On the occasion of the 2022 pan-European cyber preparedness exercises programme, Cyber Europe, the executive director of the EU agency for cybersecurity (ENISA) warned that states must remain alert for cyber incidents and potential spillovers.
While ENISA already monitored about 300 cyber events in relation to the Russian aggression against Ukraine, apart from the Viasat attack, no incidents with a major impact have been reported to date.
“However, 100 of these events were spillover incidents, meaning they affected other countries as well,” Juhan Lepassaar, ENISA’s executive director, said in a press briefing on Wednesday (8 June).
Spillovers are also expected to increase in a cross-sector context – as a result, the next Cyber Europe edition might focus on cross-sector exercises. The idea behind these bi-annual exercises is to test organisations’ resilience and capability to respond to large-scale cyber events. Ultimately, this aims to ensure citizens’ trust in services and infrastructure.
This year, for the sixth edition, the Cyber Europe planners developed a scenario revolving around healthcare. These capacity-building activities are organised together with the member states and there is a wide variety of participants from public authorities and organisations designated as critical entities.
Testing the health sector’s preparedness
The scenarios, tested on Wednesday by 800 players, contained real-life inspired technical and non-technical incidents. These incidents could lead to major crises at different levels of the health sector – local, organisational, national and European. Business continuity plans and crisis management procedures were put to the test.
According to Lepassaar, these fictional exercises are also about how member states operate and coordinate during such events to prevent an escalation.
“Together with participants in member states, we draw conclusions, we adjust mechanisms and standard operating procedures at the EU and national level,” the agency chief explained, adding that the full impact of the exercises will not be known until much later – approximately in two years’ time.
Christian Van Heurck, ENISA’s head of cybersecurity training and exercises, pointed out that the situation is different in each member state and that they should report back on how things are going. “So that afterwards, we can create an after-action report with recommendations,” he said.
Ideally, the participants should also get in touch with various authorities and see where improvements are needed or what is going well already.
Potential outcomes of an attack
In the health sector, a successful attack might involve the stealing of health and patient data in order to coerce healthcare services into paying a ransom.
In Germany, in September 2020, there was a ransomware attack on hospitals following which numerous surgeries had to be postponed since the hospitals were unable to deal with their cases. In such circumstances, attacks can have an immediate impact on citizens’ welfare.
“At the end of the day, the goal is for society to be safe,” Lepassaar emphasised.
Referring back to the situation of war, the agency chief concluded: “Armies that take exercises seriously, that are able to admit mistakes and learn from them, are the more successful ones at maintaining the safety of societies that they protect.”
[Edited by Luca Bertuzzi/Nathalie Weatherald]