students at national cyber range
Crisis staff are engaged in a full-scale exercise at NTNU’s Norwegian Cyber Range. This time it was fortunately just an exercise, but such attacks can happen at any time. Photo: Kenneth Nordahl Pedersen, NTNU

NTNU has a training arena for handling cyber attacks

Unauthorized people who break into an organization’s computer system can create a serious crisis. It’s critical that businesses, organizations and governments practise for possible attacks. The Norwegian Cyber Range at NTNU offers full-scale simulations of handling cyber and information security incidents.

The alarm has gone off. Someone has carried out a comprehensive cyber attack on one of the largest organizations in central Norway. Experts have been called in at short notice to contain the security breach. If they fail to do so quickly, hypersensitive information could end up in the wrong hands. They work furiously, all the while feeling the pressure from the affected parties and the media. So far, the hackers are ahead.

Just an exercise this time

This was the scenario during a full-scale crisis management exercise recently carried out at the Norwegian Cyber ​​Range at NTNU in Gjøvik. Fortunately it was just an exercise this time, but attacks like this could happen at any time. The work at the cyber range plays a critical role in enabling both internal and external actors to train in how to handle real cyber attacks.

The exercise described was part of Grethe Østby’s doctoral dissertation. She studies how best to equip public and private sectors to withstand a cyber attack.

Østby is a PhD candidate and lecturer at the Department of Information Security and Communication Technology at NTNU in Gjøvik and has carried out a lot of research on digital security.

Cyber attack research

In her doctoral dissertation, Østby investigates how much society pays attention to information security in general. She also assesses the ability of Norwegian, and Nordic, emergency preparedness organizations to handle crises in the event of information security incidents. Emergency response organizations, such as municipalities, county governors and emergency services, have emergency response responsibilities.

photo of Grete Østby

Grete Østby is researching cyberattacks. Photo: Merete Nyheim

 

“In other words,” says Østby, “I look at what responsibility the leaders in these emergency preparedness organizations have in these kinds of incidents, by measuring organizational maturity, how previous incidents have been handled, what risk assessments have been done and what contingency plans exist.”

Expertise in cyber security is key

Østby also examines exercises that are relevant for improving maturity by looking at factors like structure, culture and methods. These factors translate into organizational structure, the information security culture that exists and the security methods the organization uses.

“ I also look at system security in the organization’s databases, programs and applications,” she says.

Digital security is extremely important, and the need for relevant expertise is only growing in importance. Even small towns in Norway are not exempt, she says.

“In a recent cyber attack in Østre Toten municipality, data were stolen from the municipality, and sensitive personal information was hacked. The municipality’s ability to collect income due from residents was impacted for a long time as well,” she said.

Practising with real organizations

The exercise carried out at the cyber range in October was based on a real incident. The scenario involved an unknown actor carrying out a cyber attack on a large organization in Norway’s Innland county.

This was a test exercise, and the roles in the game were played by students in the master’s degree programme in Information Security, exchange students, a PhD candidate and a post-doctoral fellow. The roles of the Norwegian Police Security Service (PST), the press and affected entities were played by representatives from Innlandet’s county governor office, the Armed Forces, NTNU and Innlandet Hospital.

Exercises with real organizations will be carried out in 2022.

“Now we’re planning and testing the various exercises for students and emergency response organizations,” Østby says. “For the students, we want to incorporate exercises as part of their leadership classes. For organizations, we carry out analyses as well as exercises like the full-scale scenario we ran in October. We’ll compile and evaluate the results before finally presenting the study in academic articles and the doctoral dissertation at the end of January 2023.”

NTNU Gjøvik carries out a great deal of research activity on digital security and offers an IT security system study programme. The Department of Information Security and Communication Technology offers a bachelor’s degree in digital infrastructure and cyber security and a master’s degree in information security.

Facts about the Norwegian Cyber ​​Range

The Norwegian government introduced a new national strategy to strengthen societal cyber security in 2019. Norway thus became one of the first countries to establish a national cyber security strategy. One of the measures implemented was the Norwegian Cyber ​​Range, an arena for cyber security testing and training.