National Cyber Exercise: Cyber Storm
National Cyber Security Division
New York City Metro ISSA Meeting
June 21, 2006




This document is FOR OFFICIAL USE ONLY (FOUO). It contains information that may be exempt from public release under the Freedom of Information Act (5 U.S.C. 552). It is to be controlled, stored, handled, transmitted, distributed, and disposed of in accordance with DHS policy relating to FOUO information and is not to be released to the public or other personnel who do not have a valid "need-to-know" without prior approval of an authorized DHS official.

FOR OFFICIAL USE ONLY
Agenda

    Cyber Storm Overview
       Exercise Objectives
       Exercise Construct
       Player Universe
       Scenario Context and Scope
       Scenario and Adversary
       Scope and Scale
    Overarching Lessons Learned
    Way Ahead Cyber Storm II



Cyber Storm




Cyber Storm Overview
What:
  Provided a controlled environment to exercise State, Federal, International, and
   Private Sector response to a cyber related incident of national significance
  Large-scale exercise through simulated incident reporting only - no actual
   impact or attacks on live networks
  Specifically directed by Congress in FY05 appropriations language and
   coordinated with DHS National Exercise Program
Who: 300+ participants from
    Federal D/As:       Support and/or participation by 8 Departments and 3 Agencies

    States:             Michigan, Montana, New York, Washington (Exercise Control)
    International:      Australia, Canada, New Zealand, UK
    Private Sector
           - IT:       9 major IT firms
           - Energy:   6 electric utility firms (generation, transmission & grid operations)
           - Airlines: 2 major air carriers
           - ISACs:    Multi-State, IT, Energy, Finance (off the record participant)
                       (Nebraska, North Carolina, South Carolina, Texas @ MS-ISAC)

When: February 6-10, 2006
Where: distributed participation from ~ 60 locations including US, Canada, and UK


Exercise Objectives
 Exercise the national cyber incident response community with a
 focus on:
     Interagency coordination under the Cyber Annex to the National Response
      Plan:
       - Interagency Incident Management Group (IIMG)
       - National Cyber Response Coordination Group (NCRCG)
     Intergovernmental coordination and incident response:
       - Domestic: State - Federal
       - International: Australia, Canada, NZ, UK & US
     Identification and improvement of public-private collaboration, procedures
      and processes
     Identification of policies/issues that affect cyber response & recovery
     Identification of critical information sharing paths and mechanisms
 Raise awareness of the economic and national security impacts
 associated with a significant cyber incident


Exercise Construct
  Feb. 6                 Feb. 7                Feb. 8                                 Feb. 9                  Feb. 10
   Build-Up               Build-Up             Crisis Phase                     Response & Recovery         Response & Recovery
 [D-300 - D-14]          [D-7&D-1]                [D Day]                              [D+1]                      [D+5-7]


Mon. 4 hrs Tue. 8 hrs                                  Wed.-Thurs. 36 hrs                                      Fri. 4 hrs


                                           Live Play                                                        TTX & Hotwash
State Prep

                                            State Play & Hotwash

                                                                                          Aus & NZ TTXs
                                                                                          Thurs


                                          Canada
Federal Players
Private Sector Players                                                                   United Kingdom
State Government Players
International Players                US
Exercise Control
                                                                                                                     New
                                                                                                Australia
                                                                                                                     Zealand



Cyber Storm Player Universe

[Figure: player-universe diagram, captioned "The N2 Problem"]
Player Universe

  IT/Telecom: US-CERT, NCC, Comms ISAC, IT-ISAC, ISP/Telco Sim Cell, CA, MSSP,
    MSV 1, MSV 2, MSV 3, MHV 1
  LE/Intel: NSA, DNI, CIA, FBI, DHS I&A, USSS, HITRAC
  DHS & Interagency: IIMG, HSOC, NCRCG, NCSD, NICC, NCS, OPA, IP, IMC
  Energy: ES-ISAC, DOE, Regional Pwr Admins, Utility 1 through Utility 6
  States: MS-ISAC, Michigan, New York, Montana
  Transportation Sector: DOT, FAA, TSA, TCIRC, TSOC, CSIRC, Air Carrier 1, Air Carrier 2
  Federal Department/Agencies: OMB, HSC, NSC, DOC, DOD, Treasury, Fed. Reserve Bank,
    FDIC, Ag, DOJ, DOS, Red Cross
  International: Australia, New Zealand, Canada, United Kingdom
  Main Exercise Control (75 / 20), with cells for: Internat'l, State/Local, Fed D/As,
    Energy, Trans, IT/Telcom, LE/Intell, DHS, PA/Media

  Other counts on the diagram: 13 Players, 3 Players, 11 SimCell
Scenario Context and Scope
 A simulated large-scale cyber incident affecting Energy, Information
 Technology (IT), Telecommunications and Transportation infrastructure
 sectors.
 Cyber Storm scenario included:
     Cyber attacks through control systems, networks, software, and social
      engineering to disrupt transportation and energy infrastructure elements
     Cyber attacks targeted at the IT infrastructure of State, US Federal and
      International Government agencies intended to:
        - degrade government operations/delivery of public services
        - diminish the ability to remediate impacts on other infrastructure sectors
        - undermine public confidence
 The exercise was NOT focused on the consequence management of the
 physical infrastructures affected by the attacks
     Physical consequence management aspects largely provided to players via
      robust Exercise Control cell




Scenario Timeline by Thread

Time columns: Monday (1 Jan 05 - 30 Jan 06), Tuesday (1 Feb 06 - 7 Feb 06),
Wednesday (8 Feb 06), Thursday (9 Feb 06)

Transportation
  Monday:    SCADA System Probing; Unauthorized FAA Network access
  Tuesday:   Software Update crashes FAA Control System; Minor Commuter Rail Trouble;
             TWIC Problems Plague Ports
  Wednesday: False NOTAM Distribution; DOS Attack on FAA; Threats on Metro Websites;
             Metros Stop Running; Claims of Responsibility; EWA's No Fly List Altered
  Thursday:  Delay of FAA Real-time Systems; Oil and Gas Pipeline Map DOS

Intel/LE
  Monday:    NIPRNET Probing increases; WAGA calls for DOS Attacks & Cooperation
  Tuesday:   Ongoing Protests Surrounding WTO and DEUI Meetings (continuing);
             Spoofed Red Cross Messages; Tricare Site Defaced; WAGA Virtual Sit-In
  Wednesday: Newspaper Sites Defaced; TRANSCOM Log Info Manipulated
  Thursday:  MRG posts No Fly List on Website; Tricare BotNet Discovery

Energy
  Monday:    OPC Vulnerabilities Identified
  Tuesday:   Wireless RTU Problems; Confusing Network Data; OASIS DDOS Attack
  Wednesday: State Estimators Fail; Transmission line breakers tripped;
             More Extensive Power Outages; Utility Bomb Threat
  Thursday:  More Power Outages Threatened

IT
  Monday:    Malware CD Distributed
  Tuesday:   MSSP Malware Distribution via Malicious Code; DNS Cache Poisoning;
             Trusted Insider System Infection; Attack using Malware distributed via Counterfeit CD
  Wednesday: DDOS Attacks on Power Admin and DOE Servers; Rogue Certificate Authority;
             Internet Extortion

States
  Monday:    Logs Compromised (FW, IDS, RTR)
  Tuesday:   Rogue Wireless Device Discovered; HIPAA DB Compromised
  Wednesday: False Amber Alert; Email Threat to CIOs; Wireless Comm Device SVR Corrupted
  Thursday:  Cascading RTR Failure; RTR Control from Offsite; Wide Area Electrical Failure

International
  Tuesday:   Heat goes out in Govt Buildings; Claims of Responsibility for Heat Outages;
             Logic Bomb planted in PWGSC Server
  Wednesday: SIN # Postings; Intel Reports on Heat Outage Sources
  Thursday:  Australia / New Zealand Table Tops
Adversary

Worldwide Anti-Globalization Alliance (WAGA)

  Freedom Not Bombs
    - Target Multinationals
    - Port and Rail Closures
    - International Network attacks
    - Anti-Capitalist
    - Nations' reliance on cyber services is a product of Globalization (the irony of its attacker)

  Black Hood Society (Faction of Freedom Not Bombs)
    - Military Disruption
    - Port and Rail Closures
    - Pipeline Cyber Attacks
    - International Network attacks
    - Anti-NATO
    - Non-Violent Disruption

  The Peoples Pact
    - Maintain Cultural Diversity
    - Target Language Standardization
    - Target Currency Standardization (Euro-Dollar)
    - Target "U5" for pushing English around the globe
    - Anti-Imperialism

  Anti-Nuclear Group
    - Power Outages
    - Threaten Meltdowns
    - Target DC Infrastructure
    - Global Website Defacement

Independent Actors

  Internet Techno politic Front (ITF)
    - Opportunistic Launch of worms
    - Direct Cyber attacks on software/systems providers

  Auggie Jones, "Cyber Saboteur"
    - Computer virus attacks
    - SCADA system disruptions and attacks

  IT Opportunistic Hackers
    - Purchase of Personal Identity information
    - Malware Distribution
    - Internet Extortion

  Disgruntled Airport Employee
    - "Watch List" Irregularities
    - Cargo Threats
    - Tower Disruptions

  The Tricky Trio
    - Located in Berlin, Germany
    - Fighting Back
    - Clogging the Bandwidth
Scenario Timeline Thread/Villain

Same timeline as the "Scenario Timeline by Thread" slide, with each event colour-coded
by villain (colour coding not reproduced here). Legend: WAGA, Black Hood Society,
People's Pact, ITF, Tricky Trio, BBB, MRG, Disgruntled Employee, DOWN, Independent Actor,
WAGA Associates, WAGA Sympathizers.

Events shown on this slide in addition to the thread timeline:
  Transportation, Wednesday: Wardial attack on AFSS
  Intel/LE, Tuesday:         MyPay Balances Zeroed
  Intel/LE, Wednesday:       NORTHCOM Comm System Info Manipulated
                             (the thread timeline shows TRANSCOM Log Info Manipulated)
  IT, Monday:                New SSL Vulnerability Discovered
  States, Thursday:          Internet Connectivity Losses
Scope and Scale
 Planning: 18 months
     5 major planning conferences
     100-150 participants @ each
     5 AAR conferences

 ExCon: ~100
     Exercise network & workstations
     NXMSEL, web and email servers
     Simulate media website
     Hacker websites
     Physical build
     Observer group
     Observation database

 Players: 300+
 Scenario: 800+ injects
 Player emails: 21,000+ captured
 Cost: $$
 Exercise Management Team: peaked @ ~20 FTEs




Overarching Lessons Learned
 Correlation of multiple incidents is challenging at all levels:
     Within enterprises / organizations
     Across critical infrastructure sectors
     Between states, federal agencies and countries
     Bridging the public-private sector divide
 Communication provides the foundation for response
   Processes and procedures must address communication protocols, means
    and methods
 Collaboration on vulnerabilities is rapidly becoming required
   Reliance on information systems for situational awareness, process
    controls and communications means that infrastructures cannot operate in
    a vacuum
 Coordination of response is time critical
   Cross-sector touch points, key organizations, and SOPs must be worked
    out in advance
   Coordination between public-private sectors must include well articulated
    roles and responsibilities


Overarching Lessons Learned
 Strategic Communications / Public Messaging
     Critical part of government response that should be coordinated with partners at all
      levels

 Policy Coordination
     Senior leadership / interagency bodies should develop more structured
      communication paths with international counterparts
     Strategic situational awareness picture cannot be built from a wholly federal or
      domestic perspective in the cyber realm

 Operational Cooperation
     True situational awareness will always include an external component
     Initial efforts at international cooperation during CS provided concrete insights into
      the near-term way ahead for operational/technical information sharing
     Communication paths, methods, means and protocols must be solidified in advance of
      crisis/incident response
        - Who do I call? When do I call? How do I call them?
        - Secure and assured communications are critical in order to share sensitive
           information
     Cooperation must include ability to link into or share info in all streams: e.g., Cyber,
      Physical, LE, Intelligence



Way Ahead - Cyber Storm II
 Tentatively scheduled for March 2008
 Fall 2006, DHS and key stakeholders will begin
 development of CSII overall concept and scenario focus
 Spring 2007, CSII CONOPS will be finalized
 Based on the scenario focus areas, DHS will coordinate
 with the sector-specific agencies and the relevant
 Information Sharing and Analysis Centers and Private Sector
 Coordinating Councils (NIPP) to identify individual private sector
 participants.



