Cybersecurity Tabletop Exercise Overview
In this cybersecurity tabletop exercise, participants engage in scenario-based discussion and action planning to improve readiness for cyber incidents. The material covers the welcome and introductions, agenda review, administrative details, exercise benefits, objectives, roles and rules, and then works through a scenario designed to improve response capabilities and clarify roles in managing a cybersecurity incident.
Cybersecurity Scenario Tabletop Exercise

Tabletop Exercise
- Welcome and introductions
- Discuss agenda for the day
- Review administrative details
- Start the exercise

Welcome and Introductions
- Name
- Organization
- Emergency response experience

Agenda
- Review exercise materials and rules
- Review scenario(s)
- Break
- Facilitated discussion period
- Action planning session (hot wash)
- Review and conclusion
- Closing comments

Administrative Details
- Location of emergency exits
- Location of restrooms
- Cell phone/pager management
- Logging your time to fulfill training requirements
- Sign-in sheet and participant evaluation form

Exercise Benefits:
- Increase readiness in the event of an actual emergency
- Provide a means to assess effectiveness of response plans and response capabilities
- Serve as a training tool for response personnel and their involvement with other response agencies
- Provide an opportunity to practice skills and improve individual performance in a non-threatening environment

Exercise Benefits: (cont.)
- Require participants to network with each other and pre-plan decisions on resources
- Identify planning conflicts or gaps
- Identify resource needs and opportunities for sharing of resources
- Clarify internal and external roles and responsibilities

Exercise Objectives:
At the conclusion of this exercise, participants should be able to do the following:
- Explore and address cybersecurity challenges
- Define or refine participants' roles and responsibilities for managing the consequences of a cybersecurity incident, which should be reflected in their plans, policies and procedures and other preparedness elements currently in place or under development
- Build relationships between utilities and stakeholders

Exercise Objectives: (cont.)
- Increase awareness of the damage that can be caused by a cybersecurity incident on a business or control system
- Identify other needed enhancements related to training and exercises and other preparedness elements currently in place or under development
- This session will not be a success unless you as a participant go back to your office and follow through

Roles and Responsibilities:
- Players respond to the situation presented based on expert knowledge of response procedures, current plans and procedures and insights derived from training and experience
- Observers observe the exercise but do not participate in the facilitated discussion period
- Facilitators lead the exercise by presenting the scenario narrative and facilitating the discussion period and hot wash (action planning session or review session)
- Evaluators monitor the exercise, track accomplishments according to objectives and may ask questions

Exercise Rules:
- This exercise will be held in an open, low-stress, no-fault environment; varying viewpoints, even disagreements, are expected
- Respond to the scenario using your knowledge of current plans and capabilities (i.e., you may use only existing assets) and insights derived from your training
- Decisions are not precedent setting and may not reflect your organization's final position on a given issue; this exercise is an opportunity to discuss and present multiple options and possible solutions

Exercise Rules: (cont.)
- Issue identification is not as valuable as suggestions and recommended actions that could improve [prevention, protection, mitigation, response or recovery] efforts; problem-solving efforts should be the focus
- Assume there will be cooperation and support from other responders and agencies
- The basis for discussion consists of the scenario narrative and modules, your experience, your understanding of your Emergency Response Plan (ERP), your intuition and other utility resources included as part of this material or that you brought with you
- Treat the scenario as if it will affect your area

Action Planning Session:
- Following the facilitated discussion period, the facilitator will lead an Action Planning Session, also known as a hot wash
- Participants are encouraged to identify, discuss and prioritize next steps, actions, tasks and other follow-up activities
- Identify additional collaborators if needed
- Schedule a follow-up meeting
Module 1: April 24, The Suspicious Email

Module 1: April 24, 0730 hrs
- John is a new office clerk for the public utility in Lakewood
- He receives an email with the subject title "Failed Package Delivery Notice"
- John opens the email
- When John opened the email, he noticed that the recipient name and address were not his, so he clicked the included link to find out more information
- The link took him to what appeared to be a blank webpage, but after a few seconds, it redirected him to Fedex.com
- Lacking any more information on the package, he closed the email and continued to go about his business

Key Issues, Module 1
- John receives a suspicious email and clicks on the link
Module 2: April 24, A Message Appears

Module 2: April 24, 1030 hrs
- A few hours later, a message appears on John's computer screen that reads "Your personal files are encrypted"
- Files can be decrypted if a ransom for $300 is paid to receive a decryption key
- There is limited time to pay the ransom and get the key
- John sees all his files, but an error message appears when he tries to open them
- Afraid of disciplinary action, John decides to pay the ransom himself

Key Issues, Module 2
- The files on John's computer are encrypted
- John does not notify anyone or seek advice before paying the ransom
- John did not check the files on the town's server, which he can access from his computer
Module 3: April 24, The Malware Spreads

Module 3: April 24, 1130 hrs
- John is panicked because he has not received the decryption key
- Christina asks John if he is having trouble accessing server files, as she is
- Christina is worried because the town's server holds six years of critical files and customer billing information needed for daily operations
- John breaks down and tells Christina about the ransom and that he still doesn't have the key

Module 3: April 24, 1130 hrs (cont.)
- Christina responds to John that they must report the incident to their supervisor immediately
- They then call their IT vendor representative, Thomas; he tells them to disconnect both John's computer and the infected server from the network
- Thomas goes to John's office and confirms that the files on both his computer and the town's server have been encrypted

Key Issues, Module 3
- The malware has spread to the town server and all the files are encrypted
- Business operations are frozen until the files can be accessed
- John has not received the decryption key
Module 4: April 24, SCADA Locked

Module 4: April 24, 1245 hrs
- Thomas is working on John's computer and the town's server when he receives an urgent call from the town's combined drinking water and wastewater treatment facility
- The operator there has observed that the Supervisory Control and Data Acquisition (SCADA) control screens are not showing updated data
- Instead, the screens have frozen, and critical process information is not current

Module 4: April 24, 1245 hrs (cont.)
- Thomas believes that the utility's SCADA problems are due to the malware infection on John's computer and the town's server
- Thomas tells the operator that if possible, the drinking water and wastewater processes should be operated in a manual mode

Key Issues, Module 4
- The town server and the SCADA system for the drinking water and wastewater utility are connected through a flat network, which means there is no firewall regulating traffic between the server and the SCADA system
- The integrity of the SCADA system has been compromised by the malware infection: control screens are frozen, and utility process control system information is not being updated
- The utility must be operated in manual mode
Module 5: April 24, Malware Identified

Module 5: April 24, 1400 hrs
- After investigation, Thomas confirms that the malware did spread across the flat network from the town server to the SCADA system
- The malware encrypted critical data and program files that the SCADA system needs

Key Issues, Module 5
- The malware encrypted critical data files that the SCADA system reads and uses for communications with operators and between processes
- Thomas will need to investigate multiple components connected to the SCADA system to evaluate the extent of damage
Module 6: April 25, The System is Restored

Module 6: April 25, 0530 hrs
- After confirming malware contamination, Thomas backs up all the log files to keep a record of the incident
- He then wipes each infected computer and restores them with clean backups
- Next, Thomas retrieves the last set of backups (one month old) for the town's server; he proceeds to restore the server from the backups
- Several errors are displayed
- Thomas checks the backup drive, and realizes that some files are not readable

Module 6: April 25, 0530 hrs (cont.)
- Thomas, unable to proceed with a quick restoration, decides to do a full reinstallation and reconfiguration of the file server
- Thomas works through the night to get the server back up and running
- Thomas repeats these procedures at the utility, allowing the utility to switch back to automated operation

Module 6: April 25, 0530 hrs (cont.)
- Thomas runs a couple of malware tools on John's individual workstation
- There were no backups of John's files, and all the impacted files are lost
- Thomas reports the incident to the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)

Key Issues, Module 6
- Backups were not routinely verified to ensure that they functioned as needed
- Thomas conducts a full system restoration and wipes all workstations clean of the malware
- Thomas reports the incident to ICS-CERT
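The first key issue above, backups that were never checked until the day they were needed, is the one a participant can act on most directly. As an added example that is not part of the exercise material, the Python script below records a SHA-256 manifest when a backup set is written and later re-reads every listed file to flag missing, unreadable or altered files before a real restore depends on them; the manifest name, helper names and the sample files in demo() are this example's own assumptions, constructed in a throwaway directory.

```python
# Added example (not from the exercise material): hash a backup set when it
# is written, then re-read it later to prove it is still restorable.
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.json"  # assumed name for the stored hash record

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def write_manifest(backup_dir: Path) -> dict:
    """Record a SHA-256 per file at backup time (relative paths as keys)."""
    files = [p for p in sorted(backup_dir.rglob("*")) if p.is_file() and p.name != MANIFEST]
    manifest = {str(p.relative_to(backup_dir)): sha256_of(p) for p in files}
    (backup_dir / MANIFEST).write_text(json.dumps(manifest, indent=1))
    return manifest

def verify_backup(backup_dir: Path) -> dict:
    """Re-read every manifest entry and classify what a restore would hit."""
    manifest = json.loads((backup_dir / MANIFEST).read_text())
    result = {"ok": [], "missing": [], "unreadable": [], "corrupt": []}
    for rel, expected in manifest.items():
        p = backup_dir / rel
        if not p.exists():
            result["missing"].append(rel)
            continue
        try:
            actual = sha256_of(p)
        except OSError:  # bad media or permissions: the "not readable" case
            result["unreadable"].append(rel)
            continue
        result["ok" if actual == expected else "corrupt"].append(rel)
    return result

def demo() -> dict:
    """Constructed scenario: one intact file, one damaged, one deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "billing.csv").write_text("acct,amount\n1001,42.10\n")
        (root / "scada_config.ini").write_text("[hmi]\npoll_seconds=5\n")
        (root / "event_log.txt").write_text("startup ok\n")
        write_manifest(root)
        (root / "scada_config.ini").write_bytes(b"\x00\x00\x00")  # silent damage
        (root / "event_log.txt").unlink()                          # lost file
        return verify_backup(root)
```

Scheduling verify_backup() against each backup set, and treating any non-empty missing, unreadable or corrupt list as an alert, turns the one-month-old surprise in Module 6 into a routine finding.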
Action Planning Session: Post-Exercise Hot Wash

Review of Exercise Objectives
- Explore and address cybersecurity challenges
- Define or refine participants' roles and responsibilities for managing the consequences of a cybersecurity incident, which should be reflected in their plans, policies and procedures and other preparedness elements currently in place or under development
- Build relationships between utilities and stakeholders
- Increase awareness of the damage that can be caused by a cybersecurity incident on a business or control system
- Identify other needed enhancements related to training and exercises and other preparedness elements currently in place or under development

Conclusion
- Please turn in your notes from the Action Planning Session, your participant evaluation form and any additional comments you wish to share
- This information will be used to develop an After Action Report and Improvement Plan

Closing Remarks
- Thank you for participating