For five weeks, EU member states will simulate attacks on their critical infrastructures. For the first time, the threshold of an armed attack will be surpassed. The rehearsal includes the provision of assistance in accordance with EU treaties, and the NATO case of alliance could also be triggered.
In the summer of 2017, Saudi Arabia almost suffered its first major disaster after a cyber attack. Unknown persons had infected the control system of a petrochemical plant with malware called “Triton”. The apparently planned shutdown of the plant might have caused explosions, possibly leading to the escape of hydrogen sulphide and thus to an environmental disaster with hundreds of deaths. A security system detected the intruder and stopped the sabotage.
Now the EU member states want to prepare for such a hacking attack with a “EU Cyber Crisis Linking Exercise on Solidarity” (EU CyCLES). The starting point is assumed to be attacks with “significant kinetic effects and casualties”. The EU then activates its technical, operational and political cybersecurity structures. Other member states also provide mutual assistance.
Aimed at states like Russia or Belarus
The British civil liberties organisation Statewatch has published an overview of the exercise and a briefing note from the French EU Presidency. According to it, the scenario is based on situations “that have already occurred in real life or that we fear could occur in a near future”. The assumed threat concerns the energy, industry and transport sectors, healthcare and shipping.
The exercise starts with a cyber attack on a fictitious large corporation with a “strong foothold in the EU market”. The originator is believed to be a “Blueland”, which appears to point to states such as Russia or Belarus. After a revolution, the political system there had changed into an authoritarian state. Its “leader” has “extended” his political mandate and now rules the country without time limit.
Parts of the opposition and former members of parliament from “Blueland” have emigrated to Finland and the Czech Republic, according to the exercise scenario. The governments in Helsinki and Prague are “encouraging” the remaining population to “express peacefully its discontent” and are themselves putting green ribbons on their windows.
Similar attacks in Iran and Ukraine
The cyberattacks are carried out by a group referred to in the EU paper as the “BlueDawn”. Also involved is a fictitious criminal organisation called “OT-Powner”, which seeks vulnerabilities in the control systems of industrial plants and sells access to them. The first attack from “blue land” begins with the penetration of such a SCADA system.
Scenarios like this are not plucked out of thin air, explains Manuel Atug, who co-founded the German independent AG KRITIS three years ago. The first attack of this kind was the computer worm “Stuxnet”, which Israel and the USA presumably used to destroy an Iranian uranium enrichment plant. According to Atug, this was a cyber-physical attack, i.e. a hacker attack that can cause physical damage, paralyse critical infrastructures and lead to the shutdown of other important systems in a chain reaction.
Two further examples are known from Ukraine. On 23 December 2015, 27 substations there failed, resulting in a complete power blackout in over 100 cities, and almost 200 other cities were partially affected. A year later, parts of the capital Kiev were without power for over an hour. Both hacks targeted the protective devices of the power plants and are said to have been carried out with the malware “Blackenergy” and “Industroyer” respectively. “Havex”, another malware targeting control systems in the energy sector, has been known since 2014 at the latest; however, reported attacks in the USA and Europe have not yet led to major damage.
In EU CyCLES, the spread of malware is to be stopped as early as possible. To do this, the EU first alerts its own cyber security structures. The Cyber Crisis Management Cooperation Network (CyCLONe) then determines the impact of such a “cyber crisis”. Established in 2020, the network supports member states in the event of “massive” cyber security incidents. Afterwards, the Intelligence Situation Centre INTCEN is supposed to determine the authorship of the cyber attack, for which the member states have recently equipped the hub in Brussels with new competences. The INTCEN can also propose a joint response by the EU and its member states.
The “technical response” to the simulated attack from “Blueland” is carried out by the EU network of Computer Emergency Response Teams (CERTs). According to AG KRITIS founder Atug, which authorities a member state sends there varies greatly. While Germany’s Federal Office for Information Security, for example, is represented there by the CERT-Bund, other countries are sending military or intelligence experts.
The reaction of the national emergency teams to malware infections is just as different; as in the case of “Emotet”, the authorities could also use malware themselves or manipulate it. At the EU level, the emergency teams are supposed to distribute warnings and concrete information about the incidents or secure digital traces. For this purpose, the CERTs network sends so-called response teams to the affected companies or institutions.
Injection with escalation
As far as is known, there are no plans in EU CyCLES to simulate the malware and its technical countermeasures (for example, with so-called Red Teams and Blue Teams that handle attack and defence); it is rather an exercise with a focus on the political response. To this end, the scenario is becoming more and more tense, with such “injections” taking place on the sidelines of real meetings of EU political bodies. First, the Permanent Representatives Committee, which is meeting today, is notified of the incident. There, high-ranking officials of the member states meet to prepare joint decisions of the Council.
Other important actors are the Council Working Group on Cyber Issues, which is to coordinate political and legislative measures, and the Political and Security Committee. The body is responsible, among other things, for police and military operations of the European Union, this is how NATO will also be involved in the exercise.
In the final phase of EU CyCLES, the fictitious crisis escalates to the point where it “could go as far as a situation corresponding to an armed attack”. Subsequently, the governments concerned are supposed to be free to activate Article 42(7) of the EU Treaty. This so-called mutual defence clause determines the foreign policy and, if necessary, military response of the entire EU in the event of an attack on an individual member.
Simulation of NATO alliance case
Most EU member states participate in NATO. If a cyber attack on these countries triggers the right to self-defence enshrined in Article 51 of the United Nations Charter, it would also be allowed to respond militarily with conventional weapons. This was decided by the organisation at its summit in Wales in 2014.
NATO wants to decide in each individual case when a cyber attack surpasses this threshold. This would have to be “equivalent to the use of conventional weapons and acts of war in terms of scope or effect”, writes the German government.
With the possible alliance case, EU CyCLES clearly goes beyond previous exercises. Most recently, on 17 November, the EU member states simulated powerful cyber attacks from a “Whiteland” on their facilities. This was to test the Cyber Diplomacy Toolbox for the EU’s response to “malicious cyber activities”. The scenario included terrorist attacks that could be responded to with the solidarity clause. This refers to Article 222 of the Treaty on the Functioning of the European Union, which stipulates mutual assistance in the event of a terrorist attack or disaster.
Exercises set precedent
The EU CyCLES exercise will end with the meeting of EU foreign ministers on 21 February. However, the of crossing the threshold of military escalation on a trial basis could soon be repeated; the Council and the EU Commission are already planning for EU Integrated Resolve 2022 in the autumn. It is to take place within the framework of the so-called EU PACE exercises together with NATO.
Do such exercises really help to protect power plants, factories or supply chains against cyber-physical attacks, or do they rather serve as political deterrents? The threat is undeniable, says Manuel Atug. However, malware with potential “kinetic effects and casualties”, which also plays a role in EU CyCLES, can still be counted on one hand.
Attacks could increase, however, because industrial control systems are becoming increasingly digitalised and thus more vulnerable. At the same time, the EU and NATO exercises also set a precedent that could pave the way for military escalation.