Common dilemmas when a website is unavailable: Internet Shutdown: Potential Consequences
In a series of suspected cyberattacks, the cities of Trier, Mainz, Koblenz, and Ludwigshafen in Rhineland-Palatinate have experienced issues with their websites. The Landeskriminalamt (LKA), the German state criminal police office that advises on cyberattacks, has issued guidelines for immediate action.
Immediate Steps
- Isolate affected systems and preserve evidence.
- Notify the competent German authorities, including the Federal Office for Information Security (BSI) and the local data protection authority, and engage qualified incident response/forensic help.
- Inform affected users as required by law.
Essential Context and Supporting Steps
- Disconnect or isolate compromised web servers and the internal networks they can reach, to stop further data exfiltration and to keep the attacker from moving deeper into the network. Isolate at the network level (pull the cable, block the ports at the switch or firewall) rather than powering the machine off, so that evidence held only in memory survives.
- Do not overwrite logs or reboot unnecessarily. If the system is still running, capture volatile data first (memory, running processes, open network connections), then take forensically sound disk images and preserve logs. Record a cryptographic hash of every image and log copy at collection time so that its integrity can be demonstrated later.
- Retain an experienced digital forensics/incident response (DFIR) team or qualified external cybersecurity firm immediately.
- Notify the BSI when critical infrastructure, public services, or severe incidents are affected, and if personal data were likely exposed, notify the competent data protection authority and affected data subjects.
- Communicate transparently with users, publish a public notice informing them about the outage/attack, and provide actionable user guidance when warranted.
Post-Recovery Steps
- Remove malware/backdoors, patch the exploited vulnerabilities, rotate credentials and secrets (treat every password, API key, token, and certificate the attacker could have reached as compromised), and rebuild compromised servers from known-good sources rather than cleaning them in place.
- Restore from verified, offline backups only after confirming that the backup predates the compromise and that its contents match the hashes recorded when it was made, and test the restored systems in a controlled environment before reconnecting them to production.
- Deploy or enhance endpoint detection and response (EDR), web application firewalls (WAF), multi-factor authentication (MFA) for administrative access, network segmentation, and continuous logging/monitoring.
- Produce an incident report documenting timelines, impact, root cause, remediation steps, and lessons learned.
- Update incident response plans, run tabletop exercises, and provide staff security awareness training focused on the vectors used in the attack.
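The two hash-related points above, recording a hash of every log copy and image at collection time and checking a backup or image against its recorded hashes before restoring from it, come down to the same small piece of tooling: a collection with a manifest. The following Python script is an added example, not part of the LKA guidance or of the original page. It copies the files under a directory into a case folder, preserves their modification times, makes the copies read-only, writes a JSON manifest with a SHA-256 per file, and stores the manifest's own hash separately so that it can be recorded out of band. `verify_evidence` then recomputes every hash and reports what is missing or altered. The case identifier, the directory names, and the log lines in the demo are constructed for illustration.

```python
"""Evidence preservation with a SHA-256 manifest (added example, not LKA tooling)."""
import hashlib
import json
import os
import shutil
import socket
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK_SIZE = 1024 * 1024


def sha256_file(path):
    """Stream a file through SHA-256 so large logs and images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve_evidence(source_dir, evidence_root, case_id):
    """Copy every regular file under source_dir into evidence_root/case_id/files/,
    keep its mtime, hash both source and copy, and write a hash manifest.
    Returns the path of manifest.json. Refuses to overwrite an existing collection."""
    source_dir = Path(source_dir)
    case_dir = Path(evidence_root) / case_id
    case_dir.mkdir(parents=True, exist_ok=False)
    entries = []
    for src in sorted(p for p in source_dir.rglob("*") if p.is_file() and not p.is_symlink()):
        rel = src.relative_to(source_dir).as_posix()
        dst = case_dir / "files" / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)               # copy2 keeps mtime, which the timeline will need
        src_hash, dst_hash = sha256_file(src), sha256_file(dst)
        if src_hash != dst_hash:
            raise RuntimeError(f"copy of {rel} does not match its source")
        os.chmod(dst, 0o444)                 # read-only copy: later handling must not change it
        stat = src.stat()
        entries.append({
            "path": rel,
            "sha256": src_hash,
            "size": stat.st_size,
            "mtime": datetime.fromtimestamp(stat.st_mtime, timezone.utc).isoformat(),
        })
    manifest = {
        "case_id": case_id,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collector_host": socket.gethostname(),
        "source": str(source_dir),
        "files": entries,
    }
    manifest_path = case_dir / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    # The manifest's own hash is what you write into the case notes or send to the DFIR team.
    (case_dir / "manifest.sha256").write_text(sha256_file(manifest_path) + "\n")
    return manifest_path


def verify_evidence(manifest_path):
    """Recompute every hash in the collection. Returns a sorted list of findings:
    'manifest.json' if the manifest itself changed, plus each file that is missing
    or altered. An empty list means the collection is intact."""
    manifest_path = Path(manifest_path)
    case_dir = manifest_path.parent
    findings = []
    recorded = (case_dir / "manifest.sha256").read_text().strip()
    if recorded != sha256_file(manifest_path):
        findings.append("manifest.json")
    manifest = json.loads(manifest_path.read_text())
    for entry in manifest["files"]:
        copy = case_dir / "files" / entry["path"]
        if not copy.is_file() or sha256_file(copy) != entry["sha256"]:
            findings.append(entry["path"])
    return sorted(findings)


def demo_constructed_case():
    """Run the flow on constructed sample logs in a temp dir and return
    (findings before tampering, findings after one copy is edited)."""
    root = Path(tempfile.mkdtemp(prefix="evidence-demo-"))
    logs = root / "var_log"
    (logs / "nginx").mkdir(parents=True)
    # Constructed sample lines, not real traffic.
    (logs / "nginx" / "access.log").write_text(
        '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512\n'
        '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /robots.txt HTTP/1.1" 404 0\n')
    (logs / "auth.log").write_text(
        "Jan  1 10:00:05 web01 sshd[1234]: Accepted publickey for deploy from 198.51.100.9\n")
    manifest = preserve_evidence(logs, root / "evidence", "CASE-DEMO-0001")  # hypothetical case id
    before = verify_evidence(manifest)
    tampered = manifest.parent / "files" / "nginx" / "access.log"
    os.chmod(tampered, 0o644)                # defeat the read-only bit, as a careless operator might
    tampered.write_text("log rotated\n")
    after = verify_evidence(manifest)
    shutil.rmtree(root)
    return before, after


if __name__ == "__main__":
    print(demo_constructed_case())
```

The same `verify_evidence` routine is what you run against a backup set or disk image before restoring from it: if the manifest hash recorded out of band no longer matches, or any file differs from its recorded hash, the copy is not the one you collected and must not be trusted as a restore source. Hashing the source and the copy independently catches a bad copy at collection time rather than months later in court.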
Additional Considerations
- The LKA suggests contacting the IT service provider in case of a cyberattack.
- The central point of contact for cybercrime (ZAC) is only accessible to businesses and authorities resident in Rhineland-Palatinate. The phone number to contact the ZAC is +49 6131 65 64760, and the email address is [email protected].
- Private individuals who wish to provide information or file a complaint about cybercrime should contact a local police station or the competent public prosecutor's office.
- Companies not resident in Rhineland-Palatinate can find the direct accessibility of the central point of contact for cybercrime responsible for them in other federal states under https://www.polizei.de/Polizei/DE/Home/home_node.html.
- The LKA recommends organizing internally in the form of a crisis team and distributing roles, responsibilities, and areas of responsibility.
Limitations and Next Steps
- The general steps above follow recognized practice and recent German incident examples but do not replace legal advice or tailored incident response plans. For specific obligations under Rhineland-Palatinate law and exact reporting addresses/contact points, consult the Rhineland-Palatinate Landesdatenschutzbeauftragte and the BSI immediately.
- The nature or source of the cyberattacks, the extent of the damage caused, and the accessibility of ZAC for private individuals outside of Rhineland-Palatinate remain unknown.
- Municipal policy should emphasize promptly following the guidelines provided by the Landeskriminalamt (LKA) in cases of suspected cyberattacks, such as those experienced by the cities in Rhineland-Palatinate, to ensure an effective response.
- In light of the recent cybersecurity issues affecting several cities and the urgent need for technology-based solutions, employment policy may need to prioritize training and hiring staff with cybersecurity expertise, particularly in incident response, to better protect sensitive information and infrastructure.