As reported by the German Frankfurter Allgemeine Zeitung, unidentified attackers broke into a cable duct of Germany’s telecommunications provider Kabel Deutschland (a Vodafone subsidiary) and cut fiber optic cables, thereby causing an Internet, TV and telephony blackout for parts of Berlin. The attack is noteworthy because, according to the reporting, the attackers acted professionally and knew exactly where and how to strike in order to cause significant damage, bypassing physical access control and alarms. We don’t know if they actually used chainsaws to cut the cables, but they obviously didn’t need zero-day exploits.
The attack evokes memories of the rifle attack against the Metcalf power substation in California, where a local electrical blackout was caused by destroying the cooling system of transformers with high-powered rifles – an attack that also involved cutting cable trunks in order to delay emergency response, and resulted in considerable debate on the security of the US electric grid following remarks by former FERC chairman Jon Wellinghoff.
In Germany, the electric grid was unaffected. Whether this will also be the case once a full-scale Smart Grid is implemented remains to be seen. Nevertheless, the significance of the Berlin attack should not be underestimated now that Germany is moving full steam towards “Industry 4.0”, the German version of the Industrial Internet. Surprisingly, German chancellor Angela Merkel demanded in her weekly webcast from Oct 4, 2013 that Germans “must conflate Internet and industry” and that Germany would have to be the global leader of this movement. Merkel didn’t specify why this would be the case, and she also didn’t point to any cyber security concerns in this context, which is surprising given the chancellor’s widely publicized personal experience with information security, or the lack thereof, that hit the news about the same time.
One would expect that the Berlin incident will act as a huge challenge for Germany’s national cyber security strategy. The German strategy document is noteworthy for two reasons: First, it limits critical infrastructure to critical information infrastructure, which is a major deviation from the national cyber security policies of the United States and of the European Commission. Second, it includes the bold statement: “The protection of critical information infrastructures is the main priority of cyber security.” The question on the table now is how the German government intends to protect this information infrastructure against low-key attacks like the one from last weekend, especially in years to come when German industry and the national economy will largely depend on this infrastructure. According to the reporting on the Berlin incident, a Vodafone spokesperson said that Vodafone and Kabel Deutschland combined operate a cable network extending 400,000 kilometers in Germany, “virtually impossible to protect reliably”.
The idea that a small force of determined hooligans may soon be able to disrupt real (analog) critical infrastructure because of its dependence on digital data streams, using nothing but old-fashioned bolt cutters and chainsaws, is a political challenge for those who tout betting the national economy on the reliability of the Internet, and suggest that Germany is ready for it by virtue of its cyber strategy.
The political response – if any – will be telling. I bet 50 Euros that it will fall well short of how the United States (or NERC and FERC, for that matter) handled the Metcalf incident.
Ralph Langner