CyberSec4Europe Hosting Flagship 1: An Online Cybersecurity Exercise


CyberSec4Europe Hosting Flagship 1: An Online Cybersecurity Exercise

11 January 2021, BRUSSELS

CyberSec4Europe in collaboration with Finnish project partner JAMK University of Applied Sciences is running Flagship 1, a two-day innovative cybersecurity exercise that highlights real world scenarios. The event on 12-13 January 2021 will be the first of its kind and requires no previous experience for participants.

Over 40 participants representing different organisations from across Europe have been invited to jointly respond to a realistic cybersecurity incident. The exercise draws upon the rich variety of skills, capabilities and knowledge the participants bring and enables them to co-operate without having a shared background or training.

Throughout the course of the exercise, participants will work in teams and be assigned a range of roles and duties – from technical specialists to IT managers to communications managers – for a fictional organisation. In a cyber attack scenario, the fictional organisation’s internal and external communication representatives are alerted. With the information provided to them, the participant teams will examine and analyse the attack, seeking to mitigate the damage by providing timely and understandable information for decision-makers as well as collaborating with stakeholders.

The two-day event will be opened by Rauli Paananen, National Cyber Security Director at the Finnish Ministry of Transport and Communications. After JAMK specialists start the exercise with a simulated cyber attack on the fictional organisation, Flagship 1 participants then get to work with forensic and response activities relating to the digital incident.

Kai Rannenberg, CyberSec4Europe coordinator, says: “Recent events have shown that the initial response and communication of cyber attacks are usually the duty of non-technical employees. A detected cyber attack not only concerns the impacted organisation, but also the organisation’s ecosystem and its stakeholders who need to receive timely updates on the attack and its aftermath. One of the exercise’s key challenges is how untrained and unprepared participants can respond to a series of complex and tense learning situations in a very short time.”

Note to Editors:

About Cyber Security for Europe (CyberSec4Europe)

CyberSec4Europe is a research-based consortium consisting of over 50 leading cybersecurity organisations from 20 EU Member States and two Associated Countries. As a pilot for a Cybersecurity Competence Network, it is testing and demonstrating potential governance structures for the network of competence centres using the best practice examples from the expertise and experience of the participants.

CyberSec4Europe is addressing key EU Directives and Regulations, such as the GDPR, PSD2, eIDAS, and ePrivacy, and helping to implement the EU Cybersecurity Act including, but not limited to supporting the development of the European skills base, the certification framework and the role of ENISA.

CyberSec4Europe partners address 14 key cybersecurity domains, 11 technology/ application elements and nine crucial vertical sectors. With participation in over 100 cybersecurity projects amongst them, CyberSec4Europe partners have considerable experience addressing a comprehensive set of issues across the cybersecurity domain. The project demonstration cases will address cybersecurity challenges within the vertical sectors of digital infrastructure, finance, government and smart cities, health and medicine and transportation. In addition to the demonstration of the governance structure and the operation of the network, CyberSec4Europe will develop a roadmap and recommendations for the implementation of the Network of Competence Centres using the practical experience gained in the project.

CyberSec4Europe started on 1 February 2019 and will last until July 2022. CyberSec4Europe is funded by the European Union under the H2020 Programme Grant Agreement No. 830929

Twitter: @CyberSec4Europe


For further information on the Flagship 1 exercise: Jani Päijänen, JAMK University of Applied Sciences, [email protected], +358 40 7072 850

CyberSec4Europe press and media contact: David Goodman, [email protected], +44 7866 360 800


The Exercise Scenario

On Monday 2 November 2020, the Swiss University of Kybereo and the Italian train company CyberRails sign a mutual partnership agreement to launch research and development co-operation. By agreement, the parties express their intention to develop train connections and improve rail traffic. In the name of co-operation, the parties expect to share information with each other openly. A professor at the University tells journalists that combining large amounts of data will help predict travel flows and optimise train traffic and will be supported by new technologies such as artificial intelligence and machine learning.

Soon, the University of Kybereo shows signs of having been subject to a phishing campaign. The events come to a head when a university employee reports a suspicious email sent on behalf of the university’s IT management. The message directs the recipient to click on a link that takes them to the university intranet site – or is it a look-alike?

The technical exercise consists of office networks and IT services, data centres, public commercial cloud components and critical infrastructure services which are integrated to provide a large and highly realistic environment, including services and Internet-based functionalities. The exercise starts knowing that the University of Kybereo was subject to a successful phishing campaign, and that the origin of the attack came from a foreign country. Further cyber events unfold over the rest of the event that will tax the capability of the participant teams.

Participant Objectives

Exercise participants are part of an incident response team at the University of Kybereo. Because it would face considerable sanctions in case of non-compliance with the multi-million euro, CyberRails contract, the incident response team in collaboration with Kybereo’s top management are incentivised to mitigate the investigation of the situation. The personal identifiable information (PII) the University has in its possession, including sensitive health information collected in various research studies, creates possibilities to exercise actions that should be taken when such data is at risk, that is compliant with the General Data Protection Regulation (GDPR).

Attendees are expected to follow the provided incident response plans, which contain guidelines for the technical investigation team, communications managers for those specific tasks, and how they should support the top management communicate to the stakeholders and media. The incident response team investigates what has happened and if the attacker is still in the organisation’s network, as well as determining which, if any, digital or cyber-physical assets have been compromised or at risk. It even might be that the assets of CyberRails might be endangered because of the successful cyber attack, which the investigation might reveal.

Flagship 1 Technology Platform

The technology behind Flagship 1 is based on Realistic Global Cyber Environment (RGCE), a cyber arena developed in JAMK’s cybersecurity research, development and training centre, JYVSECTEC. The platform development started in 2011 and the first national cyber exercises were held in 2013. Since then, RGCE has been used in various realistic cybersecurity exercises and in cybersecurity masters’ level cybersecurity education at JAMK.

In Flagship 1 an open-source SD-WAN interconnection requirement specification is proven. It is used for interconnecting various cyber range internal and external services and endpoints as show in the picture below. The implementation is based on a requirement specification, documented in Part B of CyberSec4Europe deliverable D7.1.

A report on the experience and lessons learned during the course of the exercise will be published and made generally available.

For more on expectations, benefits and other information relating to Flagship 1 as well as cyber ranges, please the JAMK Flagship pages..

See also the Flagship 1 trailer video.