Written by Or Shalom
Cyber crisis exercises have many benefits for the organization. An exercise lets participants experience scenarios (sometimes under conditions of uncertainty) and drives improvement in performance, budgeting and equipment, the work plan, and the organization's overall cyber posture. When risks are analyzed in organizational environments, it is clear that management's attention is spread across many different issues and risks: operational risks, safety risks, financial risks, legal risks, supply chain risks, and so on. What is interesting is that, on the one hand, it would be wrong to draw managers' attention only to the cyber field, but on the other hand, cyber risk cuts across all of these risks anyway, since today's processes are computerized; hence its significant weight and the need to prioritize it. Therefore, designing a cyber exercise that meets and reflects supply chain or operational aspects is appealing and in the organization's interest, because it yields insights and organizational gains in several fields at once. We can learn about this connection from various events that have occurred in recent years.
One instructive event comes from the automobile industry, where a cyberattack on a supplier shut down the production line and caused heavy losses. The event yielded insight into inventory management considerations and the potential implications of Just-in-Time components, which had prevented the stocking of reserves and the ability to rely on existing inventory, and into possible controls against depending on a single main supplier. The ability to intertwine cyber protection with additional disciplines and issues within the organization enables broad insights, work plans, synergy, and even higher productivity in terms of assessments and readiness for crisis situations in general.
Preparation for crisis exercises in operational arenas and critical infrastructures is also complex because of the existing fear of the consequences of a physical stoppage or harm (including the implications of safety and environmental risks), such as damage to vital physical infrastructure and machines, as well as damage to information processing (in the IT arena). An exercise in an operational arena is more comprehensive because of the connection between IT and OT: for example, a scenario in which an attack begins with phishing in order to gain access to operational systems, with physical consequences, or damage to ERP systems in order to affect the assembly line. Although quite a few ready-made templates and kits exist for organizations, it would be appropriate to validate the scenarios against the organization's goals, following the actions listed below.
Establishing and extracting intelligence for the exercise:
The examination and use of intelligence in preparation for the exercise is important because it validates the exercise and its scenarios, so that the organization prepares against real events. It would be correct to track sectoral intelligence and understand the directions and trends in attack patterns for the organization's own sector. The working assumption is that the motives, attack methods, attack groups, and patterns all differ between sectors. In order to validate the exercise against the organization's objectives, there needs to be an examination from the attacker's point of view facing the organization's assets. Thus, the OSINT process (including searching for information on the deep web and the darknet) is directed at the organization's domains and assets, ERP systems, and the systems and software used by the organization, among others. In accordance with the SANS approach, intelligence efforts (and later the designated scenarios for the exercise) can be concentrated on the organization's 5 critical assets in the operational networks. The organizational gain is immediate, since the process of preparing for the exercise already produces an up-to-date intelligence snapshot, sometimes one that requires immediate intervention or treatment in order to reduce exposure, or a compensating monitoring control against malicious actors.
How to Build Scenarios and Set Success Metrics:
The process of scenario construction should be adapted to the sector and the practicing organization. It can include various scenarios such as damage to the organization's computer systems and power supply, ransomware, data loss or leakage, malware in the network, and so on. In order to improve the scenarios and ensure they are reasonable, there needs to be, among other things, a process of intelligence validation. The scenario construction process should make it possible to map and locate gaps based on the following points:
- Examining the implementation of controls and processes in the field, in accordance with the 5 families (Identify, Protect, Detect, Respond, and Recover) and in accordance with the scenario.
- The manner of collaboration between elements in and out of the organization.
- Examination based on an Incident Response Framework, with an emphasis on the ability to respond to the event and ensure business continuity (containing the disaster), or the ability to recover from the disaster itself. The goal is to examine the tools, capabilities, and knowledge available to the organization for dealing with the event, the transition between states, and the recovery itself.
The ransomware event at the HYDRO steel company and the insights that followed can serve as an interesting case study. This includes the actions carried out in order to continue operating, how its 35,000 employees functioned across its dispersed sites, the redundancy and the later transition to manual operation, decisions related to human resources, and the need to recruit workers for the production line. Examining scenarios in which an asset or a central service is damaged, against how the organization returns to service, will yield many insights for the future.
To demonstrate, if we are dealing with an airport, we will carry out a process of validating potential threats: for example, an attack aimed at harming service and creating an outage, delays in the flight schedule, and possible chaos by damaging the core airport systems, the baggage claim system, and so on. The investigation of intelligence and potential vulnerabilities will be from the attacker's point of view and in relation to the types of systems, models, and software used by the organization.
When it comes to hospitals and the health sector, we will carry out a process of validating threats for a ransomware event and its impact on business and organizational activity, in a manner aimed at disabling and preventing services, harming patient admission, and affecting the treatment of patients (as occurred in various hospitals around the world in recent years). Of course, the lessons that emerge from real events are an excellent basis for study when defining the success measures of the exercise.
Field experience in training and exercises shows that there is not always a "by the book" solution, and sometimes the decisions and actions taken during the exercise under changing conditions will be different, adapted, and sometimes just as good as the textbook recommendations.
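As an added illustration of the gap-mapping points and success metrics described above (example code written for this article, not part of the original post or of any framework), the script below scores a constructed tabletop timeline against time-to-detect, time-to-contain and time-to-recover targets and groups the observed gaps under the five families. All timestamps, targets and gap descriptions are constructed assumptions for the example.

```python
from dataclasses import dataclass

# Constructed sample timeline for a tabletop (not from the article): a phishing
# foothold that pivots toward ERP and then OT. Times are minutes on the exercise clock.
EVENTS = [  # (minute, phase, description)
    (0,   "inject",  "phishing e-mail delivered to a procurement user"),
    (12,  "inject",  "reused credential used to log in to the ERP VPN"),
    (40,  "detect",  "SOC flags anomalous VPN login from a new network"),
    (75,  "contain", "ERP-to-OT firewall rule closed; VPN account disabled"),
    (90,  "inject",  "MES server unreachable; assembly line 3 stops"),
    (180, "recover", "MES restored from backup; line 3 restarted"),
]
TARGETS = {"detect": 30, "contain": 60, "recover": 240}  # constructed success metrics (minutes)
FAMILIES = ("Identify", "Protect", "Detect", "Respond", "Recover")

@dataclass
class Gap:
    family: str        # one of FAMILIES
    description: str
    owner: str         # unit responsible for the action item

def phase_times(events):
    """Minutes from the first inject to the first event of each response phase."""
    start = min(m for m, p, _ in events if p == "inject")
    out = {}
    for m, phase, _ in events:
        if phase != "inject" and phase not in out:
            out[phase] = m - start
    return out

def score(events, targets):
    """Return {phase: (minutes or None, target_met)} for each target phase."""
    times = phase_times(events)
    return {p: (times.get(p), times.get(p) is not None and times[p] <= t)
            for p, t in targets.items()}

def gaps_by_family(gaps):
    """Group observed gaps under the five families, keeping every family as a key."""
    grouped = {f: [] for f in FAMILIES}
    for g in gaps:
        if g.family not in grouped:
            raise ValueError(f"unknown family: {g.family}")
        grouped[g.family].append(g.description)
    return grouped

if __name__ == "__main__":
    for phase, (mins, ok) in score(EVENTS, TARGETS).items():
        print(f"{phase:8s} {mins:4d} min  target {TARGETS[phase]:4d}  {'OK' if ok else 'GAP'}")
    observed = [Gap("Respond", "no written procedure for isolating ERP from OT", "OT lead"),
                Gap("Recover", "MES restore requires the vendor on site", "Plant IT")]
    for family, items in gaps_by_family(observed).items():
        print(f"{family}: {items or '-'}")
```

A phase that never occurs in the timeline (for example, no containment action at all) is reported as `(None, False)` rather than raising, so the gap is still visible in the scorecard.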
Executive exercise that combines decision-making processes alongside hands-on processes:
Crisis exercises are usually designed to examine the decision-making processes of managers, as well as the working interfaces between the managers themselves (the Cyber Defense manager working with the Operations Manager, the Finance Director, or the Legal Advisor). On the other hand, it should be noted that technical and forensic processes, technical team activities, and other developments may affect managers' decisions along the timeline. There is sometimes a window that allows containment and prevents deterioration into a crisis. In some cases, a developing hands-on scenario can be the trigger for management engagement and decisions: for example, damage to applications, cloud services, or products provided by the organization, with a functional impact on customers. The technical and management teams will therefore act in a way that allows the synergy and cross-team activity to be examined. These derived implications give management added value that fits reality and is consistent with how events actually develop.
The training and exercise will provide insights and lessons for both preservation and improvement. Therefore, a mechanism should be designed to track the treatment of the gaps that arise in relation to the units and interfaces involved. As part of the Action Items, a recurring process of presenting the gaps to management should be set, together with a plan for remediation and for closing the gaps.
The author is a security, cyber and HLS technology expert and consultant to government ministries and defense industries. He holds a master’s degree, as well as civil and national qualifications in the realm of HLS and Cyber Security. He has experience in consultation and business development for security companies and groups in matters of planning and building defense, innovation and security technology, exercises, and training in security and cyber.
References:
- https://www.mitre.org/sites/default/files/2022-09/pr_14-3929-cyber-exercise-playbook%20.pdf
- https://www.sans.org/blog/top-5-ics-incident-response-tabletops-and-how-to-run-them/
- https://www.cisa.gov/resources-tools/services/cisa-tabletop-exercise-packages