National Cyber Exercise: Cyber Storm National Cyber Security Division New York City Metro ISSA Meeting June 21, 2006 This document is FOR OFFICIAL USE.
This document is FOR OFFICIAL USE ONLY (FOUO). It contains information that may be exempt from public release under the Freedom of Information Act (5 U.S.C. 552). It is to be controlled, stored, handled, transmitted, distributed, and disposed of in accordance with DHS policy relating to FOUO information and is not to be released to the public or other personnel who do not have a valid “need-to-know” without prior approval of an authorized DHS official.

Agenda
• Cyber Storm Overview
• Exercise Objectives
• Exercise Construct
• Player Universe
• Scenario Context and Scope
• Scenario and Adversary
• Scope and Scale
• Overarching Lessons Learned
• Way Ahead: Cyber Storm II

Cyber Storm Overview

What:
• Provided a controlled environment to exercise State, Federal, International, and Private Sector response to a cyber-related incident of national significance
• Large-scale exercise conducted through simulated incident reporting only – no actual impact on, or attacks against, live networks
• Specifically directed by Congress in FY05 appropriations language and coordinated with the DHS National Exercise Program

Who: 300+ participants
• Federal D/As: support and/or participation by 8 Departments and 3 Agencies
• States: Michigan, Montana, New York, Washington (Exercise Control)
• International: Australia, Canada, New Zealand, UK
• Private Sector:
  – IT: 9 major IT firms
  – Energy: 6 electric utility firms (generation, transmission & grid operations)
  – Airlines: 2 major air carriers
  – ISACs: Multi-State (Nebraska, North Carolina, South Carolina, Texas @ MS-ISAC), IT, Energy, Finance (off-the-record participant)

When: February 6-10, 2006

Where: distributed participation from ~60 locations including the US, Canada, and the UK

Exercise Objectives
Exercise the national cyber incident response community with a focus on:
• Interagency coordination under the Cyber Annex to the National Response Plan:
  – Interagency Incident Management Group (IIMG)
  – National Cyber Response Coordination Group (NCRCG)
• Intergovernmental coordination and incident response:
  – Domestic: State – Federal
  – International: Australia, Canada, NZ, UK & US
• Identification and improvement of public-private collaboration, procedures and processes
• Identification of policies/issues that affect cyber response & recovery
• Identification of critical information sharing paths and mechanisms
• Raising awareness of the economic and national security impacts associated with a significant cyber incident

Exercise Construct (timeline figure)
• Feb. 6 (Mon., 4 hrs): Build-Up [D-300 – D-14]
• Feb. 7 (Tue., 8 hrs): Build-Up [D-7 & D-1]
• Feb. 8–9 (Wed.–Thurs., 36 hrs): Crisis Phase [D Day] and Response & Recovery [D+1]
• Feb. 10 (Fri., 4 hrs): Response & Recovery [D+5-7]
• Play modes shown on the timeline: TTX & Hotwash, State Prep, Live Play, State Play & Hotwash, Aus & NZ TTXs (Thurs.)
• Player groups shown: Federal Players, Private Sector Players, State Government Players, International Players (Canada, United Kingdom, Australia, New Zealand), US Exercise Control

Cyber Storm Player Universe: The N2 Problem (diagram)
Sector groupings shown: LE/Intel, DHS & Interagency, IT/Telecom, State/Local, Energy, Transportation, Federal Department/Agencies, International, and Main Exercise Control (75 / 20). Organizations and simulated entities on the diagram include:
• LE/Intel and DHS: NSA, DNI, CIA, FBI, USSS, DHS I&A, HITRAC, NCRCG, NCSD, NICC, NCS, NCC, US-CERT, HSOC, IIMG, IMC, IP, OPA, DHS PA/Media
• IT/Telecom: IT-ISAC, Comms ISAC, ISP/Telco Sim Cell, MSV 1, MSV 2, MSV 3, MHV 1, CA, MSSP
• Federal Department/Agencies: OMB, HSC, NSC, Treasury, DOJ, DOC, DOT, TCIRC, DOD, Federal Reserve Bank, FDIC, Ag, DOS, Red Cross, FAA, CSIRC, DOE, Regional Pwr Admins, TSA, TSOC
• Energy: ES-ISAC, Utility 1 through Utility 6
• Transportation Sector: Air Carrier 1, Air Carrier 2
• State/Local: Michigan, Montana, New York, MS-ISAC
• International: Australia, New Zealand, Canada, United Kingdom (counts shown: 13 Players, 11 SimCell, 3 Players)

Scenario Context and Scope
A simulated large-scale cyber incident affecting the Energy, Information Technology (IT), Telecommunications and Transportation infrastructure sectors. The Cyber Storm scenario included:
• Cyber attacks through control systems, networks, software, and social engineering to disrupt transportation and energy infrastructure elements
• Cyber attacks targeted at the IT infrastructure of State, US Federal and International Government agencies, intended to:
  – degrade government operations/delivery of public services
  – diminish the ability to remediate impacts on other infrastructure sectors
  – undermine public confidence
• The exercise was NOT focused on the consequence management of the physical infrastructures affected by the attacks
• Physical consequence management aspects were largely provided to players via a robust Exercise Control cell

Scenario Timeline by Thread (figure)
Threads: International, States, IT, Energy, Intel/LE, Transportation. Columns: build-up (1 Jan 05 – 30 Jan 06 and 1 Feb 06 – 7 Feb 06, Monday/Tuesday), Wednesday 8 Feb 06, Thursday 9 Feb 06. Injects shown on the timeline:
• SCADA System Probing
• Software Update crashes FAA Control System
• Oil and Gas Pipeline Map DOS
• Threats on Metro Websites
• Metros Stop Running
• Minor Commuter Rail Trouble
• Unauthorized FAA Network access
• Claims of Responsibility
• False NOTAM Distribution
• DOS Attack on FAA
• TWIC Problems Plague Ports
• Spoofed Red Cross Messages
• MRG posts No Fly List on Website
• Newspaper Sites Defaced
• WAGA Virtual Sit-In
• Ongoing Protests Surrounding WTO and DEUI Meetings
• TRANSCOM Log Info Manipulated
• WAGA calls for DOS Attacks & Cooperation
• NIPRNET Probing increases
• Tricare Site Defaced
• State Estimators Fail
• OASIS DDOS Attack
• Wireless RTU Problems
• Confusing Network Data
• OPC Vulnerabilities Identified
• Delay of FAA Real-time Systems
• EWA’s No Fly List Altered
• Utility Bomb Threat
• Transmission line breakers tripped
• More Extensive Power Outages
• Tricare BotNet Discovery
• More Power Outages Threatened
• Attack using Malware distributed via Counterfeit CD
• MSSP Malware Distribution via Malicious Code
• DDOS Attacks on Power Admin and DOE Servers
• Rogue Certificate Authority
• Internet Extortion
• DNS Cache Poisoning
• Trusted Insider System Infection
• Malware CD Distributed
• Rogue Wireless Device Discovered
• Logs Compromised (FW, IDS, RTR)
• False Amber Alert
• HIPAA DB Compromised
• Logic Bomb planted in PWGSC Server
• Email Threat to CIOs
• Wireless Comm Device SVR Corrupted
• Cascading RTR Failure
• RTR Control from Offsite
• Wide Area Electrical Failure
• Intel Reports on Heat Outage Sources
• Heat goes out in Govt Buildings
• Claims of Responsibility for Heat Outages
• SIN # Postings
• Australia / New Zealand Table Tops

Adversary (figure)
Groups:
• Worldwide Anti-Globalization Alliance (WAGA)
• Freedom Not Bombs
• The People’s Pact
• Black Hood Society (faction of Freedom Not Bombs)
• Independent Actors: Internet Technopolitic Front (ITF); Auggie Jones, “Cyber Saboteur”; IT Opportunistic Hackers; Disgruntled Airport Employee; The Tricky Trio
Motivations, targets and tactics listed across the groups (the column layout tying each item to a group was lost in extraction): Target Multinationals; Maintain Cultural Diversity; Port and Rail Closures; Target Language Standardization; International Network attacks; Anti-Capitalist; Nations’ reliance on cyber services is a product of Globalization (the irony of its attacker); Target Currency Standardization (EuroDollar); Military Disruption; Target DC Infrastructure; Anti-NATO; Global Website Defacement; Pipeline Cyber Attacks; Target “U5” for pushing English around the globe; Anti-Imperialism; Non-Violent Disruption; Anti-Nuclear Group; Power Outages; Threaten Meltdowns; Opportunistic Launch of worms; Computer virus attacks; Purchase of Personal Identity information; “Watch List” Irregularities; Located in Berlin, Germany; Direct Cyber attacks on software/systems providers; SCADA system disruptions and attacks; Malware Distribution; Cargo Threats; Fighting Back; Internet Extortion; Tower Disruptions; Clogging the Bandwidth.

Scenario Timeline by Thread/Villain (figure)
The same timeline as above, annotated with the villain behind each thread: Tricky Trio, BBB, MRG, Disgruntled Employee, DOWN, Independent Actor, WAGA, Black Hood Society, People’s Pact, ITF, plus WAGA Associates and WAGA Sympathizers. Injects on this version that do not appear on the thread timeline:
• MyPay Balances Zeroed
• Wardial attack on AFSS
• NORTHCOM Comm System Info Manipulated
• New SSL Vulnerability Discovered
• Internet Connectivity Losses

Scope and Scale
• Planning: 18 months; 5 major planning conferences with 100-150 participants at each; 5 AAR conferences
• ExCon: ~100; exercise network & workstations; NXMSEL, web and email servers; simulated media website; hacker websites; physical build; observer group; observation database
• Players: 300+
• Scenario: 800+ injects
• Player emails: 21,000+ captured
• Cost: $$
• Exercise Management Team: peaked @ ~20 FTEs

Overarching Lessons Learned
• Correlation of multiple incidents is challenging at all levels:
  – Within enterprises / organizations
  – Across critical infrastructure sectors
  – Between states, federal agencies and countries
  – Bridging the public – private sector divide
• Communication provides the foundation for response
  – Processes and procedures must address communication protocols, means and methods
• Collaboration on vulnerabilities is rapidly becoming required
  – Reliance on information systems for situational awareness, process controls and communications means that infrastructures cannot operate in a vacuum
• Coordination of response is time critical
  – Cross-sector touch points, key organizations, and SOPs must be worked out in advance
  – Coordination between public and private sectors must include well-articulated roles and responsibilities

Overarching Lessons Learned (continued)
• Strategic Communications / Public Messaging
  – Critical part of government response that should be coordinated with partners at all levels
• Policy Coordination
  – Senior leadership / interagency bodies should develop more structured communication paths with international counterparts
  – A strategic situational awareness picture cannot be built from a wholly federal or domestic perspective in the cyber realm
• Operational Cooperation
  – True situational awareness will always include an external component
  – Initial efforts at international cooperation during CS provided concrete insights into the near-term development of the way ahead for ops/tech info sharing
  – Communication paths, methods, means and protocols must be solidified in advance of crisis/incident response: Who do I call? When do I call? How do I call them?
  – Secure and assured communications are critical in order to share sensitive information
  – Cooperation must include the ability to link into or share info in all streams, e.g., Cyber, Physical, LE, Intelligence

Way Ahead – Cyber Storm II
• Tentatively scheduled for March 2008
• Fall 2006: DHS and key stakeholders will begin development of the CSII overall concept and scenario focus
• Spring 2007: CSII CONOPS will be finalized
• Based on the scenario focus areas, DHS will coordinate with the sector-specific agencies and the relevant Information Sharing and Analysis Centers and Private Sector Coordinating Councils (NIPP) for individual private sector participants.