Words: Jan Michielsen, SURF
It’s an ordinary day at the office for you as an ICT administrator. Suddenly you see that the mail server is handling a lot of traffic. What’s going on? Then the printer server breaks down. The first emails from worried employees and students appear in your inbox. This is no ordinary malfunction. What to do? Who are you going to involve?
This is how OZON starts for the average participant. OZON is a large-scale cyber crisis exercise that takes place once every two years. Educational and research institutions from all over the Netherlands then practice for one day to manage an ICT crisis. SURF took the initiative in 2016. Project manager Charlie van Genuchten: “We noticed that our affiliated institutions wanted to give more attention to cyber crises. The ultimate goal is to make the education and research sector more resilient to cyber crises, operationally, tactically and strategically.”
Pictures: Anita Polderdijk (left), Charlie van Genuchten (right)
Strength of collaboration
Of course, any institution can organise such an exercise for itself, but the power of OZON is precisely that institutions do it together. Charlie: “In OZON we can practice how the escalation of a crisis goes across sectors. How do fellow institutions react if all hell breaks loose at one institution? Who will be involved, who will communicate with whom, how will they work together? In addition to 57 institutions, a number of educational umbrella organisations also participate. And the Ministry of Education, Culture and Science will also participate in the coming edition.
One does not organise such a big exercise just like that: preparation starts more than six months in advance. Charlie: “We start thinking about the scenario. What kind of disaster is going to happen? Which systems and processes will be affected? We also come up with the content of the media simulator: news and social media reports are placed there during the day, which makes communication workers and press officers sweat.”
Coming up with your own story
It is not only SURF that is busy preparing, the participating institutions also have a great deal of work to do. Anita Polderdijk knows all about that. She is the Data Protection Officer at Windesheim University of Applied Sciences, and is a practice planner for OZON. In that role, she has already taken part in three of SURF’s cyber crisis exercises. Anita explains, “First we have a number of meetings at SURF about the scenario we are going to play. Then at Windesheim, we are going to look at how this scenario might affect us. We’ll weave our own story into it and see which real users we can get to participate.”
You need more than protocols to save you
Anita: “One of our main lessons learned from participating in OZON was that protocols alone are not going to save you. Even before OZON we had extensive protocols that tell who has to do what when an ICT crisis breaks out. But if things really go wrong, you also need people who set out the lines, put structure in place. When we really had a crisis situation a few days after OZON, this went a lot better.”
“We are now going to take part in a cyber crisis exercise with SURF for the fourth time. We keep getting better at dealing with such crises, but it’s important to keep practicing. Therefore, our Executive Board fully supports our participation in the OZON exercises.”
But in addition to being instructive, it is also fun to participate in OZON. “It is always exciting and interesting. Every OZON exercise is a brand-new experience.”
OZON is a great success in the Netherlands. A similar, large-scale cyber crisis exercise does not yet exist anywhere else in Europe. However, there is a lot of interest, from Belgium, Denmark, Finland and Ireland, among other countries. Charlie: “It’s true that there is no OZON at a European level, but for the past few years we’ve been organising the two-day crisis management event CLAW, as part of the GÉANT GN4-3 project. There we exchange knowledge through training courses and presentations, and we hold a ‘miniature OZON’: a half-day tabletop exercise in which a cyber crisis is simulated. I notice everyone learns a lot from this, every time. I also organise training courses for NRENs, in which I explain how they can organise their own table-top exercise.”
Want to know more?
Everything about OZON: www.surf.nl/en/ozon
Register for CLAW2020: eventr.geant.org/events/3277
Training course ‘Organise a table-top exercise yourself’: email Charlie van Genuchten at firstname.lastname@example.org
Scenario OZON 2018: ransomware holds institutions in its grip
OZON 2018 started with a phishing mail to all participants. If you clicked on it, your computer was immediately taken hostage with ransomware. Pay or not? That question became even more pressing when the hacker threatened to make hostage data public if no payment was made. Twitter exploded and the press was on the phone all the time. It was quite a job for the 50 participating institutions to bring this crisis to a successful conclusion.