwards, where do you see most of the project's developments?

I see one of the biggest developments in our learning lab as being the development of continuing education courses to meet the needs. I want to tie this to the establishment of our Technical Intensive Trainings. Starting from what was originally a very academic idea for a training program with a high practical component, we were able to develop a tailor-made service offering in intensive discussions with companies in the energy and water supply sector. This is based on the mobile training platform we developed and enables us to meet the needs of our customers very flexibly with regard to the further training of their specialists in the fields of secondary technology, telecontrol technology and control technology. The companies have a very high recognition value for their current topics and the training participants can immediately apply the imparted knowledge in their daily work.

 

You have been working in the field of cyber security for a long time. Where do you see the biggest challenges for energy and water utilities in the context of cybersecurity today?

Energy and water utilities are, of course, undergoing very big changes in the wake of decentralization and digitalization. Our perception is that companies are making very great efforts in terms of cybersecurity and that a good level has already been reached. However, especially in the area of OT, i.e., process IT, digitization first of all leads to a mix of old and new world with the challenges such as performing threat analyses and system hardening for such heterogeneous structures. In addition, OT systems and their communication protocols have not yet received the same attention as office IT, for example, in terms of procedures and systems for threat detection and mitigation. And last but not least, the security awareness of the employees is of course a decisive factor for the overall security of a company. These points are then also the topics that we address very strongly in our training and service offerings. 

 

Describe the LLCS for energy and water supply at Fraunhofer IOSB-AST in three words.

Research-based, customer-oriented, practical.

Our training offer:

You can find the current training dates here: