Lessons From Cyber Attack Simulation

Cyber attack simulation can provide key lessons for preparedness and response.
Published: Fri 15 May 2015

Brought to you by:


Cyber attacks are growing in number and increasingly targeting energy companies, but how will you and other members of your organization react in the event of an attack?

In an Engerati webinar, Klaus Kursawe, chief scientist at the independent, industry sponsored European Network for Cyber Security (ENCS), outlines a cyber attack simulation, which has now been presented to more than a dozen organizations. [Engerati-Ready For Battle: Lessons Learnt From A Cyber Attack Simulation On Critical Systems] With him are representatives from the Dutch distribution utility Alliander, which was a recent simulation participant.

Cyber attack simulation

“Security is possible but it costs money,” says Kursawe, continuing that the aim of the simulation is as realistically as possible over a 4-day period, to provide hands-on training and experience of a cyber attack.

The first two days are devoted to theory, followed by an approximately 8-hour attack and defence on the third day. A debriefing is held on the fourth day. Normally there are about 30 participants who are divided into two teams – approximately one-quarter into the Red team of attackers whose task is to break into the systems and three-quarters into the Blue team of defenders whose task is to keep the operation and its systems running. Overseeing them – and introducing restrictions – is a simulated “corporate headquarters.”

“It is an open exercise in which participants can use their creativity to solve problems,” says Kursawe. “There are recommended procedures but if people can find new attack or defence solutions, these are possible.”

The broad goals are on the one hand to provide awareness of how an attacker thinks and acts and on the other of what it is like to be attacked, and Kursawe cites these as the main values of a simulation. “The main value is not the technical knowledge gained but what an attack looks and feels like and how individuals and management react when under attack.”

Learnings from cyber attack simulation

Kursawe cites several key takeaways he has gained from the simulations:

• Creativity is important, both in the training and in the company setting. There are things one cannot easily do in the corporate setting, but there are other ways towards the same goal.

• Communication is hard to maintain, even in a friendly environment, and especially between IT and OT and with management.

• System knowledge is lacking, and typically at the end of the game, the red team has a better system map than the blue team.

Alliander’s lessons from cyber attack simulation

Walter van Boven from Alliander’s IT division and a member of the company’s management, was a Blue Team participant in the simulation. Among the takeaways from the exercise he cites the insights and knowledge gained, and the importance of people and communications skills in managing the team.

“As a result, we are spending more time on training, both on technical aspects as well as on managerial skills.”

Erwin Kooi, who was a Red Team participant, says that participating in a simulation was quite different to hearing it being talked about. His biggest surprise was how far attackers could penetrate the system.

“Instead of just defence, we are now focussing more on our cyber detection and response capabilities, which has also required a different skillset.”

All agreed on the importance of the “human element” in responding to a cyber attack. While the tools are important so too is knowledge, skills and communication, as well as inter-company team relationships, particularly between IT and OT.