BSI report: “Threat situation in the KRITIS sector remains at a high level”

SECURITY INSIGHTS | 26 October 2020

CRITIS operators across sectors face DDoS and ransomware attacks in particular. Complex DDoS attacks on banks caused disruptions in payment transactions. Protective measures at all relevant levels are necessary for successful defense.

The number of reported security incidents in the area of critical infrastructure (CRITIS) has increased significantly. In total, the Federal Office for Information Security (BSI) was informed of 419 incidents by CRITIS operators between June 2019 and May 2020. This is two-thirds more than in the previous year (252 reports) and almost three times as many as in 2018 (145 reports). This means that the threat situation in the CRITIS sector remains at a high level, as the BSI notes in its latest situation report. Overall, the authority describes the IT security situation in Germany as “tense”.

The healthcare sector accounted for the most CRITIS notifications in the reporting period (134), followed by information technology and telecommunications (75), energy (73), and finance and insurance (65). The BSI also received notifications from the transport and traffic (56), food (9) and water (7) sectors.

Increased DDoS attacks on the financial sector

According to the BSI, the failure of IT infrastructures was the most frequent reason for reported incidents. The causes of failure included technical failure, organizational problems, disruptions to external services, application or configuration errors, and cyberattacks. In the case of the latter, distributed denial of service (DDoS) attacks and ransomware attacks were at the forefront across all sectors.

For example, in the first quarter of 2020, DDoS attacks on IT infrastructures and online services of banks led to disruptions in payment transactions. “Targeted attacks occurred on several days, in the course of which changing or evolving attack patterns were recorded,” the BSI situation report states. Initially, DDoS mitigation measures had only a limited effect. Successful defense was only possible by adding further measures, among others against attacks on the network and application level.

Comprehensive DDoS defense only with Layer 7 protection

These observations are consistent with our experience: attackers often combine several methods during a DDoS attack to overload system resources or network bandwidth. In order to detect and fend off as many attacks as possible, DDoS protection solutions are required that filter traffic not only at the network and transport layer (Layers 3 and 4), but also at the application layer (Layer 7). Attacks on Layer 7 are not detected by protection systems for Layers 3 and 4, because such systems cannot, for example, tell the difference between a malicious HTTP request and a legitimate download.

In practice, Layer 7 protection is often neglected once protection exists at Layer 3 (IP) and Layer 4 (TCP/UDP). However, attacks aimed at stealing confidential data in particular can only be detected and defended against with holistic Layer 7 protection.
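To illustrate the point above, the following added example (not code from the BSI report or from Myra) contrasts what a pure volume view sees with what a Layer 7 view sees over a constructed web-server access log: a client fetching one large file moves far more bytes than a client flooding a dynamic search endpoint with small requests, yet only the latter is a Layer 7 flood. The list of "dynamic" endpoint prefixes and the thresholds are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample access log (not real traffic): client A fetches one large file in two
# requests; client B sends 40 small requests to a dynamic endpoint within the same 10 s window.
SAMPLE_LOG = [
    '203.0.113.10 - - [26/Oct/2020:10:00:01 +0000] "GET /downloads/report.pdf HTTP/1.1" 200 52428800',
    '203.0.113.10 - - [26/Oct/2020:10:00:09 +0000] "GET /downloads/report.pdf HTTP/1.1" 206 26214400',
] + [
    f'198.51.100.7 - - [26/Oct/2020:10:00:{i % 10:02d} +0000] "GET /search?q=x{i} HTTP/1.1" 200 512'
    for i in range(40)
]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)$')
DYNAMIC_PREFIXES = ("/search", "/api/", "/login")  # assumed: expensive, uncached endpoints


def parse_line(line):
    """Return (client, method, path, status, bytes) or None for an unparsable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, method, target, status, size = m.groups()
    return client, method, target.split("?", 1)[0], int(status), int(size)


def bytes_per_client(lines):
    """What a volume-based (Layer 3/4) view sees: only who moved the most bytes."""
    totals = defaultdict(int)
    for rec in filter(None, map(parse_line, lines)):
        totals[rec[0]] += rec[4]
    return dict(totals)


def flag_l7_floods(lines, window_s=10, max_rps=2.0, min_dynamic_share=0.8):
    """Layer 7 view: flag clients whose request rate to dynamic endpoints exceeds max_rps.
    The window is assumed to cover all supplied lines (the caller pre-slices by time)."""
    reqs, dyn = defaultdict(int), defaultdict(int)
    for rec in filter(None, map(parse_line, lines)):
        reqs[rec[0]] += 1
        if rec[2].startswith(DYNAMIC_PREFIXES):
            dyn[rec[0]] += 1
    flagged = {}
    for client, n in reqs.items():
        rps, share = n / window_s, dyn[client] / n
        if rps > max_rps and share >= min_dynamic_share:
            flagged[client] = {"rps": rps, "dynamic_share": share}
    return flagged
```

Run against the constructed log, `bytes_per_client` ranks the downloader first, while `flag_l7_floods` flags only the client hammering `/search`.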

According to the BSI Act, CRITIS operators are obliged to take appropriate precautions to prevent disruptions to the availability, integrity, authenticity and confidentiality of information technology systems, components and processes in accordance with the “state of the art”. This includes comprehensive DDoS protection at all relevant levels. Myra DDoS Website Protection and Myra DDoS BGP Protection together provide this complete protection.

Myra DDoS Protection protects fully automatically

Myra DDoS Protection fully secures websites, web applications and APIs at Layer 7 from the first request. Thanks to 100% traffic visibility, Myra enables intelligent load balancing and site failover with high reliability and minimal response times.

Myra DDoS BGP Protection protects IT infrastructures against volumetric attacks on the network and transport layer (Layer 3 and 4). Detailed traffic analyses are possible via automatic flow monitoring. In the event of an attack, the affected networks are switched over fully automatically.
