On 13 and 14 October last year, EBRC and other Luxembourgish and European stakeholders were confronted with the biggest cybercriminal attack ever simulated. The exercise, which was coordinated across the continent, focused on strengthening cooperation between businesses and the authorities in the context of a global cyber-threat.
The scenario is a real thriller. Business tycoons in faraway countries intend to eliminate their competitors in the telecom and cloud space and orchestrate a cyber-attack on the scale of the entire European Union. By attacking their infrastructure, they hope to decrease their market valuations and... to buy them at a lower value. Several European operators, including key players in Luxembourg, are simultaneously targeted by DDoS attacks. False information against them is propagated via the media and social networks. Traditional communications channels are undermined. Drones target the Data Centres... Those are only some of the threats that the teams of EBRC and other European stakeholders, telecom and cloud providers and public authorities had to face. This hyper-realistic exercise of unprecedented scale was organised by ENISA, the European Union Agency for Network and Information Security.
Testing the necessary coordination to face major attacks
"Since 2010, every two years, an exercise takes place across the continent. As an operator and manager of critical infrastructures in Luxembourg, EBRC had a special interest in this initiative. Such an exercise is a unique and comprehensive opportunity to test our responses in the event of major attacks and to ensure the necessary coordination between stakeholders and authorities when dealing with such threats", says Lionel Dupré, CISO of EBRC. Of course, the Luxembourg cloud provider and leader in the field of managing sensitive data already schedules internal exercises to strengthen and continuously adapt its responses to threats. But opportunities to put itself to the test in a broader context are rare and therefore very valuable: "For us, it's crucial. Security is essentially based on risk analyses, on the implementation of countermeasures, the detection of incidents and appropriate responses to them", explains the CISO. "We strive to constantly improve our security, and it is essential to evaluate our reaction to coordinated attacks that far exceed the scope of EBRC alone: we have to challenge ourselves when our back is against the wall, in the most realistic crisis scenario."
Security is essential
Synchronisation is paramount
In our digital economy, interdependencies are very common. So how should we react when cybercriminals organise and regroup around clear mission goals that they try to achieve with complex attacks simultaneously targeting interdependent stakeholders? "Responding to such attacks demands synchronisation between the different stakeholders at the state level and, in this particular case, at the European level. If everyone remains isolated, it is impossible to be aware of peripheral effects and to coordinate an appropriate response. The exercise designed by ENISA aims at strengthening the coordination among stakeholders dealing with these threats under the motto 'stronger together'", says Régis Jeandin, Head of Security Services at EBRC. The scenario considers various forms of attack to produce a response but also to test the resilience of an ecosystem. "The test demonstrated that EBRC has an excellent response capacity. However, the point of the exercise is beyond answers that we can provide as individual players. In many cases, we acted as if an attack could occur despite our protections that usually prevent it. We also tested the coordination that is necessary to deal with this kind of crisis", says Lionel Dupré.
Highlighting potential for improvement
The most elaborate exercise in the world was particularly thorough. The teams really broke a sweat. "We were confronted with a cyber version of September 11, a race against time where each step mattered to fight off waves of successive and coordinated attacks. We engaged thoroughly with it and chose to react by involving all of our resources, mobilising all departments, from safety via marketing and legal to financial services... We lived through this exercise as a genuine crisis. Our CERT was constantly in touch with GovCERT, the ANSSI, and representatives of the 28 member states that were ready in the 'situation room' of ENISA in Athens. To respond to an attack of such magnitude, the implementation of our crisis unit allowed us to react effectively. Ongoing communication with other European units allowed us to coordinate our own management of the crisis: it was important to communicate without delay with the right people, the authorities, the media, to deliver the right messages... while ensuring the reliability of those we contacted", adds Régis Jeandin.
EBRC can rest assured of the robustness of its security. Its teams played the game thoroughly even though, in many ways, EBRC is by its nature already "immune" against such attacks. Faced with this disaster scenario, the exercise revealed areas with potential for further optimisation. "This is the whole point of this kind of large-scale exercise. Even if we are able to address many issues at our own level, we have to test and to understand how we would react if we had to face all of them simultaneously, in short intervals, and if they affected more than just EBRC's infrastructure. We need to know how we could contribute to the recovery of activities of an entire continent after suffering such attacks. The current context encourages us to coordinate even more with all the stakeholders involved in cyber security. In this area, nothing should ever be taken for granted, and we have to constantly remain alert to strengthen and safeguard the quality of our services as well as our reputation", concludes Lionel Dupré.