The danger from hackers and cyber-attacks has been growing for years. The focus is increasingly on industrial companies like thyssenkrupp. The motivation of the attackers: The theft of industrial secrets and data, sabotage and blackmail. Cybersecurity experts like Marc Kleffmann and Florian Saager have declared war on hackers. Their opponent: Increasingly organised crime. Their work is correspondingly demanding and exciting, always reminiscent of a thriller and real detective work. The challenges are becoming tougher and tougher - and a dangerous trend is emerging.
The damage caused by the stealing of IT data, industrial espionage and sabotage is enormous. The industry association Bitkom estimates the damage to the German economy at 206 billion euros in 2023. According to a Bitkom study, cyber-attacks by organised crime have increased significantly. And the attacks on German companies are more and more organised in gangs.
Marc Kleffmann and Florian Saager are cybersecurity professionals in the Cyber Defense Center at thyssenkrupp, responsible for preventing and defending against cyber-attacks. Florian's department, the Offensive Security Team, takes on the "attacker role": Florian and his colleagues simulate IT attacks with the aim of uncovering vulnerabilities in the IT infrastructure before real attackers do.
"My job is to organise and conduct so-called penetration tests - a kind of security analysis in which we manually test our own systems for security leaks," Florian reveals. The target of these simulated hacker attacks are, for example, the production sites of the technology company. "We put ourselves in the role of attackers: For example, we look at how the network is segmented, what entry points are there? Where can I spread out and where can I get to? Can I perhaps completely own the system, i.e. take it over? All this, of course, with the aim of strengthening our own defence".
In contrast, Marc Kleffmann takes on the "defender role" with the Computer Emergency Response Team (CERT). Two of the most important tasks: Threat Intelligence and Incident Response. "For Threat Intelligence, we observe and analyse the threat landscape," Marc reports. "For example, we analyse how large attack groups operate, how we prepare for any attacks and how we can respond."
The Cyber Defense Center must continuously adapt to new threats and scenarios. "There is not just one attack sector that is typical for thyssenkrupp," says Marc. "We have to differentiate between individual business segments. Marine Systems, for example, works completely differently than Automotive or Steel, and the motives for attacks are therefore different. For this reason, we have to deal with other attackers and other types of attacks." The motivation of the attackers can be industrial espionage with the theft of patents or building constructions, as well as blackmail. Marc: "There are definitely attackers who are not interested in the type of data at all, but who try to gain access to as many systems as possible, encrypt them and demand a ransom for their release."
And often it's not primarily about the critical servers at all, Marc knows. "There are attackers who simply try to trick some employee to gain access to the account and then either jump from there or sell the access data on the Darknet. Criminals can then buy this account and take it over and pursue their own goals from there."
These small attack attempts - for example via phishing mail - are usually intercepted by automatic filtering and virus scanners. For suspicious cases that seem a bit larger, the procedure is always the same: "If we notice anomalies, i.e. if something happens in the infrastructure that typically should not occur, our playbooks enter the game," Marc reports. Using a defined procedure, the cybersecurity professionals analyse the detected anomaly. If it is indeed an attack, there is no time to lose.
After the management and the specialist department have been informed, personnel and other resources are first planned to ward off the attack. Next, the IT professionals follow the attacker’s trail. Then routines come into play that are in no way inferior to modern detective work. Processes are used that resemble a thriller. Marc: "We immediately start with the analysis: What are the attackers doing? What techniques do they use? What possibilities and motives do they have? And what systems and accounts have they already taken over?"
Marc and his colleagues have to be extremely careful in their investigative work - because: "As long as they don't notice us, we have the chance to analyse them, what they are doing and what they can do. The moment we startle them, they will very likely do something completely different. Then there is also the risk of not being able to track them down. We need to time it right to strike back before they achieve their goals." To this end, all the resources of the Cyber Defense Center are pulled together. The extremely close cooperation is not only internal: cooperation with the authorities is also part of it, for example the Police, the Public Prosecutor's Office, and the State and Federal Criminal Police Office.
According to Florian, major hacker attacks are an "intense experience", a professional challenge - and thus also "very exciting". It is not unusual for security professionals to take such an attack personally, as Marc admits. After all, there's a lot at stake: "There always comes a point when you realise that an attack like this can quickly become very expensive for a company like thyssenkrupp. When the production of an automotive supplier breaks down, millions are at stake. That is an enormous motivation for our team." Marc is convinced that the close cooperation with colleagues, especially under time pressure, is "team building in its purest form".
Once the attack has been repelled, the IT experts' work is still not over. Marc: "Then the clean-up work begins. That means all systems that have been compromised and all accounts have to be set up again. We're talking about months until everything is renewed." So they can't complain about a lack of work at the Cyber Defense Center. Neither can they complain about a lack of new challenges.
"Until about five years ago, bigger attack groups carried out very professional attacks. And there were a lot of very small attackers who worked with smaller measures like phishing emails. For a few years now, however, many 'as-a-service' (SaaS) providers have appeared on the scene, offering ransomware-as-a-service or phishing-as-a-service, i.e. regular service packages. This means that even criminals who are not particularly skilled in this field have the possibility to buy or rent very professional cyber-attacks for relatively little money."
Then it's time for the next team building measure at the Cyber Defense Center.