Community News Magazine

SURF’s cyber crisis exercise OZON: dozens of zero-days and insider threats


Words: Yvonne Klaassen, SURF

At the end of March 2023, SURF organised the sector-wide cyber crisis exercise OZON for the fourth time. This edition was by far the largest, with 72 organisations and over 2,000 people taking part. Ever since 2016, SURF’s members practice biennially how to respond skillfully to realistic cyber crises. “The biggest challenge this edition was to come up with a scenario that impacted all our members,” says Charlie van Genuchten, project leader of OZON at SURF, the Dutch NREN.

Two main scenarios

“The exercise participants were not only from the research and education sector but were also – for example – healthcare institutions. In early 2022, professionals from education, research and healthcare therefore came up with two main scenarios: an ongoing flow of zero-day exploits and an insider threat scenario, where employees from one’s own organisation work for a criminal party. We then specified these scenarios at operational, tactical, and strategic levels, taking into account the stages a real cyber crisis goes through. Based on these central scenarios, the exercise leaders of the participating institutions wrote their own scenarios that fit their organisation’s learning objectives. Furthermore, there was collaboration across the chain: parties such as the ministry and also sectoral organisations participated in the exercise.”


“It was quite a challenge to keep everyone on track with so many participants. Some institutions were already participating for the fourth time, but for a large part, this was the first time. From preparation to the date of the exercise, it takes an institution about 9 months to get ready. Obviously not full-time, but it does require the necessary coordination within one’s own institution. SURF organises various preparatory days and buddy groups where the more experienced participants help the less experienced. And as the date of the exercise approaches, there are also consultation hours where institutions can come to us with their (technical) questions.” Questions? Please contact Charlie van Genuchten if you have any questions about the OZON exercise or about CLAW:

Evaluation report follows, initial feedback is positive

“We are still in the middle of the evaluation process, but the first feedback is positive. Of course, there are also points for improvement – for us, SURF, it is also a learning process as organiser of the exercise. We evaluate at different levels: with the project team, with participating institutions, and the observers who observed the institutions during the exercise. We incorporate all the lessons learned, learning points and feedback into a report.”

CLAW: international cyber crisis management workshop for the NREN Community

“For all cyber crises, practice is key. For the NREN Community, the GN5-1 project organises the international cyber crisis exercise CLAW, of which I am Task Lead. On 5 and 6 December, CLAW 2023 will take place in Poznań at PSNC in Poland.”

Charlie van Genuchten, SURF
Charlie van Genuchten, Product Manager Security at SURF

Questions? Please contact Charlie van Genuchten if you have any questions about the OZON exercise or about CLAW:




This article is featured on CONNECT43! Read or download the full magazine here
Skip to content