It’s a great idea, but the bad guys seemed to have something against it. Visite 2.0 is a project that Lukas Hospital in Neuss, Germany, uses to digitize its operations. Doctors and nurses use tablet computers, for example, to call up and enter data right at the patient’s bedside. It helps ensure more effective processes and makes good sense—as long as the data is accessible and secure.
That all suddenly changed when an employee opened an email attachment and the embedded malware crippled the hospital’s computer system—viruses do spread quickly in a hospital. The hackers who sent the malware got in touch with the hospital and promised to solve the problem—for a fee, naturally. Instead of allowing itself to be blackmailed, the hospital powered down its systems and switched back to working manually. It took four days to repair the system, and a total of ten days passed before it could be powered back up again. The hospital’s management estimated the total damages at around one million euros. It’s an example that highlights the thin line between the good and bad sides of digitization.
This trick that hackers use to get money is called ransomware. TÜV SÜD’s Chief Digital Officer Dr. Dirk Schlesinger describes this type of hack: “It’s the biggest cyber security problem worldwide at the moment. Hackers have learned to turn their attacks into money. Ransomware has become a global industry.” Researchers at IBM X-Force, the company’s security experts, calculated that ransomware accounted for almost 40 percent of the malware emails sent in 2016. The year before it was just 0.6 percent. The FBI estimates that the amount of money blackmailed from victims in 2016 totaled in the high hundreds of millions of dollars.
The most prominent and most recent global example is the WannaCry attack, which sparked fear around the world in May 2017. Within just a few hours, hundreds of thousands of desktop computers in more than 150 countries saw text windows pop up on their screens demanding money for decrypting the data that had been blocked by WannaCry. Only after receiving 300 dollars in bitcoins would the blackmailers release the data, and if payment wasn’t made immediately, the amount doubled. WannaCry caused chaos in British hospitals, at German ticket counters of the Deutsche Bahn and at Chinese gas stations. IT experts could only shake their heads, since WannaCry exploited a long-known security vulnerability in older versions of the Microsoft Windows operating system.
The response to dangers from the internet has been rather inconsistent, with some countries doing better than others, Germany among them. Risk awareness has increased overall, as shown by the E-Crime Study, conducted by the auditors at KPMG: 89 percent of managers recognize a high to very high risk that German companies could fall victim to such attacks. But only 39 percent of them consider their own company to be in danger. Accordingly, many are careless about dealing with virtual risks: 71 percent of companies don’t have cyber security guidelines, and only 17 percent have basic IT protection that has been certified. And among those companies that are required to have an IT security management system according to Germany’s new IT security law, only 41 percent have thus far complied. Yet this protection is of enormous economic value: the management consulting firm McKinsey estimates the added value that will be created globally in 2025 through digital production alone at 3.7 billion dollars.
Even politics isn’t safe any longer. Hackers from the United Arab Emirates are alleged to have sent Qatar into a crisis with a cyber attack by infiltrating the state-owned Emirates News Agency and publishing faked dispatches. Hackers may also have manipulated the most recent presidential election in the United States of America, and also leaked material intended to have a negative impact on President Emmanuel Macron just days before the national election in France. It is considered very likely that there will be attempts to influence the upcoming national elections in Germany, in September.
The risks are increasing daily. Malware is available in countless variations on the internet. Attack tools can be purchased on the darknet—often even sold with a guarantee of success. “Thousands of new viruses are created every day,” says TÜV SÜD expert Schlesinger. No wonder: criminal organizations with professional personnel are often behind digital attacks. It is said that there are statistics circulating that list how many servers would have to be infected with a slightly mutated virus to earn between 10 and 30 million dollars.
Nonetheless, the danger for companies and critical infrastructures can be minimized. Schlesinger calls for thinking comprehensively. “It starts with the employees, who are often the weakest link in the chain,” he explains. “They must be trained not to carelessly use USB sticks or open unfamiliar email attachments. There are tests, where USB sticks labeled ‘vacation photos’ have been set out randomly in company offices. The question was how a company’s employees would react to them. A few minutes later, the USB stick had been plugged into a computer, and had it been carrying a virus, the whole system would have been affected.”
It’s often the case that smaller and medium-sized companies believe that they aren’t interesting enough for attacks. “That’s the wrong way of thinking,” Schlesinger says. “Ransomware shows that anyone can be affected, from global corporations to small handicraft businesses out in the countryside. These days every company generates a multitude of data, which can be interesting for extortionists. And if it isn’t, they can extort a ransom by encrypting it.” Of course, not every medium-sized company somewhere in the countryside needs to be made as safe as the Bank of England, Schlesinger continues. “But I can surely determine which information is worth protecting for my business and which isn’t. This differentiation is very important.”
This is where independent testing companies such as TÜV SÜD have a supporting role to play. Many smaller businesses or medium-sized companies don’t have much of this type of expertise in-house.
TÜV SÜD certifies companies according to the ISO 27001 global standard, which is based on a regular analysis of the current situation and a determination of the requirements necessary to achieve the desired state, allowing process improvements to be implemented. “This certification can only be a foundation for cyber security,” Schlesinger says. “A penetration test or a more detailed security analysis of the systems and programs can identify additional vulnerabilities. We have our own hackers for this at TÜV SÜD, who attack companies’ weak spots from the outside and also through internal interfaces. Building on this, we can then draw up a vulnerabilities report.”
Artem Vorobiev is one of the hackers Schlesinger was talking about. Vorobiev works for TÜV SÜD in Singapore, and calls himself an ethical, or white hat hacker. And he says, “Along with ransomware, it’s the devices of the Internet of Things in particular that I’m becoming increasingly worried about. People don’t put a lot of thought into security for production and approval of such devices.” Then he groans loudly. “It seems that www more often stands for wild wild west these days.”
And if anyone knows this, it’s Vorobiev, who runs the penetration tests to discover such vulnerabilities. Right now, he and a customer are readjusting the honey net project, with which TÜV SÜD imitated the infrastructure of a water company. Attacks came from all over the world and, in just a few months, had totaled more than ten thousand. “There are always vulnerabilities somewhere, and hackers specialize in finding them.”
Another big project for him at the moment is networked mobility. “In the future, cars will be one thing above all others: computers on wheels,” he says. “Consequently, there are more digital targets, particularly involving communication between individual components. Attacks that use what are known as exploits can, for instance, be launched through the car’s anti-virus program. The problem is that this program protects the entire car. If hackers manage to break into it, however they do, they can control the anti-virus program—and the entire car with it. Bingo!”
Three security researchers in the US recently demonstrated how cars could be hacked through their infotainment systems. According to US-CERT, the United States Computer Emergency Readiness Team, the security gap can be used by attackers from afar to deactivate the car’s infotainment system and to influence a car’s functional features. However, the carmakers that are affected by this emphasize that no “critical safety features” were manipulated.
Programming such an exploit can take months. Once they’ve succeeded, however, hackers can attack within seconds. They could manipulate cars to create accidents. They could manipulate traffic signals to create chaos. At least in theory. The price tag for such exploits can run up to a million euros. Vorobiev calls for action: “We desperately need standards to be developed for the approval of Internet-of-Things (IoT) devices so that such dangers don’t arise in the first place. Otherwise we’ll continue to have a wild-wild-west situation. And nobody wants that.”
This is also the direction of Schlesinger’s thinking, as he refers to a hack in November 2016. At the time, more than a million Deutsche Telekom DSL routers were affected by the attack. The hackers were working for a Liberian telecommunications company, which planned to use the captured devices to build a bot network, which in turn was to start another wave of attacks. Fortunately they could be stopped in time. “The structure of such attacks is being shifted from powerful computers to IoT devices,” Schlesinger explains. “The danger is absolutely real.”
Therefore it becomes increasingly important for companies working in networked environments to invest in their own IT security—and to count on external partners such as TÜV SÜD, with the know-how of experts such as Vorobiev. Ethical hackers like Vorobiev know how criminal hackers from the darknet think and work. Many experts make the following argument: one-hundred-percent security cannot be guaranteed. But in making the hackers’ lives as difficult as possible, you increase the probability that they will lose interest. And this lowers the risk for companies.
IT security in any company must continually be scrutinized and analyzed, which is the only way to realize the greatest possible protection. Because: “Cybersecurity is roughly the same as a flu shot,” Schlesinger says. “It’s not that nobody will get sick any more, but the goal must be to get sick less often, and if you do get sick, then it’s not as serious.”