NATO Conducts Locked Shields 2018: World’s Largest International Live-fire Cyber Defense Exercise to train security experts in Cyberwarfare

The urgency behind NATO’s deepening interest in cyber defense is driven by the increasing sophistication of cyberthreats against member states, according to Brig. Gen. Christos Athanasiadis, assistant chief of staff cyber at SHAPE. NATO reported earlier this year that its infrastructure came under threat from 500 cyberattacks monthly in 2016. The United States and other NATO states have become increasingly vocal about cyber-attacks launched from Russia, China and Iran, but officials say it remains hard to determine if such attacks stem from government bodies or private groups. In recent events, cyber-attacks have been part of hybrid warfare.


NATO held its annual Locked Shields exercise in April 2018, now in its eighth year. The five-day live-fire drill, led by NATO’s Communications and Information (NCI) agency and NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE), simulated an attack on the critical infrastructure of a fictional country, Berylia.


The scenario for the exercise saw virtual country Berylia under attack on multiple fronts: through someone that had the resources to coordinate attacks on an ISP and a military air base, along the way disrupting “the electric power grid, 4G public safety networks, drone operation and other critical infrastructure components.”


This is in response to a growing number of cyber attacks that have been part of hybrid warfare. These include the use of ransomware to hold NATO assets at risk, DDoS to interrupt NATO command and control (C2) and interoperability, and the physical disabling of electrical power generation and communications, rendering militaries ineffective and, worse, threatening domestic public safety.


Involving as many as 4,000 virtualised systems and more than 2,500 attacks, the real-time defence exercise was designed to enable national cyber defenders to practice the protection of national IT systems and critical infrastructure under the intense pressure of a severe cyberattack. Involving more than 1,000 cybersecurity experts from 30 countries, the drill was a red versus blue scenario.


CCDCOE described it as the world’s “largest and most advanced international live-fire cyber defence exercise”. The ping-ping-ping-pew-pew-pew ran from April 23rd to April 27th, and NATO said it will let participants “practice the entire chain of command” covering civilian and military systems and capabilities. Locked Shields is a scenario-based exercise aimed at helping to train participating security experts in protecting national IT infrastructure.


Techs involved in the exercise were tasked with keeping the notional nation’s networks alive, while “the strategic part should serve as a forum to understand the impact of decisions made at the strategic and policy level”, NATO’s announcement said.


“This year the exercise involved critical infrastructure that our entire modern lifestyle depends upon: power supply, clean water and emergency communications,” says CCDCOE’s Kadri Kütt. “The exercise trains the teams in how to protect unfamiliar environments and to make the right decisions with incomplete information, as computer emergency specialists often have to do in real-life situations.” The exercise addressed areas noted for their particular difficulty, she adds, including protecting unfamiliar specialised systems, writing good situation reports under serious time pressure, detecting and mitigating attacks in large and complex IT environments and well-coordinated teamwork. “In 2018 the exercise highlighted the growing need to enhance dialogue between technical experts and decision-makers.”




Locked Shields offers a unique opportunity for NATO as well as national cyber defenders to test the protection of respective IT systems and critical infrastructure in a safe environment, while being aggressively challenged by world-class opponents. It focuses on realistic and cutting-edge technologies, scenarios, networks and attack methods. CCDCOE integrates the technical and strategic game, enabling participating nations to practice the entire chain of command in the event of a severe cyber incident, from strategic to operational level and involving both civilian and military capabilities.



NATO wins largest cyber-defence exercise

Locked Shields 2018, the world’s largest and most complex international live-fire cyber-defence exercise, has just completed in Tallinn under the auspices of NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE), featuring 22 Blue Teams, including teams from NATO and the EU.


This year’s exercise highlighted the growing need to enhance dialogue between technical experts and decision-makers. CCDCOE integrated the technical and strategic game, enabling participating nations to practice the entire chain of command in the event of a severe cyber-incident involving both civilian and military players. Considering the current cyber-threats that are of most concern, the exercise addressed critical information infrastructure protection.


The NATO team won the overall competition with the French and Czech teams taking second and third place respectively. “The winning team excelled in all categories of the exercise. It was the first time NATO participated with a team representing different NATO agencies,” said Aare Reintam, project manager of technical exercises at CCDCOE.


He added, “However, every single participating team deserves credit for handling the complex cyber-challenges of Locked Shields. The exercise involved around 4,000 virtualised systems and more than 2,500 attacks altogether. In addition to keeping up more than 150 complex IT systems per team, the Blue Teams had to be efficient in reporting incidents, executing strategic decisions and solving forensic, legal and media challenges. Protection of critical infrastructure is essential for ensuring the efficient operation of both military and civilian organisations, it is the foundation of our modern digital lifestyle.”


Merle Maigre, director of CCDCOE, earlier issued a statement welcoming Portugal to the grouping as “… another strong NATO Ally joining the Centre.” Then, during the opening of Australia’s pop-up embassy in Estonia, Australia also announced it was joining CCDCOE as a member, and took part in Locked Shields as an observer nation. “Accession of Australia expands the reach and cooperation of like-minded nations in cyber-defence beyond the Euro-Atlantic area, making our cyber-defence hub truly global. We are glad to welcome Australia becoming a member nation,” commented Maigre.



Locked Shields 2018 was organised by CCDCOE in cooperation with the Estonian Defence Forces, the Finnish Defence Forces, the Swedish Defence University, the British Joint Army, the United States European Command, CERT.LV, National Security Research Institute of the Republic of Korea and Tallinn University of Technology. Industry partners in the exercise include Siemens AG, Ericsson, Bittium, Goodmill, Threod Systems, Cyber Test Systems, Clarified Security, Iptron, Bytelife, BHC Laboratory, openvpn.net, GuardTime and numerous others.



2017 NATO “Locked Shields”

The Locked Shields exercise has been organised by the NATO Cooperative Cyber Defence Centre of Excellence since 2010. Every year, teams are put under intense pressure to maintain the networks and services of a fictional country. This includes handling and reporting incidents, solving forensic challenges, and responding to legal and strategic communications and scenario injects. To stay abreast of market developments, Locked Shields focuses on realistic and cutting-edge technologies, networks and attack methods.


Earlier, in April 2017, the NATO “Locked Shields” exercise scenario directed teams of security experts to defend the networks of a fictional country’s military air base when its electric power grid, drones, military command and control systems and operational infrastructure fell under severe cyberattack. The exercise featured about 800 participants from 25 different nations worldwide and also involved protecting several specialized IT systems, including a large-scale system that controls the power grid and a system used for military planning.


“The exercise was particularly challenging for all participants this year due to the increased scope and size of specialised systems involved. The teams had to protect large scale SCADA system controlling the power grid, military AirC2 system, military surveillance drone and Ground Station controlling the drone and Programmable Logic Controllers (PLCs) under intense pressure,” says Reintam. “In the end all the teams have gained a valuable training experience, which is the ultimate goal of this defensive exercise.”


“Taking into consideration current key trends in cybersecurity, we are introducing even more specialized systems to the exercise,” said Aare Reintam, the technical director at the center. “This enables us to prepare cybersecurity experts to protect even better vital networks and systems that they are not working with on a regular basis.”



NATO CCDCOE is a NATO-accredited cyber-defence hub focusing on research, training and exercises. The international military organisation based in Estonia is a community of 20 nations currently providing a 360-degree look at cyber-defence.


The CCDCOE combines cyber technology, strategy, operations and law expertise to provide “a 360-degree look at cyber defense,” according to the agency. However, the CCDCOE was designed only as a research facility or think tank, outside of NATO’s military command structure, explains Kenneth Geers, a senior research scientist at Comodo and a CCDCOE ambassador.


CCDCOE carried out several simultaneous kinetic and cyber operations as part of its February Crossed Swords exercise. Held in Latvia in conjunction with that country’s CERT, the exercise focused on improving cooperation and information sharing among civilian organizations, critical information infrastructure providers and military units.


The simulation used mobile network technologies to identify targets and conduct drone surveillance, along with fifth-generation (5G) wireless network sensors to acquire location and other data. When a target was not reachable through cyberspace, military units deployed kinetic weapons. The exercise included about 80 participants from 15 countries and focused on enemy, or red team, posturing to have a “complete inside-out understanding of the most current cyber threats,” according to the agency. The exercise is a complement to the CCDCOE’s Locked Shields, a more extensive advanced live-fire cyber defense exercise.


The CCDCOE also is expanding the reach of its cyber education. In January, NATO’s supreme allied commander appointed the agency to coordinate all cyber education and training for cyber defense operations within NATO. The agency will work closely with NATO’s Allied Command Transformation in Norfolk, Virginia, to ensure the availability of such activities across the alliance.



About Rajesh Uppal