A research team from the Norwegian University of Science and Technology (NTNU) recently conducted a crisis management exercise to assess how best to equip both public and private sectors against cyber-attacks.
What did the exercise entail?
The exercise was conducted at the Norwegian Cyber Range at NTNU in Gjøvik. Participants were told that a comprehensive cyber-attack had been carried out on one of the largest organisations in central Norway.
Experts were called to contain the security breach; failure would mean that hypersensitive information had fallen into the wrong hands. Those involved in the experiment worked under pressure from this fake scenario in an attempt to stop the imaginary hackers.
The exercise was based on a real incident, and the roles in the game were portrayed by students in the master’s degree programme in Information Security, exchange students, a PhD candidate, and a post-doctoral fellow. The roles of the Norwegian Police Security Service (PST), the press and impacted entities were performed by representatives from Innlandet’s county governor office, the Armed Forces, NTNU and Innlandet Hospital.
Grethe Østby used this exercise as a part of her doctoral dissertation, where in which she investigates the attention generally given to informational security in society.
Additionally, Østby also assessed the capabilities of both Norwegian and Nordic emergency organisations in handling disasters in the event of information security incidents; emergency response organisations, such as municipalities, county governors and emergency services, have identified emergency response duties in society.
“In other words,” commented Østby, “I look at what responsibility the leaders in these emergency preparedness organisations have in such incidents. I do this by measuring organisational maturity, how previous incidents have been handled, what risk assessments have been done and what contingency plans exist.”
What does this mean for future cyber-attacks?
Researchers have stressed that cyber-attacks could happen at any time; work at the Norwegian Cyber Range plays a crucial role in facilitating both internal and external actors to train in how to handle real cyber-attacks.
Østby emphasises that expertise in cyber security is key, and with this in mind she also examined exercises that are important for enhancing maturity by considering factors like structure, culture, and methods. These aspects translate into organisational structure, the information security culture that exists, and what security methods are employed in the organisation.
“Just look at the recent cyber-attack in Østre Toten municipality. Data was stolen from the municipality, and sensitive personal information was hacked. The municipality’s ability to collect income due from residents was impacted for a long time as well,” said Østby.
Will these scenarios be practiced with real organisations?
The research team intends to conduct the cyber-attack scenarios with real organisations in 2022. “Now we’re planning and testing the various exercises for students and emergency response organisations,” Østby concluded. “For the students, we want to incorporate exercises as part of their leadership classes. For organisations, we carry out analyses as well as exercises like the full-scale scenario we ran in October. We’ll compile and evaluate the results before finally presenting the study in academic articles and the doctoral dissertation at the end of January 2023.”