Resilient and Ready: Setting the Stage for ČEZ's Cybersecurity Exercise (Part I)

A Puzzle for You: Inspired by INDUSTROYER2 and CADDYWIPER incidents, utilizing OT devices, storytelling, gamification, and, of course, ChatGPT! What could it be?

19 Jul 2023

We again joined forces with ČEZ, the largest electricity producer in the Czech Republic, to reinforce their cybersecurity preparedness. Being a critical entity within the Czech critical infrastructure, ČEZ understands the importance of cybersecurity. We organized an exercise utilizing the KYPO Cyber Range Platform that exceeded the usual training. Read more to find out what it was about.

Informative statistics related to the preparation phase of our recent exercise

Initial Analysis

Everything began several months before the exercise when we conducted an ideation meeting with ČEZ's company management. During this session, we aligned on the exercise's goals and key aspects, resulting in a customized five-day program consisting of two briefing days and three action-packed, hands-on days.

While this collaboration isn't our first with ČEZ, nor is it the first exercise we have organized, the stakes are consistently high when preparing a new scenario for a team of highly skilled professionals. The exercise participants bring diverse work experience and skillsets, which we carefully consider during preparation. One of our primary challenges is forming well-balanced teams that harness these differences effectively.

The hands-on part of our exercise took place in our training facility, where all participants formed their assigned teams.

Scenario and Infrastructure

Another significant challenge is crafting a scenario that aligns with the exercise's goals and engages the participants. Given the energy industry focus, we deliberately incorporated malicious software like Industroyer2 and CaddyWiper into the practical part. This decision was inspired by actual cybersecurity incidents attributed to the Sandworm group in previous years, especially during the spring 2022. We emphasized key techniques, tactics, and procedures from the MITRE ATT&CK® database related to these malwares.

Regarding infrastructure, we developed complete IT and OT systems that emulate a fictional energy power plant. We aimed to create an immersive and realistic environment with all the necessary components. These infrastructures were closely monitored, with visualization of the data enhancing the gamification elements. To replicate real-life cyber-attack scenarios across different phases, we prepared for each team an infrastructure with slight variations. This enabled participants to experience the evolving challenges of a cyber-attack firsthand.

We tried to make the experience as captivating as possible for all participants, for example by using gamification elements such as manuals and graphic materials to operate the power plant.

Gamification and Generative AI

Additionally, we crafted a captivating story and integrated gamification elements such as employee personas, and scripted emails from external parties (GovCERT, CISO, employees). Throughout the exercise preparation and execution, we seamlessly integrated chatGPT into our workflow, leveraging its capabilities to enhance our outputs. In particular, chatGPT played a pivotal role in developing alternative storylines that inspired us and even generated content in our communication with participants.

Above all, our ultimate goal was to design an exercise that transcends a defense-oriented approach and places significant emphasis on fostering effective communication and collaboration among participants. For this reason, we also set a hierarchy of blue teams and a set of processes they must have followed during the exercise.

Excited to learn about the exercise experience and the lessons gleaned? Stay tuned for the second part of our case study, where we'll share all the details.

More articles

All articles

You are running an old browser version. We recommend updating your browser to its latest version.

More info