National Cyber Exercise: Cyber Storm

National Cyber Security Division

New York City Metro ISSA Meeting
June 21, 2006

This document is FOR OFFICIAL USE ONLY (FOUO). It contains

information that may be exempt from public release under the
Freedom of Information Act (5 U.S.C. 552). It is to be
controlled, stored, handled, transmitted, distributed, and
disposed of in accordance with DHS policy relating to FOUO
information and is not to be released to the public or other
personnel who do not have a FOR OFFICIAL
valid USE ONLY
“need-to-know” without
prior approval of an authorized DHS official.
Agenda

Cyber Storm Overview

 Exercise Objectives
 Exercise Construct
 Player Universe
 Scenario Context and Scope
 Scenario and Adversary
 Scope and Scale
Overarching Lessons Learned
Way Ahead Cyber Storm II

2
FOR OFFICIAL USE ONLY
Cyber Storm

3
FOR OFFICIAL USE ONLY
Cyber Storm Overview
What:
 Provided a controlled environment to exercise State, Federal, International, and
Private Sector response to a cyber related incident of national significance
 Large scale exercise through simulated incident reporting only – no actual impact
or attacks on live networks
 Specifically directed by Congress in FY05 appropriations language and
coordinated with DHS National Exercise Program
Who: 300+ participants from
 Federal D/As: Support and/or participation by 8 Departments and 3 Agencies

 States: Michigan, Montana, New York, Washington (Exercise Control)

 International: Australia, Canada, New Zealand, UK
 Private Sector
– IT: 9 major IT firms
– Energy: 6 electric utility firms (generation, transmission & grid operations)
– Airlines: 2 major air carriers
– ISACs: Multi-State, IT, Energy, Finance (off the record participant)
(Nebraska, North Carolina, South Carolina, Texas @ MS-ISAC)

When: February 6-10, 2006

Where: distributed participation from ~ 60 locations including US, Canada, and UK

4
FOR OFFICIAL USE ONLY
Exercise Objectives
Exercise the national cyber incident response community with a
focus on:
 Interagency coordination under the Cyber Annex to the National Response
Plan:
– Interagency Incident Management Group (IIMG)
– National Cyber Response Coordination Group (NCRCG)
 Intergovernmental coordination and incident response:
– Domestic: State – Federal
– International: Australia, Canada, NZ, UK & US
 Identification and improvement of public-private collaboration, procedures
and processes
 Identification of policies/issues that affect cyber response & recovery
 Identification of critical information sharing paths and mechanisms
Raise awareness of the economic and national security impacts
associated with a significant cyber incident

FOR OFFICIAL USE ONLY 5

Exercise Construct
Feb. 6 Feb. 7 Feb. 8 Feb. 9 Feb. 10
Build-Up Build- Crisis Phase Response & Response &
[D-300 - Up [D Day] Recovery [D+1] Recovery [D+5-
D-14] [D- 7]
7&D-1]
Mon. 4 hrs Tue. 8 hrs Wed.-Thurs. 36 hrs Fri. 4 hrs

Live Play TTX & Hotwash

State Prep

State Play & Hotwash

Aus & NZ TTXs

Thurs

Canada
Federal Players
Private Sector Players United Kingdom
State Government Players
International Players US
Exercise Control New
Australia
Zealand

FOR OFFICIAL USE ONLY 6

Cyber Storm Player Universe

The N Problem
2
7
FOR OFFICIAL USE ONLY
Player Universe LE/ Intell

NSA DNI CIA FBI DHS &

IT/Telecom Interagency
US-CERT NCC Comms ISAC DHS I&A USSS
IIMG HSOC NCRCG
IT-ISAC ISP/Telco Sim Cell HITRAC
NCSD NICC NCS
MSV 1 CA MSSP

MSV 2 MHV 1 OPA IP IMC

MSV 3 Main Exercise
Control (75 / 20)
Internat’l State/Local Fed D/As Energy
States ES-ISAC DOE
Energy Trans IT/Telcom
MS-ISAC Michigan Utility 1 Regional Pwr Admins
LE/Intell DHS

New York Montana PA/Media Utility 2 Utility 4 Utility 6

Utility 3 Utility 5
Transportation
Sector
Federal DOT TSA
FAA International
Department/Agencies TCIRC CSIRC TSOC

OMB HSC NSC DOC DOD Air Carrier 1 Air Carrier 2 Australia
New Zealand
Treasury Fed. Reserve Bank FDIC Canada United Kingdom
Ag 13 Players 3 Players
DOJ DOS
Red Cross
11 SimCell 8
FOR OFFICIAL USE ONLY
Scenario Context and Scope
A simulated large-scale cyber incident affecting Energy, Information
Technology (IT), Telecommunications and Transportation infrastructure
sectors.
Cyber Storm scenario included:
 Cyber attacks through control systems, networks, software, and social
engineering to disrupt transportation and energy infrastructure elements
 Cyber attacks targeted at the IT infrastructure of State, US Federal and
International Government agencies intended to:
– degrade government operations/delivery of public services
– diminish the ability to remediate impacts on other infrastructure sectors
– undermine public confidence

The exercise was NOT focused on the consequence management of the

physical infrastructures affected by the attacks
 Physical consequence management aspects largely provided to players via
robust Exercise Control cell

FOR OFFICIAL USE ONLY 9

 Scenario Timeline by Thread
Monday Tuesday Wednesday Thursday
1 Jan 05 – 30 Jan 06 1 Feb 06 – 7 Feb 06 8 Feb 06 9 Feb 06
SCADA System Probing Threats on Metro Websites Oil and Gas Pipeline Map
Minor DOS
Commuter Metros Stop Running
Transportation

Unauthorized FAA Rail Delay of FAA Real-time Systems

Network access Trouble Claims of
Responsibility EWA’s No
Fly List
Software Update Altered
crashes FAA False NOTAM Distribution
Control System DOS Attack on FAA
TWIC Problems Plague Ports

Spoofed MRG
WAGA Virtual Newspaper posts No
Red Cross Sites
Messages Sit-In Fly List
Defaced on
Intel/LE

Tricare
Ongoing Protests Surrounding WTO and DEUI Meetings Website BotNet
WAGA calls for DOS Attacks & Cooperation TRANSCOM Discovery
Log Info
NIPRNET Probing Tricare Site Manipulated
increases Defaced

State
Utility
OASIS DDOS Attack Estimators More Power
Energy

OPC Bomb
Vulnerabilitie Wireless RTU Problems Fail Outages
Threat
s Identified Confusing Network Data Threatened
Transmission line breakers tripped
More Extensive Power Outages

Attack using Malware distributed via Counterfeit CD

MSSP Malware Distribution via Malicious Code
DDOS Attacks on Power Admin and DOE Servers
Malware CD
IT

Distributed Rogue Certificate Authority

Internet Extortion
DNS Cache Poisoning
Trusted Insider System Infection

Rogue Wireless Cascading RTR Failure

Device Discovered Wireless Comm
States

False Email
Logs Amber Threat to Device SVR RTR Control from Offsite
Compromised HIPAA DB Alert CIOs Corrupted
Compromised Wide Area Electrical Failure
(FW, IDS, RTR)

Logic Bomb planted in Intel Reports on Heat

PWGSC Server Outage Sources
International

Heat goes out in Govt Buildings

SIN #
Claims of Postings
Responsibility for
Heat Outages Australia
FOR/ New Zealand
OFFICIAL USETable
ONLY Tops 10
Adversary
Worldwide Anti-Globalization Alliance
(WAGA)

Freedom Not •Target Multinationals •Maintain Cultural Diversity The Peoples

Bombs •Port and Rail Closures •Target Language Pact
Standardization
•International Network
attacks •Target Currency
Standardization (Euro-
•Anti-Capitalist
Dollar)
•Nation reliance on cyber
Black •Military Disruption •Target “U5” for pushing •Anti-Nuclear Group
services are a product of
English around the globe
Hood •Port and Rail Closures Globalization. (The irony of •Power Outages
Society its attacker) •Anti-Imperialism
•Pipeline Cyber Attacks •Threaten Meltdowns
Faction of •International Network •Target DC
Freedom attacks Infrastructure
Not Bombs
•Anti-NATO •Global Website
Defacement
•Non-Violent Disruption

Independent Actors

Internet Techno politic Auggie Jones, “Cyber IT Opportunistic Disgruntled Airport The Tricky Trio
Front (ITF) Saboteur” Hackers Employee

•Opportunistic Launch of
worms
•Direct Cyber attacks on
software/systems providers
•Purchase of Personal
•Computer virus attacks
Identity information
•SCADA system disruptions
•Malware Distribution
and attacks
•Internet Extortion
•“Watch List” Irregularities
•Cargo Threats
•Tower Disruptions
•Located in Berlin,
Germany
•Fighting Back
•Clogging the Bandwidth

FOR OFFICIAL USE ONLY 11

 WAGA Tricky Trio Disgruntled Employee

Scenario Timeline Thread/Villain

Black Hood Society BBB DOWN
People’s Pact MRG Independent Actor
ITF

Monday Tuesday Wednesday Thursday

1 Jan 05 – 30 Jan 06 1 Feb 06 & 7 Feb 06 8
8 Feb
Feb 06
06 99 Feb
Feb 06
06
SCADA System Probing Minor Threats on Metro Websites Oil and Gas Pipeline Map
DOS
Transportation

Commuter Metros Stop Running

Unauthorized FAA Rail
Network access Trouble Claims of EWA’s No
Responsibility Fly List Delay of FAA Realtime Systems
Software Update
Altered
crashes FAA
Control System False NOTAM Distribution
DOS Attack on FAA Wardial attack on AFSS

Spoofed MRG
WAGA Virtual Newspaper
Red Cross posts No
Sit-In Sites
Messages Fly List
Defaced Tricare
Intel/LE

Ongoing Protests Surrounding WTO and DEUI Meetings on BotNet

WAGA calls for DOS Attacks & Cooperation Website Discovery
NORTHCOM
Comm System
NIPRnet Probing Tricare Site Info
increases MyPay
Balances Defaced Manipulated
Zeroed

OASIS DDOS Attack State Utility

Energy

Estimators Bomb More Power

OPC Threat Outages
Vulnerabilities Wireless RTU Problems Fail
Threatened
Identified Transmission line breakers tripped
Confusing Network Data
More Extensive Power Outages

Attack using Malware distributed via Counterfeit CD

MSSP Malware Distribution via Malicious Code
Malware CD DDOS Attacks on Power Admin and DOE Servers
IT

Distributed Rogue Certificate Authority

Internet Extortion
DNS Cache Poisoning
New SSL Vulnerability Discovered
Trusted Insider System Infection

Rogue Wireless Cascading RTR Failure

Device Discovered False Email Wireless Comm
States

Logs Amber Threat to Device SVR RTR Control from Offsite

Compromised HIPAA DB Alert CIOs Corrupted Internet Connectivity Losses
(FW, IDS, RTR) Compromised

Logic Bomb planted in Intel Reports on Heat

PWGSC Server Outage Sources
International

Heat goes out in Govt Buildings

SIN #
Claims of Postings WAGA Associates
Responsibility for FOR OFFICIAL USE ONLY 12
Australia / New Zealand Table Tops WAGA Sympathizers
Heat Outages
Scope and Scale
Planning: 18 months
 5 major planning conferences
 100-150 participants @ each
 5 AAR conferences

ExCon: ~100
 Exercise network & workstations
 NXMSEL, web and email servers
 Simulate media website
 Hacker websites
 Physical build
 Observer group
 Observation database

Players: 300+
Scenario: 800+ injects
Player emails: 21,000+ captured
Cost: $$
Exercise Management Team: peaked @ ~20 FTEs

FOR OFFICIAL USE ONLY 13

Overarching Lessons Learned
Correlation of multiple incidents is challenging at all levels:
 Within enterprises / organizations
 Across critical infrastructure sectors
 Between states, federal agencies and countries
 Bridging public – private sector divide

Communication provides the foundation for response

 Processes and procedures must address communication protocols, means
and methods

Collaboration on vulnerabilities is rapidly becoming required

 Reliance on information systems for situational awareness, process
controls and communications means that infrastructures cannot operate in
a vacuum

Coordination of response is time critical

 Cross-sector touch points, key organizations, and SOPs must be worked
out in advance
 Coordination between public-private sectors must include well articulated
roles and responsibilities

FOR OFFICIAL USE ONLY 14

Overarching Lessons Learned
Strategic Communications / Public Messaging
 Critical part of government response that should be coordinated with partners at all
levels

Policy Coordination
 Senior leadership / interagency bodies should develop more structured
communication paths with international counterparts
 Strategic situational awareness picture cannot be built from a wholly federal or
domestic perspective in the cyber realm

Operational Cooperation
 True situational awareness will always include an external component
 Initial efforts at international cooperation during CS provided concrete insights into of
near term development of way ahead for ops/tech info sharing
 Communication paths, methods, means and protocols must be solidified in advance of
crisis/incident response
– Who do I call? When do I call? How do I call them?
– Secure and assured communications are critical in order to share sensitive
information
 Cooperation must include ability to link into or share info in all streams: e.g., Cyber,
Physical, LE, Intelligence

FOR OFFICIAL USE ONLY 15

Way Ahead– Cyber Storm II
Tentatively scheduled for March 2008
Fall 2006, DHS and key stakeholders will begin
development of CSII overall concept and scenario focus
Spring 2007, CSII CONOPS will be finalized
Based on the scenario focus areas, DHS will coordinate
with the sector specific agencies and the relevant
Information Sharing Analysis Centers and Private Sector
Coordinating Councils (NIPP) for individual private sector
participants.

FOR OFFICIAL USE ONLY 16

FOR OFFICIAL USE ONLY