Debrief & Conclusion

27 May 2024 14:45h - 15:00h

Disclaimer: This is not an official record of the session. The DiploAI system automatically generates these resources from the audiovisual recording. Resources are presented in their original format, as provided by the AI (e.g. including any spelling mistakes). The accuracy of these resources cannot be guaranteed.

Full session report

Cybersecurity Experts Analyse Response Strategies in Simulated Critical Infrastructure Attack

In a comprehensive debriefing session, cybersecurity experts Anastasiya Kazakova and Manuel Preciozo Ruiz discussed the outcomes of a group exercise that simulated a sophisticated cyber-attack on a critical infrastructure facility. The scenario presented to the participants was a complex one, involving a supply chain attack on a supplier followed by a ransomware attack on the infrastructure itself, leading to a potential data breach.

Anastasiya Kazakova began by summarising her group’s discussions, which delved into the appropriate response strategies following the cyber-attack. The group debated the extent of their responsibility in mitigating the consequences, pondering whether they should have had robust security measures in place or if some of the responsibility lay with the service provider. They also considered the criticality of the compromised data and its impact on operations, the existence of any relevant insurance coverage, and the presence of an incident response plan.

A key point of the discussion was the need for immediate and clear communication with stakeholders, particularly customers who might also be part of critical infrastructure, to explain the situation and share any response plans. The group suggested that containment measures, such as isolating affected systems, could help ensure that operations could continue despite the attack.

Manuel Preciozo Ruiz then provided a summary of his group’s discussions, which focused on assessing the nature of the incidents and their potential connection. The group was uncertain whether the attacks were related or if the ransomware was intended to disrupt operations or simply to extract a ransom. They also considered the importance of adhering to international norms and the benefits of establishing an information-sharing mechanism to provide mutual assistance in such cybersecurity incidents.

The session concluded with both speakers emphasising the importance of the exercise in understanding the nuances of cybersecurity norms and the need for preparedness and collaboration among stakeholders. They agreed to share a summary report with the participants, respecting the confidentiality of the discussions in accordance with Chatham House rules.

The discussions during the session highlighted the complexities involved in responding to cybersecurity incidents, particularly when they involve third-party service providers. The exercise underscored the necessity of clear communication channels, the importance of international cooperation in addressing cross-border cybersecurity threats, and the critical role of incident response planning. It also pointed to the potential benefits of having cyber insurance to support recovery efforts in the aftermath of a cyber-attack.

Session transcript

Anastasiya Kazakova:
So welcome back. Just wait a few seconds for everyone. So I hope you had also a fun time within the group discussion. We now will actually open the floor to share briefly the summary of the discussions before passing the floor to Manuel and to his group. I’ll just make a summary of what we discussed within our group. We’ve been assigned with the role of the critical infrastructure facility. And within our situation, we found out that our supplier has been hit with a supply chain operation. And further, we also learned that most likely as a result of the supply chain operation, our data has been compromised, though we didn’t really have further details on that on the scale on the impact of the attack. And as a last factor, in several days, our infrastructure was hit with ransomware. And we were certain that the service and the infrastructure where we host our data as a critical infrastructure facility has been hit with ransomware. And our security team suggested us to reach out to the third party company who could help us with the countermeasures against the ransomware gang to avoid paying ransom. So given this fascinating situation, we had several questions, and particularly the questions were about how do we assess this security with this situation? What could be our response to service supplier provider? And what could be immediate action in response to overall this situation, both with the supply chain operation of our supplier and the ransomware? 
So we discussed this and heard a number of the views, particularly one of the first reflections were about understanding better the situation, whether this is mostly our responsibility to deal with the consequences, whether this is our responsibility to have implemented the necessary security measures, or we have delegated actually part of the responsibility or responsibility within our existing relationships to the service provider, and therefore also to get in touch with the service provider for immediate assessment of the supply chain operation of the supply chain attack. Another feedback as well was to better understand in the beginning what we’re dealing with, what kind of the data has been compromised, whether it is a critical data, what sort of the understanding of how critical it could be for our services and operations, whether we have an insurance in place that might also help us in this situation. And whether we already have kind of prepared incident response plan or the list of the questions to ask ourselves as a critical infrastructure facility and also to reach out to our service providers as well to get further details, what we might be dealing with. And in terms of the stakeholders that we need to get in touch, participants have mentioned that get in touch with the customers would be one of the important steps to explain the most important or the biggest customers as well, maybe we also have the customers that are also considered as a critical infrastructure facilities to explain them the current situation. Maybe we have further information to share the plan that we already developed. And in terms of the containment measures, we heard the views that this would primarily include in our case, most likely the isolating the affected infrastructure from non affected infrastructure to at least make sure that our operations may proceed. Participants from my group, let us know if I have missed anything or you would like to complement here with any other points.
Just feel free to raise your hand. This sounds so good. Manuel, I’m passing the floor to you for the summary of the situation that you’ve been dealing with.

Manuel Preciozo Ruiz:
Thank you, Nastia. So, on our group we had regarding the assessment part. We had some questions about the incidents and their nature. So we were not sure whether on our assessments. We were not sure whether both incidents were related. We were also not sure whether the second one wanted to disrupt critical infrastructure just as the main purpose or if the main purpose was to ask for a ransom. We also on our assessment identified that we were not in the know whether both countries have a relationship and were able to freely share information if there’s an information sharing platform established between them. And also how we obtain this information where you know this was obtained. You know from as Orhan said from the dark web or where did we obtain the information and of course one points that was made was to consider our role. And responsibilities. In light of norms one, two, seven and eight. To report on the incident. And then in terms of the immediate actions. Some are more immediate than others, but obviously we quickly identified that we needed to gather more information on both the incidents to be able to determine the impact. And again, if they’re related. I think colleagues from the Gambia also said that it would be good to identify to inform other critical infrastructure providers in the constituency also to establish communication strategy. And also, you know, regarding some of the points in our assessments, where we should establish an ad hoc information sharing mechanism and also consider establishing one in the future if there isn’t one to, you know, provide mutual assistance going forward. And regarding our response to the national search.
Yes, we said we will provide assistance, provided there was a previous relationship with this other set and that he has, for example, less capacities, but we also noticed that the incident was well underway. And you know how much could we actually do in this situation. And if we are looking for a solution to decrypt the encrypted information or data. Again, as you did not see if I miss anything or if anyone wants to comment on this, raise your hand and let us know. Hope I didn’t miss anything. Silence is good.

Anastasiya Kazakova:
Well, you managed to cover pretty, pretty a lot of aspects and a good and you mentioned that you would actually proceed with the providing assistance. So that was really, really interesting as well. Thank you so much. Well, you have today actually a little bit of overview of what we do within Geneva dialogue with the regular consultations with our experts with the representatives of different stakeholder groups. We also try to put experts in a different situation in a context and ask them many questions to get further nuances while unpacking these norms. Thank you so much. I hope you enjoyed our session. If you have any questions so far, feel free to ask. But I guess our time is up. And again, thank you so much and hope you also had fun interacting in this situation with your peer colleagues.

Manuel Preciozo Ruiz:
And we will share our report or summary of the session afterwards right now. Yeah.

Anastasiya Kazakova:
Yes, the report we record the session, but we don’t publish the recording. So exactly everything that we discuss take place on the Chatham House rules, but we will provide just the summary. Hopefully that might be helpful as well.

Manuel Preciozo Ruiz:
Thank you. Thank you, everyone.

Anastasiya Kazakova:
Thank you so much. And do I wish you all a good

Anastasiya Kazakova

Speech speed

148 words per minute

Speech length

857 words

Speech time

348 secs

Manuel Preciozo Ruiz

Speech speed

137 words per minute

Speech length

458 words

Speech time

201 secs