The Paul Scherrer Institut (PSI) is the largest research centre in Switzerland. Cyber security challenges have increased enormously in recent years. In order to protect the continuity of its large research facilities and infrastructure, the organisation decided to focus on creating a culture of cyber security. We spoke with Björn Abt, IT Security Officer at PSI.
With more than 2,100 employees and 2500 guest scientists, many of whom use their own devices for scientific research and 40% of the systems and applications with decentralised management, cyber security is one of PSI’s biggest challenges. When it comes to cyber threats, the research centre mainly has to deal with industrial espionage and (spear) phishing attacks. “In addition to the classic mass phishing emails, we are very frequently confronted with highly targeted attacks, such as phone calls where attackers try to find out the structure of the internal organisation. But reverse engineering attacks and CEO fraud are also common,” says Björn Abt.
The reason for starting an awareness-raising programme was caused by several crypto locker incidents in the course of 2017. “We found that it usually involved a user who had (inadvertently) done something wrong. Our objective was to make our end users more aware of the dangers online and the important role they play in the cyber security policy of our research centre,” explains Björn Abt.
PSI then called in an external company to assist the centre with advice and guidance in the development of concrete campaigns. “Among other things, they wrote articles for the internal newsletter, created a concept for posters and helped us find the right wording and tone-of-voice in our communication. We also triggered the curiosity of our employees, by inviting an expert to give a lecture on the dark web. That lecture received a lot of attention.”
USB drop attack
In the next phase, the PSI decided to proceed to its first concrete action, which was supported by management. “This consisted in a “USB drop attack”, whereby we gradually distributed around 50 USB sticks containing malware throughout the organisation, mainly in places where many colleagues gather: the printer, the coffee machine, the cafeteria, etc. To further arouse staff’s curiosity, we labelled the USBs with stickers such as “directors’ meeting”, “salary discussion”, “confidential” and so on,” explains Björn Abt.
The results were surprising: although half of the USB sticks were reported by users to the helpdesk, 10 USBs were plugged in anyway. To make the experiment a success, the PSI IT department exceptionally made sure that the macros in the documents were allowed on the USB so that the ‘malware’ could be installed. The users in question were then directed to a website that told them they had committed an error by plugging in the USB. They were also given guidelines and concrete tips & tricks and were asked to return the USBs to the helpdesk.
The results were then processed – anonymously – and communicated to the employees via the weekly internal newsletter. “The intention was to give our colleagues confidence, not to frighten them or pillory them. In the period after this ‘campaign’, several articles followed on the risks of social engineering. The USB drop attack prompted a great deal of response, and after 3 years, colleagues are still talking about it!”
The next action was the simulation of a phishing attack. A total of 350 employees received a phishing e-mail in their mailbox, which is 10% of the employees of each department. “That mail was written in vague language with content and spelling errors and asked employees to log on to the webmail server as part of a so-called mail server upgrade. A low two-digit percentage of the employees actually entered their credentials. On the positive side, however, some employees reported the e-mail to our Service Desk immediately after it was sent. As with the USB drop attack, we immediately gave the ‘victims’ tips on the dangers of phishing and how to recognise fake messages.”
The concrete reason for the phishing test was an incident with ransomware. “Often, it starts with employees clicking on a suspicious link. In order to prevent similar incidents, we also took technical measures: we implemented some software with “behaviour-based” functionality, which detects ransomware before it can take effect. The results are therefore excellent: before we used to have 4 to 5 successful ransomware attacks every month – since then we have not had any successful attacks,” says Björn Abt.
Impact of the coronavirus crisis
Even during the coronavirus crisis, PSI was not spared. “The number of employees with a home office set up at our organisation rose from 100 to 1800 in a short period of time. In addition to the risks associated with the logistics of tokens and laptops, we saw a sudden increase of 50% to even 100% of phishing e-mails during the COVID-19 crisis. When the crisis broke out, we immediately set up a pandemic task force that met several times a week. We also paid a lot of attention to communicating to our employees on how to safely work from home online.”
The PSI already had a conference call system from SWITCH before the crisis, but due to the massive switch to remote working, it had to look for a system with a larger capacity. “We therefore decided to allow the use of Zoom and WebEx, subject to some several precautions and guidelines, e.g. on what it may and may not be shared. This enabled us to respond to the needs of our employees without compromising on safety.”
And the future?
PSI will continue to focus on the development of an awareness-raising culture in the coming years too. “So far, our campaigns have focused on a general approach. We recently measured maturity of our various internal target groups. We’re currently working on a specific approach for each group, with associated content that is tailored to their needs and prior knowledge.”
In addition, Björn Abt sees other more general challenges: “The exponential increase in the data volume we generate at our large-scale research facilities will make connectivity and storage even more crucial in the future. Currently our researchers generate an output of a few PB per year – within the next years the volume will grow by a factor of 10 to 20. Managing this amounts of data is a big challenge for us. That’s why we’re focusing on research into the use of ‘reduction technology’, whereby data is reduced to a size that is easier to manage.”
About the Paul Scherrer Institute and Björn Abt
The Paul Scherrer Institute (PSI) is the largest research institute for natural and engineering sciences in Switzerland, conducting cutting-edge research in three main fields: matter and materials, energy and the environment and human health. PSI employs 2100 people, with an annual budget of approximately CHF 400 million, and is primarily financed by the Swiss Confederation. Every year, more than 2500 scientists (more than 5000 visits per year) from Switzerland and around the world come to PSI to use their unique facilities to carry out experiments that are not possible anywhere else.
Björn Abt developed his skills from a technical-project-oriented background in the direction of IT security. Thanks to the combination of sound technical IT know-how and knowledge in the field of IT security, he can provide PSI with valuable services. Through his work in EU projects, he is actively involved in a peers network, especially in other large European research institutions. He also maintains a professional exchange with IT security experts in Switzerland, especially within the ETH domain and through SWITCH with the entire Swiss university landscape.
Read more on the GÉANT Cyber Security Month 2020: https://dev.connect.geant.org/csm2020