ENISA reports on Cyber Europe 2022, tests business continuity and crisis management across EU healthcare sector

The European Union Agency for Cybersecurity (ENISA) published on Tuesday an ‘after action’ report of Cyber Europe 2022, the cybersecurity exercise aimed at testing the resilience of the region’s healthcare sector. The report compiles information about the Cyber Europe exercise that ENISA organized earlier this year, identifies potential challenges, and suggests recommendations.

Cyber Europe 2022 revolved around the healthcare ecosystem. It tested the resilience of several relevant stakeholders, including national Computer Security Incident Response Teams (CSIRTs), cybersecurity authorities, ministries of health, healthcare organizations such as hospitals and clinics, eHealth service providers, and health insurance providers. 

According to the report titled ‘Cyber Europe 2022: After Action Report,’ the participants had to address an escalating cyber crisis, tackling multiple incidents simultaneously. The scenario aimed to realistically mimic technical incidents. The incidents covered several elements, with some aimed at gaining a foothold and others at tampering with medical devices.

Cyber Europe 2022 planners developed a scenario revolving around healthcare, which can include national/governmental CSIRTs, cybersecurity authorities, ministries of health, healthcare organizations, eHealth service providers, and health insurance providers. The scenario contained real-life inspired technical incidents that can be analyzed using forensic and malware analysis and open source intelligence, as well as non-technical incidents.

Additionally, the incidents were designed to build up into a major crisis at all levels, including local, organizational, national, and European, putting business continuity plans and crisis management procedures to the test.

The report also describes the sectors targeted by the attacks and their potential impacts. The objective of the scenario was to enable the players to react accordingly to each incident in order to minimize the damage incurred, with the general objective of testing the operational and technical layers. The scenario, which spanned two days, began on the first day by engaging the participants around a disinformation campaign of manipulated laboratory results and a cyberattack targeting the networks of European hospitals, as well as internet and cloud service providers.

The report identified that the targeted sectors and potential impact of the attack included sensitive (medical) or confidential data loss, compromised integrity of sensitive medical data, misuse of resources (crypto miner), mainstream news outlets covering major attacks/events, cyber-physical attack (pharmacy storage), sensitive (medical) or confidential data for sale on the darknet, and the threats of exposing sensitive (medical) or confidential data through social media. The sectors included the government, industry, networks, and healthcare providers. 

The participants tested the EU-level technical and operational cooperation mechanism during cyber crises. They also tested the incident response and resilience plans at local levels. The exercise also allowed stakeholders to be trained on technical capabilities. By engaging in these activities, participants benefited from a high-level engagement on the different aspects of cooperation needed to address the issues presented in the scenario developed.

An in-depth analysis of the findings was shared with the planners, which is expected to result in the improvement of procedures, communication, and coordination processes already in place at local, sectoral, national, cross-border, and EU-wide levels. This is why such exercises are welcomed by participants, who are given a chance to perform practical testing and to train in the process, developing cybersecurity expertise and crisis management skills in doing so.

Participating stakeholders joined in the efforts to identify gaps and development points to further improve the cybersecurity posture of the health sector. It emerged from the analysis that allocating commensurate budget and resources to cybersecurity teams within health organizations is key to ensuring the cybersecurity resilience needed in the health sector. Regular testing at the local level also emerged as a recommended best practice.

Following the completion of Cyber Europe 2022, a survey was circulated to collect feedback from the participants. The data collected was complemented by findings the planners gathered during the exercise and by observations from the ENISA exercise team, and was subsequently analyzed by ENISA. The detailed findings were compiled in a report shared with the planners. One key takeaway is that Cyber Europe 2022 can be regarded as having been a success, as all parties involved identified areas for improvement. This proves that Cyber Europe is helpful in identifying what works, but also where there are shortcomings and areas for improvement.

The report identified that the goals and objectives set by Cyber Europe 2022 were mainly achieved. The primary goal of delivering testing and training opportunities to the participants was achieved, while the more detailed analysis confirmed that the exercise also achieved secondary (implicit) goals. Although not every participating entity was able to engage in all secondary areas, the exercise scenario offered the opportunity to all participating countries and institutions to do so. 

“The uptake of the detailed findings at the Objectives level, which were shared with the planners, should result in the improvement of procedures, communication, and coordination processes that are in place at local, sectoral, national, cross-border, and EU-wide levels,” the report added.

Cyber Europe 2022 confirmed the importance of allocating sufficient budget and resources to cybersecurity teams in the healthcare sector, given the severity of the challenges linked to cyber-attacks. It also provided a training ground for standard operating procedures and business continuity plans. The exercise confirmed the need for frequent testing at the local level in order to continuously improve and strengthen the healthcare sector’s resilience with regard to cybersecurity threats. 

In October, the American Gas Association (AGA) announced that it carried out a nationwide tabletop drill focused on natural gas distribution and transmission cybersecurity, physical security, and business continuity last month. The Natural Gas Exercise (NGX) covered nearly 300 industry professionals representing 50 natural gas utilities, transmission companies, and municipalities participating in the inaugural event.

While natural gas companies conduct security exercises internally and are invited to other energy-related exercises, the AGA said there had not been a nationwide exercise focused on natural gas, until now.
