ENISA teams up with US to test EU cyber security
Agency attempts to attack member states' defences with advanced persistent threats in first joint EU-US cyber security exercise
The European Network and Information Security Agency (ENISA) yesterday joined forces with the US Department of Homeland Security to test EU and US responses to sophisticated cyber attacks.
In an operation dubbed Cyber Atlantic 2011, simulated cyber crisis scenarios are played out with the participation of 20 EU member states' own cyber security agencies.
ENISA's executive director, professor Udo Helmbrecht, said that cyber security is high on both the EU and US agendas.
"European vice president Neelie Kroes has spoken of the importance of information communications technology for today's citizens and for the economy.
"The involvement of the commission, EU member states and, of course, the US in today's exercise shows the high level of commitment we have to ensuring we protect our digital infrastructures for the benefit of all citizens."
One of today's scenarios involves the use of an Advanced Persistent Threat (APT), a targeted and stealthy cyber attack, to attempt to steal and publish sensitive information from EU member states.
This is a sophisticated but increasingly common form of attack, referred to recently by Jonathan Shaw, the head of the British military's cyber security programme.
As has been widely reported, Shaw gave the example of a UK firm based in Cheshire whose intellectual property was stolen from its servers following an APT attack, a loss that ultimately led to the company going out of business.
The second simulates an attack on a country's critical national infrastructure. Specifically, the attack attempts to disrupt supervisory control and data acquisition (SCADA) systems in power generation infrastructures.
This is similar to last year's Stuxnet attack, a kind of attack that Kaspersky Lab founder and CEO Eugene Kaspersky recently stated he expected to see more of.
"I'm sure Stuxnet will happen again and again," he said.
He recommended industrial systems be redesigned to be more secure.
"It's extremely complicated and expensive to redesign industrial systems, but there's no other way. We depend on electricity, transport, information – everything depends on industrial systems."
ENISA says that lessons learned from Cyber Atlantic 2011 will be used to plan potential future joint EU-US cyber exercises.