Post on 31-Mar-2015
FOR OFFICIAL USE ONLY
National Cyber Exercise: Cyber Storm
National Cyber Security Division
New York City Metro ISSA Meeting
June 21, 2006
This document is FOR OFFICIAL USE ONLY (FOUO). It contains information that may be exempt from public release under the Freedom of Information Act (5 U.S.C. 552). It is to be controlled, stored, handled, transmitted, distributed, and disposed of in accordance with DHS policy relating to FOUO information and is not to be released to the public or other personnel who do not have a valid “need-to-know” without prior approval of an authorized DHS official.
Agenda
• Cyber Storm Overview
– Exercise Objectives
– Exercise Construct
– Player Universe
• Scenario Context and Scope
– Scenario and Adversary
– Scope and Scale
• Overarching Lessons Learned
• Way Ahead: Cyber Storm II
Cyber Storm
Cyber Storm Overview
What:
• Provided a controlled environment to exercise State, Federal, International, and Private Sector response to a cyber related incident of national significance
• Large scale exercise through simulated incident reporting only – no actual impact or attacks on live networks
• Specifically directed by Congress in FY05 appropriations language and coordinated with DHS National Exercise Program
Who: 300+ participants from
• Federal D/As: Support and/or participation by 8 Departments and 3 Agencies
• States: Michigan, Montana, New York, Washington (Exercise Control)
• International: Australia, Canada, New Zealand, UK
• Private Sector
– IT: 9 major IT firms
– Energy: 6 electric utility firms (generation, transmission & grid operations)
– Airlines: 2 major air carriers
– ISACs: Multi-State, IT, Energy, Finance (off the record participant)
(Nebraska, North Carolina, South Carolina, Texas @ MS-ISAC)
When: February 6-10, 2006
Where: distributed participation from ~ 60 locations including US, Canada, and UK
Exercise Objectives
Exercise the national cyber incident response community with a focus on:
• Interagency coordination under the Cyber Annex to the National Response Plan:
– Interagency Incident Management Group (IIMG)
– National Cyber Response Coordination Group (NCRCG)
• Intergovernmental coordination and incident response:
– Domestic: State – Federal
– International: Australia, Canada, NZ, UK & US
• Identification and improvement of public-private collaboration, procedures and processes
• Identification of policies/issues that affect cyber response & recovery
• Identification of critical information sharing paths and mechanisms
• Raise awareness of the economic and national security impacts associated with a significant cyber incident
Exercise Construct
[Diagram: exercise timeline, Feb. 6-10, 2006]
• Mon. Feb. 6 (4 hrs): Build-Up [D-300 - D-14]
• Tue. Feb. 7 (8 hrs): Build-Up [D-7 & D-1]
• Wed.-Thurs. Feb. 8-9 (36 hrs): Crisis Phase [D Day]; Response & Recovery [D+1]
• Fri. Feb. 10 (4 hrs): Response & Recovery [D+5-7]
• Live Play; TTX & Hotwash
• Player groups: Federal Players; Private Sector Players; State Government Players (State Prep, State Play & Hotwash); International Players (United Kingdom, Canada, US, Australia, New Zealand; Aus & NZ TTXs Thurs.); Exercise Control
Cyber Storm Player Universe
The N² Problem
Player Universe
[Diagram: player universe, showing participating organizations and simulation cells grouped by sector and the links between them]
• Transportation Sector: FAA CSIRC, DOT TCIRC, TSA TSOC, Air Carrier 1, Air Carrier 2
• International: Australia, Canada (13 Players, 11 SimCell), United Kingdom (3 Players), New Zealand
• States: Michigan, Montana, New York, MS-ISAC
• DHS & Interagency: IIMG, HSOC, NCRCG, NICC, OPA, IP, NCS, NCSD, US-CERT, DHS I&A, USSS, HITRAC
• IT/Telecom: IT-ISAC, NCC, Comms ISAC, ISP/Telco Sim Cell
• Energy: DOE, ES-ISAC, Regional Pwr Admins, Utility 1 through Utility 6
• LE/Intell: NSA, CIA, FBI, DNI
• Federal Department/Agencies: HSC, OMB, NSC, DOC, DOJ, DOD, DOS, Treasury, Fed. Reserve Bank, FDIC, Ag, Red Cross
• PA/Media
• Other nodes shown: IMC, MSSP, MSV 1, MSV 2, MSV 3, MHV 1, CA
• Main Exercise Control (75 / 20), with cells for LE/Intell, Trans, DHS, IT/Telcom, Energy, State/Local, Internat’l, Fed D/As, PA/Media
Scenario Context and Scope
A simulated large-scale cyber incident affecting Energy, Information Technology (IT), Telecommunications and Transportation infrastructure sectors.
Cyber Storm scenario included:
• Cyber attacks through control systems, networks, software, and social engineering to disrupt transportation and energy infrastructure elements
• Cyber attacks targeted at the IT infrastructure of State, US Federal and International Government agencies intended to:
– degrade government operations/delivery of public services
– diminish the ability to remediate impacts on other infrastructure sectors
– undermine public confidence
• The exercise was NOT focused on the consequence management of the physical infrastructures affected by the attacks
• Physical consequence management aspects largely provided to players via robust Exercise Control cell
Scenario Timeline by Thread
[Diagram: scenario injects laid out by thread (Transportation, Intel/LE, Energy, IT, States, International) across the columns 1 Jan 05 – 30 Jan 06, 1 Feb 06 – 7 Feb 06 (Monday, Tuesday), 8 Feb 06 (Wednesday) and 9 Feb 06 (Thursday); lane placement is not recoverable, so the injects are listed together]
Injects shown:
• Tricare Site Defaced; NIPRNET Probing increases; More Extensive Power Outages; EWA’s No Fly List Altered; Software Update crashes FAA Control System; Metros Stop Running
• Threats on Metro Websites; False NOTAM Distribution; SCADA System Probing; Minor Commuter Rail Trouble; Unauthorized FAA Network access; DOS Attack on FAA
• Oil and Gas Pipeline Map DOS; Delay of FAA Real-time Systems; OPC Vulnerabilities Identified; OASIS DDOS Attack; WAGA calls for DOS Attacks & Cooperation
• Transmission line breakers tripped; More Power Outages Threatened; Ongoing Protests Surrounding WTO and DEUI Meetings; Wireless RTU Problems; Confusing Network Data; State Estimators Fail
• Claims of Responsibility; Rogue Certificate Authority; DNS Cache Poisoning; Attack using Malware distributed via Counterfeit CD; Internet Extortion; DDOS Attacks on Power Admin and DOE Servers
• Trusted Insider System Infection; WAGA Virtual Sit-In; TRANSCOM Log Info Manipulated; Newspaper Sites Defaced; Tricare BotNet Discovery; MSSP Malware Distribution via Malicious Code
• Spoofed Red Cross Messages; Malware CD Distributed; HIPAA DB Compromised; Cascading RTR Failure; RTR Control from Offsite; Rogue Wireless Device Discovered; Logs Compromised (FW, IDS, RTR)
• Logic Bomb planted in PWGSC Server; Intel Reports on Heat Outage Sources; Claims of Responsibility for Heat Outages; MRG posts No Fly List on Website; Utility Bomb Threat; Wide Area Electrical Failure
• Wireless Comm Device SVR Corrupted; Email Threat to CIOs; False Amber Alert; TWIC Problems Plague Ports; Heat goes out in Govt Buildings; SIN # Postings
• Australia / New Zealand Table Tops
Adversary
Worldwide Anti-Globalization Alliance (WAGA)
Freedom Not Bombs
The Peoples Pact
Auggie Jones, “Cyber Saboteur”
• Maintain Cultural Diversity
• Target Language Standardization
• Target Currency Standardization (Euro-Dollar)
• Target “U5” for pushing English around the globe
• Anti-Imperialism
• Computer virus attacks
• SCADA system disruptions and attacks
• Military Disruption
• Port and Rail Closures
• Pipeline Cyber Attacks
• International Network attacks
• Anti-NATO
• Non-Violent Disruption
• Anti-Nuclear Group
• Power Outages
• Threaten Meltdowns
• Target DC Infrastructure
• Global Website Defacement
Independent Actors
The Tricky Trio
• Located in Berlin, Germany
• Fighting Back
• Clogging the Bandwidth
Internet Techno politic Front (ITF)
• Opportunistic Launch of worms
• Direct Cyber attacks on software/systems providers
• Target Multinationals
• Port and Rail Closures
• International Network attacks
• Anti-Capitalist
• Nation reliance on cyber services is a product of Globalization. (The irony of its attacker)
Disgruntled Airport Employee
• “Watch List” Irregularities
• Cargo Threats
• Tower Disruptions
Black Hood Society
Faction of Freedom Not Bombs
IT Opportunistic Hackers
• Purchase of Personal Identity information
• Malware Distribution
• Internet Extortion
Scenario Timeline Thread/Villain
[Diagram: the scenario injects laid out by thread (Transportation, Intel/LE, Energy, IT, States, International) and by villain across Monday 1 Jan 05 – 30 Jan 06, Tuesday 1 Feb 06 & 7 Feb 06, Wednesday 8 Feb 06 and Thursday 9 Feb 06; lane placement is not recoverable]
Villains shown: WAGA; WAGA Associates; WAGA Sympathizers; Tricky Trio; BBB; MRG; Black Hood Society; People’s Pact; ITF; Disgruntled Employee; Independent Actor
Injects shown largely repeat the Scenario Timeline by Thread slide; labels appearing only on this slide: New SSL Vulnerability Discovered; Internet Connectivity Losses; MyPay Balances Zeroed; DOWN; Wardial attack on AFSS; NORTHCOM Comm System Info Manipulated
Scope and Scale
• Planning: 18 months
– 5 major planning conferences, 100-150 participants @ each
– 5 AAR conferences
• ExCon: ~100
– Exercise network & workstations
– NXMSEL, web and email servers
– Simulated media website
– Hacker websites
– Physical build
– Observer group
– Observation database
• Players: 300+
• Scenario: 800+ injects
• Player emails: 21,000+ captured
• Cost: $$
• Exercise Management Team: peaked @ ~20 FTEs
Overarching Lessons Learned
• Correlation of multiple incidents is challenging at all levels:
– Within enterprises / organizations
– Across critical infrastructure sectors
– Between states, federal agencies and countries
– Bridging public – private sector divide
• Communication provides the foundation for response
– Processes and procedures must address communication protocols, means and methods
• Collaboration on vulnerabilities is rapidly becoming required
– Reliance on information systems for situational awareness, process controls and communications means that infrastructures cannot operate in a vacuum
• Coordination of response is time critical
– Cross-sector touch points, key organizations, and SOPs must be worked out in advance
– Coordination between public-private sectors must include well articulated roles and responsibilities
Overarching Lessons Learned
• Strategic Communications / Public Messaging
– Critical part of government response that should be coordinated with partners at all levels
• Policy Coordination
– Senior leadership / interagency bodies should develop more structured communication paths with international counterparts
– Strategic situational awareness picture cannot be built from a wholly federal or domestic perspective in the cyber realm
• Operational Cooperation
– True situational awareness will always include an external component
– Initial efforts at international cooperation during CS provided concrete insights into near term development of the way ahead for ops/tech info sharing
– Communication paths, methods, means and protocols must be solidified in advance of crisis/incident response
  – Who do I call? When do I call? How do I call them?
  – Secure and assured communications are critical in order to share sensitive information
– Cooperation must include ability to link into or share info in all streams: e.g., Cyber, Physical, LE, Intelligence
Way Ahead – Cyber Storm II
• Tentatively scheduled for March 2008
• Fall 2006, DHS and key stakeholders will begin development of CSII overall concept and scenario focus
• Spring 2007, CSII CONOPS will be finalized
• Based on the scenario focus areas, DHS will coordinate with the sector specific agencies and the relevant Information Sharing Analysis Centers and Private Sector Coordinating Councils (NIPP) for individual private sector participants.