Cybersecurity EXERCISE (CE) ATD Scenario intro
LEARNING objectives
Recognizing the importance of integrating cybersecurity early and throughout the lifecycle
Applying cybersecurity risk management
Applying cybersecurity regulatory, statutory, and best practices
Identifying the security and resiliency trade-space
Applying contract strategies to acquire secure and resilient systems
Recognizing system impacts of cybersecurity threats

Students should be able to understand:
the difference between threat, risk, attack and vulnerability
how threats materialize into attacks
where to find information about threats, vulnerabilities and attacks
typical threats, attacks and exploits and the motivations behind them
a high-level understanding of how example attacks work (e.g. DDoS, phishing and buffer overflow)
how users are targeted in an attack and why this must be considered in defending against such attacks
the concept of a threat landscape, its dynamic nature and how to create a landscape for an organization
how to classify threats and example categories
that there are different attacks, which have different patterns and different steps, for example being able to compare a DDoS to an attack designed to copy information
that there are different types of malware, for example viruses, Trojans and spyware, their distribution mechanisms and a detailed understanding of how they compromise information and systems
that attacks can be combined for greater effect (e.g. a phishing email followed by a social-engineering phone call)
Exercise objectives
Apply the 5-step cybersecurity framework throughout the system's lifecycle
Analyze via a representative system
Apply the cybersecurity risk management process
Recognize the role of a team approach to cybersecurity success
Analyze risk (consequences and likelihood) via the risk cube
Develop alternatives to material/non-material solution(s) via tradeoff analyses
Exercise ground rules
There are no right or wrong answers or ideas
Maintain a no-fault, stress-free environment
Use the scenario to provide context and spark creative ideas
Do not limit discussion to positions or policies
Tap community resources and assets to aid and enhance brainstorming
Cyber Attack SURFACE
Source: Consequences to Seaport Operations from Malicious Cyber Activity, Department of Homeland Security, 2016, p. 4. Available at https://info.publicintelligence.net/DHS-SeaportCyberAttacks.pdf
Threat to navigation systems
IMO and PMO RESPONSIBILITY
International Maritime Organization (IMO):
Incorporate a framework that is fair, effective, and universally adopted and implemented
Ensure operators address financial issues without compromising security
Ensure operators comply with regulatory, statutory, and cybersecurity best practices
Assure the public that ship operations are safe
Program Management Office (PMO):
Identify mission gaps and weaknesses in existing or new requirements for the planned system
Evaluate the architecture for security gaps or weaknesses in order to influence design
Evaluate architectures, systems, or solutions (material/non-material) to determine funding prioritization
Ensure systems are secure, resilient, and able to operate in a cyber-contested environment
IMO DUTIES
Require ships' compliance with security guidelines in accordance with (IAW) NIST's Cybersecurity Framework
Ensure PMOs deploy a COTS Navigation System that operates securely and resiliently and defeats new or updated threats, IAW the Interim Maritime Cyber Risk Management Guideline Notice
Ensure each PMO reports its system's compliance with the NIST Cybersecurity Framework
Within 36 months, identify material or non-material solution(s)
If a ship is not in compliance, revoke its seaworthiness and port-of-call certificates, which may deny its ability to obtain or maintain carrier insurance
Cyber exercise (CE) schedule, morning session
Time / Tasking / Actions/Outcomes
0800 – 0845  Engineering, Program Management, and Contracts Disclosures
             Discuss goals and objectives; discuss participant roles and expectations
0900 – 0915  Cyber Exercise (CE) Intro
             Discuss organizational structure; identify statutory, regulatory, best practices, and tools
0915 – 1120  Round 1: Team Work
             Focus on “Identify & Protect” cybersecurity aspects; understand the adversary; maintain situational awareness; consider the operating environment
1130 – 1200  Large Group Discussion
             Discuss Round 1 answers and recommended response
1200 – 1300  Lunch
Cyber exercise (CE) schedule, afternoon session
Time / Tasking / Actions/Outcomes
1300 – 1315  Afternoon intro discussion
             Discuss the shift of cyber focus to detecting, responding to, and recovering a Navigation System from GPS spoofing
1315 – 1350  Round 2: Team Work
             Focus on “Detect” cybersecurity aspects; update the scenario; update the threat analysis; inject a new threat vector
1400 – 1420  Large Group Discussion
             Discuss Round 2 answers and recommended response
1430 – 1520  Round 3: Intro and Team Work
             Focus on “Respond & Recover” cybersecurity aspects; define contingency plans
1530 – 1630  CE ends; Large Group Discussion
             Team brief-out and closing remarks
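Round 2 asks the teams how a navigation system could detect that it is being fed spoofed GPS. The Python below is an added illustration written for this page, not part of the exercise materials or of any real navigation product: it parses constructed NMEA RMC sentences (validating the XOR checksum) and flags any fix that the vessel could not physically have reached since the previous fix. The 30 kn speed ceiling, the sample track, and all function names are assumptions made for the example; the receiver's own speed-over-ground field is deliberately not trusted, because a spoofer controls that field too.

```python
import math
from dataclasses import dataclass

# Physical ceiling for a merchant vessel (assumed value for this example).
MAX_VESSEL_SPEED_KN = 30.0
EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles


@dataclass
class Fix:
    t_s: float     # UTC seconds since midnight, from the RMC time field
    lat: float     # decimal degrees, north positive
    lon: float     # decimal degrees, east positive
    sog_kn: float  # receiver-reported speed over ground, knots (untrusted)


def nmea_checksum(body: str) -> str:
    """XOR of every character between '$' and '*', as two uppercase hex digits."""
    cs = 0
    for ch in body:
        cs ^= ord(ch)
    return f"{cs:02X}"


def _dm_to_deg(dm: str, hemi: str) -> float:
    """Convert NMEA ddmm.mmmm (or dddmm.mmmm) plus hemisphere to signed degrees."""
    value = float(dm)
    degrees = int(value // 100)
    minutes = value - degrees * 100
    deg = degrees + minutes / 60.0
    return -deg if hemi in ("S", "W") else deg


def parse_rmc(sentence: str) -> Fix:
    """Parse a $xxRMC sentence, rejecting bad checksums and non-valid ('V') fixes."""
    if not sentence.startswith("$") or "*" not in sentence:
        raise ValueError("malformed NMEA sentence")
    body, cs = sentence[1:].split("*", 1)
    if nmea_checksum(body) != cs.strip().upper():
        raise ValueError("checksum mismatch")
    f = body.split(",")
    if not f[0].endswith("RMC") or f[2] != "A":
        raise ValueError("not a valid RMC fix")
    hhmmss = f[1]
    t_s = int(hhmmss[0:2]) * 3600 + int(hhmmss[2:4]) * 60 + float(hhmmss[4:])
    return Fix(t_s, _dm_to_deg(f[3], f[4]), _dm_to_deg(f[5], f[6]), float(f[7]))


def distance_nm(a: Fix, b: Fix) -> float:
    """Great-circle (haversine) distance between two fixes, in nautical miles."""
    phi1, phi2 = math.radians(a.lat), math.radians(b.lat)
    dphi = phi2 - phi1
    dlam = math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(h))


def detect_jumps(sentences, max_speed_kn=MAX_VESSEL_SPEED_KN):
    """Return (index, implied_speed_kn) for every fix whose distance from the
    previous fix could not have been covered at max_speed_kn. A non-increasing
    timestamp is reported as infinite speed, since it is equally implausible."""
    fixes = [parse_rmc(s) for s in sentences]
    flagged = []
    for i in range(1, len(fixes)):
        dt_h = (fixes[i].t_s - fixes[i - 1].t_s) / 3600.0
        if dt_h <= 0:
            flagged.append((i, float("inf")))
            continue
        implied = distance_nm(fixes[i - 1], fixes[i]) / dt_h
        if implied > max_speed_kn:
            flagged.append((i, implied))
    return flagged


def build_rmc(hhmmss, lat_dm, lon_dm, sog_kn, cog_deg):
    """Constructed test data: assemble a checksummed RMC sentence (date is arbitrary)."""
    body = f"GPRMC,{hhmmss},A,{lat_dm},N,{lon_dm},W,{sog_kn:.1f},{cog_deg:.1f},010124,,"
    return f"${body}*{nmea_checksum(body)}"


# Constructed track: 12 kn northbound, one fix per minute. Fix 4 jumps five
# nautical miles north in 60 s; fix 5 then continues smoothly from the spoofed
# position, which is what a coherent spoofer would produce.
SAMPLE_TRACK = [
    build_rmc("120000", "3344.40", "11812.00", 12.0, 0.0),
    build_rmc("120100", "3344.60", "11812.00", 12.0, 0.0),
    build_rmc("120200", "3344.80", "11812.00", 12.0, 0.0),
    build_rmc("120300", "3345.00", "11812.00", 12.0, 0.0),
    build_rmc("120400", "3350.00", "11812.00", 12.0, 0.0),  # spoofed jump
    build_rmc("120500", "3350.20", "11812.00", 12.0, 0.0),
]

if __name__ == "__main__":
    for idx, speed in detect_jumps(SAMPLE_TRACK):
        print(f"fix {idx}: implied speed {speed:.0f} kn exceeds {MAX_VESSEL_SPEED_KN} kn")
```

Only the jump at fix 4 is reported; fix 5 looks normal because the spoofer kept its fabricated track self-consistent. A spoofer that walks the position off slowly, well under the speed ceiling, passes this check entirely, which is why a plausibility test like this belongs alongside references the attacker does not control (dead reckoning from the ship's log and gyro, radar ranges to charted objects) rather than standing alone.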
Questions