Inside the CRIT-EX 16.2 Cyberattack Readiness Exercise

August 31, 2016

We are pleased to add the following talk to the agenda of SecurityWeek’s 2016 ICS Cyber Security Conference.  (Conference registration is still available – with registrations up more than 100% for 2016, we encourage you to register now to reserve a spot)

Cyber Stone Soup: Complex Training for Cyber Exercises

This presentation will cover the importance of training cybersecurity for industrial control systems in a complex environment. While using lessons learned as examples, the presenter will provide a roadmap to plan and execute a complex cyber exercise.

The state of Indiana executed CRIT-EX 16.2 on the 18th and 19th of May, 2016, at the Muscatatuck Urban Training Center. This cyberattack readiness exercise aimed to improve the overall security and responsiveness of Indiana’s critical infrastructure in the face of an advanced cyber incident that disrupts essential water utility services and presents a public safety threat. Indiana, like the rest of the country, understands that it has a short window of opportunity to prepare for a major cybersecurity event that, if successful, could be as devastating as a major earthquake or tornado. To prepare effectively for such a scenario, Indiana’s cybersecurity stakeholders realized that they had to begin building high-functioning, collaborative networks that span the public and private sectors. By collaborating on high-risk cyber issues, organizations throughout the state of Indiana are elevating their response postures and preparing to ratchet up their ability to confront the threats of tomorrow.

The Indiana Department of Homeland Security, in conjunction with the Indiana National Guard, Indiana Office of Technology, Cyber Leadership Alliance, and over 16 other public and private partners, developed this controlled functional cyberattack exercise to allow participants to deploy resources and communicate with response partners to mitigate adverse effects and expedite recovery. Additionally, CRIT-EX is the first joint public-private partnership simulating responses to cyberattacks on the Muscatatuck water treatment plant, with expert programming and cybersecurity teams acting as cyberterrorists who attack the facility’s Supervisory Control and Data Acquisition (SCADA) systems.

The exercise had three very important themes that differentiated Crit-Ex from other cyber exercises. First, in order for all of the entities to be able to communicate effectively, the participants had to agree on a common language. After months of struggling to understand the requirements of each sector, the planning team moved away from other planning methodologies and agreed that the US-DHS Homeland Security Exercise and Evaluation Program (HSEEP) would be the common language of the exercise. Ultimately, this proved invaluable to the success of the exercise.

Second, privacy was at the center of the exercise. Participants were concerned about the disclosure of any vulnerabilities or regulatory compliance issues. In response, the exercise ensured that observation of participating teams was strictly controlled, that all evaluators were trained and then vetted by the FBI, and that all material collected during the exercise was turned over to the participating organizations. This level of diligence on information security was vital to creating the neutral and secure environment required by the participants.

The third unique theme, and what is considered to be the hallmark of Crit-Ex 16.2, was the complexity of the event. The attack vectors were executed in real time on a fully functional water treatment plant, while the effects of the attack were monitored from the control room, which displayed the system controls, and through closed-circuit monitors on the treatment plant and a field site. Participating teams consisted of system operators, supervisors familiar with incident response plans, and executives, thus giving a multi-echelon perspective of the attack and its effects. Trained role players were used at a “field site” and at the water treatment plant to add to the complexity and realism of the scenario.

Adding to the complexity was the approach to the exercise design itself. The evaluation criteria were closely scrutinized, and ultimately the planning group selected three separate criteria to work with. In order to satisfy the requirements of the majority of the participating organizations, the evaluation team selected the Homeland Security 32 core capabilities, the National Institute of Standards and Technology (NIST) recommendations for the security of industrial control systems (ICS), and the American Water Works Association’s (AWWA) standards. By cross-walking these different criteria, the exercise was able to fulfill training requirements for all of the participating organizations.

Speaker: Douglas C. Rapp is the President and CEO of the Cyber Leadership Alliance, a nonprofit industry organization and an action arm for cyber efforts in Indiana. He also serves as the Advisor for Cyber and National Security for the State of Indiana. He holds an MS in Management from Indiana Wesleyan and a bachelor’s degree from Indiana University in Fort Wayne. His accomplishments include creating the strategic plan for the Indiana National Guard Cyber Enterprise, creating Indiana’s first state-level cyber response plan, serving as the Project Manager/Exercise Planning Team Leader for Crit-Ex, and leading the successful bid for the Region 5 Cyber Protection Team. He is a 32-year Army combat veteran and a decorated Infantry Officer.
