On 23 and 24 March 2023, 72 organisations and over 2,000 people in education and research, including the University of Twente, participated in SURF's cyber crisis exercise OZON 2023. Cyber threats are increasing worldwide, and education and research are no exception. The sector is one of the few that has been running full-scale cyber simulations since 2016 to learn to respond skilfully to realistic cyber crises. This time, the biennial exercise consisted of an insider threat scenario in which employees of the organisation itself also work for a criminal party. Previous editions of OZON have included scenarios involving ransomware, ethical hackers and a state actor.
"This year, a record number of people played along and in this edition, too, we were quite challenged with this realistic scenario," said Jet de Ranitz, SURF CEO and chair of the board of directors. "The entire sector was again able to experience the necessity of working together in the event of a cyber crisis. That is why this kind of exercise remains of great value."
Scenario
On Thursday 23 March, the crisis exercise starts at 9.30 am. A few people from each participating organisation are in the loop; most employees know nothing about it. The central scenario is shaped by SURF, and institutions can adapt it to fit their own exercise objectives as closely as possible. Throughout the day, the pressure on the participants steadily increases until 4 pm, when the first day ends. On Friday 24 March, the criminal associates are unmasked, the crisis builds and there is room for reflection. In the weeks that follow, SURF, together with participants, evaluates the exercise and incorporates lessons learned, learning points and feedback into a report.
Insider threat
For the fourth time, SURF, the ICT cooperative of Dutch education and research, organised this sector-wide crisis exercise for its members. Charlie van Genuchten, OZON project leader at SURF, started preparations at the beginning of 2021. The insider threat scenario was created in a brainstorm with professionals from education, research and healthcare. It was then worked out at operational, tactical and strategic levels, taking into account the stages a real cyber crisis goes through. The exercise involved cooperation across the chain: parties such as the ministry and umbrella and industry organisations also took part.