E-mobility meets cloud architecture & SIEM: Security for public infrastructure

Our client is an Austrian public company operating in the field of e-mobility and utilities. The company operates critical infrastructure (KRITIS) and is therefore subject to special requirements in terms of IT security, compliance, and availability.

On the path to a scalable and auditable security architecture

With the increasing interconnectedness of charging infrastructure, IoT devices, and cloud-based services, the client faced the challenge of establishing a future-proof, scalable, and auditable SIEM framework. The goal was to comply fully with ISO 27001 and with the regulatory requirements of NIS2, GDPR, and BSI-KRITIS, while at the same time establishing an architecture that could be operated and expanded efficiently in the long term.

In addition to the technical complexity, the organizational dimension was also crucial: roles had to be redefined within the company, processes in the security environment had to be standardized, and awareness of cybersecurity had to be raised among all stakeholders.

The right partner for cloud security in the KRITIS environment

After a multi-stage selection process, the company chose PROTOS Technologie GmbH as its vendor-independent partner. The decisive factors were the company’s proven expertise in cloud security and compliance, its experience in the KRITIS environment, and its comprehensive range of services, from strategic consulting and implementation to 24/7 operation in the SOC.

The foundation for a secure cloud future

The first step was to conduct a comprehensive assessment of the existing infrastructure, compliance requirements, and organizational objectives.

"In the first few weeks, it was crucial to clearly define the technological foundations as well as the organizational responsibilities. Only when both levels are considered together—architecture and processes—can a sustainable security foundation be created," says Paul Schmidt, Security Consultant at PROTOS.

The results of this phase formed the basis for the target architecture: an AWS multi-account strategy with centralized logging, coupled with Azure AD (now Entra ID) for uniform identity and rights management.

Implementation: Secure integration of cloud, IoT, and DevOps 

During the implementation phase, PROTOS set up a multi-tenant SIEM based on AWS services (including CloudTrail, GuardDuty, Security Hub, and VPC Flow Logs) and integrated hybrid identities via SSO and SCIM. At the same time, use cases, alerting rules, and automated playbooks for incident response were developed. Special attention was paid to security integration in DevOps processes.
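To make the "use cases and alerting rules" concrete, here is an added example (not PROTOS's or the client's code) of four detection use cases evaluated over constructed CloudTrail events and GuardDuty findings, with every alert tagged to the tenant that owns the AWS account, which is what a multi-tenant SIEM in a multi-account setup has to do before routing. The account IDs, tenant names, the trusted-account list, and the GuardDuty severity threshold are assumptions made for the example.

```python
"""Added example (not PROTOS's or the client's code): four SIEM detection use
cases over constructed CloudTrail events and GuardDuty findings, each alert
tagged to the tenant owning the AWS account. Account IDs, tenant names, the
trusted-account list and the severity threshold are assumptions."""
import json

# Assumed account-to-tenant mapping for the multi-account setup.
TENANTS = {"111111111111": "charging-prod", "222222222222": "billing-prod", "333333333333": "sandbox"}
# Accounts allowed to assume roles into tenant accounts: the tenants plus an
# assumed central security/logging account.
TRUSTED_ACCOUNTS = set(TENANTS) | {"999999999999"}
GUARDDUTY_MIN_SEVERITY = 7.0  # AWS 'High' band starts at 7.0


def tenant_of(account_id):
    return TENANTS.get(account_id, "unknown")


def rule_trail_tampering(ev):
    """Use case 1: a trail is stopped, deleted or reconfigured (logging blind spot)."""
    if ev.get("eventSource") == "cloudtrail.amazonaws.com" and ev.get("eventName") in {"StopLogging", "DeleteTrail", "UpdateTrail"}:
        return "high", f"{ev['eventName']} by {ev.get('userIdentity', {}).get('arn')}"
    return None


def rule_console_login_without_mfa(ev):
    """Use case 2: successful console login without MFA; root raises it to high."""
    if ev.get("eventName") != "ConsoleLogin" or (ev.get("responseElements") or {}).get("ConsoleLogin") != "Success":
        return None
    if (ev.get("additionalEventData") or {}).get("MFAUsed") == "Yes":
        return None
    ident = ev.get("userIdentity", {})
    is_root = ident.get("type") == "Root"
    who = "root" if is_root else ident.get("arn")
    return ("high" if is_root else "medium"), f"console login without MFA by {who} from {ev.get('sourceIPAddress')}"


def rule_untrusted_assume_role(ev):
    """Use case 3: AssumeRole into a tenant account from an account outside the organisation."""
    if ev.get("eventSource") != "sts.amazonaws.com" or ev.get("eventName") != "AssumeRole":
        return None
    caller = ev.get("userIdentity", {}).get("accountId")
    if caller in TRUSTED_ACCOUNTS:
        return None
    return "high", f"AssumeRole into {(ev.get('requestParameters') or {}).get('roleArn')} from untrusted account {caller}"


CLOUDTRAIL_RULES = [rule_trail_tampering, rule_console_login_without_mfa, rule_untrusted_assume_role]


def evaluate_cloudtrail(ev):
    acct = ev.get("recipientAccountId")  # account the event was delivered for, i.e. the tenant
    alerts = []
    for rule in CLOUDTRAIL_RULES:
        hit = rule(ev)
        if hit:
            alerts.append({"source": "cloudtrail", "rule": rule.__name__, "severity": hit[0], "account": acct,
                           "tenant": tenant_of(acct), "time": ev.get("eventTime"), "summary": hit[1]})
    return alerts


def evaluate_guardduty(finding):
    """Use case 4: forward GuardDuty findings in the High band and above."""
    if float(finding.get("severity", 0)) < GUARDDUTY_MIN_SEVERITY:
        return []
    acct = finding.get("accountId")
    return [{"source": "guardduty", "rule": finding.get("type"), "severity": "high", "account": acct,
             "tenant": tenant_of(acct), "time": finding.get("updatedAt"), "summary": finding.get("title")}]


def run(lines):
    """Evaluate JSON lines; CloudTrail events carry 'eventVersion', GuardDuty findings carry 'severity'."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        if "eventVersion" in rec:
            alerts.extend(evaluate_cloudtrail(rec))
        elif "severity" in rec:
            alerts.extend(evaluate_guardduty(rec))
    return alerts


def alerts_per_tenant(alerts):
    out = {}
    for a in alerts:
        out.setdefault(a["tenant"], []).append(a["rule"])
    return out


# Constructed sample records (not real logs); field names follow the CloudTrail and GuardDuty schemas.
SAMPLE_RECORDS = [
    {"eventVersion": "1.08", "eventTime": "2024-05-02T07:12:03Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "recipientAccountId": "111111111111", "userIdentity": {"type": "IAMUser", "accountId": "111111111111", "arn": "arn:aws:iam::111111111111:user/ops-admin"}},
    {"eventVersion": "1.08", "eventTime": "2024-05-02T07:15:44Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "recipientAccountId": "222222222222", "sourceIPAddress": "203.0.113.10", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}, "userIdentity": {"type": "IAMUser", "accountId": "222222222222", "arn": "arn:aws:iam::222222222222:user/finance"}},
    {"eventVersion": "1.08", "eventTime": "2024-05-02T07:20:10Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "recipientAccountId": "222222222222", "sourceIPAddress": "198.51.100.7", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}, "userIdentity": {"type": "Root", "accountId": "222222222222", "arn": "arn:aws:iam::222222222222:root"}},
    {"eventVersion": "1.08", "eventTime": "2024-05-02T07:31:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "recipientAccountId": "111111111111", "userIdentity": {"type": "AssumedRole", "accountId": "999999999999"},
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/SecurityAudit"}},
    {"eventVersion": "1.08", "eventTime": "2024-05-02T07:33:21Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "recipientAccountId": "333333333333", "userIdentity": {"type": "AssumedRole", "accountId": "444444444444"},
     "requestParameters": {"roleArn": "arn:aws:iam::333333333333:role/Deploy"}},
    {"type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2.0, "accountId": "333333333333", "updatedAt": "2024-05-02T07:40:00Z", "title": "Unprotected port probed"},
    {"type": "UnauthorizedAccess:IAMUser/TorIPCaller", "severity": 8.0, "accountId": "111111111111", "updatedAt": "2024-05-02T07:41:12Z", "title": "API call from a Tor exit node"},
]
SAMPLE_LINES = [json.dumps(r) for r in SAMPLE_RECORDS]

if __name__ == "__main__":
    for a in run(SAMPLE_LINES):
        print(f"[{a['severity']}] {a['tenant']}/{a['account']} {a['rule']}: {a['summary']}")
```

In Microsoft Sentinel or Splunk these four would be analytics rules or correlation searches; the logic is the same. Use case 3 is the one that matters most in a multi-account landscape: a role assumed from an account that is not in the organisation is a sign of a misconfigured trust policy or a compromised external principal, and CloudTrail is the only place it shows up. The tenant tag on every alert is what lets a single SOC queue route incidents to the right owner and keeps the audit trail per tenant.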

"The challenge was to design the customer's APIs and CI/CD pipelines to be not only high-performing, but also 'security by design'. With infrastructure-as-code, secrets management, and automated compliance checks, we were able to establish a secure, highly reproducible environment," says Ann Seidel, Senior Security Consultant (Cloud & DevOps) at PROTOS.
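To give the "automated compliance checks" in the pipeline a concrete shape, here is an added example (not PROTOS's or the client's code) of a gate that reads the JSON form of a Terraform plan and fails the build on a handful of misconfigurations relevant to the architecture above: a CloudTrail trail without log file validation or a customer-managed key, an S3 bucket without a complete public access block, a security group open to the internet, and a literal credential in the plan. The plan fragment is constructed for the example; the check IDs and the ISO 27001:2022 Annex A references are illustrative assumptions, and in a real pipeline the scan would run on `terraform show -json tfplan` output between `plan` and `apply`.

```python
"""Added example, not PROTOS's or the client's code: a CI gate over the JSON
form of a Terraform plan (`terraform show -json tfplan`) that fails the build
on a few KRITIS-relevant misconfigurations before anything is applied. The
plan is constructed; resource names, check IDs and the ISO 27001:2022 Annex A
references are illustrative assumptions."""
import re

ANY_IPV4 = "0.0.0.0/0"
SECRET_ATTR = re.compile(r"(password|secret|token|api_key)$", re.IGNORECASE)
CONTROLS = {"CT": "A.8.15 Logging", "S3": "A.8.3 Information access restriction",
            "SG": "A.8.20 Networks security", "SEC": "A.5.17 Authentication information"}


def _after(rc):
    """Planned attribute values; None (so {}) when the resource is being destroyed."""
    return rc.get("change", {}).get("after") or {}


def _finding(check, rc, msg):
    return {"check": check, "control": CONTROLS[check.split("-")[0]], "address": rc["address"], "message": msg}


def check_cloudtrail(rc):
    a, out = _after(rc), []
    if not a.get("is_multi_region_trail"):
        out.append(_finding("CT-1", rc, "trail is not multi-region; activity in other regions is not logged"))
    if not a.get("enable_log_file_validation"):
        out.append(_finding("CT-2", rc, "log file validation off; tampering with delivered logs is undetectable"))
    if not a.get("kms_key_id"):
        out.append(_finding("CT-3", rc, "trail logs not encrypted with a customer-managed KMS key"))
    return out


def check_public_access_blocks(resources):
    """Every S3 bucket needs a public access block with all four settings enabled."""
    complete = {}
    for rc in resources:
        if rc["type"] == "aws_s3_bucket_public_access_block":
            a = _after(rc)
            complete[a.get("bucket")] = all(a.get(k) for k in (
                "block_public_acls", "block_public_policy", "ignore_public_acls", "restrict_public_buckets"))
    return [_finding("S3-1", rc, f"bucket {_after(rc).get('bucket')} has no complete public access block")
            for rc in resources if rc["type"] == "aws_s3_bucket" and not complete.get(_after(rc).get("bucket"))]


def check_security_group(rc):
    return [_finding("SG-1", rc, f"ingress {r.get('from_port')}-{r.get('to_port')} open to {ANY_IPV4}")
            for r in _after(rc).get("ingress") or [] if ANY_IPV4 in (r.get("cidr_blocks") or [])]


def check_hardcoded_secrets(rc):
    """Literal credentials in the plan belong in a secrets manager, resolved at apply time.
    Plan JSON carries sensitive values in clear, so the plan file is itself a secret."""
    return [_finding("SEC-1", rc, f"literal value for '{k}'")
            for k, v in _after(rc).items() if SECRET_ATTR.search(k) and isinstance(v, str) and v]


def check_plan(plan):
    resources = [rc for rc in plan.get("resource_changes", [])
                 if "delete" not in rc.get("change", {}).get("actions", [])]
    findings = check_public_access_blocks(resources)
    for rc in resources:
        if rc["type"] == "aws_cloudtrail":
            findings += check_cloudtrail(rc)
        elif rc["type"] == "aws_security_group":
            findings += check_security_group(rc)
        findings += check_hardcoded_secrets(rc)
    return findings


def gate(plan):
    """(ok, findings): the pipeline step exits non-zero when ok is False."""
    findings = check_plan(plan)
    return len(findings) == 0, findings


def _rc(address, rtype, after, actions=("create",)):
    return {"address": address, "type": rtype, "change": {"actions": list(actions), "after": after}}


# Constructed plan fragment in the shape of `terraform show -json` output.
SAMPLE_PLAN = {"resource_changes": [
    _rc("aws_cloudtrail.org_trail", "aws_cloudtrail", {"name": "org-trail", "is_multi_region_trail": True,
        "enable_log_file_validation": False, "kms_key_id": None, "s3_bucket_name": "central-logs"}),
    _rc("aws_s3_bucket.central_logs", "aws_s3_bucket", {"bucket": "central-logs"}),
    _rc("aws_s3_bucket_public_access_block.central_logs", "aws_s3_bucket_public_access_block",
        {"bucket": "central-logs", "block_public_acls": True, "block_public_policy": True,
         "ignore_public_acls": True, "restrict_public_buckets": True}),
    _rc("aws_s3_bucket.exports", "aws_s3_bucket", {"bucket": "exports"}),
    _rc("aws_security_group.bastion", "aws_security_group",
        {"ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": [ANY_IPV4]}]}),
    _rc("aws_db_instance.billing", "aws_db_instance", {"identifier": "billing", "password": "Summer2024!"}),
    _rc("aws_s3_bucket.legacy", "aws_s3_bucket", None, actions=("delete",)),  # destroyed: after is None
]}

if __name__ == "__main__":
    ok, findings = gate(SAMPLE_PLAN)
    for f in findings:
        print(f"{f['check']} ({f['control']}) {f['address']}: {f['message']}")
    raise SystemExit(0 if ok else 1)
```

Treat the plan file as a secret: the JSON form contains sensitive values in clear, which is precisely why the literal-credential check can see them. A plan-time gate like this catches a misconfiguration before the resource exists; Chef InSpec, listed among the tools below, expresses the same controls as a profile run against the deployed account after apply, and the two complement each other.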

In addition, IoT components – in particular the network of electric charging stations – were connected, which placed high demands on scalability and real-time log processing.

Following successful implementation, the PROTOS Security Operations Center (SOC) took over operations in the Managed Security Service Provider (MSSP) model. Since then, the SOC has been monitoring the customer’s cloud and on-premises systems around the clock.

The services include:

  • 24/7 Security Monitoring & Incident Detection (with MS Sentinel, Azure Monitor, MS Defender for Cloud)
  • AI-supported Threat Detection (Defender XDR, AWS GuardDuty)
  • Security Orchestration & Automation (SOAR) for rapid response to incidents
  • Vulnerability and risk management with Qualys & MS Defender VM
  • Automated compliance checks in accordance with ISO 27001 and BSI-KRITIS

Thanks to the two-tier SOC model with extended on-call service, continuous availability could be guaranteed. Initial measures for serious incidents are taken within 2 hours, and for medium-level incidents within 4 hours.

The SOC from PROTOS goes beyond reactive measures: threat hunting, lessons learned, and continuous optimization are just as much a part of the service as personal coordination with the customer regarding planned changes.

Technologies & tools used

Cloud & Infrastructure

  • AWS (multi-account strategy, CloudTrail, GuardDuty, Security Hub, VPC Flow Logs)
  • Microsoft Azure (Azure AD (Entra ID), Entra ID Protection, Azure Monitor, Log Analytics)

SIEM & SOC

  • Microsoft Sentinel, Splunk Enterprise Security
  • AWS-native logging and monitoring services
  • ELK-Stack (Elasticsearch, Logstash, Kibana)

Threat Detection & Incident Response

  • Microsoft Defender XDR, AWS GuardDuty, MS Defender for Identity
  • Azure Sentinel SOAR, Azure Logic Apps, automated Playbooks

Compliance & ISMS

  • ISO 27001-conformant ISMS frameworks
  • Azure Policy, MS Defender for Cloud, MS Compliance Manager
  • Chef InSpec

Vulnerability & Risk Management

  • MS Defender Vulnerability Management, Qualys VMDR
  • Nessus, Metasploit, Kali Linux

DevSecOps & Automation

  • Kubernetes, Docker, Terraform
  • Secrets management and CI/CD pipelines with compliance checks
  • Infrastructure as Code (IaC)

Measurable results: compliance and response times optimized

The collaboration with PROTOS led to measurable improvements in the areas of detection, response, and compliance. Among other things, the following results were achieved:

  • Mean Time to Detect (MTTD) significantly reduced – thanks to automated use cases in SIEM, security-related events are now detected within minutes.
  • Mean Time to Respond (MTTR) significantly reduced – SOAR playbooks have reduced the response time to critical incidents from several hours to less than 2 hours.
  • 100% coverage of critical systems in SIEM – all KRITIS-relevant cloud and on-premise assets are centrally monitored and documented in an auditable manner.
  • Increased compliance transparency – automated policy and compliance checks enable continuous verification of ISO 27001 and GDPR requirements.
  • Reduction of false positives – optimizing detection rules significantly reduced the workload on IT teams and increased efficiency in incident handling.
  • Strengthening the security culture within the company – security has been firmly anchored in the organization through awareness workshops, DevSecOps integration, and the establishment of a Cloud Center of Excellence.

With PROTOS: Security that scales and remains secure

PROTOS has established a scalable, auditable cloud security architecture that reliably addresses KRITIS, ISO 27001, NIS2, and GDPR requirements. The combination of ISMS and compliance consulting, technological implementation (cloud and DevOps), and 24/7 SOC operations ensures faster detection and response, higher compliance security, and a sustainably anchored security culture.

"Working with PROTOS is not just a technical security project, but a decisive step toward future security for our customer. Together, we have created an architecture that meets today's regulatory requirements while laying the foundation for our long-term cloud and security strategy. What is particularly valuable is that PROTOS combines technological excellence with strategic understanding, enabling us to view cybersecurity as a continuous value-added factor," says Karsten Quellec, CTO & SOC Manager at PROTOS.

The project thus makes it clear that cybersecurity is not a one-time measure, but rather an ongoing process that PROTOS supports in a spirit of partnership, reliability, and foresight—technologically, organizationally, and personally.
