Exercise Purple Lumi
Purple Lumi raised the operational resilience of the NDA group by simulating a series of cyber attacks which required different parts of the sector to work together, sharing information to defeat the aggressor.
Inside the cyber lab
Purple Lumi was a 5-day exercise run in February 2020 in which managerial and technical staff practised their defence skills in a simulated cyber attack. The exercise offered a good example of how the CSRP, working alongside others in the sector, can learn from each other and practise collective defence skills. The exercise was set up to deliver the following benefits:
Operational
Purple Lumi raised the operational resilience of the NDA group by simulating a series of cyber attacks which required different parts of the sector to work together, sharing information to defeat the aggressor. This allowed participants to experience how an adversary would look to identify and exploit any cyber defence by targeting the weakest links in a digitally interconnected sector.
The participants were able to test their detection and response capabilities while gaining a better awareness of how others in the sector would defend against an aggressor should the situation actually happen.
Efficiency
Any realistic scenario must reflect the inter-connectedness of systems, which is difficult for an individual business to achieve. Purple Lumi drew in staff from across the civil nuclear sector (fuel fabrication, fuel storage and electricity generation) to practise their responses to an incident.
The exercise tested staff on a cyber range (a virtual facility and environment which can replicate IT and industrial control systems in operation on a nuclear facility). These systems cannot be taken offline for testing because they are required for the continued safe operation of nuclear facilities, but were replicated in the NDA’s training facility based at Energus in West Cumbria and then digitally linked to the North Atlantic Treaty Organisation (NATO) cyber range in Tallinn, Estonia.
Running a range which could deliver a similar simulated environment for any single business would be uneconomical. However, for the NDA group (8 businesses and 17 sites) and the wider civil nuclear sector it is possible to justify the investment since working at group level is more cost effective.
Opportunities
Purple Lumi brought key staff together from across the sector to share their experiences, build relationships and create further opportunities to strengthen collective resilience.
Regulatory
The exercise involved regulatory authorities and the NCSC who were able to contribute and better understand their response to the management of a cyber incident within the sector.