Cybersecurity Tabletop Exercise Overview

 
 
Cybersecurity Scenario Tabletop Exercise

Tabletop Exercise
 
Welcome and introductions
Discuss agenda for the day
Review administrative details
Start the exercise
 
Welcome and Introductions
 
Name
Organization
Emergency response experience
 
 
Agenda
 
 
Review exercise materials and rules
Review scenario(s)
Break
Facilitated discussion period
Action planning session (“hot wash”)
Review and conclusion
Closing comments
 
Administrative Details
 
Location of emergency exits
Location of restrooms
Cell phone/pager management
Logging your time to fulfill training requirements
Sign-in sheet and participant evaluation form
 
 
Exercise Benefits:
 
Increase readiness in the event of an actual
emergency
Provide a means to assess effectiveness of
response plans and response capabilities
Serve as a training tool for response personnel
and their involvement with other response
agencies
Provide an opportunity to practice skills and
improve individual performance in a non-threatening
environment
 
 
Exercise Benefits: (cont.)
 
Require participants to network with each other
and pre-plan decisions on resources
Identify planning conflicts or gaps
Identify resource needs and opportunities for
sharing of resources
Clarify internal and external roles and
responsibilities
 
 
Exercise Objectives:
 
At the conclusion of this exercise, participants should
be able to do the following:
 
Explore and address cybersecurity challenges
Define or refine participants’ roles and
responsibilities for managing the consequences of a
cybersecurity incident, which should be reflected
in their plans, policies and procedures and other
preparedness elements currently in place or under
development
Build relationships between utilities and
stakeholders
 
 
Exercise Objectives: (cont.)
 
Increase awareness of the damage that can be
caused by a cybersecurity incident on a business
or control system
Identify other needed enhancements related to
training and exercises and other preparedness
elements currently in place or under
development
 
This session will not be a success unless you as a
participant go back to your office and follow through
 
Roles and Responsibilities:
 
 
Players respond to the situation presented based on
expert knowledge of response procedures, current
plans and procedures and insights derived from
training and experience
Observers observe the exercise but do not
participate in the facilitated discussion period
Facilitators lead the exercise by presenting the
scenario narrative and facilitating the discussion
period and “hot wash” (Action planning session or
review session)
Evaluators monitor the exercise, track
accomplishments according to objectives and may
ask questions
 
Exercise Rules:
 
This exercise will be held in an open, low-stress,
no-fault environment; varying viewpoints, even
disagreements, are expected
Respond to the scenario using your knowledge of
current plans and capabilities (i.e., you may use only
existing assets) and insights derived from your
training
Decisions are not precedent setting and may not
reflect your organization’s final position on a given
issue; this exercise is an opportunity to discuss and
present multiple options and possible solutions
 
 
Exercise Rules: (cont.)
 
Issue identification is not as valuable as suggestions and
recommended actions that could improve [prevention,
protection, mitigation, response or recovery] efforts;
problem-solving efforts should be the focus
Assume there will be cooperation and support from other
responders and agencies
The basis for discussion consists of the scenario narrative
and modules, your experience, your understanding of your
Emergency Response Plan (ERP), your intuition and other
utility resources included as part of this material or that
you brought with you
Treat the scenario as if it will affect your area
 
 
Action Planning Session:
 
Following the facilitated discussion period, the
facilitator will lead an Action Planning Session,
also known as a “hot wash”
Participants are encouraged to identify, discuss
and prioritize next steps, actions, tasks and
other follow-up activities
Identify additional collaborators if needed
Schedule a follow-up meeting
 
Cybersecurity Scenario
 
 
Module 1 – April 24
The Suspicious Email
 
 
Module 1 – April 24, 0730 hrs
 
John is a new office clerk for the public utility in Lakewood
He receives an email with the subject title “Failed Package
Delivery Notice”
John opens the email
When John opened the email, he noticed that the recipient
name and address were not his, so he clicked the included
link to find out more information
The link took him to what appeared to be a blank webpage,
but after a few seconds, it redirected him to Fedex.com
Lacking any more information on the package, he closed the
email and continued to go about his business
 
Key Issues – Module 1
 
John receives a suspicious email and clicks
on the link
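Two of the indicators in this module can be checked mechanically before anyone clicks: the recipient fields do not name the mailbox that received the message, and the visible link text claims one host while the href points to another. The following Python script is an added example of those checks run over a constructed message; it is not part of the original exercise material, and the sender, recipient, hostnames and the mailbox address passed to triage() are hypothetical. The blank page that later redirected John to Fedex.com is not visible from the message itself; the check works on where the link actually points.

```python
"""Triage checks for a delivery-notice email like John's (added example)."""
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; sender, recipient and link hosts are hypothetical.
# The visible link text claims fedex.com while the href goes elsewhere, and the
# To: header names someone other than the mailbox that received it.
SAMPLE_EML = b"""\
From: "FedEx" <notice@fedex-delivery-status.example>
To: "Maria Lopez" <mlopez@example-freight.com>
Subject: Failed Package Delivery Notice
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We could not deliver your package. Use the link below for details.</p>
<p><a href="http://track-update.example/p?id=7731">https://www.fedex.com/tracking</a></p>
<p><a href="https://www.fedex.com/">FedEx home</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(text):
    """Lower-cased hostname if text looks like a URL, else None."""
    if "://" not in text:
        return None
    return (urlsplit(text.strip()).hostname or "").lower() or None


def triage(raw_message, mailbox_owner):
    """Return human-readable findings for one raw RFC 5322 message.

    mailbox_owner is the address of the inbox the message landed in.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []

    # 1. The To/Cc fields should include the inbox that actually received it.
    recipients = set()
    for field in ("To", "Cc"):
        header = msg.get(field)
        if header is not None:
            recipients.update(a.addr_spec.lower() for a in header.addresses)
    if mailbox_owner.lower() not in recipients:
        findings.append(f"recipient mismatch: addressed to {sorted(recipients)}")

    # 2. Link text that looks like a URL must point at the host it shows.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown, actual = _host(text), _host(href)
            if shown and actual and shown != actual:
                findings.append(f"link text shows {shown} but goes to {actual}")
    return findings


if __name__ == "__main__":
    # Hypothetical clerk mailbox; the message above was not addressed to it.
    for finding in triage(SAMPLE_EML, "jclerk@lakewood-utility.example"):
        print("FLAG:", finding)
```

Both findings are things a mail gateway or a user-reported-phish workflow can act on without opening the link; the second check deliberately ignores links whose visible text is plain words, since only a URL-looking label makes a promise that can be broken.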
 
 
 
Module 2 – April 24
A Message Appears
 
Module 2 – April 24, 1030 hrs
 
A few hours later, a message appears on John’s
computer screen that reads “Your personal files
are encrypted”
Files can be decrypted if a ransom for $300 is
paid to receive a decryption key
There is limited time to pay the ransom and get
the key
John sees all his files, but an error message
appears when he tries to open them
Afraid of disciplinary action, John decides to pay
the ransom himself
 
 
Key Issues – Module 2
 
The files on John’s computer are encrypted
John does not notify anyone or seek advice before
paying the ransom
John did not check the files on the town’s server,
which he can access from his computer
 
 
 
Module 3 – April 24
The Malware Spreads
 
Module 3 – April 24, 1130 hrs
 
John is panicked because he has not received
the decryption key
Christina asks John if he is having trouble
accessing server files, as she is
Christina is worried because the town’s server
holds six years of critical files and customer
billing information needed for daily operations
John breaks down and tells Christina about the
ransom and that he still doesn’t have the key
 
 
Module 3 – April 24, 1130 hrs
(cont.)
 
Christina responds to John that they must
report the incident to their supervisor
immediately
They then call their IT vendor representative,
Thomas; he tells them to disconnect both
John’s computer and the infected server from
the network
Thomas goes to John’s office and confirms that
the files on both his computer and the town’s
server have been encrypted
 
 
Key Issues – Module 3
 
The malware has spread to the town server and
all the files are encrypted
Business operations are frozen until the files can
be accessed
John has not received the decryption key
 
 
Module 4 – April 24
SCADA Locked
 
Module 4 – April 24, 1245 hrs
 
Thomas is working on John’s computer and the
town’s server when he receives an urgent call
from the town’s combined drinking water and
wastewater treatment facility
The operator there has observed that the
Supervisory Control and Data Acquisition
(SCADA) control screens are not showing
updated data
Instead, the screens have frozen, and critical
process information is not current
 
 
Module 4 – April 24, 1245 hrs
(cont.)
 
Thomas believes that the utility’s SCADA
problems are due to the malware infection on
John’s computer and the town’s server
Thomas tells the operator that if possible, the
drinking water and wastewater processes should
be operated in a manual mode
 
 
Key Issues – Module 4
 
The town server and the SCADA system for the
drinking water and wastewater utility are
connected through a flat network, which means
there is no firewall regulating traffic between
the server and the SCADA system
The integrity of the SCADA system has been
compromised by the malware infection; control
screens are frozen, and utility process control
system information is not being updated
The utility must be operated in manual mode
 
 
Module 5 – April 24
Malware Identified
 
Module 5 – April 24, 1400 hrs
 
After investigation, Thomas confirms that the
malware did spread across the flat network from
the town server to the SCADA system
The malware encrypted critical data and
program files that the SCADA system needs
 
 
Key Issues – Module 5
 
The malware encrypted critical data files that
the SCADA system reads and uses for
communications with operators and between
processes
Thomas will need to investigate multiple
components connected to the SCADA system to
evaluate the extent of damage
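The Module 4 and Module 5 key issues come down to one architectural gap: nothing between the town server and the SCADA system enforced which traffic was allowed to cross. The Python script below is an added example that is not part of the exercise material. It expresses a boundary allowlist as data, renders it as an nftables forward chain with a default drop (the corrected setting beside the flat network's implicit allow-everything), and audits a constructed set of observed flows against the same allowlist, which is also a quick way to inventory what actually talks to the SCADA components Thomas has to examine. The addresses, ports, business reasons and the SMB spread path are assumptions, not facts from the page.

```python
"""Putting a policy between the town server and SCADA (added example).

The allowlist is data; render_nft() turns it into an nftables ruleset for a
boundary firewall, and audit_flows() checks observed connections against the
same allowlist to show what the flat network was letting through."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical addressing for the two zones in the scenario.
IT_ZONE = ip_network("10.10.0.0/24")   # office LAN: clerk workstations, town server
OT_ZONE = ip_network("10.20.0.0/24")   # SCADA: HMI, historian, controllers


@dataclass(frozen=True)
class Rule:
    src: str    # host or CIDR
    dst: str    # host or CIDR
    proto: str  # "tcp" or "udp"
    port: int   # destination port
    why: str    # business reason, kept as an nft comment


# Every flow crossing the IT/OT boundary must match one of these. Hosts,
# ports and reasons are assumptions for illustration, not from the page.
ALLOWLIST = [
    Rule("10.10.0.20", "10.20.0.10", "tcp", 5432, "billing reads meter data from historian"),
    Rule("10.20.0.10", "10.10.0.30", "udp", 123, "historian syncs time from office NTP"),
]


def render_nft(rules, it_zone=IT_ZONE, ot_zone=OT_ZONE):
    """Render rules as an nftables forward chain: default drop, allowlist only."""
    lines = [
        "table inet scada_boundary {",
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        "        ct state established,related accept",
    ]
    for r in rules:
        lines.append(f"        ip saddr {r.src} ip daddr {r.dst} {r.proto} dport {r.port}"
                     f" ct state new accept comment \"{r.why}\"")
    # Log what gets dropped so the next "SCADA screens froze" call has a trail.
    lines.append(f"        ip saddr {it_zone} ip daddr {ot_zone} log prefix \"it-to-ot-drop \" drop")
    lines.append(f"        ip saddr {ot_zone} ip daddr {it_zone} log prefix \"ot-to-it-drop \" drop")
    lines += ["    }", "}"]
    return "\n".join(lines) + "\n"


def _crosses_boundary(src, dst):
    s, d = ip_address(src), ip_address(dst)
    return (s in IT_ZONE and d in OT_ZONE) or (s in OT_ZONE and d in IT_ZONE)


def _allowed(rule, src, dst, proto, port):
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and proto == rule.proto and port == rule.port)


def audit_flows(flows, rules=ALLOWLIST):
    """Return boundary-crossing (src, dst, proto, dport) flows the policy would drop.

    Feed it NetFlow or span-port data from the flat network before cutting over;
    every hit is either a missing business rule or a path like the one the
    malware took from the town server into SCADA.
    """
    return [f for f in flows
            if _crosses_boundary(f[0], f[1]) and not any(_allowed(r, *f) for r in rules)]


# Constructed flows resembling a day on the flat network; the protocol the
# malware used to reach SCADA is not named on the page, SMB (445) is assumed.
SAMPLE_FLOWS = [
    ("10.10.0.20", "10.20.0.10", "tcp", 5432),  # town server -> historian DB (allowed)
    ("10.10.0.20", "10.20.0.10", "tcp", 445),   # town server -> historian file share
    ("10.10.0.57", "10.20.0.11", "tcp", 3389),  # clerk workstation -> HMI remote desktop
    ("10.10.0.57", "10.10.0.20", "tcp", 445),   # clerk -> town server, inside IT zone
    ("10.20.0.10", "10.10.0.30", "udp", 123),   # historian -> NTP (allowed)
]


if __name__ == "__main__":
    print(render_nft(ALLOWLIST))
    for flow in audit_flows(SAMPLE_FLOWS):
        print("would be dropped:", flow)
```

Load the rendered ruleset with nft -f on the device that sits between the two zones; anything audit_flows() reports on real flow data needs either a documented business rule added to ALLOWLIST or a reason it should stop. Keeping the allowlist as the single source for both the firewall and the audit is what stops the two from drifting apart.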
 
 
Module 6 – April 25
The System is Restored
 
Module 6 – April 25, 0530 hrs
 
After confirming malware contamination, Thomas
backs up all the log files to keep a record of the
incident
He then wipes each infected computer and restores
them with clean backups
Next, Thomas retrieves the last set of backups (one
month old) for the town’s server; he proceeds to
restore the server from the backups
Several errors are displayed; Thomas checks the
backup drive, and realizes that some files are not
readable
 
 
Module 6 – April 25, 0530 hrs
(cont.)
 
Thomas, unable to proceed with a quick
restoration, decides to do a full reinstallation
and reconfiguration of the file server
Thomas works through the night to get the
server back up and running
Thomas repeats these procedures at the utility,
allowing the utility to switch back to automated
operation
 
 
Module 6 – April 25, 0530 hrs
(cont.)
 
Thomas runs a couple of malware tools on
John’s individual workstation
There were no backups of John’s files, and all the
impacted files are lost
Thomas reports the incident to the Department
of Homeland Security’s Industrial Control
Systems Cyber Emergency Response Team (ICS-
CERT)
 
 
Key Issues – Module 6
 
Backups were not routinely verified to ensure
that they functioned as needed
Thomas conducts a full system restoration and
wipes all workstations clean of the malware
Thomas reports the incident to ICS-CERT
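Two things in Module 6 are routine procedures rather than story: Thomas copying the log files to keep a record of the incident, and the month-old backup that turned out to be partly unreadable only when it was needed. The Python script below is an added example, not part of the exercise material, showing the mechanism that covers both: a SHA-256 manifest written when a backup (or a set of evidence files) is taken, a verification pass that re-hashes the set and reports unreadable, altered or missing files, and a restore test into a scratch directory. The sample backup set, file names and the simulated damage are constructed for the demonstration.

```python
"""Backup verification and evidence hashing (added example).

write_manifest() records a SHA-256 per file when a backup (or a copy of the
incident logs) is taken; verify_backup() re-hashes the set later and reports
unreadable, altered or missing files; restore_test() proves the set can be
read end to end and copied somewhere before it is needed."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.json"


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(backup_root):
    """Hash every file under backup_root into MANIFEST.json; returns the entries."""
    root = Path(backup_root)
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name != MANIFEST:
            entries[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p), "size": p.stat().st_size}
    (root / MANIFEST).write_text(json.dumps(entries, indent=2, sort_keys=True))
    return entries


def verify_backup(backup_root):
    """Compare the set against its manifest. Run after every backup job,
    not at 0530 with the server already down."""
    root = Path(backup_root)
    manifest = json.loads((root / MANIFEST).read_text())
    report = {"unreadable": [], "mismatch": [], "missing": [], "ok": True}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.exists():
            report["missing"].append(rel)
            continue
        try:
            digest = sha256_file(p)
        except OSError:                 # bad sectors, permissions, dead media
            report["unreadable"].append(rel)
            continue
        if digest != expected["sha256"]:
            report["mismatch"].append(rel)
    report["ok"] = not (report["unreadable"] or report["mismatch"] or report["missing"])
    return report


def restore_test(backup_root):
    """Restore into a scratch directory, verify the copy, then clean up."""
    scratch = tempfile.mkdtemp(prefix="restore-test-")
    try:
        shutil.copytree(backup_root, scratch, dirs_exist_ok=True)
        return verify_backup(scratch)
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


def make_sample_backup():
    """Constructed stand-in for the town server's monthly backup set."""
    root = Path(tempfile.mkdtemp(prefix="townserver-backup-"))
    (root / "billing").mkdir()
    (root / "billing" / "accounts.csv").write_text("acct,balance\n1001,42.50\n")
    (root / "billing" / "rates.csv").write_text("tier,rate\nresidential,3.10\n")
    (root / "scada_config.bak").write_bytes(bytes(range(256)) * 16)
    write_manifest(root)
    return root


def damage_backup(root):
    """Simulate the drive going bad after the manifest was written:
    512 bytes of one file zeroed, another file lost."""
    with open(Path(root) / "scada_config.bak", "r+b") as fh:
        fh.seek(1024)
        fh.write(b"\x00" * 512)
    (Path(root) / "billing" / "rates.csv").unlink()


def demo():
    """Returns (report before damage, report after damage)."""
    root = make_sample_backup()
    before = restore_test(root)
    damage_backup(root)
    after = verify_backup(root)
    shutil.rmtree(root, ignore_errors=True)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("fresh backup restorable:", before["ok"])
    print("after damage:", json.dumps(after, indent=2))
```

Run verify_backup() from the backup job itself, against the medium the backup was written to, and alert on anything other than ok; a scheduled restore_test() additionally catches media that hashes correctly in place but cannot be read back in full. The same write_manifest() over the copied log files gives the incident record a fixed set of hashes that can be checked later if anyone questions whether the logs were altered.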
 
 
Action Planning Session
 
Post-Exercise Hot Wash
 
Review of Exercise Objectives
 
Explore and address cybersecurity challenges
Define or refine participants’ roles and
responsibilities for managing the consequences of
a cybersecurity incident, which should be reflected
in their plans, policies and procedures and other
preparedness elements currently in place or under
development
Build relationships between utilities and
stakeholders
Increase awareness of the damage that can be
caused by a cybersecurity incident on a business or
control system
Identify other needed enhancements related to
training and exercises and other preparedness
elements currently in place or under development
 
 
Conclusion
 
Please turn in your notes from the Action
Planning Session, your participant evaluation
form and any additional comments you wish to
share
This information will be used to develop an
After Action Report and Improvement Plan
 
Closing Remarks
 
Thank you for participating

Slide Note

The Scenario Presentation is a multimedia presentation used by the facilitator during the tabletop exercise to present the material in the Situation Manual (SitMan). The Scenario Presentation is put together from and follows the same order as the SitMan. Most users will find it easier to develop the Scenario Presentation after they have finalized the SitMan.

All of the slides presented here may be modified as needed. For example, an Exercise Development Team (EDT) may decide not to include all or part of the slides presented here since the same information is already available to participants through their SitMan.

Facilitators are encouraged to use this “notes” section on each slide to incorporate additional material, such as follow-up questions or comments.
