On 20 and 21 September 2021, the Kuratorium Sicheres Österreich (KSÖ, Austrian Security Board) together with the AIT Austrian Institute of Technology, organised the first transnational cyber security simulation game in which the defence against cyber attacks was realistically simulated in hybrid form by participants from Austria, Germany and Switzerland (DACH region). The training focused on technical and communication processes, providing valuable learnings which can be applied in the case of emergency.
Whether for companies, public authorities or other types of organisation, although the process of digitalisation and networking opens up many new opportunities, it also opens up the gateway to increasing numbers of new threats, such as data theft, hacker attacks and cyber extortion using ransomware. Cyber threats have now become one of the greatest business risks. IT system breakdowns not only cost time, money, reputation and nerves, but can also lead to production downtime in factories or infrastructure failure. These, in turn, can destabilise society and may even have life-threatening consequences. The KSÖ sees it as one of its tasks to work in partnership with business, administration, science and politics in order to strengthen cyber security.
Many companies and organisations prepare for such attacks by drawing up plans and processes outlining how to react during critical situations. In order to train how to deal with these threats in a realistic setting, the KSÖ and AIT Austrian Institute of Technology again organised a cyber security simulation game – a transnational cyber security exercise involving participants from Germany, Austria and Switzerland working together to overcome cross-border challenges. The simulation game focused on cyber-physical and associated information measures.
Eight teams joined forces to fight cyber attack
This exercise on 20 and 21 September 2021, held at the Raiffeisen Forum in Vienna and with Swiss and German participants joining online, brought together a diverse range of technical and strategic players, observers and multipliers to tackle a highly current conflict situation. As in 2017, the joint exercise funded by the Austrian Federal Ministry of the Interior (BMI), and supported by Raiffeisen Holding Lower Austria & Vienna, UNIQA Österreich Versicherungen AG, and the Enterprise Training Center (ETC) as sponsors, was once again very well received by the participants. Taking as their motto ‘train as you fight’, the eight competing teams in Vienna, together with a national coordination structure for cyber security (IKDOK/OpKoord), and the partners from the Swiss National Cyber Security Centre (NCSC) and the German Federal Office for Information Security (BSI), demonstrated their abilities in a challenging scenario.
Training in a state-of-the-art IT simulation environment – the AIT Cyber Range
This threat scenario was created by experts at the AIT Cyber Range, a flexible IT simulation environment designed for cyber security exercises. The AIT Cyber Range is used to realistically simulate IT infrastructures and communication processes, so that participants can learn how to detect and defend against a variety of different forms of attack. They can practice coping with cyber attacks and extreme situations even in highly critical infrastructures, something that would not be possible in the real world due to security or cost reasons. As a result, structures and processes can be analysed and sources of error identified, so that the interaction between consequences and actions as well as reactions can be understood both safely and transparently.
It is often the case that a situation needs to be played through before it becomes clear which cyber attack defence skills an organisation is lacking. The AIT Cyber Range is also used by the International Atomic Energy Agency (IAEA) as a training environment to ensure a high level of cyber security in critical parts of nuclear power plants. In Austria it is also used for major exercises which simulate cyber crises – analogous to conventional major exercises in crisis and disaster management.
Exercise scenario: Attack on a pharmaceuticals company
The exercise scenario at this year’s KSÖ cyber security simulation game was a fictitious international pharmaceutical company with a key role in fighting a pandemic which is subject to cyber and information-focused attacks in order to disrupt its business activities.
The participants took the roles of technical operatives at the pharmaceutical company and strategic players, and were given two tasks to fulfil: firstly, to use the AIT Cyber Range in order to practice detecting and defending against these attacks, and secondly, to practice communication and coordination with the relevant public authorities and contact partners in this scenario.
Decision makers and multipliers were also able to take part in the simulation game in an observers programme which was also run online.
Franz Ruf, Director General for Public Security at the Federal Ministry of the Interior, visited the 2021 KSÖ cyber security simulation game and was positively impressed by the cooperative nature and effective outcome of the exercise: “Exercises such as these help us to coordinate the processes involved in defending against cyber incidents across national borders, and to manage communications in cases of emergency.