Analysing and interpreting the crisis proved to be the biggest challenge.
In recent years, more and more complex security incidents have occurred within education and research. The subject is therefore rising on the (administrative) agenda, and the media and politicians are also paying more and more attention to it. In order to grow as a sector in dealing with the complexity of technical challenges, the growing external attention and the administrative and political issues, the sector practises a cyber crisis every two years. This fits within the broader framework of integral security, and cyber security in particular, and is part of the agreements that the sector has made with the Minister and with each other.
This OZON exercise increases the resilience of (higher) education, research and care institutions and SURF. Institutions experience how they work together in the event of a national cyber crisis. Participating institutions could also add their own organisation-specific objectives to the exercise.
Fictitious threat - the setup of the exercise
During OZON, participants at the Gold and Silver levels (see box) were confronted with an attack from Guilder, a fictitious country on the edge of Europe. This dwarf state, with a dictatorial regime that seeks EU membership, has two major IT players: a large cloud service provider and one of the world's largest producers of network hardware. Dutch educational and research institutions use their services and products in large numbers. For political reasons, relations between the Netherlands and Guilder have been strained for several years. The exercise started at 9 a.m. when a memo from the Ministry of the Interior and Kingdom Relations (BZK) about the increasing threat from Guilder arrived at all the colleges. BZK advised disconnecting hardware from that country and starting the exit scenario for software from Guilder.
Success factors and learning points
Soon after the start of the exercise, mutual cooperation through existing channels turned out to be good. Outside these channels, contact was slower or non-existent. Participating institutions, for example, were reasonably active on the SCIRT and SCIPR lists, the mailing lists of the security communities of operational and policy staff involved in security and privacy respectively. In order to arrive at a shared picture of the crisis, the education umbrella organisations in turn activated the necessary bodies (integral security, Data Management Officer consultations, Coordinating SURF Contacts (CSC), administrative consultations and spokespersons' app groups), more quickly and more fully than in previous exercises. They also sent out several joint press releases. Although there was certainly joint coordination at certain levels, at the start of the crisis, when a great deal was still unclear, participants first tried to form their own picture. Only then did they contact fellow organisations.
Analysis of the crisis proves to be the biggest challenge
Analysing the crisis quickly proved to be the biggest challenge because of the enormous amount of information and because the impact of the crisis varied from institution to institution. As a result, participants struggled to understand exactly what was going on within their own institution and to compare it with the impact at sector level. Because the impact of the attack did not become clear at all institutions at the same time during the exercise - as in a real crisis - there was a great deal of enquiry about cases at fellow institutions. Where image forming and judgement within the individual institutions subsequently did not run smoothly, this led in some cases to wrong decisions and poor internal coordination.
Since the first OZON exercise, many more institutions have drawn up official crisis procedures for a cyber crisis.
Crisis procedure on standby more often
A positive point from the evaluation is that since the first OZON exercise, many more institutions have drawn up official crisis procedures for a cyber crisis. That has an effect, as the exercise showed. However, it turned out that relevant staff members were not always familiar with these procedures, which led them to improvise during the exercise instead of checking what the procedure prescribed. A final outcome concerned the lack of manpower at the technical level, as a result of which various institutions had difficulty solving this aspect of the exercise. In order to achieve a higher level of security - 100% security does not exist! - consistency between all elements is essential.
All in all, the players rated the exercise an 8 (very good), and 95% of the participants said they would participate in the exercise again and recommend it to colleagues. The extensive 'worldbuilding' (newspaper clippings and four websites to bring the fictitious parts of the scenario to life) was particularly well received by the participants. The exercise preparers of the participating institutions are also positive about the exercise: they report that they achieved almost all of the exercise objectives set in advance. Most institutions that also participated in OZON in 2016 and/or 2018 saw many improvements in their internal crisis management compared to those earlier exercises.
Institutions that participated in previous years saw many improvements in their internal crisis management. And that has an effect, as the exercise showed.
4 recommendations for board members
Based on the evaluation, 4 recommendations have been formulated - in collaboration with SURF - specifically for board members of institutions, to take the approach to a cyber crisis within their institution to a higher level.
When incidents and crises affect multiple institutions, SURFcert already has a clear role at the operational level as regards coordination and knowledge sharing. There is also often good collaboration at strategic and tactical level. But in order to coordinate a major crisis properly at national level, it is necessary to make the responsibilities of the umbrella organisations, the Ministry of Education, Culture and Science, and SURF even more explicit. People within these organisations who normally play a liaising role now appeared - understandably - to be too preoccupied with the crisis within their own organisation to take on a more coordinating role. The roles and tasks of these parties in this type of crisis were not yet entirely clear.
Good image forming, judgement forming and decision making (in Dutch: the BOB procedure, for beeldvorming, oordeelsvorming and besluitvorming) are major challenges in any crisis. This applies to an even greater extent in a cyber crisis, because what exactly is going on can remain invisible and elusive for a long time. Sufficient knowledge is therefore required within the central crisis management team and at the operational level to interpret the situation. In addition, it is important to continue practising and applying the BOB procedure. SURF can organise joint sessions and training sessions on these topics, as we did after the 2018 OZON exercise. But specific training sessions for their own crisis structure will have to be organised by the institutions themselves.
Many institutions now include cyber crises in their central crisis management procedures. However, there is still a great need for material to improve procedures and tools. The exchange of best practices is therefore an important recommendation. SURF can meet this need by facilitating knowledge-sharing with the SCIRT and SCIPR communities.
Two outcomes underline the importance of continued practice: firstly, that relevant staff often do not know the existing procedures and therefore do not follow them, and secondly, how difficult it is to analyse a crisis properly. Large-scale exercises such as OZON help to raise awareness and to live through the entire crisis process. Smaller exercises in between, such as tabletop exercises like NOZON and operational exercises like SURFcert's Capture the Flag, also remain essential. SURF and SURFcert will continue to organise these exercises.
In summary, we can conclude: cyber crisis management knows no quick fixes and requires structural (board level) attention.
Text: Wilma Schreiber
OZON at a glance
OZON, the biennial sector-wide cyber crisis exercise, has grown to include some 1,000 participants from 40 educational/research institutions at Gold or Silver level and another 22 at Bronze level. A major difference from previous editions was that many people participated from home this time due to the coronavirus restrictions. The Bronze exercise was also evaluated from an organisational point of view, but due to the small-scale nature of that exercise, it did not provide any learning points on substantive crisis management. That is why the evaluation only concerned the Gold and Silver levels of OZON 2021. More information at www.surf.nl/ozon2021.