The Netherlands works on resilience with large-scale national cyber exercise

With ISIDOOR, the cyber exercise organised by the National Cyber Security Centre (NCSC) in cooperation with the National Coordinator for Counterterrorism and Security, the Netherlands looks to guard itself against potentially devastating cyber attacks.

During the biennial exercise, agreements, structures and processes from the National Cyber Crisis Plan (NCP-Digitaal) are practised. ISIDOOR 2021 took place in June, and saw 96 organisations and more than 1,500 people active in the infrastructure of central government take part.

It is crucial for companies and nations alike to be well prepared for cyber incidents. Incidents are reported every day, some with limited impact, others with very large consequences. In the Netherlands, there has previously been an attack on a national transport company, which temporarily halted the distribution of cheese to supermarkets. 

“The physical and digital chains are becoming more complex and more dependent on each other,” said Kees Verkade, national project leader of ISIDOOR 2021, in his blog for the NCSC. “This makes them more susceptible to cyber attacks, and the consequences of disruptions are getting bigger all the time.”

That is why it is important to work together, to share information and to follow a joint strategy in the event of a national cyber disaster. The NCP-Digitaal offers the building blocks to do this, but in order to keep it up to date, it is necessary to test, practice and review. The lessons learned can then be used to update the national crisis plan and gather best practices for future cyber exercises.  

Verkade said no crisis ever turns out the way it’s expected. That’s why, in his view, it’s important to be able to “improvise in a coordinated way”. This requires a certain degree of professional competence and task maturity. “An exercise such as ISIDOOR contributes to this, but the greatest benefit is not obtained during the exercise,” he said. “The biggest gain is in the preparatory phase and in identifying and learning the lessons afterwards.”

That is why ISIDOOR consists not only of a large-scale exercise, but also of additional masterclasses and in-depth training sessions. In addition, the participating organisations are put in touch with each other beforehand to organise their preparations. “One of the biggest lessons from this is that it is far from self-evident that within organisations the departments or persons that deal with cyber security are linked to the departments or persons that deal with crisis management,” said Verkade.  

This year, the Dutch national cyber exercise focused on office automation systems and involved a vulnerability in a widely used operating system. There was still no patch available, so malicious parties could abuse the vulnerability to their heart’s content. This caused a lot of inconvenience and minor disruptions.

That created a smoke screen that distracted attention away from a much larger and more complex problem, namely a state actor that had been able to access the systems of central government and vital services in the Netherlands for two months through the vulnerability.

This meant that the actor was able to view sensitive data and to gain access to it, such as information about sensitive criminal cases, tender procedures, access data to crucial systems in process automation, sensitive files and security information. There was plenty of cause for concern, both at an organisational and national level – enough reason to ask questions about what data was stolen and how serious this was, but also about how the Netherlands deals with a state actor that attacks the country.  

Verkade reports in his blog that ISIDOOR produced a lot of learning points, three of which stand out for him as project leader and crisis management advisor at the NCSC.

First, the fact that a cyber crisis is a crisis of uncertainty. “The speed with which a cyber incident develops and the need for clarity and perspectives for action from the outside world do not match the required care in the response, the technical clarification and the interpretation of the consequences,” he said.

The project leader also said that the connections between different worlds are crucial. “A cyber crisis is more than just a technical problem for the cyber experts,” he continued. “It often means something to the continuity of the services the organisation provides and the position it occupies in its network. This means that the crisis organisation, the communication department, the business continuity manager and the legal department also have to act. Only then can problems be identified quickly and properly at the right level and integrated measures taken.”

Verkade concluded that finding each other does not necessarily mean that people also understand each other. “There is still room for improvement here,” he said. “It’s mainly about having a clear idea of the purpose of information sharing. Not only internally in an organisation, but also within the cyber system. For example, the NCSC is often expected to provide a certain interpretation, but this can only be provided when organisations supply more than just a report that they have been affected.”