IT security for public utilities and supply companies

The functioning of our modern society is based on the constant availability of electricity, water, telecommunications, and energy. Even a temporary and local interruption in supply has an impact on individuals, businesses, and the economic and social system in general.

In particular, the threat from cyberattacks is increasing as our systems become more interconnected. In 2020 alone, over 141 successful attacks have taken place against companies of critical infrastructure or related fields. And the trend is upward.

Despite this, recent research shows that many municipal utilities and utility companies have not adequately protected their systems from attack.

IT security for public utilities
IT security for public utilities

IT security for public utilities and supply companies

The functioning of our modern society is based on the constant availability of electricity, water, telecommunications, and energy. Even a temporary and local interruption in supply has an impact on individuals, businesses, and the economic and social system in general.

In particular, the threat from cyberattacks is increasing as our systems become more interconnected. In 2020 alone, over 141 successful attacks have taken place against companies of critical infrastructure or related fields. And the trend is upward.

Despite this, recent research shows that many municipal utilities and utility companies have not adequately protected their systems from attack.

141

»SUCCESSFUL CYBER-ATTACKS WERE PERPETRATED ON GERMAN HIGHLY CRITICAL COMPANIES BY NOV 2020«
Source: FAZ

Government sets stricter compliance and IT security guidelines

The legal requirements for operators that belong to the critical infrastructure environment are higher than for private companies from other sectors.

With the IT Security Act 2.0 passed in 2021, the legislature has further lowered the thresholds according to BSI-KritisV. Thus, smaller utilities now also count as critical infrastructure, which were not previously assigned to it.

The amendment to the law therefore already affects small and medium-sized municipal utilities that ensure supplies to the local population. The focus is particularly on ensuring the supply of energy, electricity, and water supply, but also other tasks such as waste and wastewater disposal and the operation of public transport.

It is expected that this threshold will be lowered further in the future. For this reason, even smaller municipal utilities and supply companies should start addressing the issue of IT security now. And secure their systems with state-of-the-art technologies at an early stage.

Government sets stricter compliance and IT security guidelines

The legal requirements for operators that belong to the critical infrastructure environment are higher than for private companies from other sectors.

With the IT Security Act 2.0 passed in 2021, the legislature has further lowered the thresholds according to BSI-KritisV. Thus, smaller utilities now also count as critical infrastructure, which were not previously assigned to it.

The amendment to the law therefore already affects small and medium-sized municipal utilities that ensure supplies to the local population. The focus is particularly on ensuring the supply of energy, electricity, and water supply, but also other tasks such as waste and wastewater disposal and the operation of public transport.

It is expected that this threshold will be lowered further in the future. For this reason, even smaller municipal utilities and supply companies should start addressing the issue of IT security now. And secure their systems with state-of-the-art technologies at an early stage.

2 Days

»NEEDED A HACKER TO TAKE OVER THE SYSTEMS OF ETTLINGEN CITY POWER STATION«
Source: Zeit Online
Secure critical infrastructure, e.g. energy supply

The result of the test hack of Stadtwerke Ettlingen shows how vulnerable utility companies are to cyber-attacks. It becomes clear that, in addition to fail-safe physical components, software-based protection of the respective information systems and networks is crucial for the high availability of the systems.

The most important building block for a sustainable IT security strategy is the shielding of your networks from unauthorized and thus potentially harmful external access. External access does not only mean external hackers, but also the distribution of access rights to your employees. And here, the non-technical component in your IT operations is clearly at the center: the human factor, your employees.

Secure critical infrastructure, e.g. energy supply

The result of the test hack of Stadtwerke Ettlingen shows how vulnerable utility companies are to cyber-attacks. It becomes clear that, in addition to fail-safe physical components, software-based protection of the respective information systems and networks is crucial for the high availability of the systems.

The most important building block for a sustainable IT security strategy is the shielding of your networks from unauthorized and thus potentially harmful external access. External access does not only mean external hackers, but also the distribution of access rights to your employees. And here, the non-technical component in your IT operations is clearly at the center: the human factor, your employees.

Independent of the status “critical infrastructure”, strict access restriction to the various infrastructure components is essential. If you succeed in establishing logical and deep access restrictions as well as storing employee identities in a tamper-proof manner, you also protect the components behind them from attack. Without access authorization and without a digital identity card, no changes whatsoever can then be made to the system.

At the same time, protecting digital employee identities also means ensuring compliance as well as IT security requirements of the information security management system (ISMS).

Technical protection of employee identities
Technical protection of employee identities

Independent of the status “critical infrastructure”, strict access restriction to the various infrastructure components is essential. If you succeed in establishing logical and deep access restrictions as well as storing employee identities in a tamper-proof manner, you also protect the components behind them from attack. Without access authorization and without a digital identity card, no changes whatsoever can then be made to the system.

At the same time, protecting digital employee identities also means ensuring compliance as well as IT security requirements of the information security management system (ISMS).

+ 99%

»OF ALL ATTACKS REQUIRE HUMAN ASSISTANCE.«
Source: proofpoint

The 4 pillars of an Identity Protection

Identity and Access Management

Identity and Access Management

A granular identity and access management with adaptive policies allows a small-scale assignment of access and usage rights to your employees and, if necessary, partners and suppliers.

Multifactor authentication

Multifactor Authentication

A second factor for logging in increases security when accessing devices and applications. This is because only those who can identify themselves twice are ultimately granted access to the system.

Password Management

Central password management

The introduction of a central password manager increases password security in the company. Since passwords can be retrieved on demand and your employees no longer have to remember them, they use longer and more complex passwords.

Data Management

Highly secure data storage

There is data that must not be freely accessible on the company server. An encrypted storage location that is additionally secured using a second factor is suitable for this.

Identity and Access Management

Identity and Access Management

A granular identity and access management with adaptive policies allows a small-scale assignment of access and usage rights to your employees and, if necessary, partners and suppliers.

Multifactor authentication

Multifactor Authentication

A second factor for logging in increases security when accessing devices and applications. This is because only those who can identify themselves twice are ultimately granted access to the system.

Password Management

Central password management

The introduction of a central password manager increases password security in the company. Since passwords can be retrieved on demand and your employees no longer have to remember them, they use longer and more complex passwords.

Data Management

Highly secure data storage

There is data that must not be freely accessible on the company server. An encrypted storage location that is additionally secured using a second factor is suitable for this.

39 Sec.

»A CYBERATTACK TAKES PLACE EVERY 39 SECONDS«
Source: FAZ

DoubleClue for public utilities and suppliers

Meet legal requirements

Meet legal regulations

State-of-the-art access policies to comply with the IT Security Act 2.0

In order to meet the requirements of the IT Security Act, companies of critical infrastructure must take organizational and technical measures that correspond to the “state of the art”. As part of the expansion of the IT Security Act 2.0, the BSI’s strict regulations are being rolled out further. This lowers the threshold at which facilities are considered critical to society.

Thus, municipal utilities, as well as smaller private energy providers, also need deep technical protection of their systems against cyber-attacks by law.

The strong basis for meeting compliance and security requirements is the protection of digital employee identities. This includes access restrictions to critical systems and networks with deep Privileged Access Management (PAM) and strong Multifactor Authentication (MFA).

Meet legal requirements

Meet legal regulations

State-of-the-art access policies to comply with the IT Security Act 2.0

In order to meet the requirements of the IT Security Act, companies of critical infrastructure must take organizational and technical measures that correspond to the “state of the art”. As part of the expansion of the IT Security Act 2.0, the BSI’s strict regulations are being rolled out further. This lowers the threshold at which facilities are considered critical to society.

Thus, municipal utilities, as well as smaller private energy providers, also need deep technical protection of their systems against cyber-attacks by law.

The strong basis for meeting compliance and security requirements is the protection of digital employee identities. This includes access restrictions to critical systems and networks with deep Privileged Access Management (PAM) and strong Multifactor Authentication (MFA).

Safeguard control networks

Combine granular adaptive privileged access management with strong multifactor authentication

The control networks form the backbone of the public regional supply. If a disruption, failure, or even manipulation occurs here, the population is at risk. Privileged access management can be used to strictly separate the technical components from the rest of the IT infrastructure. Only individual employees, whose accesses are also subject to restrictive regulations such as location- and time-dependent logins, can access them. This prevents intrusion and manipulation of the control network by unauthorized third parties and forms the basis for strong cybersecurity in the public utility environment.

Secure control network, e.g. water and wastewater
Secure control network, e.g. water and wastewater

Safeguard control networks

Combine granular adaptive privileged access management with strong multifactor authentication

The control networks form the backbone of the public regional supply. If a disruption, failure, or even manipulation occurs here, the population is at risk. Privileged access management can be used to strictly separate the technical components from the rest of the IT infrastructure. Only individual employees, whose accesses are also subject to restrictive regulations such as location- and time-dependent logins, can access them. This prevents intrusion and manipulation of the control network by unauthorized third parties and forms the basis for strong cybersecurity in the public utility environment.

Highest IT security and best performance

Highest security—best process performance

Single sign-on makes multifactor authentication a performance booster

Often, IT security measures and performance are seen as opposites. However, this is only true if they are poorly implemented in the IT landscape. A modern solution such as DoubleClue, therefore, combines maximum security for logging on to devices and applications with simplifications in everyday work. With the integrated single sign-on platform DoubleClue MyApplications, your employees only need an MFA-protected login to the DoubleClue UserPortal. From there, they can switch between their services without interruption and without logging in again.

Highest IT security and best performance

Highest security—best process performance

Single sign-on makes multifactor authentication a performance booster

Often, IT security measures and performance are seen as opposites. However, this is only true if they are poorly implemented in the IT landscape. A modern solution such as DoubleClue, therefore, combines maximum security for logging on to devices and applications with simplifications in everyday work. With the integrated single sign-on platform DoubleClue MyApplications, your employees only need an MFA-protected login to the DoubleClue UserPortal. From there, they can switch between their services without interruption and without logging in again.

Compliance and GDPR-compliant use

Use DoubleClue on-premises or in the German cloud

Cloud applications improve workflow and make license management more flexible. At the same time, the integration of cloud implementations offers new security risks for IT landscapes. For this reason, hybrid solutions often present themselves in the area of public utilities and suppliers. As an operator, you can decide which less critical applications are available via the cloud. And which critical applications are better left on your own servers.

DoubleClue supports the diversity of your IT landscape – decide for yourself whether you want to host DoubleClue in the cloud or on-premises. With the same functionality. Because regardless of the type of implementation, you can secure all access points to your heterogeneous IT landscape with DoubleClue.

Compliance and GDPR compliant; use on-premises, in the cloud or in hybrid environments
Compliance and GDPR compliant; use on-premises, in the cloud or in hybrid environments

Compliance and GDPR-compliant use

Use DoubleClue on-premises or in the German cloud

Cloud applications improve workflow and make license management more flexible. At the same time, the integration of cloud implementations offers new security risks for IT landscapes. For this reason, hybrid solutions often present themselves in the area of public utilities and suppliers. As an operator, you can decide which less critical applications are available via the cloud. And which critical applications are better left on your own servers.

DoubleClue supports the diversity of your IT landscape – decide for yourself whether you want to host DoubleClue in the cloud or on-premises. With the same functionality. Because regardless of the type of implementation, you can secure all access points to your heterogeneous IT landscape with DoubleClue.

+ 600%

»INCREASE IN PHISIHING MAILS IN 2020.«
Source: ENISA

Appoint individual consultation

Appointment calendar: Book individual consulting appointment "IT security for public utilities"