Cyber-attacks on critical infrastructures (CI) are having an increasingly negative impact on the private sector and governments and thus on the general public who depend on their services as well. At the same time, many operators of CI are increasingly connecting their Industrial Control Systems (ICS), which are also used in many CI, to the Internet to monitor and control their operations in an uncomplicated and inexpensive way. However, security incidents in the past have shown that connecting an internal IT environment to the Internet can increase vulnerabilities to network breaches, data theft and Denial-of-Service activities in the industrial environment of electricity plants and other CI. Yet, the federal government, federal states or municipalities, which are in charge of CI, have no appropriate means to assess the intensity of threats, vulnerabilities and potential impacts and to make them transparent for operators. Moreover, it is extremely difficult to insure CI against damages due to IT security breaches.
The project "Providing a risk situation picture of industrial IT security in Germany" (RiskViz) was funded by the German IT Security Research Program of the Federal Ministry of Education and Research. The overall aim of the consortium, with seven partners from research, industry and practice, was to improve the German economy's IT security, in particular with regard to CI. Within RiskViz, the partners joined forces to develop methods and instruments to identify ICS that have insufficient protection against cyber-attacks. RiskViz aimed to create a search engine that is capable of finding ICS and of collecting relevant information about the system and its risk situation without interfering with its operations.
BIGS analyzed the regulatory framework that is necessary for the development of a market for cyber insurance and will highlight and develop further political and economic instruments that could help to close identified security breaches.