Utility Tabletop Cybersecurity Exercises

Recently, a group of federal partners, comprised of the Federal Energy Regulatory Commission (FERC), North American Reliability Corporation (NERC) and it’s regional entities released their Cyber Planning for Response and Recovery Study (CYPRES). The report was based on a review and analysis of the incident response and recovery capabilities of a set of their member’s cyber security units, and is a great example of some of the information sharing that is increasing in the industry. The report included reviews of eight utility companies’ incident response plans for critical infrastructure environments, and the programs reviewed varied in their size, complexity and maturity, though all were public utilities.

Though the specific tactics suggested in the report’s findings have come under fire and criticism, a few items emerged that were of broad agreement. The first is that most successful programs are based on NIST 800-61, which is a fantastic framework for incident response plans. Secondly, the report discusses how useful tabletop exercises are for practicing responses to cybersecurity threats and re-enforcing the lessons learned feedback loop to improve capabilities. As a result, each public utility should strongly consider implementing periodic tabletop exercises as a part of their cyber security and risk management programs.

Tabletop Exercises from MSI

At MicroSolved, we have been running cyber security tabletop exercises for our clients for more than a decade. We have a proprietary methodology for building out the role playing scenarios and using real-world threat intelligence and results from the client’s vulnerability management tools in the simulation. Our scenarios are developed into simulation modules, pre-approved by the client, and also include a variety of randomized events and nuances to more precisely simulate real life. During the tabletop exercise, we also leverage a custom written gaming management system to handle all event details, track game time and handle the randomization nuances.

Our tabletop exercise process is performed by two MSI team members. The first acts as the simulation moderator and “game master”, presenting the scenarios and tracking the various open threads as the simulation progresses. The second team member is an “observer” and they are skilled risk management team members who pre-review your incident response policies, procedures and documentation so that they can then prepare a gap analysis after the simulation. The gap analysis compares your performance during the game to the process and procedure requirements described and notes any differences, weaknesses or suggestions for improvement.

Target scenarios can be created to test any division of the organization, wide scale attacks or deeply nuanced compromises of specific lines of business. Various utility systems can be impacted in the simulation, including business networks, payment processing, EDI/supply chain, metering/AMI/smart grid, ICS/SCADA or other mission critical systems.Combination and cascading failures, disaster recovery and business continuity can also be modeled. In short, just about any cyber risks can be a part of the exercise.

Tabletop Exercise Outcomes and Deliverables

Our tabletop exercises result in a variety of detailed reports and a knowledge transfer session, if desired. The reports include the results of the policy/procedure review and gap analysis, a description of the simulated incident and an action plan for future improvements. If desired, a board level executive summary can also be included, suitable for presentation to boards, management teams, direct oversight groups, Public Utility Commission and Homeland Security auditors as well.

These reports will discuss the security measures tested, and provide advice on proactive controls that can be implemented, enhanced, matured or practiced in order to display capabilities in future incidents that reflect the ability to perform more rapid and efficient recovery.

The knowledge transfer session is your team’s chance to ask questions about the process, learn more about the gaps observed in their performance and discuss the lessons learned, suggestions and controls that call for improvement. Of course the session can include discussions of related initiatives and provide for contact information exchange with our team members, in the event that they can assist your team in the future. The knowledge transfer session can also be performed after your team has a chance to perform a major review of the reports and findings.

How to Get Started on Tabletop Exercises from MSI

Tabletop exercises are available from our team for cyber security incidents, disaster preparedness and response or business continuity functions. Exercises are available on an ad-hoc, 1 year, 2 year or 3 year subscription packages with frequencies ranging from quarterly to twice per year or yearly. Our team’s experience is applicable to all utility cyber programs and can include any required government partners, government agencies or regulators as appropriate.

Our team can help develop the scope of threats, cyber attacks or emergency events to be simulated. Common current examples include ransomware, phishing-based account compromises, cyber attacks that coincide with catastrophic events or service disruptions, physical attacks against substations or natural gas pipelines, data breach and compromise of various parts of the ICS/SCADA infrastructure. Our team will work with you to ensure that the scenario meets all of your important points and concerns.

Once the scenario is approved, we will schedule the simulation (which can be easily performed via web-conference to reduce travel costs and facilitate easy team attendance) and build the nuances to create the effects of a real event. Once completed, the reporting and knowledge transfer sessions can follow each instance.

Tabletop exercises can go a long way to increasing cybersecurity preparedness and re-enforcing the cybersecurity mindset of your team. It can also be a great opportunity for increasing IT/OT cooperation and strengthening relationships between those team members.

To get started, simply contact us via this web form or give us a call at (614) 351-1237. We would love to discuss tabletop exercises with you and help you leverage them to increase your security posture.

 

Security Alert: RSA Breach and 7 Ways to Secure Your Tokens

Since the compromise of the RSA environment several months ago, much attention has been paid to the potential impact of the attack on RSA customers.

Given the popularity of the RSA products and the sensitivity of the processes that they protect, the situation should be taken very seriously by RSA token users.

Last night, RSA made a public announcement that their breach and information stolen in that breach has now been used in attacks against RSA customers. The primary focus, as far as is known, has been the defense sector, but it is very likely that additional threat-focus has been placed on other critically sensitive verticals such as financial and critical infrastructure.

There are a number of things that RSA customers should do, in the advice of MicroSolved, Inc. Below is a short list of identified strategies and tactics:

  1. Identify all surfaces exposed that include RSA components. Ensure your security team has a complete map of where and how the RSA authentication systems are in use in your organization.
  2. Establish a plan for how you will replace your tokens and how you will evaluate and handle the risks of exposure while you perform replacement.
  3. Increase your vigilance and monitoring of RSA exposed surfaces. This should include additional log, event and intrusion monitoring around the exposed surfaces. You might also consider the deployment of honeypots or other drop-in measures to detect illicit activity against or via compromised systems available with the RSA exposed surfaces.
  4. Develop an incident response plan to handle any incidents that arise around this issue.
  5. Increase the PIN length of your deployments as suggested by RSA, where appropriate, based on identified risk and threat metrics.
  6. Teach your IT team and users about the threats and the issue. Prepare your team to handle questions from users, customers and other folks as this issue gains media attention and grows in visibility. Prepare your technical management team to answer questions from executives and Board-level staff around this issue.
  7. Get in contact with RSA, either via your account executive or via the following phone number for EMC (RSA’s parent company): 1-800-782-4362

In the meantime, if MSI can assist you with any of these steps or work with you to review your plan, please let us know. Our engineers are aware of the issues and the processes customers are using to manage this problem in a variety of verticals. We can help you with planning or additional detection and monitoring techniques should you desire.

We wish our clients the highest amount of safety and security as we, as an industry, work through this challenge. We wish RSA the best of luck and the highest success in their remediation and mitigation efforts. As always, we hope for the best outcome for everyone involved.

Thanks for your time and attention to this issue. It is much appreciated, as is your relationship with MicroSolved, Inc.