National Exercise for Cyberattack Management
7 key national digital service providers recently took part in a nationwide cyberattack exercise in order to test their procedures for cyber incident management. The exercise was organised by the Institut Luxembourgeois de la Régulation – ILR and each participant took part on a voluntary basis. The National Cybersecurity Competence Center – NC3 of the Luxembourg House of Cybersecurity received the mandate to prepare and run the exercise.
Let's talk to the players in this strategic rehearsal about managing a nationwide cyberattack targeting Luxembourg's digital service providers.
Sheila (ILR), what is the purpose of an exercise of this scale?
“In today’s digital era, where cyber threats are only growing, the ability to handle cyber incidents whilst being able to remain operational is paramount for all businesses and organisations.
As part of measures to ensure a common high level of security for networks and information systems in the European Union, the Institute is the competent authority in Luxembourg for the Energy, Transport, Health, Drinking Water and Digital Infrastructure sectors, and for digital service providers.
Therefore, it is part of the Institute’s missions to achieve a high level of cybersecurity in the above-mentioned essential sectors.
To do so, the operators are recommended to not only perform a risk assessment on a regular basis and define security policies, but also to put these to the test. It is obviously preferable to test the procedures and reactions in the context of an exercise rather than during a real-time attack or incident.
When it comes to testing internal procedures and policies in the context of cyber incidents, we gave the mandate to the LHC/NC3 experts, running the ROOM#42 exercise, to develop scenarios of current attack vectors.”
Sheila (ILR), could you please tell us a little more about the organisation of the exercise?
“This year was the 3rd edition of this national exercise, always in collaboration with LHC/NC3. Each year, the exercise addresses different types of sectors. This year, the focus was placed on the digital infrastructure and telecom. 7 key players in this sector responded positively to the invitation to take part in the exercise, which was carried out on a voluntary basis. Each participant is given individual feedback post-exercise.”
Jérôme (NC3), how is such an exercise prepared?
“It's a one-day exercise, but one that takes 3 months to prepare and several weeks to analyse the results and generate a report for each participant.
Before the exercise
The criticality of the exercise lies in the preparatory phase. Writing the scenario is essential. This must be coherent, well-paced and take into account current events. At the end, we need to create what we call "injects" to animate the exercise. These are characters (employees, partners, journalists, etc.) who will come into contact with the participants to help them (directly or indirectly) progress in the exercise. There's also the creation of websites, digital content and malware (dedicated to this type of exercise only).
During the exercise
As organisers, we have no right to make mistakes. Everything is sequenced and fine-tuned to the millimeter – each interaction having an impact on the next. We also do "warm-ups" to test the exercise beforehand, so as to detect any false notes.
After the exercise
Here comes the analysis phase with the writing of individual and detailed reports for each participant in order to highlight the areas for improvement and recommendations.”
Jérôme (NC3), what is analysed in such an exercise?
“We seek to determine an organisation's readiness to cope with a cyber incident. While we expose them to different stimuli in a short period of time, the idea is to see how they organize themselves, and which departments are involved in the crisis (IT, HR, Communication, Management, etc.). Working together in normal times can be complicated... Imagine in a crisis! After all, isn't it said that it's when things get tough that you see who you really are? This type of exercise also seeks to define the participants' limits, i.e., to see the limits of their level of competence in dealing with "extraordinary" events. Time is also an essential factor in incident management, which is why participants are obliged to respond within short deadlines.”
Jérôme (NC3), what is your experience in creating such exercises?
“ROOM#42 is a real source of experience. We have carried out over 250 cyberattack management exercises in this simulator. We therefore draw our inspiration naturally from this environment. Indirectly, military techniques linked to training and the repetition of so-called "reflex" acts are strongly considered in the creation of this type of exercise. The idea is to take participants into uncomfortable territory, to push them to go beyond the implementation of procedures. We want to see their ability to adapt to sudden events. In a cyberattack, they will never have the initiative, and will often have to deal with the worst moment of the week or day. In this kind of exercise, we place them in the same logic.
[Anecdote] – Anything can happen, without warning and at the worst of times. That is what I teach in every ROOM#42 exercise. A personal situation just proved me right on that day, as I had to deal with a sick daughter just an hour before the start of the exercise – for which I was leading all the operations…”
Feedback (anonymous) from the participants:
“The ILR-organized cyberattack simulation was not only well-organized but also remarkably realistic.
It highlighted very practical areas and opportunities for improvements and emphasized the importance of better communication with external partners for faster, more efficient exchanges in a crisis situation.
The exercise was beneficial, and we're pleased to have participated, reinforcing our commitment to cybersecurity readiness.”
Pictures report
A scenario rooted in current events, developed by Luxembourg’s National Cybersecurity Competence Center – NC3.
Example of a website created just for the purpose of the exercise.
An interesting thing to mention here: it is usually the victims of simulated cyberattacks who are present in ROOM#42. For the ILR exercise, the “bad guys” had made ROOM#42 their HQ, while the participants were in their own premises (or teleworking...).
The directors of the exercise checking in each step of the exercise.