Securing the Critical Infrastructures: Security Exercises

1
Securing the Critical InfrastructuresSecurity
Exercises

• Lesson 23

2
Securing the Critical Infrastructures

• Is this something that can be legislated?
• Is this best a top down effort or a bottom up
  effort?
• Ultimately, no matter what plans are created in
  D.C., it is the local first responders that will
  make the difference in responding to a terrorist
  event.

3
Conducting a Security Exercise

• Three different purposes for an exercise
• Awareness help make the participants aware of
  the issues
• Education/Training train the participants in
  how to respond to the issues
• Exercise
• Provide an opportunity for participants to
  practice their response procedures
• Evaluate the effectiveness of
• The security processes and procedures
• The training for participants (do they know what
  to do?)

4
Dark Screen

• Exercise examined
• Indications and Warning requirements and
  operations
• Vulnerability assessment and mitigation
  capabilities
• Security operations
• Application of security technologies
• Success measurement and incremental improvements

5
Original Challenge

• An exercise to identify and test resources and
  capabilities to detect, prevent, and respond to a
  cyber terrorist attack.
• the exercise will test the ability of federal,
  state, county, and local authorities to
  effectively communicate during and after a cyber
  terrorist attack.

6
Phase IThe Tabletop Exercise

• Scenario depicted fairly simple cyber security
  event
• A physical attack was not a part of the exercise.
• 3 modules
• Pre-event, Event, Post event/wrap-up
• 11 tables
• Each table housed a specific sector or
  organization
• Each table had their own scenario booklet and did
  not see the inputs for the other tables.
• No sharing of information between tables during
  the exercise.

7
Sample Event

• Friday, September 13, 2002 0001 AM (COSA,
  Bexar, Infrast.)
• The San Antonio Police Department, Bexar County
  Sheriffs office, and CPS receive an email
  threatening to shut down San Antonios power
  system. The anonymous sender claims to have
  inside knowledge of the CPS SCADA systems. The
  email demands that San Antonio police stop its
  harassment of fighters for world justice.
• Question 1 (to Infrastructure, COSA, Bexar)
• What actions would this report prompt?
• Who, if anybody, would your organization contact?
  

8
Participants

• The City of San Antonio 72
• Air Intelligence Agency 30
• Federal Agencies 20
• Other Military Bases 16
• Bexar County 15
• Critical Infrastructures 15
• The State of Texas 14
• Industry 14
• Media 8
• Visitors and Staff 26

9
Phase II

• Commenced at conclusion of Phase I and continued
  until Phase III started.
• Consisted of actions taken as a result of Phase I
  lessons learned.
• Included vulnerability assessments (deeper
  penetration) of various local infrastructures.

10
Phase III

• 15-26 September 2003
• Similar participating organizations to Phase I
• Bexar Metro E-911 and other local 911 entities
  added
• SBC participated in exercise events with E-911
• Consisted of electronic and white card events

11
Phase III Sample Event

• Friday, May 23, 2003 0001 AM (COSA,
  Bexar,Infrastructure)
• The San Antonio Police Department and Bexar
  County Sheriffs office receive an email
  threatening to shut down San Antonios power
  system. The anonymous sender claims to have
  inside knowledge of the CPS SCADA systems. The
  email demands that San Antonio police stop its
  harassment of fighters for world justice.
• Expected Action COSA, Bexar
• Contact should be made with CPS ltnumber/officegt
• Was contact made? Was the number readily
  available?
• How long did it take to make the contact?
• Expected Action Infrastructures (CPS)
• Should receive contact from Bexar and COSA
• When was contact made?
• Individual receiving call should contact
  ltnumber/officegt
• Was contact made? Was the number readily
  available?
• The following emergency procedure should be
  followed
• Contact ltnumber/officegt to determine if claim is
  possible

12
Phase III Sample Event

• Friday, May 23, 2003 0201 AM (COSA)
• The GOLD team will conduct a ping sweep of the IP
  address range 10.10.250.. Immediately following
  this sweep, a port scan will be conducted for TCP
  ports 1-1024 for the IP addresses 10.10.250..
• (Black Team observers) Expected Action COSA
• Personnel at ltlocation/officegt should detect the
  scan
• Was the scan detected? By whom and how long did
  it take?
• Had the initial ping sweep been detected? What
  actions were taken?
• Once detected, personnel should ltdescribe actions
  that should be takengt
• Were the proper procedures taken?
• EMERGENCY PROCEDURE Should a real event occur,
  or actions appear to be disruptive to operations,
  immediately contact ltphone numbergt
• Gold Team Actions
• Conduct Ping Sweep of IP address range
  10.10.250.
• What systems responded as being active?
• Conduct Port Scan of TCP ports 1-1024 for IP
  addresses 10.10.250.
• What ports were open on what systems? Was any
  other useful information obtained?

13
Results/Lessons Learned

• All organizations should be involved in the
  exercise and plan
• Just meeting to discuss the issues provides a
  better understanding of what could occur and will
  lead to improved procedures
• Mechanisms to easily share information between
  organizations do not always exist -Timing is
  critical
• Strict rules hamper the Military from sharing
  information with various civilian government
  organizations
• State Guard may be possible link
• High level of interest by Guard in the exercise
• Recommendation to create better channels for
  sharing of information at the local level
• Creation of a COSA/Bexar CERT
• Creation of a cyber security advisory group for
  the city
• Development of MOAs between City and AIA

14
Sector-Based Exercises

• Sponsored by the USSS and ISACs
• Designed to address threats to the various
  critical infrastructures and help them to
  organize sector-based responses.
• Two-day tabletop scenario-based events
• Three completed
• NY FS-ISAC
• Chicago FS-ISAC
• San Francisco IT-ISAC
• Future events
• Houston (Oil and Gas)

15
The Role of ExercisesinHomeland Security
16
Different Exercise Different Audience
City Level
17
City/County Exercise

• Model for this type of exercise is Dark Screen
• Purpose is to exercise the city and/or countys
  ability to prevent-detect-respond to a cyber
  security incident
• Involves many different sectors working together
  as a physical and cyber community
• The Communitys cyber first-responders
• Should also include federal and state level
  communication (actual or simulated)
• Should include all infrastructures as well as
  local industry representatives
• Depending on level of experience, may involve
  electronic/technical hands-on piece
• Usually will initially be tabletop exercises
• Technical may be accomplished via vulnerability
  assessments

18
Different Exercise Different Audience
19
State Exercise

• An extended version of the city/county exercise
• Purpose is to exercise the states ability to
  prevent-detect-respond to a cyber security
  incident
• Involves federal, state and city government
  agencies
• Communication between state agencies stressed
• Protection of state critical infrastructures
• The state as a conduit for alert and warning
  messages to/from the federal and local levels
• Depending on level of experience, may involve
  electronic/technical hands-on piece
• Usually will initially be tabletop exercises
• Can be conducted in conjunction with city/county
  exercises within the state

20
Different Exercise Different Audience
21
Different Exercise Different Audience
22
Sector-based Exercise

• Modeled after the FS/ISAC exercise in New York
• Purpose is to exercise the sectors ability to
  prevent-detect-respond to a cyber security
  incident
• Involves organizations within a specific sector
• Communication between the organizations, stresses
  ISACs
• Protection of sectors critical assets, more
  narrowly focused threats
• Examines the individual sectors reliance on
  other sectors
• Cross-sector communication
• Communication with Federal/State/Local government
  officials
• Multi-sector exercises can examine
  interdependencies.
• Can be tabletop or hands-on technical exercise
• Both types are important, initial exercise may be
  just tabletop.
• Military can be treated as a specialized sector

23
Different Exercise Different Audience
24
Corporate Exercises

• Similar to the sector-based exercise but focused
  on a single organization/corporation
• Purpose is to exercise the organizations ability
  to prevent-detect-respond to a cyber security
  incident
• Self-contained within the organization
• Communication between the organization and ISAC,
  law enforcement, and other entities simulated.
• Opportunity to exercise cyber-security procedures
  at all levels throughout the organization.
• Main individuals involved will be those
  responding to a cyber incident
• Incident response team, corporate officers, PA,
  legal, IT
• A good opportunity to include a technical piece
  to provide hands-on experience in handling
  specific cyber-related threats.

25
Different Exercise Different Audience
26
National-level Exercises

• An extended version of the state-level exercise
• Should not be a hands-on technical exercise
• Sector-based exercises provide an opportunity for
  the individual critical infrastructures to
  explore interdependencies and technical
  vulnerabilities.
• Should explore what is important at the national
  level
• Communication between federal agencies
• Communication between federal and state agencies
• Communication between federal agencies and ISACs
• Ability to handle
• Incident notification and Alerts
• Correlation of indications and warnings from
  multiple sectors
• Most ambitious national exercise would be one in
  conjunction with sector, state, and city
  exercises
• This should actually be treated as multiple
  concurrent exercises, not one large exercise.
  This will help to define roles and
  responsibilities.

27
Common Model

• All exercises should be built around the
  operational model proven in industry and
  government
• Proliferate a common framework, terminology and
  processes
• All exercises should deliver Practical Best
  Practices that are entity specific but
  cross-entity coordinated
• The ongoing exercises will allow for the
  evolution of all of the above as needed

28
Operational Mode

• Pro-active!!
• Strategically threat basednot driven by specific
  threats
• Business driven
• Goal is near real-time visibility and control for
  the enterprise, city, sector and nation

29
The Role of the Military

• Need to separate Federal from State missions.
• Active duty limited to federal role.
• Can sponsor exercises in communities where they
  have bases they are a member of the community
  and rely on the services provided by the
  community.
• Can help train the Guard in cyber security
  tactics.
• Important intelligence piece for indications and
  warnings of attacks.
• National Guard has state and federal missions
• Can assist Active Duty in their security mission
• Can provide a trained force for the states to
  rely on in their cyber response plans.
• Can take significant or lead role in state cyber
  exercises
• Traditional mindset is to ask how the Guard can
  assist the active duty military in their mission.
  New paradigm should ask how the military can
  assist the Guard in its homeland mission.

30
Summary

• What is the Importance and Significance of this
  material?
• How does this topic fit into the subject of
  Voice and Data Security?