Making supply chains hack-proof

26 January 2023

Coronavirus has caused problems in supply chains worldwide, and the Ukraine war has had the effect of throttling gas supplies. With global crises such as these and the increasing expansion of digital connectivity, the potential of hacker attacks to endanger critical infrastructure (CRITIS) is also on the rise. In sectors ranging from energy to transport and traffic, the support being offered by TÜViT experts to CRITIS companies includes help in their efforts to ward off hacker attacks.


On 26 October 2022, every warning light at Enercity in Hanover lit up at once. This major energy supplier had fallen victim to a hacker attack. Although the critical infrastructure was not affected – customers continued to be supplied with gas and electricity – email and phone traffic was in some cases paralysed. And the attack also cut the connection to the payments system. As cyberattacks and their consequences once again revealed for all to see, the smooth operation of IT applications and uninterrupted data flows are as essential for the energy sector as they are for supply chains. And it is exactly this which makes these sectors so very vulnerable to cyberattacks. “We need at the very least a reliable security and information management strategy to help us identify such incidents and deal with them sensibly,” says Markus Bartsch, the member of staff responsible for Business Development at TÜViT. The operators of critical infrastructure are legally obliged to prove every two years that their information security management is state of the art. Regular penetration tests – targeted attacks carried out by “good hackers” with the specific aim of probing IT security systems for weak points – have never been a legal requirement to date. And yet, the Federal Office for Information Security recommends them to CRITIS companies as a possible way of finding vulnerabilities in their own systems. Penetration testers from TÜViT are already conducting tests of this kind in industrial plants: they attack IT systems, such as those which manage production plants in a chemical factory. “You need to know what you’re doing here, of course. Otherwise, you could actually paralyse the plant you’re attacking, which is something you need to avoid at all costs,” Bartsch says.


Markus Bartsch is a graduate computer scientist who first joined TÜViT in 1995. He started out as an IT security analyst; since 2002, he has been responsible for business development, in which capacity his remit extends to all new technologies which are key to IT security, ranging from automotive security, the Internet of Things and Industry 4.0 through to smart meter gateways, which will have a key role to play in the smart electricity grid of the future.

Attacks on critical infrastructure are increasing

TÜViT also works on its own account as an independent organisation whose function is to verify whether critical infrastructure systems meet the requirements laid down in IT security law. “In principle, these statutory requirements mean that most of our German CRITIS systems are in a good position. This necessary condition has thus been very largely fulfilled,” Bartsch explains. “Whether all this is actually going to be good enough remains to be seen, however.” After all, hacker attacks are continuing to increase at pace: according to the situation report for Germany issued by the Federal Criminal Police Office, the year 2021 was particularly marked by attacks on CRITIS and public administration targets. About half of the operators of critical infrastructure report a massive increase in hacker activities. According to a study by the Bitkom digital association, they are readying themselves for more violent cyberattacks: more than half the companies surveyed assume that the next twelve months will bring major attacks on their IT, with one third anticipating fairly major attacks. The main targets are electricity and gas suppliers and their associated distribution grids, alongside construction companies, airports, port operators, shipping companies and logistics firms. “The primary aim is to prevent such attacks,” Bartsch stresses. After all, cyber criminals could make it impossible for these companies to operate or, at least, severely hamper their operations. This happened to petrol station supplier Oiltanking, which fell victim to a hacker attack in early 2022. As a consequence of the attack, the company was temporarily unable to send tankers out to the 233 petrol stations, mainly in northern Germany, which it supplies. At the same time, a number of oil terminals were also hit by cyberattacks at Europe’s biggest container port, Rotterdam. This meant that, in some cases, no oil tankers could be unloaded.


The Port of Hamburg in the crosshairs

The senate in Hamburg also recently warned of the growing risk posed by hacker attacks, explicitly naming the Hanseatic city’s port, alongside the energy sector, as a potential target for criminal hackers. And the port of Hamburg is indeed a major nodal point: “Europe’s third biggest port is an international logistics hub on which inland waterways, international cargo shipping and railway freight transport operations all converge,” Bartsch explains. “A six-day blockage of the Suez Canal by a container vessel early in the year gave us all a foretaste of just how drastic the effect of an additional supply chain issue can be.”




As an international logistics hub, the Port of Hamburg is a potential target for cyber attacks.

Secure sum of the individual parts

TÜViT also carries out tests of the IT security components used by CRITIS companies. Its experts are brought on board early in the process, during the development of those components. An inspector then permanently monitors the manufacturer during the entire process, with the intention of making sure that no security-related problems will crop up later during operation. This is going to be particularly central for the road traffic of tomorrow. From the point of view of CRITIS, the potential threat posed by cyberattacks is not seen as very relevant in this area. But this will change fundamentally with the advent of fully self-driving cars. TÜViT has created some testing specifications to determine the requirements automotive components will need to satisfy to allow cars to communicate with one another and with road infrastructure in a highly secure way. “In this case, it makes particular sense to use what we call international common criteria, which have proved their worth as an IT security standard, as the guidelines for the testing procedure,” Bartsch says. By communicating with each other and the infrastructure, the vehicles will ideally know if an accident has happened around the next bend or whether some other kind of hazardous situation might arise. “But this is all still a complete pipe dream,” Bartsch stresses. “If we’re going to have the luxury of enjoying autonomous, self-driving personal transport, we first need to get a grip on the current threats to European energy supplies and the supply chains.”