The TEUTOBURGIUM security review
How well armed is ETH Zurich against cyber attacks? The TEUTOBURGIUM security review reveals strengths, but also critical gaps. Find out what insights were gained and how they are shaping the information security strategy.
The IT landscape at ETH Zurich is very heterogeneous, and responsibilities are distributed in a decentralised manner. In view of increasing cyber threats, the TEUTOBURGIUM security review aimed to assess the capabilities of all ETH stakeholders in dealing with cyber attacks and to derive measures for improvement.
Purpose and objective
The review was intended to provide an ETH-wide overall picture of technical, procedural and organisational weaknesses. The results serve as the basis for a sub-strategy «Dealing with cyber attacks» within the information security strategy. In addition to the analysis, the review was meant to allow concrete proposals for measures to be derived.
Test modules
Participation was voluntary. The participating organisational units (seven departments, parts of the central IT Services and one department of the central bodies) were invited to actively help shape the scope of the test modules that related to them:
- Vulnerability test module – technical tests (so-called pentests) to identify intrusion vectors and vulnerabilities in departments and central bodies
- Readiness test module – interviews and crisis team exercises to assess organisational and procedural preparation and response capability
- Self-assessment test module – supplementary self-assessments for units not audited by the external company Infoguard, to allow ETH-wide comparability
Results
The results from TEUTOBURGIUM were presented to the Risk Management Committee in May 2025 and have been incorporated into the information security strategy. The results show:
- how good the technical protection against cyber attacks is at ETH as a whole
- how well ETH is prepared
- whether ETH is able to respond appropriately to successful attacks that could cause significant damage
Challenging framework conditions
Research universities, including ETH Zurich, are an attractive and rewarding target for attackers. Particularly noteworthy are (economic) espionage and proliferation as well as blackmail and sabotage[1].
It is evident that ETH Zurich, with its very heterogeneous IT landscape, tends to be more difficult to defend than institutions with a tighter organisation. It also remains to be seen whether
- the cyber skills shortage will make it more difficult to recruit replacements for retiring employees, and
- the use of artificial intelligence to perfect cyber attacks will force ETH to develop its security measures more clearly and systematically than before
Key findings from TEUTOBURGIUM
- ETH has proven strengths; however, these will not be sufficient to adequately counter future cyber threats
- A lack of framework conditions makes it difficult to manage information and IT security consistently and systematically
Conclusion and outlook
The lack of framework conditions (security gaps) will be analysed and classified. Finally, due to the considerable knowledge gained and extraordinary interest, TEUTOBURGIUM is to be extended to the remaining organisational units where appropriate.
Contact
Cyber and Information Security division (CISEC) of IT Services and the CISO of ETH Zurich
[1] Assessment based on the Prophylax awareness programme of the Federal Intelligence Service and other sources → Akademische Welt im Visier, Spionage und Proliferation im akademischen Bereich (Academic world in the spotlight, espionage and proliferation in the academic sphere), December 2022, Federal Intelligence Service FIS, accessed on 5 January 2024


