Debrief & Conclusion
27 May 2024 14:45h - 15:00h
Disclaimer: This is not an official record of the session. The DiploAI system automatically generates these resources from the audiovisual recording. Resources are presented in their original format, as provided by the AI (e.g. including any spelling mistakes). The accuracy of these resources cannot be guaranteed.
Session report
Cybersecurity Experts Analyse Response Strategies in Simulated Critical Infrastructure Attack
In a comprehensive debriefing session, cybersecurity experts Anastasiya Kazakova and Manuel Preciozo Ruiz discussed the outcomes of a group exercise that simulated a sophisticated cyber-attack on a critical infrastructure facility. The scenario presented to the participants was a complex one, involving a supply chain attack on a supplier followed by a ransomware attack on the infrastructure itself, leading to a potential data breach.
Anastasiya Kazakova began by summarising her group’s discussions, which delved into the appropriate response strategies following the cyber-attack. The group debated the extent of their responsibility in mitigating the consequences, pondering whether they should have had robust security measures in place or if some of the responsibility lay with the service provider. They also considered the criticality of the compromised data and its impact on operations, the existence of any relevant insurance coverage, and the presence of an incident response plan.
A key point of the discussion was the need for immediate and clear communication with stakeholders, particularly customers who might also be part of critical infrastructure, to explain the situation and share any response plans. The group suggested that containment measures, such as isolating affected systems, could help ensure that operations could continue despite the attack.
Manuel Preciozo Ruiz then provided a summary of his group’s discussions, which focused on assessing the nature of the incidents and their potential connection. The group was uncertain whether the attacks were related or if the ransomware was intended to disrupt operations or simply to extract a ransom. They also considered the importance of adhering to international norms and the benefits of establishing an information-sharing mechanism to provide mutual assistance in such cybersecurity incidents.
The session concluded with both speakers emphasising the importance of the exercise in understanding the nuances of cybersecurity norms and the need for preparedness and collaboration among stakeholders. They agreed to share a summary report with the participants, respecting the confidentiality of the discussions in accordance with Chatham House rules.
The discussions during the session highlighted the complexities involved in responding to cybersecurity incidents, particularly when they involve third-party service providers. The exercise underscored the necessity of clear communication channels, the importance of international cooperation in addressing cross-border cybersecurity threats, and the critical role of incident response planning. It also pointed to the potential benefits of having cyber insurance to support recovery efforts in the aftermath of a cyber-attack.
Session transcript
Anastasiya Kazakova:
So welcome back. Just wait a few seconds for everyone. So I hope you also had a fun time within the group discussion. We will now open the floor to share briefly the summary of the discussions before passing the floor to Manuel and to his group. I’ll just make a summary of what we discussed within our group. We were assigned the role of the critical infrastructure facility. And within our situation, we found out that our supplier had been hit with a supply chain operation. And further, we also learned that, most likely as a result of the supply chain operation, our data had been compromised, though we didn’t really have further details on the scale or the impact of the attack. And as a last factor, several days later, our infrastructure was hit with ransomware. And we were certain that the service and the infrastructure where we host our data as a critical infrastructure facility had been hit with ransomware. And our security team suggested that we reach out to a third-party company who could help us with the countermeasures against the ransomware gang to avoid paying the ransom. So given this fascinating situation, we had several questions, and particularly the questions were about how we assess the security situation, what our response to the service supplier/provider could be, and what the immediate actions could be in response to this overall situation, both the supply chain operation against our supplier and the ransomware.
So we discussed this and heard a number of views. Particularly, one of the first reflections was about understanding the situation better: whether this is mostly our responsibility to deal with the consequences, whether it is our responsibility to have implemented the necessary security measures, or whether we have actually delegated part of the responsibility, within our existing relationships, to the service provider, and therefore also to get in touch with the service provider for an immediate assessment of the supply chain attack. Another piece of feedback was to better understand in the beginning what we’re dealing with: what kind of data has been compromised, whether it is critical data, how critical it could be for our services and operations, whether we have insurance in place that might also help us in this situation, and whether we already have a prepared incident response plan or a list of questions to ask ourselves as a critical infrastructure facility, and also to reach out to our service providers to get further details on what we might be dealing with. In terms of the stakeholders that we need to get in touch with, participants mentioned that getting in touch with the customers would be one of the important steps: to explain the current situation to the most important or the biggest customers, and maybe we also have customers that are themselves considered critical infrastructure facilities. Maybe we have further information to share, or the plan that we have already developed. And in terms of the containment measures, we heard the views that this would primarily include, in our case, most likely isolating the affected infrastructure from the non-affected infrastructure, to at least make sure that our operations may proceed. Participants from my group, let us know if I have missed anything or if you would like to complement this with any other points.
Just feel free to raise your hand. This sounds so good. Manuel, I’m passing the floor to you for the summary of the situation that you’ve been dealing with.
Manuel Preciozo Ruiz:
Thank you, Nastia. So, in our group, regarding the assessment part, we had some questions about the incidents and their nature. In our assessment we were not sure whether both incidents were related. We were also not sure whether the second one wanted to disrupt critical infrastructure as the main purpose, or if the main purpose was to ask for a ransom. We also, in our assessment, identified that we did not know whether both countries have a relationship and were able to freely share information, or if there is an information-sharing platform established between them. And also how we obtained this information, where it was obtained from: as Orhan said, from the dark web, or where else did we obtain the information. And of course one point that was made was to consider our role and responsibilities, in light of norms one, two, seven and eight, to report on the incident. And then in terms of the immediate actions: some are more immediate than others, but obviously we quickly identified that we needed to gather more information on both incidents to be able to determine the impact and, again, whether they’re related. I think colleagues from the Gambia also said that it would be good to inform other critical infrastructure providers in the constituency, and also to establish a communication strategy. And also, regarding some of the points in our assessment, that we should establish an ad hoc information-sharing mechanism, and also consider establishing one in the future if there isn’t one, to provide mutual assistance going forward. And regarding our response to the national CERT.
Yes, we said we will provide assistance, provided there was a previous relationship with this other CERT and that it has, for example, less capacity. But we also noticed that the incident was well underway, and how much could we actually do in this situation, and whether we are looking for a solution to decrypt the encrypted information or data. Again, as Nastia did: if I missed anything or if anyone wants to comment on this, raise your hand and let us know. Hope I didn’t miss anything. Silence is good.
Anastasiya Kazakova:
Well, you managed to cover quite a lot of aspects, and you mentioned that you would actually proceed with providing assistance. So that was really interesting as well. Thank you so much. Well, today you actually had a little bit of an overview of what we do within the Geneva Dialogue, with the regular consultations with our experts, with the representatives of different stakeholder groups. We also try to put experts in a different situation and context and ask them many questions to get further nuances while unpacking these norms. Thank you so much. I hope you enjoyed our session. If you have any questions so far, feel free to ask, but I guess our time is up. And again, thank you so much, and I hope you also had fun interacting in this situation with your peer colleagues.
Manuel Preciozo Ruiz:
And we will share our report or summary of the session afterwards, right? Yeah.
Anastasiya Kazakova:
Yes, the report. We record the session, but we don’t publish the recording. So everything that we discuss takes place under the Chatham House rules, but we will provide just the summary. Hopefully that might be helpful as well.
Manuel Preciozo Ruiz:
Thank you. Thank you, everyone.
Anastasiya Kazakova:
Thank you so much. And I do wish you all a good
Speakers
Anastasiya Kazakova
Speech speed: 148 words per minute
Speech length: 857 words
Speech time: 348 secs
Arguments
Addressing a critical infrastructure facility’s security breach involves immediate assessment and response.
Supporting facts:
- Supplier has been hit with a supply chain operation.
- Data has potentially been compromised.
- Infrastructure was hit with ransomware.
Topics: Cybersecurity, Ransomware, Supply Chain Attack
Report
The recent cybersecurity incident highlights the vulnerabilities in modern supply chains: a supplier has been compromised through a supply chain attack, and the critical infrastructure facility that depends on it was subsequently hit with ransomware. This raises critical concerns regarding data security and the resilience of essential infrastructure.
A strategic and immediate response is required to mitigate further damage. The initial actions necessitate a thorough assessment of the breach, emphasising the need for clarity on the security obligations within the relationships between the affected parties. Understanding the contractual responsibilities with service providers is particularly crucial, as their role in managing cybersecurity threats needs to be explicit.
Prompt engagement with service providers for an in-depth assessment is vital in the early stages of incident response. Moreover, effectively addressing the breach involves steps to isolate the impacted systems. This containment measure is essential to prevent the malware from spreading to unaffected areas, minimising the potential for further issues.
Alongside containment, transparent communication with stakeholders is paramount. Informing customers and relevant parties of the breach is not only a good practice for transparency but also helps prevent misinformation and maintain trust during such a crisis. Preparation is key when dealing with such incidents, underlined by the importance of having an incident response plan and adequate insurance coverage in place.
These preparations offer organisations a strategic, rehearsed, and financially backed approach to managing the consequences of cybersecurity incidents. The implications of this cybersecurity event resonate with Sustainable Development Goal (SDG) 9, which promotes resilient infrastructure and inclusive and sustainable industrialisation. Additionally, it aligns with SDG 16’s focus on building accountable institutions, emphasised by the requirement for robust cybersecurity, and SDG 11’s call for safe and resilient urban environments, critical as cities increasingly rely on digital infrastructure.
In summary, the cybersecurity event is a chance for organisational learning and development in the sphere of digital infrastructure protection. It exemplifies the interconnected nature of modern systems and the necessity for comprehensive security measures within innovative, resilient communities and industries.
Effective management of this incident may set a precedent, promoting a stronger security culture and contributing to the broader aims of peace, justice, and robust institutional frameworks.
Manuel Preciozo Ruiz
Speech speed: 137 words per minute
Speech length: 458 words
Speech time: 201 secs
Report
During our group’s detailed evaluation of recent disturbing events, several uncertainties emerged. We were unable to establish a definitive connection between the incidents, leaving us questioning whether they were related or distinct. The motive behind the disruption of critical infrastructure in the second incident remains unclear, with doubts over whether the aim was disruption alone or an unverified ransom demand.
Our understanding of the bilateral relationships between the affected countries was inadequate, particularly regarding their information-sharing protocols, which are crucial in crisis management. The origins of our intelligence were also unclear, with unconfirmed suggestions of dark web involvement. To address our role and responsibilities, we examined operational norms one, two, seven, and eight, which dictate reporting in such scenarios.
Recognising the need for more detailed information to establish any links and fully comprehend the incidents was essential. Colleagues from the Gambia highlighted the need for communication with other key infrastructure bodies. As a result, we agreed on forming a robust communication strategy and an ad hoc information-sharing mechanism as a step towards a more lasting solution for mutual assistance.
Regarding international cooperation, we acknowledged that assistance to national Computer Emergency Response Teams (CERTs) depended on pre-existing collaborations. Preference was given to CERTs with fewer resources, although the practical limits of such support during ongoing incidents were questioned, as was the viability of decrypting compromised data, which could be crucial for recovery.
Our discussions concluded with a commitment to document and share a summary of our findings, which not only records our deliberations but also epitomises the collaborative spirit of the exchange.