In the week of 25 till 29 September the fourth Cyber Security Week (CSW) was hosted in The Hague. The CSW is an annual weeklong event that is held simultaneously with the Europol - Interpol Cybercrime Conference. These events have the objective to gather key players in the cyber security community to discuss the latest developments and share knowledge and innovations. This year, international and national organisations – telecom, hospitality, tech companies, embassies, governmental departments, consultancies etc. – send representatives to CSW.
On 26 September, our Cyber Crisis Simulation team, for that day Ronald, Stijn, Max, Wouter and myself, hosted three successful runs of the Crisis Simulation Game for Industrial Control Systems for the Cyber Security Week at the The Hague Security Delta campus and at the KPMG office in The Hague.
‘Cyber security is a hot topic’, was an often heard phrase throughout the day. As it should be! Business and critical systems are increasingly digitalised, networked and distributed introducing multiple cyber risks, but also opportunities. Organisations can gain an advantage when cyber risks are addressed by all stakeholders and incidents are met with strategic, operational and tactical responses. This lesson and experience is what we offer to both executive management and operational staff with the Crisis Simulation Game. The simulation is developed using a realistic cyber defense training environment including various industrial and financial simulations to help our clients deal with these risks. The training environment contains all components that you expect in an operational environment for the energy sector (think: oil, gas and electricity), water sector, transportation and manufacturing sector.
In the first two runs at the The Hague Security Delta campus, two teams received the keys to their own brand new energy generation factory, complete with fuels train boiler and steam turbine. Objective: make profit, earn more money than your competitor, do it safe and… keep it running. What could possibly go wrong?
The tasks were divided: a management team with a floor manager, factory manager and commercial manager was in charge of the operational staff, safety and making profits. The factory was fired up and energy was produced from gas. Things seemed to be going well for a while, but soon the teams found that they were not the only ones controlling the environment. The emergency lights started flaring, a hacker was found in company clothing carrying a USB-stick and then: ransomware! There were heated discussions and press statements were made on the spot. Meanwhile, people were pushing away intrusive journalists, giving each other commands and clicking on valves to prevent their factory from shutting down. Others were trying to calm down ‘authorities’ whilst being flooded with decision cards and meanwhile figuring out what possibly had gone wrong...
Though this game is particularly used to train people working in industrial or financial environments, it is also relevant for a broader public. Participants of the simulation are challenged on being well informed and thorough in decision making to mitigate incidents or prevent them, and keep their industrial control systems running. That is exactly what our participants experienced today. They realised that this can be adapted to their own sector. In the third run at the KPMG office in The Hague we held a walkthrough of the environments and explained the logic behind it, gave a demonstration of what hacking looks like and translated the risks of our industrial environment to situations that can occur in telecom or governmental organisations. Besides that, we motivated a very enthusiastic student to pursue a career in cyber. Cyber is a hot topic that needs to be addressed, and the people we met at CSW know how to find us to assist in that.