Securing the Critical Infrastructures: Security Exercises - PowerPoint PPT Presentation

Provided by: securelo
Slides: 31

Transcript and Presenter's Notes

1
Securing the Critical Infrastructures: Security
Exercises
  • Lesson 23

2
Securing the Critical Infrastructures
  • Is this something that can be legislated?
  • Is this best a top down effort or a bottom up
    effort?
  • Ultimately, no matter what plans are created in
    D.C., it is the local first responders that will
    make the difference in responding to a terrorist
    event.

3
Conducting a Security Exercise
  • Three different purposes for an exercise:
  • Awareness: help make the participants aware of
    the issues
  • Education/Training: train the participants in
    how to respond to the issues
  • Exercise:
  • Provide an opportunity for participants to
    practice their response procedures
  • Evaluate the effectiveness of:
  • The security processes and procedures
  • The training for participants (do they know what
    to do?)

4
Dark Screen
  • The exercise examined:
  • Indications and Warning requirements and
    operations
  • Vulnerability assessment and mitigation
    capabilities
  • Security operations
  • Application of security technologies
  • Success measurement and incremental improvements

5
Original Challenge
  • An exercise to identify and test resources and
    capabilities to detect, prevent, and respond to a
    cyber terrorist attack.
  • The exercise will test the ability of federal,
    state, county, and local authorities to
    communicate effectively during and after a cyber
    terrorist attack.

6
Phase I: The Tabletop Exercise
  • Scenario depicted a fairly simple cyber security
    event
  • A physical attack was not a part of the exercise.
  • 3 modules:
  • Pre-event, Event, Post-event/wrap-up
  • 11 tables
  • Each table housed a specific sector or
    organization
  • Each table had their own scenario booklet and did
    not see the inputs for the other tables.
  • No sharing of information between tables during
    the exercise.

7
Sample Event
  • Friday, September 13, 2002, 0001 AM (COSA,
    Bexar, Infrastructure)
  • The San Antonio Police Department, Bexar County
    Sheriff's office, and CPS receive an email
    threatening to shut down San Antonio's power
    system. The anonymous sender claims to have
    inside knowledge of the CPS SCADA systems. The
    email demands that San Antonio police stop its
    harassment of "fighters for world justice."
  • Question 1 (to Infrastructure, COSA, Bexar)
  • What actions would this report prompt?
  • Who, if anybody, would your organization contact?

8
Participants
  • The City of San Antonio: 72
  • Air Intelligence Agency: 30
  • Federal Agencies: 20
  • Other Military Bases: 16
  • Bexar County: 15
  • Critical Infrastructures: 15
  • The State of Texas: 14
  • Industry: 14
  • Media: 8
  • Visitors and Staff: 26

9
Phase II
  • Commenced at conclusion of Phase I and continued
    until Phase III started.
  • Consisted of actions taken as a result of Phase I
    lessons learned.
  • Included vulnerability assessments (deeper
    penetration) of various local infrastructures.

10
Phase III
  • 15-26 September 2003
  • Similar participating organizations to Phase I
  • Bexar Metro E-911 and other local 911 entities
    added
  • SBC participated in exercise events with E-911
  • Consisted of electronic and white card events

11
Phase III Sample Event
  • Friday, May 23, 2003, 0001 AM (COSA,
    Bexar, Infrastructure)
  • The San Antonio Police Department and Bexar
    County Sheriff's office receive an email
    threatening to shut down San Antonio's power
    system. The anonymous sender claims to have
    inside knowledge of the CPS SCADA systems. The
    email demands that San Antonio police stop its
    harassment of "fighters for world justice."
  • Expected Action (COSA, Bexar)
  • Contact should be made with CPS <number/office>
  • Was contact made? Was the number readily
    available?
  • How long did it take to make the contact?
  • Expected Action (Infrastructures: CPS)
  • Should receive contact from Bexar and COSA
  • When was contact made?
  • Individual receiving the call should contact
    <number/office>
  • Was contact made? Was the number readily
    available?
  • The following emergency procedure should be
    followed:
  • Contact <number/office> to determine if the claim
    is possible

12
Phase III Sample Event
  • Friday, May 23, 2003, 0201 AM (COSA)
  • The GOLD team will conduct a ping sweep of the IP
    address range 10.10.250.x. Immediately following
    this sweep, a port scan will be conducted for TCP
    ports 1-1024 on the IP addresses 10.10.250.x.
  • Expected Action (COSA; observed by the Black Team)
  • Personnel at <location/office> should detect the
    scan
  • Was the scan detected? By whom, and how long did
    it take?
  • Had the initial ping sweep been detected? What
    actions were taken?
  • Once detected, personnel should <describe actions
    that should be taken>
  • Were the proper procedures followed?
  • EMERGENCY PROCEDURE: Should a real event occur,
    or actions appear to be disruptive to operations,
    immediately contact <phone number>
  • Gold Team Actions
  • Conduct a ping sweep of the IP address range
    10.10.250.x
  • What systems responded as being active?
  • Conduct a port scan of TCP ports 1-1024 for IP
    addresses 10.10.250.x
  • What ports were open on what systems? Was any
    other useful information obtained?
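The Black Team's question above is whether the Gold Team's sweep and scan were noticed, and by whom. As an added example (not from the Dark Screen slides), the following shows the kind of detection logic a defender could run over connection logs to flag both events; the log format, the 10.10.250.x hosts and the alert thresholds are constructed assumptions for illustration.

```python
"""Flag a ping sweep and a TCP port scan in constructed flow-log lines.
Added example, not from the Dark Screen slides: log format, hosts and
thresholds are assumptions chosen to mirror the Gold Team's two actions."""
from collections import defaultdict

def constructed_log():
    """Constructed flow records: '<time> <proto> <src> -> <dst>:<port>'."""
    lines = [f"02:01:{i:02d} ICMP 10.10.250.77 -> 10.10.250.{i}:0"
             for i in range(1, 11)]                    # sweep of ten hosts
    lines += [f"02:01:30 TCP 10.10.250.77 -> 10.10.250.10:{p}"
              for p in range(1, 1025)]                 # TCP 1-1024 on one host
    lines += ["02:03:00 TCP 10.10.250.5 -> 10.10.250.10:80",  # normal traffic
              "02:03:01 ICMP 10.10.250.5 -> 10.10.250.10:0"]
    return "\n".join(lines)

def parse_log(text):
    """Return (time, proto, src, dst, port) tuples; malformed lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] != "->" or ":" not in parts[4]:
            continue
        dst, port = parts[4].rsplit(":", 1)
        events.append((parts[0], parts[1], parts[2], dst, int(port)))
    return events

def detect_scans(events, host_threshold=8, port_threshold=20):
    """ping_sweep: one source sent ICMP to >= host_threshold distinct hosts.
    port_scan: one source touched >= port_threshold distinct TCP ports on one host."""
    icmp_targets = defaultdict(set)        # src -> hosts it pinged
    tcp_ports = defaultdict(set)           # (src, dst) -> ports touched
    for _, proto, src, dst, port in events:
        if proto == "ICMP":
            icmp_targets[src].add(dst)
        elif proto == "TCP":
            tcp_ports[(src, dst)].add(port)
    alerts = defaultdict(list)             # src -> list of alerts raised
    for src, hosts in icmp_targets.items():
        if len(hosts) >= host_threshold:
            alerts[src].append({"type": "ping_sweep", "hosts": len(hosts)})
    for (src, dst), ports in tcp_ports.items():
        if len(ports) >= port_threshold:
            alerts[src].append({"type": "port_scan", "target": dst,
                                "ports": len(ports)})
    return dict(alerts)
```

Raising the thresholds trades missed slow scans for fewer false alerts; the exercise question of how long detection took is answered by the timestamp of the first record that pushed a source over the threshold.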

13
Results/Lessons Learned
  • All organizations should be involved in the
    exercise and plan
  • Just meeting to discuss the issues provides a
    better understanding of what could occur and will
    lead to improved procedures
  • Mechanisms to easily share information between
    organizations do not always exist; timing is
    critical
  • Strict rules hamper the Military from sharing
    information with various civilian government
    organizations
  • The State Guard may be a possible link
  • High level of interest by Guard in the exercise
  • Recommendation to create better channels for
    sharing of information at the local level
  • Creation of a COSA/Bexar CERT
  • Creation of a cyber security advisory group for
    the city
  • Development of MOAs between City and AIA

14
Sector-Based Exercises
  • Sponsored by the USSS and ISACs
  • Designed to address threats to the various
    critical infrastructures and help them to
    organize sector-based responses.
  • Two-day tabletop scenario-based events
  • Three completed:
  • NY FS-ISAC
  • Chicago FS-ISAC
  • San Francisco IT-ISAC
  • Future events:
  • Houston (Oil and Gas)

15
The Role of Exercises in Homeland Security
16
Different Exercise, Different Audience: City Level
17
City/County Exercise
  • Model for this type of exercise is Dark Screen
  • Purpose is to exercise the city and/or county's
    ability to prevent, detect, and respond to a cyber
    security incident
  • Involves many different sectors working together
    as a physical and cyber community
  • The community's cyber first-responders
  • Should also include federal and state level
    communication (actual or simulated)
  • Should include all infrastructures as well as
    local industry representatives
  • Depending on level of experience, may involve
    electronic/technical hands-on piece
  • Usually will initially be tabletop exercises
  • The technical piece may be accomplished via
    vulnerability assessments

18
Different Exercise, Different Audience
19
State Exercise
  • An extended version of the city/county exercise
  • Purpose is to exercise the state's ability to
    prevent, detect, and respond to a cyber security
    incident
  • Involves federal, state and city government
    agencies
  • Communication between state agencies stressed
  • Protection of state critical infrastructures
  • The state as a conduit for alert and warning
    messages to/from the federal and local levels
  • Depending on level of experience, may involve
    electronic/technical hands-on piece
  • Usually will initially be tabletop exercises
  • Can be conducted in conjunction with city/county
    exercises within the state

20
Different Exercise, Different Audience
21
Different Exercise, Different Audience
22
Sector-based Exercise
  • Modeled after the FS/ISAC exercise in New York
  • Purpose is to exercise the sector's ability to
    prevent, detect, and respond to a cyber security
    incident
  • Involves organizations within a specific sector
  • Communication between the organizations; stresses
    the ISACs
  • Protection of the sector's critical assets; more
    narrowly focused threats
  • Examines the individual sector's reliance on
    other sectors
  • Cross-sector communication
  • Communication with Federal/State/Local government
    officials
  • Multi-sector exercises can examine
    interdependencies.
  • Can be tabletop or hands-on technical exercise
  • Both types are important, initial exercise may be
    just tabletop.
  • Military can be treated as a specialized sector

23
Different Exercise, Different Audience
24
Corporate Exercises
  • Similar to the sector-based exercise but focused
    on a single organization/corporation
  • Purpose is to exercise the organization's ability
    to prevent, detect, and respond to a cyber security
    incident
  • Self-contained within the organization
  • Communication between the organization and ISAC,
    law enforcement, and other entities simulated.
  • Opportunity to exercise cyber-security procedures
    at all levels throughout the organization.
  • Main individuals involved will be those
    responding to a cyber incident:
  • Incident response team, corporate officers, PA,
    legal, IT
  • A good opportunity to include a technical piece
    to provide hands-on experience in handling
    specific cyber-related threats.

25
Different Exercise, Different Audience
26
National-level Exercises
  • An extended version of the state-level exercise
  • Should not be a hands-on technical exercise
  • Sector-based exercises provide an opportunity for
    the individual critical infrastructures to
    explore interdependencies and technical
    vulnerabilities.
  • Should explore what is important at the national
    level
  • Communication between federal agencies
  • Communication between federal and state agencies
  • Communication between federal agencies and ISACs
  • Ability to handle:
  • Incident notification and alerts
  • Correlation of indications and warnings from
    multiple sectors
  • Most ambitious national exercise would be one in
    conjunction with sector, state, and city
    exercises
  • This should actually be treated as multiple
    concurrent exercises, not one large exercise.
    This will help to define roles and
    responsibilities.

27
Common Model
  • All exercises should be built around the
    operational model proven in industry and
    government
  • Proliferate a common framework, terminology and
    processes
  • All exercises should deliver Practical Best
    Practices that are entity specific but
    cross-entity coordinated
  • The ongoing exercises will allow for the
    evolution of all of the above as needed

28
Operational Mode
  • Pro-active!!
  • Strategically threat based, not driven by specific
    threats
  • Business driven
  • Goal is near real-time visibility and control for
    the enterprise, city, sector and nation

29
The Role of the Military
  • Need to separate Federal from State missions.
  • Active duty is limited to the federal role.
  • Can sponsor exercises in communities where they
    have bases; they are a member of the community
    and rely on the services provided by the
    community.
  • Can help train the Guard in cyber security
    tactics.
  • Important intelligence piece for indications and
    warnings of attacks.
  • National Guard has state and federal missions
  • Can assist Active Duty in their security mission
  • Can provide a trained force for the states to
    rely on in their cyber response plans.
  • Can take significant or lead role in state cyber
    exercises
  • Traditional mindset is to ask how the Guard can
    assist the active duty military in their mission.
    New paradigm should ask how the military can
    assist the Guard in its homeland mission.

30
Summary
  • What is the Importance and Significance of this
    material?
  • How does this topic fit into the subject of
    Voice and Data Security?