IAEA Regional Training Course on Computer Security for Instrumentation and Control System for Nuclear Facilities
As part of an ongoing cooperation between the International Atomic Energy Agency (IAEA) and the AIT, the appointed IAEA Collaborating Centre for Information and Computer Security for Nuclear Security, the AIT hosts an annual week-long training course at its training premises in Vienna. The course focuses on the cyber security of industrial control systems found at nuclear facilities and at facilities associated with radioactive materials, such as hospitals and research facilities. Several topics are addressed in the course, including security requirements analysis, defensive computer security architectures (i.e. defence in depth), and technical vulnerability management.
The course has a strong hands-on component, with the participants conducting exercises on representative equipment that can be found in nuclear facilities, such as Programmable Logic Controllers (PLCs) and access control systems. Additionally, AIT is executing a technical contract with the IAEA to develop several hands-on exercises that make use of the AIT Cyber Range, to enable remote participants to conduct exercises on representative virtualized systems.
The KSÖ Cyber Security Exercises 2017 and 2021
On two occasions, the AIT has been the technical implementing partner for a national cyber security exercise that is organized by the Kompetenzzentrum Sicheres Österreich (KSÖ). These technical exercises used the AIT Cyber Range and aimed to support cooperation between critical infrastructure operators and national authorities in Austria, such as the national CERT and the various ministries that have obligations with respect to national cyber security. In 2017, the scenario that was executed related to cyber-attacks on an electrical energy distribution system, whereas the scenario in 2021 focused on the pharmaceutical sector (in relation to the Covid-19 pandemic). In both cases, representative systems were developed and deployed on the AIT Cyber Range, namely a Distribution System Operator (DSO) infrastructure and a vaccine refrigeration system.
The exercise was undertaken by eight teams that played the role of a CSIRT at a fictitious organization, with obligations both to their organization and to national authorities, such as those arising from the General Data Protection Regulation (GDPR) and the Network and Information Security (NIS) Directive. Upwards of 100 people attended both events. Furthermore, this training was organized as the first transnational cyber security simulation exercise in which the defence against cyber attacks was realistically simulated in hybrid form by participants from Austria, Germany and Switzerland (DACH region).