This week, the State Information System Authority (RIA) held an exercise in which IT and cybersecurity professionals from the Cyber Reserve were tasked with discovering hackers in Tele2 and Elektrilevi's IT systems.
Cyber attacks in the shadow of the storm
According to the exercise scenario, the crisis began not with cyber-attacks, but with an intense storm in Estonia that caused widespread power and communication outages. When the storm damage was repaired, power to several substations and communications to mobile masts had not been restored, leaving tens of thousands of people without power and coverage, Kadri Masing, RIA communications specialist, said.
In the scenario, Tele2 and Elektrilevi initially attempted to repel the cyber attacks with their own forces. Upon realizing that this was a targeted and extensive assault, they sought the RIA's help in coordinating the efforts to halt the massive attack and in deploying specialists with the necessary technical expertise.
As time passed, it became evident that intrusive attackers were hindering the restart of critical infrastructure by hacking their way into IT systems. The cyber reserve was responsible for purging them from the systems.
"After receiving a request for help from Tele2 and Elektrilevi, the RIA, the agency in charge of the cyber reserve, had to determine what technical skills companies required to deal with the cyber crisis which resulted from the storm. The reserve has to be activated and sent to help companies," said Jaanus Heinsar, one of the exercise's organizers and a top RIA expert.
Cyber reserve of 150 specialists
The IT and cybersecurity experts who fill the ranks of the cyber reserve are divided into three groups.
The first tier works in the RIA's cyber incident handling department CERT-EE; the second tier is staffed by national IT departments, with experts from the Information Technology and Development Centre (ITDC) of the Ministry of the Interior, the Estonian Information and Communication Technology Center (RIT), the Health and Welfare Information Systems Centre (TEHIK), the Information Technology Centre for the Ministry of Finance, the Information Technology Centre of the Ministry of the Environment (KeMIT) and the Centre of Registers and Information Systems (RIK). The third tier is composed of the cyber defense unit of the Estonian Defense League.
The RIA manages a cyber reserve of about 150 specialists, more than 20 of whom participated in the exercise. The number of members is also continually changing and growing - at the start of the year, there were still approximately 100 members - and it should be emphasized that cyber reservists have a primary job as well.
The Cyber Reserve specialists were divided into two groups: Alfa and Bravo. Alfa's staff was assisting Elektrilevi one day, while Bravo set the pace for Tele2. The following day, the teams switched places. Tele2's situation was rectified at the company's office, while Elektrilevi's systems were installed at Tallinn University of Technology's campus, where a substation laboratory has been established.
The RIA's main expert, Ivo Vellend, said that "as a result of this exercise, there are now a dozen or so experts who know how to help Tele2 and Elektrilevi in such a situation."
"Of course, you can't be prepared for everything, but they now have knowledge that will help them respond faster and communicate better in the event of a real incident. Despite the fact that Estonia is a small country, each organization has its own set of systems." That is why, according to Vellend, "it is also necessary to organize exercises that get under the skin of the authorities."
Cyber reserve for major crises
The RIA intends to train and educate all members of the cyber reserve on a constant basis so that they can grow professionally and have the knowledge and abilities to help in the event of an attack. The pool can be used to help both the public and private sectors.
The concept for the cyber reserve was developed in 2020, and it has not yet been called upon to respond to a real-world incident.
The RIA is a national center of excellence which builds and secures the foundations of Estonia's digital society: it develops and oversees the digital state's core technology platforms and ensures the state's cybersecurity.
The Cybersecurity Center of the RIA is responsible for 24-hour cyberspace monitoring, cyber incident response, critical infrastructure protection, cyberspace analysis, surveillance, information security standards, cyber crisis management and exercises, and research and development coordination.
Editor: Aleksander Krjukov, Kristina Kersa