U.S., EU Conduct Joint Cyber-Security Exercise to Defend Against Attacks

Cyber-security experts from the European Union and United States took part in simulated cyber-attacks against supervisory control and data acquisition systems and advanced persistent threats as part of Cyber Atlantic 2011 exercises.

The United States and European Union took part in the first-ever joint cyber-security exercise addressing how to cooperate and respond in the event of a cyber-attack on critical infrastructure.

The European Network and Information Security Agency (ENISA) and the U.S. Department of Homeland Security conducted the daylong table-top exercise, Cyber Atlantic 2011, on Nov. 3. The cyber-security exercise used simulated scenarios to explore how EU and U.S. officials could improve how they work together and coordinate incident management and response, Lee Rock, acting director of Homeland Security's Computer Emergency Response Team (US-CERT) wrote on the DHS blog.

One exercise featured targeted advanced persistent threat attempts to infiltrate various EU cyber-security agencies and publish online the information extracted from the networks. Another simulation involved an attack against supervisory control and data acquisition (SCADA) systems in power grids and utilities.

Cyber Atlantic's goal was to "tackle new threats to the global networks upon which the security and prosperity of our free societies increasingly depend," ENISA said. Most of the exercises focused on European assets or agencies being attacked, with U.S. officials providing assistance, according to Rock.

Participating in the cyber-exercise would help "strengthen" how the U.S. handles cyber-attacks at home and how it collaborates with other countries "through mutual support systems," Rock said. US-CERT "supports international partners and the broader cyber-security communities in both the United States and abroad on a range of technical and operational cyber issues," Rock wrote.

Cyber Atlantic 2011 drew on lessons learned from last year's Cyber-Europe 2010 cyber-security exercise, and the lessons learned from this event will be used to plan "further potential joint" cyber-exercises, according to ENISA. The previous exercise was conducted as a way identify how member states should communicate and collaborate to defend against cyber-attacks and to strengthen Europe's overall cyber defenses in the event of a large-scale cyber-attack.

The DHS runs similar cyber-exercises through its biennial Cyber-Storm series to keep mitigation and prevention efforts up-to-date to handle the latest sophisticated attacks. The SANS Institute, a private nonprofit security research and education organization, also works with the Army and Air Force to train military personnel in cyber-security skills through its NetWars cyber-security challenge. Participants compete in a mock environment to test their defensive, analysis and offensive cyber skills, fighting off intruders trying to take over other target systems and networks.

Policy-makers on both sides of the Atlantic believe that it's not a question of "if" there will be a cyber-attack, but "when." The latest cyber-war exercise was part of a commitment to work together on cyber-security that was agreed upon at a EU-U.S. summit in Lisbon, Portugal, in November 2010. More than 20 EU member states attended the event, which was directed by the European Commission.

"It is an honor for ENISA to be facilitating this extremely important milestone in international cyber-security cooperation," said ENISA's executive director, Prof. Udo Helmbrecht.

A group of European ministers, senior officials from the North Atlantic Treaty Organization (NATO) and other influential European leaders participated in a different cyber-exercise organized by the European Security Round Table (ESRT) in Brussels, Belgium, in June.

The ESRT exercise simulated three distinct attacks against different European critical infrastructure sectors that had simultaneous impact on several member states. The attendees discussed existing EU cyber-security policies and initiatives as well as what new rules and regulations were needed.