In recent years, the use of cyberattacks for criminal as well as military purposes has increased. Targets are private companies as well as governmental agencies and critical infrastructures. The attackers' goals range from extracting ransoms to silently infiltrating systems or disrupting operations. For example, the impact of the use of cyberattacks in the war between Russia and Ukraine could even be felt in such a remote place as Aurich in Germany. A Russian cyberattack had targeted modems that were used for Ukrainian communication. But these modems were also used to connect to 5800 wind power stations in Germany, which were equally affected by the damage the attack caused to the modems. Fortunately, direct access to these stations was not disrupted and they continued to operate normally. But it was not possible to conduct remote maintenance operations on them. In order to regain full operational capabilities, the modems had to be replaced, which took quite a long time because of the worldwide shortage of hardware components. While the effects of the disruptions were only marginal, the incident still highlights the need to increase the overall resilience of wind parks and other critical infrastructures in Germany, which is one of the key tasks of the newly founded “Agentur für Innovation in der Cybersicherheit”, Cyberagentur for short.
Research question: How to improve cybersecurity in the future?
One of the more straightforward research ideas is to simply reduce the likelihood that a system can be infiltrated and its operation disrupted. Future tools could for example help to automatically detect weaknesses in a system and automatically fix them. In addition, the software could also detect if an attacker has already infiltrated a system and initiate a forensic analysis in order to determine the origin of the attack. While the development and research of such a tool for information technology (IT), operational technology (OT) and IT/OT systems is difficult, it is conceptually similar to how systems have been protected in the past.
A different approach is to develop hardware and software that is inherently secure. While the formal verification of a complex system, i.e. a mathematical proof that it is completely secure, may be impossible to accomplish, it might be possible to develop a barebone system consisting of hardware and software that is verified. This basic system could then serve as a backbone of more complex systems and software and thus ensure that they are secure at the most basic level. So far, such a system has not been fully developed, which makes it an ideal research question for the Cyberagentur.
What conclusions can be drawn from the wind farm disruption?
In the initial example of the wind power stations, four additional aspects pose interesting research questions. First, the attack impaired the ability to perform remote maintenance work. Current research in AI is exploring how systems can be self-aware, i.e. how they can monitor their own status and how they can autonomously initiate and perform their own maintenance. Is it possible for such an artificial system to “heal itself” in the future? Second, repairing the damage involved replacing the affected modems with different models. This exchange proved difficult because of a worldwide shortage of relevant hardware. To retain digital sovereignty, it may be necessary to research novel hardware and build up national manufacturing capabilities, in our case in Germany. Novel hardware could for example require fewer precious minerals, ideally only materials that are available in the individual country. Third, the modems were necessary in order to establish communication with the individual wind power stations. This connection is reliant on a functioning space infrastructure. But alternative modes of communication, i.e. independent of space, could increase the resilience and provide another layer of redundancy. And finally, the wind farms in the future will most likely be located offshore. It will then be necessary to better monitor these parks, which necessitates the ability to detect anomalies in the air, on the water and below the water and to quickly identify what type of anomaly it is, i.e. friendly or hostile. All these challenges and research questions fall within the prerogative of the Cyberagentur to review, assess and possibly contract research.
Conclusion: Cybersecurity needs to be the gold standard.
The case of the Russian cyberattack has shown that cybersecurity needs to be incorporated into the design and operation of any system. Cybersecurity-by-design has to become the gold standard. The Cyberagentur supports this approach by commissioning high-risk, high-reward research projects that will ensure Germany's digital sovereignty in the future. Fortunately, the Cyberagentur is not the only actor in Europe dedicated to improving cybersecurity. At the European level, the Joint European Disruptive Initiative (JEDI) launches GrandChallenges that aim to push the frontier of science further. While it is not exclusively focussed on cybersecurity, the digital domain, alongside environment, healthcare, education, oceans and space, is one of the six major societal challenges they have proposed. On a national level, France for example established its Defence Innovation Agency in 2018. Similarly, the UK launched a Defence Innovation Initiative in 2016, which consists of a Defence and Security Accelerator as well as a Defence Innovation Fund. What these initiatives and agencies all have in common is their focus on high-risk projects and their emphasis on the potential benefit of research rather than thwarting it by highlighting the potential risks of failure. It is this spirit of going forward and ‘doing the research’ instead of theorising that will ensure Europe’s security and prosperity in the future.
Introducing the Cyberagentur
It is the mission of the Agentur für Innovation in der Cybersicherheit (Cyberagentur) to contract disruptive research projects in the field of cybersecurity and related key technologies. It thus finances research with a horizon of ten to 15 years that is strategically important for Germany's internal and external security. The agency was established by the federal government as an in-house company under the joint leadership of the Federal Ministry of Defense and the Federal Ministry of the Interior and Community. Projects are commissioned that are highly innovative but at the same time involve a high level of risk with regard to achieving their objectives.
While the specific cyberattack on the modems of an energy provider is at first glance an issue for the Federal Office for IT security (BSI), which was indeed involved straight away, it also pertains to the work of the Cyberagentur. Several elements of this attack and its aftermath present key challenges for the future of our security and the capabilities of security actors in Germany. These challenges are:
- How can we better protect our critical infrastructure against cyberattacks?
- How can we react faster to a cyberattack?
- How can we improve our ability to recover from a cyberattack?
While there are immediate measures, e.g. as discussed and proposed by the BSI, that can be taken to generally maintain a high level of security for critical infrastructure providers, a look into the future presents possibilities and opportunities. However, these need to be pursued now to reap the benefits then. So, what are possible answers to the three questions and how does the Cyberagentur pursue these answers?
This article is part of issue 02-2022 of the German Wind Power Magazine, the international magazine of the German Wind Energy Association (BWE) about innovations of the German wind industry.