Digital attacks are increasingly targeting city halls, municipal enterprises and hospitals—facilities that often have very limited resources for cybersecurity. TÜV SÜD specialist Sudhir Ethiraj explains how municipalities can defend themselves and what role AI can play in this field in the future.


Hackers made off with more than 16 gigabytes of data when they attacked the German Bundestag, the country’s parliament, in 2015. It was the biggest cyberattack on the federal government’s IT network. The entire system had to be temporarily shut down. There were also attacks on the parliament’s systems and the legislators’ computers in 2016 and 2021. Espionage attacks like these make up a very small proportion of cyberattacks on governmental agencies, however.

Local and municipal levels are increasingly being targeted. In November 2023, eleven municipalities in southern Germany’s Neu-Ulm district were victims of an attack on a shared data processing center. Just one month before, 72 municipalities in southern Westphalia, Germany, were all affected in one fell swoop. State secrets were not the target; rather, the aim was to extort money by paralyzing IT systems. On average, there were two ransomware attacks on local authorities or municipal agencies per month in 2023.

But why attack a city hall or a sewage treatment plant? According to a report by the Federal Office for Information Security, online criminals are increasingly following a “rational cost-benefit calculation.” Attacks are targeted not where the most money might be expected, but where defenses are weakest. Many municipalities are still inadequately resourced and experts in the field are in short supply. As with many smaller companies, cybersecurity has played a minor role at best for most local authorities to date.

“Everyone can and should learn a better approach to IT security. Cybersecurity belongs at all levels.”

“Cybercrime has become an industry,” says Sudhir Ethiraj, head of the TÜV SÜD Cyber Security Office. That is why it is particularly important for current IT personnel to be trained on the topic of cybersecurity. Where can IT professionals strengthen their cyber defenses? The Charter of Trust is one place offering courses. The alliance, which aside from TÜV SÜD includes companies such as Siemens, Bosch, Microsoft and IBM, aims at strengthening digital security around the globe, both at a political level and through education. Investing in the necessary knowledge is the best way for municipalities to defend themselves against cybercrime.

This is not just an issue for IT departments, however. “Everyone can learn better approaches to IT security and everyone should do so. Cybersecurity is important at every level,” Ethiraj says. Even the best systems are ultimately only as resilient as their weakest link. In most cases this weakest link is a person.

“Admittedly, any training course must be adapted to the needs on the ground,” Ethiraj explains. “You can’t put every employee of an organization into a classroom for twenty hours. There must also be courses that convey the important basics in twenty minutes.” Such courses can be found at TÜV SÜD Academy, which offers training in cybersecurity for all levels of experience. A basic training course on cybersecurity for IT specialists in accordance with the ISO-27001 standard can be booked directly with TÜV SÜD.

Ethiraj also says, “There will never be one-hundred percent security. The larger an organization is and the more diverse software it uses, the more potential gateways there are for online attacks.” Therefore, along with the protections against such attacks, cyber resilience is also crucial: the ability to respond to an attack as quickly and as effectively as possible.

In the future, artificial intelligence will help monitor IT systems around the clock and initiate countermeasures immediately in the event of an emergency. This would also be a way for municipalities and smaller companies to improve their cybersecurity. However, it must be guaranteed that the AI itself has been developed according to secure standards and ethical guidelines.

Sudhir Ethiraj heads the TÜV SÜD Cyber Security Office (CSO), the central department that coordinates and consolidates all the company’s cybersecurity activities. Ethiraj was previously an engineer and consultant for Cisco Systems. He also runs the Security by Default taskforce of the Charter of Trust industrial alliance.