ICS-CERT: From the Trenches - A Tabletop Exercise

Tuesday, May 22, 2012

Infosec Island Admin


The conference room was heating up 3 months ago on a cold January day as law enforcement, a county emergency planner, and the staff for a small municipal utility dealt with cyber attacks on the utility’s power generation, water, and wastewater control systems.

Fortunately for the 25 participants, this was only a test; actually, it was table top exercise facilitated by Control Systems Security Program (CSSP) staff.

The exercise tested the municipality’s cybersecurity incident response plan with the specific objectives to:

• Test the staff’s understanding of the policies and procedures for handling a cyber incident

• Review the effectiveness and suitability of the policies and procedures

• Evaluate coordination with federal, state, and local government

• Identify gaps and mitigations to the cyber response plan

• Educate-if it just doesn’t look right-report it

The facilitators, with the exercise play book in hand, released a series of “injects” or story lines throughout the day. The injects were designed to test the utility’s response to internal and external cyber attacks on its control systems.

The facilitators followed up with probing questions to generate discussions on how the participants would handle the topic at hand. A variety of subjects were covered, including the traditional cybersecurity issues of access control, remote access, perimeter defenses, logging, and auditing. The exercise also covered noninformation technology subjects.

For example, one of the injects produced conversations on the human resources policies and procedures for dealing with an employee suspected of an internal cyber attack. Another inject forced the agency to think about recommended practices for handling local and national media coverage caused by disruption of services because of the cyber attack.

The participants then held “hot washes” that highlighted key points and takeaways following the completion of each scenario. The notes and hot washes were used by the utility’s staff to develop an action plan.

Was it worth it? According to both the utility’s security and safety specialists who were responsible for coordinating the exercise, it definitely was. As a result of the exercise, utility staff will review and update policies and procedures, mitigate identified security gaps, strengthen cyber defenses, and provide more cybersecurity training for the staff.

But perhaps the most valuable benefit of the exercise was that it jump-started crucial conversations and interactions between stakeholders that will undoubtedly lead to a more secure environment for their ICSs.

According to the security specialist, “The tabletop was a way for us to put our heads together and collaborate on how we would handle specific, realistic cybersecurity incidents. With the expertise of the DHS CSSP staff that created the scenarios and injects, we were forced to work together and talk through what we are doing already and where we have more work to do.

Incident response is critical. During a real incident, you don’t want to discover major gaps in policy/procedure and/or technology tools. In addition, the collaboration that occurred during the day of the tabletop helps us all to understand the roles and responsibilities that each of us have in situations such as those we worked through for the tabletop exercise.

My hope is that we could do a tabletop exercise like this on a recurring basis so that the participants continue to improve our incident response capabilities and security posture.

Lastly, the tabletop gives everyone the opportunity to build relationships with DHS CSSP, FBI, state/local law enforcement and others; which is a huge win. If - or more likely when an incident is going down, that is not the time I want to be introducing myself for the first time to the people who are equipped to help us get through it as quickly and efficiently as possible.”

Are you interested in conducting a table top exercise to test your organization’s response to a cyber attack on your ICS? If so, here are a few tips for organizing the exercise:

• Identify the goals and objectives for the exercise, for example testing an incident response plan

• Develop relevant and realistic scenarios and injects to achieve those goals and prepare a situation manual or play book documenting the scenario

• Prepare briefing slides for guiding the participants through the exercise

• Generate a facilitator handbook that provides instructions to guide the facilitator during the exercise, capture information and document action items, and develop an Action Report/Plan

• Invite all crucial stakeholders to the exercise including technical and nontechnical staff and managers

• Select a facilitator that will draw out comments from all participants and a scribe who will capture the key points of the exercise

Want to learn more?

• Homeland Security Exercise and Evaluation Program (HSEEP) website information on establishing an exercise program for all types of disasters https://hseep.dhs.gov/ pages/1001_HSEEP7.aspx

• Tabletop Exercises for Incident Response Plans Under NERC Reliability Standard CIP-008¾Good resource for setting up a cyber table top exercise http://www.us-cert.gov/ control_systems/icsjwg/presentations/fall2010/Simon%20 -%20Tabletop%20Exercise%20Webinar.pdf

• Creating Cyber Forensics Plans for Control Systems–CSSP Recommend Practices http://www.us-cert.gov/control_ systems/practices/documents/Forensics_RP.pdf

• Developing an Industrial Control Systems Cybersecurity Incident Response Capability–CSSP Recommended Practices http://www.us-cert.gov/control_systems/ practices/documents/final-RP_ics_cybersecurity_incident_ response_100609.pdf

If you have questions or want more information on conducting a table top exercise for your ICS please contact us at cssp@hq.dhs.gov.

Source:  http://www.us-cert.gov/control_systems/pdf/ICS-CERT_Monthly_Monitor_Apr2012.pdf

Possibly Related Articles:
Industrial Control Systems
SCADA Incident Response Training Cyber Security Network Security Infrastructure ICS-CERT Industrial Control Systems CSSP
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.