In this episode of OT Security Made Simple, Götz Schartner, Managing Director of SOC service provider 8com and cyber insurance consultant, shares his experience of the most common attacks. He explains why OT security still receives too little attention and why this could be a company's biggest mistake.
Transcript
Klaus Mochalski
Hello and welcome to a new episode of the OT Security Made Simple podcast. My guest today is Götz Schartner. I'm going to hand over to you, Götz, to introduce yourself, because what you're about to tell us and what you do also introduces the topic we want to talk about today. So without further ado to you.
Götz Schartner
My name is Götz Schartner, founder and managing director of 8com and part-time consultant for various cyber insurance companies. I am an insurance broker who examines security incidents that subsequently lead to claims for damages. 8com is a classic operator of a security operations center. The company has been around for 20 years and we deal with all kinds of cyberattacks on a daily basis.
Klaus Mochalski
So your business consists of dealing with cyberattacks at your customers' facilities. This means that you also carry out incident response. When incidents occur, your customers call you and expect your help. Can you put it that way?
Götz Schartner
Well, of course it depends a bit on what kind of customer it is. Our SOC customers don't call us directly, instead we see exactly what is happening ourselves. This means that we can almost always react very, very promptly and in good time, and at least protect the customer from the effects, because we then intervene during initial access. And then, of course, there are these classic incident response retainer contracts. In other words, customers call us: We've been hacked, please help us get out of here.
Klaus Mochalski
Does that mean you are in both a reactive and a proactive role?
Götz Schartner
Exactly.
Klaus Mochalski
Yes, I think that's important to understand. Beforehand, we had talked about classifying the types of incidents you observe. Let's just look back over the last twelve months. Can you briefly summarize what the most common types of incidents are that have been observed most frequently in the last twelve months, both in the proactive, i.e. in the SOC area, and in the reactive area, in the incident response area? And then, since our podcast is about OT, Operational Technology, i.e. the part of IT that is usually found in industrial plants where measurement, control and regulation are involved, can you also classify what proportion of pure OT incidents you see there?
Götz Schartner
So the most common incidents, which at first glance do not have such a big impact on organizations, companies, authorities or other institutions, are of course many credential attacks. In other words, Microsoft Cloud 365 is often configured incorrectly, e.g. only with single-factor authentication. And then people try to get in. That's the routine standard that happens every day, I can't even say how often.
Klaus Mochalski
Perhaps briefly about these cases. Do you also treat these cases as incidents or is this more of a log message?
Götz Schartner
So if we become aware that a customer is likely to have had unauthorized access, this is an incident - depending on the customer's overall structure, we also assess this as potentially critical. This can be the initial access to a large-scale cyberattack. So this can really only be the first step towards going further. This means that the entire incident management system is actually ramped up very, very quickly, usually within a few minutes, in order to respond. Always assuming that the customer structure is right and fits, that you can see it, distinguish it, recognize it and react to it. After all, we also need the ability to react.
Klaus Mochalski
Yes, I think it's important to understand that you also take such things seriously, even if they can occur quite frequently and perhaps have no consequences at first.
Götz Schartner
Yes, exactly. So that's the first step. The thing that has the biggest impact is what can come afterwards, i.e. after the classic potential mail login - let's just call it a ransomware attack. This is what is also present in the media when large companies - such as a well-known battery manufacturer that had to cut back its production [note: this refers to VARTA AG, which was the victim of a successful attack in early 2024] - partially shut down because data is encrypted and the entire company may no longer be able to operate afterwards. This is also something that is happening more and more frequently.
Financial manipulation is less common at the moment, but it does happen. The best-known case is the payment diversion attack, where attempts are made to change bank account details. Either through fake messages along the lines of: one of your suppliers contacts you via a genuine email address and says they have new bank details. There may also be a real team call with the right person, who then speaks to the purchasing or finance department. You can't tell the difference these days. That's the worst thing.
We also do this live in lectures. It's actually quite funny until you know the impact. Then it's no longer fun. You have to differentiate. And then, of course, there's always the classic fake president. So, someone calls you and says: I'm the boss, transfer money to me. That still works well. The losses are in the millions every year.
Klaus Mochalski
I can also confirm this from my own experience. Rhebo is not a very big company. But even we've had this happen once or twice a year in the last five years. My head of finance called me and asked: Did you send me the email with the bank transfer? And yes, we were not affected. Thank goodness. But we can actually observe that too.
These attacks with a specific financial background are of course very interesting, also for us as a company. But today's podcast is about OT security. Do you also have customers who operate OT infrastructures in addition to the classic IT infrastructure in the office environment, i.e. production plants with automated control systems or energy supply companies where the substations are controlled remotely? And what proportion of your customers are these? Very roughly.
Götz Schartner
Our proportion of customers who also use OT should be just over 70 %. The classic customer for us is either a utility company - energy, electricity, everything that goes with it, water, gas - or of course a classic industrial company with production. There are very few of our customers who don't have OT. Sometimes only secondary OT, which is relatively uninteresting, but very many with relevant OT. As far as we know, we have never experienced direct attacks on it, which is always very interesting. Of course there is damage, there are impairments because attacks simply spill over. That does happen. So it's classic collateral damage. But as things stand today, we are not experiencing this.
Klaus Mochalski
This somewhat confirms what you hear in many different places when you follow the discussion in specialist circles. The examples of Stuxnet and Industroyer are repeatedly cited. But if you're out and about in the field yourself and look after customers, even in significant numbers, as you do, then statistically there are relatively few pure OT attacks. We can also confirm that.
In other words, there are these spillover attacks where IT is compromised, so to speak, and then perhaps areas of OT are also compromised due to weak internal network segmentation. Or that the IT is simply no longer available and the OT systems can therefore no longer access certain data systems, which has an impact. We also very, very rarely observe pure OT attacks.
This raises the question - and we often speculate and talk about this with our customers and partners - why do you think this is the case? We keep talking about the fact that OT systems - software, hardware - are vulnerable. We also observe this on a daily basis. In our security analyses, which we carry out for all new customers, we always find things that can be exploited. These are outdated firmware versions, poor configurations, systems and ports that are open to the outside world and the internet. In other words, these vulnerabilities are definitely there. Why do we still see so few targeted attacks on the OT infrastructure, even though there is so much talk about it?
Götz Schartner
So that's speculation, of course. There are targeted attacks on OT infrastructures and this is happening every day in Ukraine, where Russian hacker groups, you can say that quite openly, are deliberately destroying them. And that's exactly why it's not happening here. We are not currently in a state of open war, because that is what we are talking about. So if another nation or hacker groups were to deliberately destroy our energy supply, NATO would speak quite openly - there are now various agreements on this - that this is an act of war and would be responded to accordingly. We don't have that [here in Germany].
The crime we deal with is usually pure crime. Groups that want to make money. In other words, they penetrate somewhere, encrypt data, but still give this exit to say: You pay money and then we decrypt. And we also say how we got in. We show where the backdoor is. So it's a pure business, not exactly legal, but that's what it's based on.
OT security, what we know today, what we observe from afar because we haven't experienced it ourselves, is generally purely destructive. Destruction works very well, very easily, and today - thank God - we don't seem to have anyone doing that to us yet. [8com’s] work environment is primarily companies and organizations within the EU and a little bit in North America, of course. That is our primary focus.
But... and now you have to be very, very careful. I founded the company 8com 20 years ago and carried out penetration tests back then. Now I'll explain what happened. We hacked banks and showed how we could get in. For me it was obvious that the bank manager would immediately open his cash box and say: Hey, you're getting real money here, protect us. But the reaction was zero. Then we thought: well, they probably haven't understood it. Then we said [to the banks]: Can we carry out a test by showing how we manipulate your main accounts? They said: That's not possible!
So we showed them how we manipulate the main accounts from the outside so that nobody can see - because I only have a control on the screen - that we have manipulated it. [I then thought]: But now there must be real money for security concepts. But it didn't come at all. They were horrified [but nothing else]. Then we showed them how we empty ATMs. And we did it digitally. Not by blowing them up or breaking them somehow, but by hacking into the cash register systems again and then manipulating the entire cash register system so that we could simply get money out. They were extremely nervous, you could tell, it was a bit psychological, but nothing really happened. Why? Because at that time there were no real attacks.
That has changed radically today. It's no longer like that. So, the attacks are there. We are talking about the evolution of crime. Just because there are no massive attacks on OT here in Germany or in the EU today doesn't mean that they won't start tomorrow. And it will start at some point. It's just a question of time until the classic IT attacks are no longer so relevant in monetary terms. And then the next stage will begin. We just don't know when. The [mistake] is just to wait for it. It used to work because a large criminal subculture didn't form overnight. It formed gradually. It started very, very small with hacker groups in online banking fraud. For example, at some point they tried to install a Trojan on Claus Weselsky's [Note: currently Federal Chairman of the Union of German Locomotive Drivers] private computer to access his PIN and TAN and then make a small transfer using his credentials. And so they slowly grew, from small, very primitive online banking scams to better and better ones, until all these high-grade ransomware groups emerged today. It was a process that took many, many years.
Our problem today is that the switch to a different technology, to a different target - I'm exaggerating now, but - can ultimately happen overnight. Because the groups are there, the money is there, the technological know-how is there, the criminals' entire infrastructure is there too.
It's not just that I need a coder to build the attack. I need everything: people to carry out the attacks; people to monitor them and operate the business model; the whole payment area, a financial area, because the whole thing has to be monetized somewhere. It's all there today.
And that's why I'm arguing that even if we don't see anyone specifically attacking OT today, that doesn't mean it won't happen tomorrow. If you haven't taken precautions by then, you can say your prayers. Because even with Rhebo, OT security can't suddenly be implemented across the board overnight.
Klaus Mochalski
Well, it never is. There are always relatively complex processes that have to be adapted, established and improved. You have to have the right tools, the right service providers at the start, and that takes quite a while. We know that from IT security.
To summarize what you said, there is currently a lack of compelling motivation on the part of the perpetrators. State actors, sure, we're watching them. But it's about sabotage, destruction and not financial interests. We see that in Ukraine, as you said. With organized crime, with ordinary crime, I'd like to call it that, it's all about making money. And that is still easy at the moment and also possible on a large scale in IT. There is a much, much larger attack surface than in OT and the procedures are also very, very well established there. These are industrial sectors that are very professionalized. In other words, you can buy complete service packages where everything is handled right through to payment. As you described, it's almost like a consulting business. And as long as it's so lucrative, there's little motivation on the part of the attackers to take care of something new [like OT].
The technical means, the attack toolkits that are used [in IT], are also established and work. You can also find a lot of expertise there. And if you now want to target the OT infrastructure, that means a lot of new investment on the part of the perpetrators. And we all know - as you have confirmed - that it can happen, it is already possible today. It happens less than you would expect. But that doesn't mean you can think you're safe and don't have to do anything.
What would be the right course of action from your point of view? If I am the CEO of a medium-sized industrial company with 500 to 2000 employees, with relatively complex automated production here in Germany, if I want to protect myself against such attacks, not overnight, but within a foreseeable period of time. What approach do you recommend to your customers? It's certainly not just: Install this tool, then you're secure.
Götz Schartner
No, that doesn't work. It always starts right at the beginning, with risk management. I need a management process behind it. I need to understand and assess the risks. That's the alpha and omega, and it has to translate into money afterwards. What does that actually mean if scenario A, B, C, D, E occurs? Then - based on this risk assessment - you start to create a concept, to say: How can I prevent or at least reduce the probability of occurrence? How can I then recognize an attack when it starts and actually take active action against it?
This is actually always the standard procedure. The first thing is to understand the risk. Incidentally, management is also legally obliged to do this to a large extent, even if, as things stand today, liability usually only arises post mortem after the damage has occurred. It is very likely that we will see an amendment to this in the course of this year, because this threat of liability for the management is generally not even considered. And we are assuming that this EU directive, NIS2, will actually change things massively by actually prohibiting non-liability. To say: The management, the board of directors must be held liable! Because the attacks are preventable, we must not forget that. This is not rocket science. These are completely normal, standardized procedures by criminals. Very few of them are highly innovative. And that is why this is actually the procedure for companies: 1. risk management assessment, i.e. understanding the risks. 2. think about how to reduce the attack surface. And then thirdly, how can you detect attacks and how can you react to them.
Klaus Mochalski
Thank you very much for that. That's perfect. I would like to mention this exact message, which we have also discussed repeatedly in various previous episodes of this podcast. That this is the right thing to do. In one of the last episodes, I talked to a guest about the fact that it's not about assessing OT risk separately, but that it has to be assessed in the context of my organization, just like any other risk for my business. And I have to treat it as such.
Now you've mentioned NIS2, the amendment to the Network & Information Security Directive, which must be implemented into national law in all EU member states [by October 17, 2024]. The timetable is defined, the clock is ticking. From your point of view, is the whole thing overshooting the mark? There is a very active discussion going on right now. Is this exactly what we need? Or is it overburdening companies, as many claim?
Götz Schartner
It's not overshooting the mark at all. We have to look at the damage we already have today. Depending on which statistician you ask, we're talking about hundreds of billions in the German economy, or perhaps even more. And that's all still relatively moderate. So, it could get much worse. Should we really get into a conflict, not a military one, and we are suddenly completely without electricity, we can no longer produce, we can no longer supply food or pharmaceutical products. We won't survive that. So it's not overshooting the mark.
The problem is quite simply that companies generally do too little. As an assessor, I can say this quite bluntly. In almost every report that I prepare for my insurance company, there is always an addendum that simply says - and now we are getting into a formulation that normally only lawyers are entitled to use, and - to make this clear - I myself am not a lawyer: This damage was deliberately tolerated. Because everyone knows that it will go wrong. So every IT professional is generally aware of the problems. They just don't react to them. We know that if we happen to fall victim, then it's just going to rumble and then we're suddenly encrypted, can't produce, and have millions in losses.
And these are simply things where we say that we can no longer survive in this economy in the long term. We have to start doing something. The catch is, of course - and now we come back to our model - there may be a management team, a board of directors, who don't actually own the company. They are just employees and are paid according to their success. Paying for success is always about: what profit have I ultimately generated? That's what it's all about by and large.
Cybersecurity initially costs money, whether for IT or OT. In the event of damage, it can massively reduce the damage and keep the company viable. But in the short-term mindset that we have today - which is also how stock market systems work, by the way - it's really all about pure profit.
And that's where the legislator really needs to get involved, because at some point we won't survive. At the moment - even if it sounds so dramatic - everything is fine. It's totally at a comfortable level. There are a few cases every day. We in our [cyber security] industry are happy because every case brings money and new customers. But it can also change completely overnight. And then we have a real existential problem in our economy. And that's why the legislator has to react. Objective facts obviously aren't enough.
Klaus Mochalski
Thank you very much for this plea. I think that is also a very nice closing statement. From your point of view, too, and I can only confirm that: The NIS2 directive has come at exactly the right time. It certainly doesn't come too soon, and companies should see it as an opportunity to carry out their risk analyses - holistically - and then make decisions accordingly. And even if the decisions are not to invest in certain things, you can still prove that you have considered this risk. And then you also fulfill your obligations as the management of a company. And that is exactly what we need.
And that's why we're making a big plea: if you haven't already done so, this NIS2 directive, along with many other frameworks, is a very good guide on how to implement IT and OT security across the board in your company. And so we can only encourage everyone there to take a close look at it now. Thank you very much, Götz, for being on the podcast. It was an exciting discussion. I hope our listeners enjoyed it, and let's discuss it in more depth when we get the chance. Many thanks to you.
Götz Schartner
Thank you very much.