National Cyber Exercise: Cyber Storm
National Cyber Security Division
New York City Metro ISSA Meeting, June 21, 2006

FOR OFFICIAL USE ONLY
This document is FOR OFFICIAL USE ONLY (FOUO). It contains information that may be exempt from public release under the Freedom of Information Act (5 U.S.C. 552). It is to be controlled, stored, handled, transmitted, distributed, and disposed of in accordance with DHS policy relating to FOUO information and is not to be released to the public or other personnel who do not have a valid “need-to-know” without prior approval of an authorized DHS official.
Agenda
– Cyber Storm Overview
– Exercise Objectives
– Exercise Construct
– Player Universe
– Scenario Context and Scope
– Scenario and Adversary
– Scope and Scale
– Overarching Lessons Learned
– Way Ahead: Cyber Storm II
Cyber Storm Overview
What:
– Provided a controlled environment to exercise State, Federal, International, and Private Sector response to a cyber-related incident of national significance
– Large-scale exercise conducted through simulated incident reporting only; no actual impact or attacks on live networks
– Specifically directed by Congress in FY05 appropriations language and coordinated with the DHS National Exercise Program
Who: 300+ participants from
– Federal D/As: support and/or participation by 8 Departments and 3 Agencies
– States: Michigan, Montana, New York, Washington (Exercise Control)
– International: Australia, Canada, New Zealand, UK
– Private Sector:
  – IT: 9 major IT firms
  – Energy: 6 electric utility firms (generation, transmission & grid operations)
  – Airlines: 2 major air carriers
  – ISACs: Multi-State (Nebraska, North Carolina, South Carolina and Texas participating via MS-ISAC), IT, Energy, Finance (off-the-record participant)
When: February 6-10, 2006
Where: distributed participation from ~60 locations including the US, Canada, and the UK
Exercise Objectives
Exercise the national cyber incident response community with a focus on:
– Interagency coordination under the Cyber Annex to the National Response Plan:
  – Interagency Incident Management Group (IIMG)
  – National Cyber Response Coordination Group (NCRCG)
– Intergovernmental coordination and incident response:
  – Domestic: State – Federal
  – International: Australia, Canada, NZ, UK & US
– Identification and improvement of public-private collaboration, procedures and processes
– Identification of policies/issues that affect cyber response & recovery
– Identification of critical information sharing paths and mechanisms
– Raising awareness of the economic and national security impacts associated with a significant cyber incident
Exercise Construct
[Schedule chart, February 6-10, 2006; live play Monday through Thursday, TTX & Hotwash on Friday.]
– Mon. Feb. 6 (4 hrs): Build-Up [D-300 to D-14]
– Tue. Feb. 7 (8 hrs): Build-Up [D-7 & D-1]
– Wed.-Thurs. Feb. 8-9 (36 hrs): Crisis Phase [D-Day], Response & Recovery [D+1]
– Fri. Feb. 10 (4 hrs): Response & Recovery [D+5-7], TTX & Hotwash
Player groups shown on the chart: Federal Players, Private Sector Players, State Government Players (State Prep, State Play & Hotwash), International Players (United Kingdom, Canada, US, Australia, New Zealand; Aus & NZ TTXs Thursday), Exercise Control.
Cyber Storm Player Universe: The N² Problem
Player Universe
[Diagram of player organizations grouped by sector around Main Exercise Control (75 / 20). Sector groups shown: DHS & Interagency, Federal Department/Agencies, LE/Intell, States, International, Energy, IT/Telecom, Transportation, PA/Media. Player labels as extracted from the chart (grouping not preserved): FAA CSIRC, DOT TCIRC, TSA TSOC, Air Carrier 1, Air Carrier 2, Australia, Canada (13 players, 11 SimCell), United Kingdom (3 players), New Zealand, Michigan, Montana, New York, MS-ISAC, IIMG, HSOC, NCRCG, NICC, OPA, IP, NCS, NCSD, US-CERT, IT-ISAC, NCC, DOE, ES-ISAC, Utility 1 through Utility 6, Regional Pwr Admins, NSA, CIA, FBI, Comms ISAC, ISP/Telco Sim Cell, HSC, OMB, NSC, DOC, DOJ, DOD, DOS, Red Cross, Treasury, Fed. Reserve Bank, FDIC, DHS I&A, USSS, DNI, IMC, HITRAC, MSV 1, MSV 2, MSV 3, MHV 1, CA, MSSP, Ag.]
Scenario Context and Scope
A simulated large-scale cyber incident affecting the Energy, Information Technology (IT), Telecommunications and Transportation infrastructure sectors. The Cyber Storm scenario included:
– Cyber attacks through control systems, networks, software, and social engineering to disrupt transportation and energy infrastructure elements
– Cyber attacks targeted at the IT infrastructure of State, US Federal and International Government agencies intended to:
  – degrade government operations/delivery of public services
  – diminish the ability to remediate impacts on other infrastructure sectors
  – undermine public confidence
– The exercise was NOT focused on the consequence management of the physical infrastructures affected by the attacks
– Physical consequence management aspects were largely provided to players via a robust Exercise Control cell
Scenario Timeline by Thread
[Timeline chart. Columns: Monday (1 Jan 05 – 30 Jan 06), Tuesday (1 Feb 06 – 7 Feb 06), Wednesday (8 Feb 06), Thursday (9 Feb 06). Rows (threads): Transportation, Intel/LE, Energy, IT, States, International; Australia / New Zealand Table Tops marked on Thursday. Event labels as extracted from the chart, with their thread and day placement not preserved: Tricare Site Defaced; NIPRNET Probing Increases; More Extensive Power Outages; EWA’s No Fly List Altered; Software Update Crashes FAA Control System; Metros Stop Running; Threats on Metro Websites; False NOTAM Distribution; SCADA System Probing; Minor Commuter Rail Trouble; Unauthorized FAA Network Access; DOS Attack on FAA; Oil and Gas Pipeline Map DOS; Delay of FAA Real-time Systems; OPC Vulnerabilities Identified; OASIS DDOS Attack; WAGA Calls for DOS Attacks & Cooperation; Transmission Line Breakers Tripped; More Power Outages Threatened; Ongoing Protests Surrounding WTO and DEUI Meetings; Wireless RTU Problems; Confusing Network Data; State Estimators Fail; Claims of Responsibility; Rogue Certificate Authority; DNS Cache Poisoning; Attack Using Malware Distributed via Counterfeit CD; Internet Extortion; DDOS Attacks on Power Admin and DOE Servers; Trusted Insider System Infection; WAGA Virtual Sit-In; TRANSCOM Log Info Manipulated; Newspaper Sites Defaced; Tricare BotNet Discovery; MSSP Malware Distribution via Malicious Code; Spoofed Red Cross Messages; Malware CD Distributed; HIPAA DB Compromised; Cascading RTR Failure; RTR Control from Offsite; Rogue Wireless Device Discovered; Logs Compromised (FW, IDS, RTR); Logic Bomb Planted in PWGSC Server; Intel Reports on Heat Outage Sources; Claims of Responsibility for Heat Outages; MRG Posts No Fly List on Website; Utility Bomb Threat; Wide Area Electrical Failure; Wireless Comm Device SVR Corrupted; Email Threat to CIOs; False Amber Alert; TWIC Problems Plague Ports; Heat Goes Out in Govt Buildings; SIN # Postings.]
Adversary
[Chart of the fictional adversary groups with their stated motives and tactics; the attachment of each attribute to a group is not preserved in extraction.]
Groups shown: Worldwide Anti-Globalization Alliance (WAGA); Freedom Not Bombs; The Peoples Pact; Auggie Jones, “Cyber Saboteur”; Anti-Nuclear Group; Independent Actors; The Tricky Trio (located in Berlin, Germany); Internet Techno-politic Front (ITF); Disgruntled Airport Employee; Black Hood Society (faction of Freedom Not Bombs); IT Opportunistic Hackers.
Motives and tactics labelled on the chart: Maintain Cultural Diversity; Target Language Standardization; Target Currency Standardization (Euro-Dollar); Target “U5” for pushing English around the globe; Anti-Imperialism; Computer Virus Attacks; SCADA System Disruptions and Attacks; Military Disruption; Port and Rail Closures; Pipeline Cyber Attacks; International Network Attacks; Anti-NATO; Non-Violent Disruption; Power Outages Threaten Meltdowns; Target DC Infrastructure; Global Website Defacement; Fighting Back; Clogging the Bandwidth; Opportunistic Launch of Worms; Direct Cyber Attacks on Software/Systems Providers; Target Multinationals; Anti-Capitalist; “Watch List” Irregularities; Cargo Threats; Tower Disruptions; Purchase of Personal Identity Information; Malware Distribution; Internet Extortion.
Chart note: a nation’s reliance on cyber services is a product of globalization (the irony of its attacker).
Scenario Timeline: Thread/Villain
[The same timeline chart (Monday 1 Jan 05 – 30 Jan 06; Tuesday 1 Feb 06 & 7 Feb 06; Wednesday 8 Feb 06; Thursday 9 Feb 06; threads Transportation, Intel/LE, Energy, IT, States, International; Australia / New Zealand Table Tops on Thursday), annotated with the villain responsible for each event. Villains shown: Disgruntled Employee, DOWN, Independent Actor, Tricky Trio, BBB, MRG, WAGA, WAGA Associates, WAGA Sympathizers, Black Hood Society, People’s Pact, ITF. Events on this version not on the previous chart: New SSL Vulnerability Discovered; Internet Connectivity Losses; MyPay Balances Zeroed; Wardial Attack on AFSS; NORTHCOM Comm System Info Manipulated. Event-to-villain assignments are not preserved in extraction.]
Scope and Scale
– Planning: 18 months
  – 5 major planning conferences, 100-150 participants at each
  – 5 AAR conferences
– ExCon: ~100
  – Exercise network & workstations
  – NXMSEL, web and email servers
  – Simulated media website
  – Hacker websites
  – Physical build
  – Observer group
  – Observation database
– Players: 300+
– Scenario: 800+ injects
– Player emails: 21,000+ captured
– Cost: $$
– Exercise Management Team: peaked at ~20 FTEs
Overarching Lessons Learned
– Correlation of multiple incidents is challenging at all levels:
  – Within enterprises / organizations
  – Across critical infrastructure sectors
  – Between states, federal agencies and countries
  – Bridging the public – private sector divide
– Communication provides the foundation for response
  – Processes and procedures must address communication protocols, means and methods
– Collaboration on vulnerabilities is rapidly becoming required
  – Reliance on information systems for situational awareness, process controls and communications means that infrastructures cannot operate in a vacuum
– Coordination of response is time critical
  – Cross-sector touch points, key organizations, and SOPs must be worked out in advance
  – Coordination between public and private sectors must include well-articulated roles and responsibilities
Overarching Lessons Learned
– Strategic Communications / Public Messaging
  – A critical part of government response that should be coordinated with partners at all levels
– Policy Coordination
  – Senior leadership / interagency bodies should develop more structured communication paths with international counterparts
  – A strategic situational awareness picture cannot be built from a wholly federal or domestic perspective in the cyber realm
– Operational Cooperation
  – True situational awareness will always include an external component
  – Initial efforts at international cooperation during Cyber Storm provided concrete insights into the near-term way ahead for operational/technical information sharing
  – Communication paths, methods, means and protocols must be solidified in advance of crisis/incident response
    – Who do I call? When do I call? How do I call them?
    – Secure and assured communications are critical in order to share sensitive information
  – Cooperation must include the ability to link into or share information in all streams: e.g., Cyber, Physical, LE, Intelligence
Way Ahead: Cyber Storm II
– Tentatively scheduled for March 2008
– Fall 2006: DHS and key stakeholders will begin development of the CSII overall concept and scenario focus
– Spring 2007: CSII CONOPS will be finalized
– Based on the scenario focus areas, DHS will coordinate with the sector-specific agencies and the relevant Information Sharing and Analysis Centers and Private Sector Coordinating Councils (NIPP) for individual private sector participants.