Attackers attempt to gain control over unprotected IT systems. They look for security loopholes in order to work their way into systems. The protection of critical infrastructure is vital for the survival of a company like Deutsche Bahn.
In all parts of the company, the awareness of this subject is therefore extremely high. The pressure to establish comprehensive risk management, not only due to growing threats but also due to the new requirements imposed by legislation, is growing continuously.
The requirements of IT security law demand that the operators of critical infrastructure give their connected IT systems greater protection against attackers. On top of this, there is the requirement for companies such as DB Regio to guarantee continuous passenger transport, even if the functions of the supporting IT systems are compromised.
In order to implement these requirements, it is first necessary to establish a comprehensive picture of the existing infrastructure. Due to the distributed organisation and the use of diverse IT solutions, consistent risk management is a very complex affair, especially in the case of communally structured transport services such as the bus division, DB Regio Bus.
In just four weeks, a joint working group from DB Systel, DB Regio and DB Regio Bus NRW drew up a feasibility study for an improved risk management system. This focused on reducing outlay and raising quality. The project examined two business-critical commercial processes: operations management and ticket sales for about a dozen bus companies at DB Regio NRW. For the underlying IT infrastructures, DB Regio Bus NRW allowed access to all relevant IT components.
With the aid of the tool used in the feasibility study, the entire IT system linked to the critical business processes at the location examined was captured, checked, evaluated and visualised. The aim was to make the IT transparent in terms of risks and susceptibility to compromise, as well as to initiate defensive measures.
To this end, the security experts at DB Regio, DB Regio Bus NRW and DB Systel had to create an accurate and comprehensive picture of the hardware and software in use. For efficient risk management, it is necessary to identify which applications are installed where and whether the servers are operated independently by the company or hosted by cloud providers. It was possible to perform this task efficiently by using an appropriate tool.
Through close collaboration, it was quickly possible to identify, prioritise and eliminate such risks by means of appropriate measures. The tools used capture the current situation clearly and with a modern look. For example, it was possible to find out very quickly on which computers important security patches still had to be installed, or where complete software packages had to be updated. Thus, with little effort, it was possible to increase the security level noticeably.
Collaboration as partners
Thanks to very efficient collaboration over short communication paths, a great deal of new intelligence was obtained in a very short time, to the obvious delight of DB Regio Bus NRW. By working together, it was possible to minimise the IT risk without any significant financial investment. This would not have been possible with the procedures that were previously in use. It also opened up additional application scenarios.
As part of intercompany guidelines, the risk management process was redesigned by those responsible at DB Regio and aligned with new legal provisions. The reduced effort in risk management facilitates improved control and visibility of actual IT risks, according to DB Regio Bus NRW. This solution thus lays the foundation for complying with the IT security legislation.
Growing threat from the Internet of Things
But DB Systel is thinking further ahead. The increasing penetration of information technology into the machine world makes the converging infrastructure even more susceptible to attack. The concept of the Internet of Things, in which every object can be integrated into the network, increases the potential threat. This extends from interference in communication in the vehicle IT systems of trains or buses, to the future topic of autonomous driving. It would be possible in future for attackers to gain direct access to control elements and thus paralyse the infrastructures.
The jointly developed methods enable real technical threats to IT to be identified, assessed and made more visible. In this way, it is possible to disclose and minimise the potential for damage. As before, however, the greatest security risk is still the human element, which is therefore a key factor of risk management at DB Systel: in regular awareness training sessions, employees are repeatedly reminded of possible attack scenarios. Using this overall concept, DB Systel is able to significantly raise its level of IT security.