Securing OT for German Industrial Manufacturers and KRITIS Operators

19 Oct 2022

A decade ago, most German industrial manufacturers and critical infrastructure (KRITIS) operators were dealing with IT security, but were less focused on securing their operational technology (OT).

Today, the environment is fundamentally different. That is because industrial manufacturing and KRITIS environments rely on increasingly connected IT, OT, and industrial IoT networks. This increases their digital attack surface, making it more attractive for cyber threat actors to target German industries and infrastructure business operations.

Additionally, organizations must not only safeguard their business continuity and operational resilience, but also comply with stringent German and EU regulatory requirements. Non-compliance can result in administrative offences and fines, and can affect their businesses and shareholders.

History of attacks on German industrial manufacturers and KRITIS operators

Protecting against cyber attacks that target manufacturers and critical infrastructure operators is a real-world priority, not a theoretical concept.

In January 2022, two German fuel storage and distribution companies were hacked. Three German wind energy companies also fell victim to cyber attacks shortly after Russia invaded Ukraine. Three years ago, Munich-based auto manufacturer BMW discovered that its internal network was hacked. The country’s largest pharmaceutical company Bayer AG also experienced a cyber attack on its networks.

Each of these real-life OT and IT security events impacted KRITIS operators and industrial manufacturing companies, as well as businesses and end-users in their supply chain.

German energy security and Russia

In the weeks leading up to its invasion of Ukraine, Russian hackers were reportedly focused on cyber attacks against dozens of LNG companies. When the war started, Germany and other EU countries immediately faced energy supply chain security issues, causing EU countries to reduce their reliance on Russian gas and oil imports.

Germany seeks to meet the country’s LNG storage needs before winter arrives. According to Der Spiegel, however, “[i]f severe gas shortages begin developing, industrial consumers would be the first to suffer” since German law gives consumers and healthcare organizations priority for LNG supplies.

Russia’s weaponization of energy supplies, ongoing cyber security risks, and the potential for more attacks against German KRITIS operators and industrial manufacturers cannot be ignored. In this environment, it is wise for such businesses to implement comprehensive OT security risk management. Doing so can help them protect business continuity, maintain operational resilience, and comply with a growing number of German and EU regulations.

Enhanced German and EU regulatory requirements

In the face of continually evolving cyber risks and attacks against German businesses, critical infrastructure, and government agencies, the country continues to strengthen its cyber regulations. These include the IT Security Act 2.0 laws and enhanced KRITIS security regulations and reporting requirements. The compliance directives impact industrial manufacturers and critical infrastructure operators significantly.

Germany’s BSI, the country’s federal cyber security agency and chief architect of secure digitalization, is responsible for enforcing compliance with these laws and regulations. KRITIS operators are required to implement mandatory systems and processes for detecting cyber attacks, report incidents, and register with the BSI.

Germany also expanded its classification of KRITIS operators to include municipal waste management companies, the defense industry, and “companies of particularly high economic importance.”

Industrial manufacturers and KRITIS companies must also comply with EU regulations like the European Parliament’s NIS 2 Directive. The legislation will set the baseline for cybersecurity risk management measures and reporting obligations to “achieve a high common level of cybersecurity across the Member States.” The EU law will affect many sectors, including critical infrastructure, energy, transport, and health. Under NIS 2, all German companies that provide essential services and have infrastructure in the EU will be regulated and supervised for their cyber security compliance under European law.

OTORIO’s OT security solutions

OTORIO and our technology partners like Atos have extensive experience helping German industrial manufacturers and global critical infrastructure operators comply with OT and IT regulations, both governmental and industry-specific ones. We serve a wide range of industries and critical infrastructure companies. OTORIO offers oil and gas cybersecurity for refineries and suppliers, automotive cybersecurity, and security solutions for pharmaceutical companies, amongst others.

This includes:

  • An OT security solution for ongoing compliance verification, risk assessment, management, and monitoring
  • Periodic risk assessments of operational networks, and
  • Automating cyber security compliance over an industrial machine’s lifecycle

Meet OTORIO at the IT-SA Expo & Congress 2022

Learn more about OTORIO’s OT security solutions for industrial manufacturers and KRITIS operators at the 2022 IT-SA Expo & Congress from 25-27 October in Nuremberg, Germany. Speak with our OT cyber and digital security experts in Hall 6 at Booth 6-101. We look forward to seeing you there!