
ACCSA

Austrian Cyber Crises Support Activities

The multitude of reports, newspaper articles and features on cybersecurity and cybercrime (e.g., ransomware, phishing, DDoS, CEO fraud) shows how multi-layered and complex cyber incidents have become. These attacks take advantage of known as well as unknown attack vectors in the wake of sophisticated APT attacks that affect both SMEs and large enterprises. The occurrence of a nationwide cyber incident caused by multiple cyber attacks, for example on critical infrastructure operators, and the possible resulting activation of the nationwide crisis mechanisms provided for in the Network and Information Security Act (NISG), including cyber crisis management (CKM), thus seems to be only a matter of time.

The development of strategies for the best possible preparation for large-scale and long-lasting cyber incidents is thus essential and has been appropriately recognized and addressed by the project partners and stakeholders of the KIRAS project ACCSA. After all, the structures of the CKM are shaped not only in working groups of the responsible ministries (BMI, BKA, BMLV). Both the NIS Directive (NIS-RL) and the NIS Act (NISG), as well as the Austrian Cyber Security Strategy (ÖSCS), provide in particular for preparation through training and through exercises in which scenarios involving security incidents are simulated in real time. Accordingly, numerous initiatives already exist in various circles and at various levels (e.g., KSÖ Cybersecurity Simulation; ENISA Cyber Europe; NATO CCD CoE; activities of the Cyber PPP, the ECSO (European Cyber Security Organization)).

In classic crisis and disaster management, regular large-scale exercises (e.g., chemical incident exercises) have already proven to be an effective means of providing practice for all participants. However, a comparable use of training and exercise concepts specifically for CKM with technical-organizational support did not exist before the implementation of the ACCSA project. Classical exercises often focus only on non-dynamic and linear exercise opportunities. Technical products for training are usually only commercial, only available to members of certain professional groups, or not publicly available.

ACCSA aimed to fill exactly this gap and enable cyber crisis preparedness with comprehensive training, exercise, and evaluation concepts for all stakeholders in CKM (see Figure 1), thereby reducing response times and error rates in the event of a real cyber crisis. The CKM concepts, processes and methods were supported by the realization of a CKM Toolbox, a system for software-based training and exercise execution that spans multiple CKM communication levels (e.g., engineering, management, first responder, policy). The project was the first to develop CKM training and exercise concepts for all relevant stakeholders, as well as technical/organizational support measures incorporating the state of the art and previous project results for exercises.

The results from ACCSA are directly incorporated, in the form of consulting services, into the further development of incident, emergency and crisis management operational baselines at organizations and companies. This know-how is essential for critical infrastructures and operators of essential services according to NISG and NIS-VO. The maturity model developed in ACCSA as well as the CKM tools can also be used for auditing and for proving the effectiveness of conceptual foundations in business continuity management and business continuity for operators of essential services. Furthermore, the KoordTool developed in ACCSA as part of the CKM Toolbox, which was tested in the course of dedicated workshops with the stakeholders involved in the project, is to be further developed for real-world use in ongoing R&D activities and ultimately rolled out at CERT.at. The KoordTool enables CKM experts at different locations to collaborate on a joint situation assessment in the cyber domain.

Based on the findings of the final simulation, but especially on the experiences from COVID-19, training and further education on remote collaboration mechanisms became necessary. Among other things, the focus was on staff work procedures based on simple video conferencing systems. In parallel, the aspects of court-proof documentation of decisions made in videoconferences using qualified signature mechanisms were considered.

Thus, ACCSA laid the foundations for a variety of follow-up activities and exploitation opportunities, namely (i) the preparation, execution and evaluation of intra-organizational CKM exercises based on the methods developed in ACCSA; (ii) inter-organizational exercises using the developed tools up to state crisis management (not only in Austria); (iii) training, education and advanced training in CKM fundamentals at operators of essential services; (iv) detailed competence and training profiles for all CKM actors, which can be used to fill critical functions; and (v) the integration of findings on NIS audit criteria.

Other project and cooperation partners:

  • SBA Research gGmbH
  • REPUCO Unternehmensberatung GmbH
  • Infraprotect GmbH
  • T-Systems Austria
  • Universität Wien, Rechtswissenschaftliche Fakultät
  • CERT.at / nic.at
  • Bundeskanzleramt
  • Bundesministerium für Inneres
  • Bundesministerium für Landesverteidigung