
1 Host Logo / Seal
Host/Sponsor Exercise Name
2015 Tabletop Exercise
Month DD, YYYY

2 Welcome and Opening Remarks
Host/Sponsor POC Name
Position
Organization

3 Exercise Overview and Facilitator
Facilitator Name
Organization / Department / Office
Division
Sub Office

4 Exercise Structure
• This exercise will be a multimedia, facilitated tabletop exercise
• Players will participate in the following three modules: – :
• Scenario updates will be provided at the beginning of each Module
• Exercise will conclude with a brief Hot Wash

5 Exercise Schedule
Time Allotted            Event
8:00 a.m. – 8:30 a.m.    Registration/Sign-In
8:30 a.m. – 8:45 a.m.    Introductions / Exercise Overview
8:45 a.m. – 9:20 a.m.    Module 1 –
9:20 a.m. – 9:30 a.m.    Break
9:30 a.m. – 10:30 a.m.   Module 2 –
10:30 a.m. – 11:30 a.m.  Module 3 –
11:30 a.m. – 12:00 p.m.  Hot Wash – Closing Remarks
12:00 p.m.               Closing Comments
ADJUST TIMES AS NEEDED

6 Exercise Objectives
• Create an opportunity for stakeholders to explore and address cybersecurity challenges and increase cybersecurity awareness
• Assess the integration of cybersecurity into all-hazards preparedness
• Examine cybersecurity management structures, incident information sharing, escalation criteria, and related courses of action
• Identify cascading impacts of a cyber-attack to critical systems

7 Participant Roles and Responsibilities
• Players: Respond to the situation presented based on current plans, policies, and procedures
• Observers: Support players in developing responses, but do not directly participate
• Facilitators: Facilitators provide situation updates and moderate discussions. They also provide additional information or resolve questions as required
• Evaluators: Evaluators are assigned to observe and document key findings during the exercise

8 Exercise Guidelines
• This is an open, low-stress environment. Varying viewpoints, even disagreements, are expected
• Respond to the scenario using your knowledge of current plans and capabilities (i.e., you may use only existing assets) and insights derived from your experience and training
• Decisions are not precedent setting and may not reflect your organization’s final position on a given issue. This exercise is an opportunity to discuss and present multiple options and possible solutions
• Be an active participant!

9 Assumptions and Artificialities
• The exercise is conducted in a no-fault learning environment wherein capabilities, plans, systems, and processes will not be evaluated
• There is no “hidden agenda” nor are there any trick questions
• The exercise scenario is plausible, and events occur as they are presented
• All players receive information at the same time
• The scenario is not derived from current intelligence

10 Module 1:

11 T – 2 Years: Initiation
• According to an autopsy report, the sudden death of a 15-year-old girl who was treated at [hospital name here] was ruled to be the result of a severe type of pneumonia
• The patient’s family suspects improper care as the true leading cause of death and blames the [hospital name]
• Soon after the release of the autopsy report, the family of the girl begins to demand that the medical center be held accountable and files a wrongful death lawsuit against [hospital name]

12 T – 6 Months: Motivation
• Upon presentation and litigation of the wrongful death lawsuit, the court rules in favor of [hospital name]
• The family remains unconvinced, distraught, and angry over the verdict

13 T – 5 Months: Advisory
• The Multi-State Information Sharing and Analysis Center (MS-ISAC), in partnership with the National Health Information Sharing and Analysis Center (NH-ISAC), releases a joint advisory
• The advisory highlights several recent attacks against state health information exchanges

14 T – 10 Days: Indication
• The [hospital name] begins to notice an increase in scans and phishing campaigns, similar to those that were reported at other medical providers throughout the country, including a 25% increase in attempted attacks against their networks

15 T – 2 Days: Slow Motion
• Employees begin to report internal network latency
• Members of the public report they cannot access [hospital name]’s website

16 T – 1 Day: Degradation
• [hospital name] systems performance continues to degrade, exacerbated by suspected data loss
• Several nurses begin to report that records that were available only a short time earlier are now completely unavailable

17 Module 1 Discussion

18 Consider the following during discussion…
• Information sharing by various constituents, to include government sources of indicators and warnings
  – Information sharing mechanism limitations and challenges within [hospital name]
• Internal cyber threat information requirements and thresholds for reporting credible threats and incidents to organizational executive leadership
• What types of security-related industry alerts does the [hospital name] receive? Those from NH-ISAC? US-CERT? Others?

19 Module 2:

20 T – Day: Investigation
• In response to the extreme latency and unavailable medical records, [hospital name] begins to field an increase in help desk calls related to the EMR problems
• During this period, technicians confirm that records are actually missing and notice unusual patterns in access logs, including unauthorized access to the EMR system

21 T – Day: Escalation
• The “News and Info” section of the [hospital name]’s public web site, including one of its social media platforms, is defaced
• Defacement contains threats and a warning to the public about the [hospital name]’s level of care
Defaced page shown on the slide, headed “Hospital”: “THIS HOSPITAL WILL DECEIVE YOU – THEY CANNOT BE TRUSTED WITH YOUR INFORMATION, OR YOUR LIFE!!!”

22 T + 1 Day: Communication
• A local media affiliate of Global Network News and other local media outlets start reporting on the defacement of the [hospital name] homepage

23 T + 1 Day: Elevated
• MS-ISAC and NH-ISAC issue an update to their recent joint advisory
• The updated advisory indicates an increase in attacks on both public and private medical facilities, with significant impacts to ICS and SCADA systems
• Both MS-ISAC and NH-ISAC raise their threat alert level to “ELEVATED”

24 Module 2 Discussion

25 Consider the following during discussion…
• Initial response measures and triggers for external incident response coordination
• Existing incident response coordination, investigation, and mitigation efforts, and identification of impediments to timely response
• Cyber incident escalation criteria and planned notifications
• What is your planned cyber incident management structure?
• How would external resources be requested and integrated?
• Would legal department(s) be involved to address potential liability issues? How are they brought in appropriately?

26 Module 3:

27 T + 1 Day: Explanation
• Further investigation indicates that malware infected [hospital name] via a spearphishing email opened by a [hospital name] employee with privileged access / administrator rights several weeks ago
• This malware was used to alter supply inventory records and exfiltrate more than 50,000 personally identifiable information (PII) and electronic protected health information (ePHI) records

28 T + 1 Day: Intensification
• Patients and staff report an extreme change in temperature in the medical facility, complaining it is too hot
• As a result of the complaints, [hospital name] suspects a potential malfunction of SCADA-enabled devices within HVAC and building management systems

29 T + 1 Day: Expansion
• Building Operations reports that a facilities technician tasked to inspect the HVAC and BMS is unable to log in to the server that controls the HVAC system
• The technician entered his credentials as usual, but received an “access denied” message

30 T + 1 Day: Exhaustion
• [hospital name] has quickly exhausted all available resources to investigate the extent of the problem and restore affected systems, resulting in significant impacts to patient care and life safety concerns

31 T + 2 Days: Attention
• National media outlets begin reporting on the situation at [hospital name]
• In particular, the media outlets are covering the messages posted on the [hospital name] website and social media platform

32 T + 4 Days: Ramifications
• During an in-depth log review, the [hospital name] discovers that 65 days ago “[insert exercise malware name]” was implanted on the medical facility’s network, resulting in the creation of a “super user” with admin rights
• Investigators strongly suspect that the infection vector is linked to the spearphishing and network scanning, which eventually exploited a vulnerability in the [hospital name]’s network
• Both the [hospital name] and the investigation team continue the systematic process of malware remediation, removal, and patch updates
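Two injects in this scenario turn on what a log review can surface: the Module 2 "Investigation" slide (technicians notice unusual patterns in EMR access logs) and the "Ramifications" slide above (a log review finds that a "super user" with admin rights was created weeks earlier). The script below is an added example, not part of the exercise deck, showing what such a review looks like in practice: it parses a constructed audit log and flags privileged-account creation, off-hours bulk record access, record deletions, and newly created accounts that later act in the EMR. The log format, field names, user names and the business-hours window are all assumptions made up for this example.

```python
"""Added example: a small audit-log review that flags the events the tabletop
scenario describes. Not the exercise's own material; the log format and every
name below are constructed for illustration."""
from collections import Counter
from datetime import datetime

# Constructed sample audit log (not real data). Assumed line format:
#   <ISO timestamp> <source system> <acting user> <action> [key=value ...]
_SAMPLE_LINES = [
    "2015-03-01T02:14:07 iam svc_backup CREATE_USER target=sysadm2 role=admin",
    "2015-03-01T02:14:40 iam svc_backup GRANT_ROLE target=sysadm2 role=domain_admin",
]
# Six off-hours record reads by the newly created account, 02:15 to 02:20
_SAMPLE_LINES += [
    f"2015-03-01T02:{15 + i:02d}:00 emr sysadm2 READ_RECORD patient=P10{i:02d}"
    for i in range(6)
]
_SAMPLE_LINES += [
    "2015-03-01T02:22:09 emr sysadm2 DELETE_RECORD patient=P1003",
    "2015-03-01T09:05:11 emr nurse_k READ_RECORD patient=P2001",   # normal daytime use
    "2015-03-01T09:06:45 emr nurse_k READ_RECORD patient=P2002",
    "2015-03-01T21:40:00 emr dr_lee READ_RECORD patient=P3001",    # one off-hours read, below threshold
]
SAMPLE_LOG = "\n".join(_SAMPLE_LINES)

# Role names treated as administrative (assumed for this example)
ADMIN_ROLES = {"admin", "domain_admin", "superuser"}


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        ts, source, user, action = parts[:4]
        attrs = dict(p.split("=", 1) for p in parts[4:] if "=" in p)
        events.append({"ts": datetime.fromisoformat(ts), "source": source,
                       "user": user, "action": action, **attrs})
    return events


def privileged_account_events(events):
    """Account creations or role grants that confer administrative rights."""
    return [e for e in events
            if e["action"] in ("CREATE_USER", "GRANT_ROLE")
            and e.get("role", "").lower() in ADMIN_ROLES]


def off_hours_bulk_readers(events, start_hour=7, end_hour=19, threshold=5):
    """Users whose READ_RECORD count outside business hours reaches the threshold."""
    counts = Counter(e["user"] for e in events
                     if e["action"] == "READ_RECORD"
                     and not (start_hour <= e["ts"].hour < end_hour))
    return {user: n for user, n in counts.items() if n >= threshold}


def record_deletions(events):
    """Every record deletion, as (timestamp, user, patient id)."""
    return [(e["ts"].isoformat(), e["user"], e.get("patient"))
            for e in events if e["action"] == "DELETE_RECORD"]


def new_accounts_active_in_emr(events):
    """Accounts created within the log that later act in the EMR system: this is
    the link between the privilege event and the data access it enabled."""
    created = {e["target"]: e["ts"] for e in events if e["action"] == "CREATE_USER"}
    return sorted({e["user"] for e in events
                   if e["source"] == "emr" and e["user"] in created
                   and e["ts"] > created[e["user"]]})


def review(text=SAMPLE_LOG):
    """Run all checks and return the findings as one dict."""
    events = parse_log(text)
    return {
        "privileged_account_events": [
            (e["ts"].isoformat(), e["user"], e["target"], e["role"])
            for e in privileged_account_events(events)],
        "off_hours_bulk_readers": off_hours_bulk_readers(events),
        "record_deletions": record_deletions(events),
        "new_accounts_active_in_emr": new_accounts_active_in_emr(events),
    }


if __name__ == "__main__":
    for finding, value in review().items():
        print(f"{finding}: {value}")
```

The point of the last check is the one the scenario makes: a privileged-account creation is only an anomaly once it is correlated with what that account did afterwards, so the review has to join identity-system events to EMR access events rather than read either log alone. For evidence preservation (a Module 3 discussion item) the script reads a copy of the log and never modifies it.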

33 Module 3 Discussion

34 Consider the following during discussion…
• Identification of available response, investigation, and mitigation resources and capabilities
• Identification of resource request coordination pathways
• Cyber incident management structure
• Role of public information during a cyber incident
  – Challenges when coordinating public communications
  – Public affairs playbook or pre-scripted statements
• Processes or protocols when contacting and/or working with law enforcement
• Processes and resources in place for evidence preservation and collection

35 Exercise Hot Wash

36 Hot Wash
• Strengths –
• Areas for Improvement –

37 Points of Contact
For questions about this exercise or recommendations for improvement, contact:
Name of Facilitator
Dept / Div / Office

