Increased OES preparedness, through PHOENI2X Cyber Range -enabled realistic scenario assessment & training

Fysarakis Konstantinos, PhD; Chief Technology Officer; Sphynx Analytics Ltd, Cyprus

As ENISA’s recent Threat Landscape reports highlight, sophisticated and targeted attacks in critical domains (e.g., energy, healthcare) are on the rise, with hybrid threats, i.e., threats combing both the cyber and the physical domains, becoming more common. 

As a response to these shifts in the threat landscape, EU Member States and their Operators of Essential Services (OES) are now forced to have a minimum baseline set of cybersecurity capacities, while also supporting cross-border coordination and cooperation, owing to the NIS Directive (2016/1148) and the more recent introduction of NIS2 (i.e., an update to NIS imposing stricter requirements upon OES, and even third parties, like their subcontractors & service providers, while increasing the number of sectors classified as OES from 19 to 35).

However, managing systemic and complex cyber risks continues to be a difficult task. This difficulty is exacerbated by the increased sophistication and motivation of threat actors, often state-sponsored, who carry out increasingly targeted and persistent attacks on highly valuable data by taking advantage of the inescapably growing interconnectedness of various systems and networks.

Lack of security training & awareness is another aspect that makes OES more vulnerable, as often users can’t quickly recognise security-relevant information & incidents, allowing threat actors to successfully carry out their attacks. This insufficient knowledge of security procedures and the lack of overall security awareness across different types of employees – even within OES – is being highlighted in a number of studies (e.g., for the healthcare [1] and energy [2] sectors). This, combined with the rapid technological advancements (e.g., 5G, the Internet of Things – IoT) that transform all OES domains (and our societies, overall), provide fertile ground for various threat actors (sophisticated or otherwise) to carry out successful attacks that may significantly damage tangible and intangible assets.

Further, even the shifting regulatory landscape noted above, albeit towards a positive direction for the European cybersecurity posture, also adds a learning curve and additional complications to the day-to-day activities of organisations that fall under the provisions of NIS2.

Considering the above, Cyber Ranges emerge as a promising hands-on training solution to impactfully train people within organisations on cyber-security aspects, thus providing an effective & efficient mechanism to manage the associated risks. 

Yet, to be effective, cybersecurity training should be tailored to the different environments and trainee types, while gained knowledge should be validated to provide evidence of said effectiveness. To accomplish that, modern training strategies are not only limited to learning software and hardware skills, but also include training to understand actual cyber security threats, along with resistance-training techniques. However, training must also be adaptable to the changing needs of target domains, user behaviour, and the changing threat landscape, to ensure it remains relevant [3].

The above have all been key considerations when designing the relevant components of the PHOENI2X framework. In our first PHOENI2X blog post, and our latest position paper [4], we analysed how, by adopting a recently-released Blueprint for Collaborative Cybersecurity Operations Centres with Capacity for Shared Situational Awareness, Coordinated Response, and Joint Preparedness [5]. Regarding the latter, i.e., increased Preparedness, PHOENI2X will provide realistic scenario assessment & training capabilities, through the integration of a Resilience Cyber Range (RCR). More specifically, the RCR will be exploited in two ways: 

  1. to provide a realistic assessment of the effectiveness of the different types of Resilience Playbooks (RPs), including Business Continuity (BC) & Incident Response (IR) playbooks, as well as an assessment of RCR-only, hypothetical (what-if) Business Continuity Scenario (BCS) and Incident Response Scenario (IRS) Playbooks, to drive the improvement of existing and definition of new BC and IR strategies and assist in decision-making, and; 
  2. to provide hands-on training and assessment of preparedness of OES staff on the various defined RPs, in a realistic, interactive environment, mirroring the actual cyber systems that the RPs are designed for and executed on. 

To enable the above, the RCR will integrate cyber system emulation (e.g., for creation of virtual cyber system components) and simulation (e.g., for synthetic events generation) capabilities, along with supporting features, such as RPs to training RCR scenarios translation, a GUI for monitoring and participating in the executed scenario, and RP effectiveness and trainee performance assessment methodologies and tools. 

As baseline for the RCR, the in-house CR of SPHYNX (see Figure 1) will be used, but alternatives, such as the CR developed in the context of the THREAT-ARREST project, could also be explored.

A screenshot of a computer

Description automatically generated

Figure 1. Screenshot of the Sphynx Cyber Range tool; a key PHOENI2X preparedness-building enabler.

The SPHYNX Cyber Range tool can offer cyber security training that covers a comprehensive spectrum of known and emerging security and privacy threats and is tailored to the particular security and privacy risks of different organisations. Key innovative features of our Cyber Range platform that make it a good fit for PHOENI2X include: 

  • Delivery of cyber range exercises for different assets (and combinations of assets) of an organisation, and particular types of security and privacy threats, vulnerabilities, and risks identified for them;
  • Support for asset emulation and simulation at different layers of the implementation stack;
  • Model-driven customisation of cyber range exercises.

Furthermore, Serious Games will be included in the PHOENI2X preparedness suite, for training that specifically targets the human factor (typically the weakest link in security). These serious gaming capabilities will support the RCR, focusing on the Training & Awareness (T&A) of employees on different cyber-attacks, threat elicitation, and for improving organizational defences that depend critically on human factors (e.g., social engineering, phishing attacks). The Serious Games capabilities of PHOENI2X will be analysed in a future blog post.

A screenshot of a computer screen

Description automatically generated

Figure 2. The Preparedness enablers (highlighted in red) within the conceptual architecture of PHOENI2X CRCs.

In tandem, the above will be important enablers within PHOENI2X CRCs (see Figure 2) in order to address the root cause of certain incidents (e.g., very frequent triggering of incident response processes attributed to phishing attacks, ultimately improving the security posture of the OES, as well as their capacity to adopt and comply with the latest regulatory requirements for collaboration & coordination in response to cyber threats.

References

  1. He Y, Aliyu A, Evans M, Luo C. Health Care Cybersecurity Challenges and Solutions Under the Climate of COVID-19: Scoping Review. J Med Internet Res. 2021 Apr 20;23(4):e21747. doi: 10.2196/21747. Erratum in: J Med Internet Res. 2021 Apr 28;23(4):e29877. PMID: 33764885; PMCID: PMC8059789.
  2. Georgiadou, A., Michalitsi-Psarrou, A., & Askounis, D. (2023). A security awareness and competency evaluation in the energy sector. Computers & Security, 129, 103199.
  3. I. Somarakis, M. Smyrlis, K. Fysarakis, and G. Spanoudakis, “Model-Driven Cyber Range Training: A Cyber Security Assurance Perspective,” in Computer Security, 2019 pp. 172–184. 
  4. Fysarakis, K., Lekidis, A., Mavroeidis, V., Lampropoulos, K., Lyberopoulos, G., Vidal, I. G. M., … & Koufopavlou, O. (2023, July). PHOENI2X–A European Cyber Resilience Framework With Artificial-Intelligence-Assisted Orchestration, Automation & Response Capabilities for Business Continuity and Recovery, Incident Response, and Information Exchange. In 2023 IEEE International Conference on Cyber Security and Resilience (CSR) (pp. 538-545). IEEE.
  5. Fysarakis, K., Mavroeidis, V., Athanatos, M., Spanoudakis, G., & Ioannidis, S. (2022, December). A Blueprint for Collaborative Cybersecurity Operations Centres with Capacity for Shared Situational Awareness, Coordinated Response, and Joint Preparedness. In 2022 IEEE International Conference on Big Data (Big Data) (pp. 2601-2609). IEEE