
1

The University of Southern Mississippi
National Center for Spectator Sport Safety and Security

Cyber Security Tabletop Exercise

Facilitator: James A. McGee – National Center for Spectator Sport Safety and Security
Spring 2010

2

Content

Exercise Rules
Exercise Objectives
Exercise Schedule
Scenario Briefings

3

Exercise Rules

Scenario depicts a plausible cyber security event

No trick questions or “hidden” agendas

Players have no previous knowledge of the scenario, and will receive information at the same time

Players will respond using existing plans, procedures and other response resources

Decisions are not precedent-setting and may not reflect your organization’s final position on a given issue

4

Exercise Objectives

Examine the capabilities of USM to prepare for, protect from, and respond to the effects of cyber attacks.

Exercise senior leadership decision making and interagency coordination of incident responses in accordance with the USM Cyber Response Plan.

Validate information sharing relationships and communications paths for the collection and dissemination of cyber incident situational awareness, response, and recovery information.

Exercise intra-governmental (Federal-State) coordination and incident response.

Identify policies/issues that hinder or support cyber security requirements.

DRAFT

5

Exercise Objectives (Continued)

Identify public/private interface communications and thresholds of coordination to improve cyber incident response and recovery, as well as identify critical information sharing paths and mechanisms.

Identify, improve, and promote public and private sector interaction in processes and procedures for communicating appropriate information to key stakeholders and the public.

Identify cyber-physical interdependence of infrastructure of real-world economic and political impact.

Raise awareness of the economic and national security impacts associated with a significant cyber incident.

Highlight available tools and technology with analytical cyber incident response and recovery capability.

6

Exercise Schedule

8:30 A.M. Participant Sign-In/Coffee

9:00 A.M. Introduction
Discuss general instructions and ground rules of the exercise

9:15 A.M. Exercise Overview
Discuss exercise objectives and schedule of exercise

9:30 A.M. Read Module 1
A loose coalition of well-financed “hacktivists” with a political agenda, who directed anti-globalization and anarchist activism, introduced a massive computer virus attack into the USM cyber system.

9:45 A.M. Module 1 Discussion


7

Exercise Schedule (Continued)

10:00 A.M. Read Module 2
A cadre of “hacktivists” continued to leverage their collective capabilities to mount a coordinated cyber attack. By generating counterfeit digital certificates, the “hacktivists” directed unknowing web users to “spoofed” websites where funds were extorted and personal information was mined.

10:15 A.M. Module 2 Discussion

8

Exercise Schedule (Continued)

10:30 A.M. Read Module 3
While the nation continued to experience widespread impacts of attacks on the IT and Communications sectors, the adversary targeted individual universities. The adversary’s intent was to cause cascading disruptions stemming from specific, focused attacks.

10:45 A.M. Module 3 Discussion

11:00 A.M. Debriefing about Lessons Learned

11:30 A.M. End of Exercise/Lunch

9

Cyber Security Scenario

The exercise simulates a sophisticated cyber attack campaign through a series of modules directed against critical infrastructures. The intent of these modules is to highlight the interconnectedness of cyber systems with the physical infrastructure and to exercise coordination and communication between the public and private sectors.

10

Cyber Security Scenario (Continued)

The exercise is a simulated event with no real-world effects on, tampering with, or damage to any critical infrastructure. While the scenario is based on hypothetical but possible situations, they are not intended as a forecast of future terrorist-related events. The collective modules have three major adversarial objectives:

To disrupt specifically targeted critical infrastructures through cyber attacks

To hinder the University’s ability to respond to the cyber attacks

To undermine public confidence in the University’s ability to provide/protect services


11

Scenario Briefing – Module 1

March 01, 2010

The following incidents involving disruptions to cyber security at USM have been reported:

Hackers recently broke into the USM computer database, which could potentially compromise student, faculty and staff records.

Upon consulting with the MS-ISAC, it was revealed that six other universities were having similar problems.

Reports that certain USM on-line service support systems (everything from SOAR to financial aid) are down or behaving erratically due to what appears to be a massive computer virus attack.


12

Module 1 Key Discussion Questions

What kind of information is available to faculty, staff, students, and parents about an attack to the cyber system?

Have faculty, staff, community and emergency response partners been involved in providing input and feedback for crisis planning for schools?

Will faculty and staff play a role in the incident command structure once the Incident Command System (ICS) is activated during an emergency? If so, what is the role?

Is the USM current emergency response plan suited for a cyber attack?

Is there a communication plan for keeping faculty, staff and students informed of decisions regarding attacks to the cyber system?


13

Module 1 Questions

14

Scenario Briefing – Module 2

March 05, 2010

The “hacktivists” specifically targeted several critical infrastructure sectors, along with state and federal agencies, the media, and universities.

By generating counterfeit digital certificates, the “hacktivists” directed unknowing USM web users to “spoofed” websites where funds were extorted and personal information was mined.


15

Scenario Briefing – Module 2 (Continued)

March 05, 2010

Coordinated attacks on domain name servers and telecommunications router infrastructure resulted in a distributed denial of service and unreliable telephony. Users were intermittently unable to access websites, send email, and make phone calls. Victims of the attack were forced to explore alternative methods of communication during the disruptions.

The USM Chief Security Officer (CSO) has received e-mail threats, and false Amber Alerts have been broadcast. The series of suspicious events compelled the USM CSO to request activation of the State’s Emergency Operations Center.


16

Module 2 Key Discussion Questions

Does the university have firewalls and countermeasures in place to protect the cyber system?

Does the university plan to maintain educational operations in the case of a large-scale cyber attack? If so, what plan is in place for maintaining continuity of instruction/business?

Does the university have established communication protocols with community and emergency response partners during a massive cyber attack?

What is the university’s plan to communicate with media for latest information dissemination?

What is the university’s plan to communicate with emergency response partners during a cyber attack of this nature?

17

Module 2 Questions

18

Scenario Briefing – Module 3

March 09, 2010

After evaluating the alleged incidents, the Governor determined that the threats were coordinated and serious enough to stand up the State Emergency Operations Center and reported the situation to the MS-ISAC. Several Federal law enforcement, intelligence, homeland security, defense, and sector-specific departments/agencies were notified.

The State obtained one of the counterfeit Malware CDs and successfully installed countermeasures to halt the attacks. The USM CSO received indication from the attackers that this type of situation would reoccur if their extortion demands were not met. The State took the threat seriously, coordinating efforts with the Federal Bureau of Investigation (FBI) to apprehend the adversary, and continued their cyber response procedures.


19

Scenario Briefing – Module 3 (Continued)

March 09, 2010

While the nation continued to experience widespread impacts of attacks on the IT and Communications sectors, the “hacktivists” targeted individual universities. The “hacktivists’” intent was to cause cascading disruptions stemming from specific, focused attacks.

As the events unfolded, law enforcement and intelligence agencies gathered information and responded as necessary. In coordination with the impacted private sector entities and other government agencies, law enforcement and the Intelligence Community worked to halt attacks and restore confidence in the Internet. All participating organizations relied on trusted relationships and forged new communications paths to share information and build and pass along situational awareness.

20

Module 3 Key Discussion Questions

What key procedures are in place to support the continuity of essential university operations during a school closure? The following items should be considered during discussion:

Air quality/HVAC system functions
Communication/Eagle Alert Systems
Payroll
Student Accounts

How much time/school days does the university need to repair the cyber system?

21

Module 3 Key Discussion Questions (Continued)

What is the university’s plan to maintain monitoring for possible resurgence of the computer virus/attack?

Does the university have agreements in place with local and/or State emergency response entities regarding cyber security measures?

What are USM procedures to maintain communication with community and emergency response partners?

What are USM procedures to communicate with parents, students, and staff?

22

Module 3 Questions

23

Exercise Debriefing Questions

Does the USM emergency management plan adequately address key issues, such as faculty and staff training in the event of a cyber attack?

What problems did you identify in the emergency management procedures that could hinder emergency management efforts associated with a cyber attack?

Does the USM emergency management plan adequately address key issues faced during a cyber attack, including continuity of business operations (e.g., payroll) and student accounts?

24

Exercise Debriefing Questions (Continued)

Do the USM emergency management procedures properly coordinate communication as an emergency response activity among colleges, students, faculty, staff and community and emergency response partners during a cyber attack? In your opinion, what can be done to improve communication during an emergency situation such as the cyber attack scenario presented in the exercise?

Does the emergency management plan include partnerships with local and regional partners ensuring service and support during a cyber attack?

In what ways were/will parents be engaged as stakeholders during the response to a cyber attack?

25

Exercise Debriefing Questions (Continued)

Is there adequate support for students, faculty, and staff before, during, and after a mass cyber attack? If not, what activities and partnerships did the team identify to enhance assistance to faculty, staff, and students?

Overall, what activities hastened recovery of the USM cyber system? What strategies prevented a greater prevalence of disruption? What are lessons learned for responding to future cyber attacks? What activities were the most helpful for recovering from the cyber attack?

What activities or processes were identified as gaps or weaknesses and will be addressed in future efforts?

26

END OF EXERCISE

The input, feedback, and questions you generate during participation in this exercise will help improve university emergency management efforts. Currently, there is no known cyber attack in the United States and all events depicted in this exercise are fictional. The goal of this exercise is to provide universities as well as their respective community and emergency response partners an opportunity, through discussion of possible events, to better prepare for a cyber attack.