Business Simulations Help Alliander Get Cyber-Ready

Business simulations of real world cyber attacks in controlled environments make sense for critical infrastructure.
Published: Wed 27 May 2015

Serious gaming and business simulation are becoming an increasingly normal part of the business vernacular, particularly when it comes to complex and critical systems.

While serious games allow you to use gaming platforms to simulate complex environments like skyscraper evacuations, they are also being used increasingly to simulate the effect of critical failure in a controlled environment.

In the utility world as IT and OT are increasingly driven together there is a need not only to predict and safeguard for technology vulnerabilities but to simulate how these differing departments will react from a human perspective, i.e. how they would come together or collide to react to the crisis, as well as to validate that security measures have been implemented correctly.

One utility that has done exactly this is Alliander, a Dutch distribution network operator. Alliander took part in a specially constructed business simulation by the European Network for Cyber Security (ENCS), which created collisions between operational and IT management and technology in a simulated cyber attack. [Engerati-Ready For Battle: Lessons Learnt From A Cyber Attack Simulation On Critical Systems]

Being cyber ready is about people

“The security industry is very much tools focussed but these only help up to a certain point. You need people to operate them and you need good relationships between these people,” says Erwin Kooi from Alliander’s IT division, who was an attack team member in the simulation.

Kooi says the simulation built a better understanding between IT and OT, and following the simulation Alliander is now spending more time on building understanding and trust between the various teams in the company.

Walter van Boven, also from Alliander’s IT division and a member of the company’s management, who was in the defending team, says communications is key in working in a team and maintaining oversight in responding to an attack. “As a result, we are now spending more time on training, both on the technical aspects as well as on managerial skills.”

Lessons from cyber attack simulation

Other takeaways that were gained by Alliander from the simulation include:

  • The sense of realism a simulation presents, very different from hearing or talking about it

  • The ease with which systems may be hacked, e.g. through phishing email, and how far even relatively inexperienced hackers can penetrate

  • More in-depth knowledge and insight into security risks and vulnerabilities

  • Better understanding of the tools available for both hacking and defending

  • The need for greater focus on cyber detection and response, in addition to defence, with the additional skillsets these require.