


Client
Around 125 years ago, a new era began for the up-and-coming industrial city of Tuttlingen with the founding of the municipal utility. At that time, electricity was initially generated using steam engines and diesel engines. Today, the long-established company with around 160 employees relies 100 percent on sustainability: Stadtwerke Tuttlingen produces green electricity from hydropower, wind power and photovoltaics, as well as biogas from renewable raw materials. In addition, the company supplies private households, industrial and commercial customers in the region with water and district heating.
Challenge
As an energy and water supplier, Stadtwerke Tuttlingen bears a great responsibility for the state community. Failures or impairments in operations could result in supply bottlenecks and a disruption of public safety. In accordance with the regulation of the Federal Office for Information Security (BSI), the municipal utilities therefore belong to the so-called critical infrastructure (KRITIS) and must fulfill particularly strict, legally prescribed security requirements in the area of IT security, among other things. The municipal utilities ensured organizational security by introducing an Information Security Management System (ISMS) according to ISO 27001. In order to check its own IT and information security, the municipal utility decided to have its IT protection measures externally audited by Allgeier secion.
Solution
In a penetration test as part of a white box audit, the entire technical IT infrastructure of Stadtwerke Tuttlingen was put to the test. For this purpose, the IT security experts from Allgeier secion carried out both an automatic vulnerability scan and a manual vulnerability analysis. In addition, the publicly accessible web applications, which are often the target of attackers, were examined for possible security vulnerabilities. The awareness of the employees of Stadtwerke Tuttlingen was also tested by means of an individual phishing campaign. "Fishing" for sensitive data using fake but deceptively genuine e-mails or text messages is still one of the most popular and promising means of attack used by cybercriminals. Fake emails were therefore sent throughout the company without the knowledge of the employees. They were designed in three levels of difficulty, differing in how hard they were to identify as phishing emails.
Result
The comprehensive IT security audit by Allgeier secion provided the project managers at Stadtwerke Tuttlingen with a detailed analysis of their IT infrastructure. Because the company works intensively and continuously on its IT security measures, the technical review did not reveal any serious security gaps. All findings of the white box audit were presented to the responsible parties in a detailed report after project completion, including concrete recommendations for action to eliminate the gaps found, which were only minor. The phishing campaign underscored that regular training of all employees is also essential for comprehensive IT and information security. As a result of this measure, all employees of Stadtwerke Tuttlingen now handle received e-mails even more critically and increasingly involve the IT team in the event of uncertainties.

"We looked at various service providers and finally decided on Allgeier secion GmbH as a technically competent project partner because we were convinced by its expertise as well as its price-performance ratio. The technical review showed that we have done a good job so far with regard to our IT security, as no critical deficiencies were identified. Thanks to the detailed report, including possible solutions, we were able to implement the additional recommendations without further ado. We also continue to use the positive report as evidence in our ISO 27001 audit. The cooperation with Allgeier secion went smoothly and we learned a lot from the experts. For this reason, we are currently planning the next joint project."