Can you and your critical systems withstand a cyber attack?

The number of cyber-attacks against government agencies and critical organisations has been on the rise significantly in recent years. This revealed an important issue. In 2024, the Swedish Civil Contingencies Agency (MSB) published a report showing that seven out of ten public organisations do not have the basics in place for cyber security work.

Private companies involved in critical activities seem to be slightly better prepared. According to a survey, small and medium-sized enterprises are getting better and better at the acquisition of cyber security knowledge. 

It is clear that all organizations that are connected to Sweden's infrastructure in different ways, from the energy company that supplies electricity and heat to the whole society to the municipal water company that controls the water supply, benefit from resilience training.

– Cyber security is largely about managing the attack. What are you going to do if you come into the office, you turn on your computer, and it doesn't work? It's hard to know unless you've been in that situation, says Karl Resare, business developer at Cyber Range, RISE's cyber security testbed.

Practice being attacked in a secure environment

In the Cyber Range it is possible to create virtual copies of IT environments. This could be a replica of a water treatment plant or a power station. RISE's ethical hackers, researchers who know how to exploit vulnerabilities, will then test how secure the facility is by attacking using different methods.  

– With us, you can practice being under attack in a secure facility. By simulating an attack, the management team has the opportunity to prepare for a real scenario and identify weaknesses, says Karl Resare, continuing.

– This is a site for the preparation of a cyber war, with real soldiers and real weapons. The scenarios played out are real, but there is no risk of things going wrong. A unique feature of the Cyber Range is that it can give no telltale signals. This means that the signals from the electronic equipment do not leave the facility and therefore cannot be intercepted by anyone. Information generated during exercises stays safely within us.

The exercises that take place within the walls of the test facility are just that - exercises. However, situations often arise that are perceived as serious and stressful for those involved. During the exercise, weaknesses are revealed, not only in the IT infrastructure, but also in the way teams work together. Predicting how people will react in a live situation is difficult, but Cyber Range provides the opportunity.

Complex operations to influence

In addition to management teams, the Cyber Range is also home to developers who are trained to think about cyber security during the development of new software. The aim is to start hardening IT environments while still developing.  

– Developers, who have high demands from their customers, usually have a focus on functionality. Cybersecurity is rarely an acute problem until someone malicious finds and exploits a vulnerability, says Resare.

A few years ago, threats to IT security were about money, as in the case of the attack on the Church of Sweden, where hackers locked down the church's digital systems to extort a ransom. That motive remains, but a new type of threat has also emerged - influence operations carried out by other states using IT as a means of support or communication.

– These attacks are much more complex than the financial attacks, which are easier to understand. In Sweden, we have ideals of democracy, openness, opportunity and choice. Hybrid warfare means that false information comes out, which makes these ideals take a step back. This is a very serious matter and makes it more important than ever for organisations that are important to society to be prepared, says Karl Resare.