BCI North East Forum, 28 June 2016 Cyber Exercise DWP, Quarry House, Leeds

BCI North East forum cyber exercise


Department for Work & Pensions

Background

The DWP Security Incident Response Team (SIRT) has developed a theoretical cyber attack scenario.

• Today's scenario is based on actual events

• This type of cyber threat scenario is one of the most serious: it impacts Critical National Infrastructure (CNI) and is relevant to any industry that uses Industrial Control Systems (ICS)

• We will talk shortly about ICS being a growing target of cyber attacks

• After the exercise, additional detail will be provided to reflect what happened in real life

• Further reading is available online, and we are providing links to further information about ICS and CNI.


Exercise scenario

A coal-fired power station in the North East of England is experiencing technical difficulties. The power it is producing is not being transferred to the National Grid. There are six generators at this power station and each one of them is capable of supplying electricity to a million homes (roughly the size of Leeds), therefore 6 million homes in total are potentially affected. The power supply to businesses and a vast range of public organisations is also affected.

Points to note:

• The usual supply of power to the region ceased at 15:35 on Monday 27 June

• The power station's Industrial Control Systems are not working and its staff cannot access the internal computer network

• Power station engineers are trying to identify the cause of the outage

• People's lives are already affected: the electricity supply is off, the water supply is off, and this in turn affects some public transport

• It is proving difficult to contact the power station; its lines are constantly engaged.


Industrial Control Systems (ICS)

Targeted cyber attacks on ICS are now said to be one of the biggest threats to our critical national infrastructure.

ICS is a general term for the different types of control systems used in industrial production, such as supervisory control and data acquisition (SCADA) systems and distributed control systems (DCS).

These systems are typically used in industries such as electricity, water, oil, gas, chemicals, pharmaceuticals, some food and beverage, wastewater, pulp and paper, utility power, mining and metals.

In an ICS, data is received from and pushed between remote stations in order to control field devices. These devices act on either automated commands or operator commands and are used to control local operations such as opening and closing valves and breakers, collecting data from sensor systems, or monitoring the local environment for alarm conditions.

Some ICS are large and complex distributed control systems (DCS). These gather data from and control large campus-wide systems in real time. They are often used to control industrial processes such as electric power generation, oil and gas refining, water and wastewater treatment, and chemical, food and automotive production.


Exercise groups

We are splitting you into eight groups with a mix of backgrounds in each:

Groups 1-4: the North East Power Station

Groups 5-8: The Leeds Teaching Hospitals NHS Trust

Find your group and we will provide each group with its brief and subsequent injects.

Groups 1-4: Power Station – leadership team summary 1

Power Station – Operations situation report 1: 27 June, 16.00

• Your press office has acted on instructions and announced that you have technical difficulties and are unable to transfer power to the National Grid

• Your ICS are not functioning

• Your staff cannot access your internal computer network

• Substations in the outlying area are also affected

• You have no water supply.

Power Station – Security situation report 1: 27 June, 16.00

• Cyber experts in your IT department have identified indicators of a potential security incident

• Early reports suggest that a foreign attacker may have remotely controlled the distribution management system. It has also come to light that, two months ago, the power station was subject to a sustained spear phishing campaign

• Your cyber experts have identified the presence of malware at the power station: BlackEnergy 3. This has been used to establish a foothold on your internal network and to deploy keystroke loggers that steal credentials.

What are you going to do?


Groups 1-4: Power Station – leadership team summary 2

Power Station – Operations situation report 2: 28 June, 10.00

• Your headquarters press office has been contacted by the BBC's regional office and is being asked what is going on

• Staff are asking questions about the safety of their personal data, as rumours are circulating that data theft has taken place.

Power Station – Security situation report 2: 28 June, 10.00

• Your cyber experts have advised that remote connections have been established between the power station network and unauthorised external parties

• The Uninterruptible Power Supply (UPS) systems have been impacted and are not providing power to the systems that depend on them.

What are you going to do?


Groups 1-4: Power Station – leadership team summary 3

Power Station – Operations situation report 3: 28 June, 13.00

• Your security team has reported that a crowd has gathered outside the entrance gates to your complex. This seems to be a mixture of local and national media journalists, union representatives and relatives of some of your staff, who are anxious to know what is going on

• COBR (Cabinet Office Briefing Rooms) is asking for an urgent update on when the power station will become operational, and wants to know whether you have identified the cause of the disruption, what you are doing about it, and how you are going to handle the media.

Power Station – Security situation report 3: 28 June, 13.00

• Experts in your IT department have confirmed that a telephone denial-of-service attack against your call centre has succeeded.

What are you going to do?


Groups 5-8: Leeds Teaching Hospitals – leadership team - summary 1

NHS Trust – Operations situation report 1: 27 June, 16.00

You are one of the largest and busiest NHS acute health providers in the UK. You manage seven Leeds-based health institutions, including Leeds General Infirmary and St James's.

• Your two largest Leeds hospitals have lost power. Your staff are putting local business continuity arrangements into place and asking for a co-ordinated response and more information

• You want to avoid becoming a contributor to an emerging public safety situation by protecting the health, safety and security of staff, patients, suppliers and customers.

NHS Trust – Security situation report 1: 27 June, 16.00

• Rumours on social media suggest that a foreign attacker has taken control of the local power supply. Your press office reports that people are tweeting claims that North East infrastructure is undergoing a sustained cyber attack designed to disable the region

• You are concerned about the impact of the power station attack on you, and that your organisation could be the next target of a cyber attack on infrastructure.

What are you going to do?


Groups 5-8: Leeds Teaching Hospitals – leadership team - summary 2

NHS Trust – Operations situation report 2: 28 June, 10.00

• Your A&E departments are starting to see an influx of patients who have been involved in accidents during the power outage across the city. Some waiting rooms are overflowing

• Your HR and Communications departments are asking what to say to staff who are having to deal with frightened, confused and angry patients and their relatives

• Your hospital managers are saying that if the power loss continues they will encounter further problems in keeping services running.

NHS Trust – Security situation report 2: 28 June, 10.00

• Experts in your IT department have reported that Leeds General Infirmary has lost central heating

• They are warning that you might lose heating at other sites, that they cannot access hospital network data, and that you are now unable to manage sensitive equipment in operating theatres.

What are you going to do?


Groups 5-8: Leeds Teaching Hospitals – leadership team - summary 3

NHS Trust – Operations situation report 3: 28 June, 13.00

• Some people are still arriving at hospital receptions for pre-booked appointments and treatments

• You are at risk of running out of food and stocks of other essentials, as suppliers and distributors are saying they are unable to maintain deliveries due to infrastructure problems

• Emergency response services are saying they are now at full capacity.

NHS Trust – Security situation report 3: 28 June, 13.00

• Your IT experts have highlighted the potential for the general public to suffer a significant increase in health and safety incidents and accidents resulting from the general loss of Industrial Control Systems for managing infrastructure and/or heavy machinery. This will put even more pressure on hospitals and emergency services.

What are you going to do?


Cyber attack desktop exercise

Feedback from groups


Technical components used in Ukraine attack

Attackers used:

• Spear phishing to gain access to the power station's business networks (the adversary sent a targeted email with a malicious attachment to specific individuals within the station, which appeared to come from a trusted source). Initial mitigation recommendations would point to the need for end-user awareness training and ongoing phishing testing

• BlackEnergy 3, found at all of the attacked sites. The adversary appears to have used this to establish a foothold and deployed keystroke loggers to perform credential theft

• Theft of credentials from the business networks

• Virtual private networks (VPNs) to enter the ICS network (no two-factor authentication was in place at the time)

• Existing remote access tools within the environment, or commands issued directly from a remote station similar to an operator HMI (Human Machine Interface)

• Serial-to-Ethernet communications devices, impacted at the firmware level

• Modified KillDisk to erase the master boot record of impacted organisation systems, as well as the targeted deletion of some logs

• Uninterruptible Power Supply (UPS) systems to impact connected load with a scheduled service outage

• A telephone denial-of-service attack on the call centre.
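The VPN-without-second-factor item and the "unauthorised external parties" inject earlier in the exercise are the two conditions a power station's own IT team could have caught from its VPN logs. What follows is an added example, not code from the DWP deck or from any organisation it describes: a small Python review of VPN concentrator log lines that flags successful sessions into the ICS zone authenticated by a password alone, and ICS sessions from source addresses outside an approved remote-maintenance range. The log format, field names, user names, IP addresses and the approved range are all assumptions made for this example, and the sample lines are constructed.

```python
"""VPN access review for an ICS network: added example, not part of the DWP deck.

Two checks motivated by the Ukraine attack summary, run over VPN
concentrator log lines:
  1. a successful login to the ICS zone that used a password only
     (no second factor), and
  2. an ICS session from a source address outside the approved
     remote-maintenance ranges ("unauthorised external parties").
The log format, field names, user names, addresses and approved ranges
are all assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import datetime
import ipaddress
import re
from typing import List, Optional, Set, Union

# Constructed sample lines in an assumed syslog-style "key=value" format.
# Times precede the 15:35 outage in the exercise scenario.
SAMPLE_LOGS = """\
2016-06-27T15:05:11Z vpn01 user=jsmith src=198.51.100.10 zone=ics auth=password,otp result=success
2016-06-27T15:12:40Z vpn01 user=jsmith src=203.0.113.45 zone=ics auth=password result=success
2016-06-27T15:20:03Z vpn01 user=apatel src=203.0.113.45 zone=business auth=password result=success
2016-06-27T15:30:55Z vpn01 user=ops_hmi src=203.0.113.45 zone=ics auth=password result=failure
2016-06-27T15:33:21Z vpn01 user=ops_hmi src=203.0.113.45 zone=ics auth=password,otp result=success
2016-06-27T15:34:00Z vpn01 heartbeat
"""

# Assumed: only the maintenance contractor's range may open ICS sessions.
APPROVED_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]

# Assumed: the concentrator lists the factors used, comma-separated;
# anything other than a password counts as a second factor.
PASSWORD_FACTORS = {"password"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kv>.+)$")

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class VpnEvent:
    ts: datetime
    host: str
    user: str
    src: IPAddress
    zone: str
    factors: frozenset
    result: str


@dataclass(frozen=True)
class Finding:
    ts: datetime
    user: str
    reason: str


def parse_line(line: str) -> Optional[VpnEvent]:
    """Parse one log line; return None for lines that are not auth records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kv = dict(tok.split("=", 1) for tok in m["kv"].split() if "=" in tok)
    if any(k not in kv for k in ("user", "src", "zone", "auth", "result")):
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        src = ipaddress.ip_address(kv["src"])
    except ValueError:
        return None
    factors = frozenset(kv["auth"].split(","))
    return VpnEvent(ts, m["host"], kv["user"], src, kv["zone"], factors, kv["result"])


def has_second_factor(factors) -> bool:
    """True when at least one factor other than a password was used."""
    return bool(factors - PASSWORD_FACTORS)


def is_approved_source(src: IPAddress) -> bool:
    return any(src in net for net in APPROVED_SOURCES)


def review_ics_access(lines) -> List[Finding]:
    """Flag successful ICS-zone sessions that lack a second factor or
    originate outside the approved ranges. Failed logins and business-zone
    sessions are out of scope for this check."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.result != "success" or ev.zone != "ics":
            continue
        if not has_second_factor(ev.factors):
            findings.append(Finding(ev.ts, ev.user, "password-only login to ICS zone"))
        if not is_approved_source(ev.src):
            findings.append(Finding(ev.ts, ev.user, f"ICS session from unapproved source {ev.src}"))
    return findings


def accounts_to_reset(findings) -> Set[str]:
    """Accounts seen in suspicious ICS sessions: treat their credentials as stolen."""
    return {f.user for f in findings}


if __name__ == "__main__":
    results = review_ics_access(SAMPLE_LOGS.splitlines())
    for f in results:
        print(f"{f.ts:%Y-%m-%d %H:%M} {f.user:<8} {f.reason}")
    print("reset credentials for:", sorted(accounts_to_reset(results)))
```

Run as a script it reports three findings from the constructed lines: the password-only session and the unapproved source for jsmith at 15:12, and the unapproved source for ops_hmi at 15:33. The accounts it returns are the ones whose credentials should be treated as stolen and reset, which is the response the credential-theft item above calls for. In a real deployment the approved ranges and factor names come from the concentrator's configuration, and the rule should be enforcement (reject password-only ICS logins) rather than after-the-fact review.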


Building cyber/data breach response capability:

Raise awareness of cyber basics – Staff need to know the basic facts of the cyber world: data breaches, their impacts and the reputational challenges. This enhances not only the ability to measure a response, but the ability to know what to ask technical staff.

Know your facts / business – Understand your information assets, how they are protected, and what can be done with the information if it is stolen or breached. Questions from the media now come quicker and from a more informed perspective. Know the impact on the customer.

Understand your response capability – Understand how you would communicate and who is responsible, how long it would take, and through what channel. Communications messages could swamp call centres if not managed. Ignore social media at your peril (monitor / respond / ignore). What support do you have for forensic analysis?

Understand the requirements of the Information Commissioner's Office (ICO) – Find out about your obligations and how to comply, including protecting personal information and providing access to official information: https://ico.org.uk/for-organisations/ For an organisation's responsibilities to report a data breach: https://ico.org.uk/for-organisations/report-a-breach/

Build relationships – Use workshops, desktop walkthroughs and exercises to build internal relationships. Are Security and Business Continuity separate functions? Is Crisis Management a different team? What about the Communications Manager? Also look externally, to organisations such as the ICO.

Develop plans! – Put plans, playbooks and guidance in place to support the response. These should be exercised and reviewed as part of lessons learned.


Cyber Security

10 Steps to Cyber Security

• Communications-Electronics Security Group (CESG), part of GCHQ, has published 10 Steps to Cyber Security on GOV.UK – 10 Steps: A Board Level Responsibility.

• https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility

Key points

• Establish an Information Risk Management regime

• Establish an effective governance structure and determine your risk appetite

• Maintain the Board's engagement with cyber risk

• Underpin everything with user education and awareness; produce user security policies covering acceptable and secure use of systems

• Establish a staff training programme and maintain user awareness of cyber risks.

Cyber Essentials Scheme

• The Department for Business, Innovation and Skills is the government lead for this Scheme, which forms part of the UK Cyber Security Strategy.

• https://www.gov.uk/government/publications/cyber-essentials-scheme-overview


Cyber Security

Patch Management

The effective management of IT patches is a key aspect of reducing the impact of certain cyber threats. Deploying patches closes identified vulnerabilities. See Common Cyber Attacks: Reducing The Impact

• https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400106/Common_Cyber_Attacks-Reducing_The_Impact.pdf

Cyber Essentials – further information

• http://www.cyberstreetwise.com/cyberessentials

• http://www.cesg.gov.uk/servicecatalogue/cyber-essentials/Pages/Scheme-Library.aspx

Seven Tips for Cyber Exercises

• https://crisisthinking.co.uk/2016/04/01/seven-tips-for-cyber-exercises/