The world discovered the existence of the word “ransomware” with the WannaCry and NotPetya attacks in 2017. Those events accelerated for many companies their awareness of their potential vulnerability to the rapidly expanding cyber threat.

It was in this context that SNCF, France’s national railway company , decided to strengthen its cyber-resilience system. The objective was twofold: to optimize its processes and to be more efficient in the face of cyber risk.

To support this effort, SNCF commissioned CGI Business Consulting to set up a large-scale crisis exercise, capable of testing the system across the entire chain of command and thus validating the company's capacity to react and manage a cybersecurity crisis. The mechanics of a cyber crisis are different from those generated by a train breakdown. It has a darker and more complex side, involving one or more attackers whose only motivation is to cause harm. The Chief Information Security Officer of SNCF therefore wanted to understand how their executive committee (Comité exécutif in French or Comex ) would react to this new type of crisis.

4 months of preparation

The first exercise of this type took place in July 2018. To prepare, the SNCF and CGI Business Consulting teams worked for four months to construct a crisis scenario, as credible and relevant as possible in relation to the reality of the situation and the railway company. In all, around twenty workshops were conducted to validate the very nature of the exercise.

On the big day, the entire management committee was mobilized and the exercise was led by some 80 people over half a day. With this format, the Comex must necessarily make decisions with the best possible information according to the proposed scenario.

A highlight of the Comex, included in the SNCF calendar

At the immediate end of the exercise, a live debriefing was carried out with all the actors who contributed. It was a way to collect feedback and give a voice to members of the executive committee so that they can express themselves on the experience.

A little later, a debriefing was organized, which allows, with hindsight, to share strengths and areas for improvement. This discussion constitutes the starting point for building the continuous improvement plan whose actions aim to improve the agility and reaction capacity of SNCF in the face of cyber threats.

The event is now planned as part of the SNCF's annual crisis exercise calendar. A second exercise of the same type was carried out in September 2019 with another planned for 2021.