The German Informatics Society (GI) has used the recent reporting on poorly secured water and sewage treatment plants as an opportunity to draw attention to the need for information security at utility companies.
The ‘Act to Increase the Security of Information Technology Systems’ (IT Security Act), in force since 2015 and expressly welcomed by the GI, currently applies to only a small minority of supply facilities in Germany, because the ‘Ordinance to Determine Critical Infrastructures According to the BSI Act’ (BSI Critical Infrastructure Ordinance, BSI-KritisV) sets a threshold of 500,000 supplied residents.
GI Junior-Fellow Tim Philipp Schäfers, who also uncovered the security deficiencies, said this is a weak point of the current legislation.
“Systems that supply fewer than half a million people are not considered critical infrastructures and therefore do not have to implement the legal requirements of the IT Security Act, although they sometimes also provide essential services for society. As smaller providers do not usually have government controls in place, some operators have not even taken absolutely basic security measures,” he said.
For this reason, the GI has demanded a reduction in thresholds and stronger controls with regard to compliance with legal requirements by authorities.
Prof Dr Hannes Federrath, President of the GI and IT security expert, also criticized the general orientation of Germany’s current cyber security policy in this context, saying: “With its current cyber security policy – such as the establishment of the Bundeswehr’s Cyber and Information Space command, the purchase of IT security gaps for intelligence services and the creation of the Central Office for Information Technology in the Security Sector (ZITiS) – the Federal Government is pursuing a predominantly offensive cyber security policy. These measures and in particular keeping IT security gaps open, for example in widespread operating systems, massively weaken IT security. While individual authorities, such as the Federal Office for Information Security (BSI), contribute to strengthening IT security, this performance is undermined by the work of other authorities”.
The GI has called on the Federal Government to abandon its current predominantly offensive cyber security policy and its participation in the “digital arms race”. It says a shift to a responsible, defensive cyber security policy is necessary.
The building blocks of a new IT security strategy should be the establishment of an independent Computer Emergency Response Team (CERT), the establishment of an inter-agency process for dealing with IT security gaps and the promotion of international standards. Appropriate measures could ultimately avoid wasting resources and create a sustainable basis for the secure operation of critical infrastructures.