Cybersecurity EXERCISE (CE) ATD Scenario questions


Exercise ground rules
- There are no right or wrong answers or ideas
- Maintain a no-fault, stress-free environment
- Use the scenario to provide context and spark creative ideas
- Do not limit discussion to positions or policies
- Tap community resources and assets to aid/enhance brainstorming

Students should be able to understand:
- the difference between threat, risk, attack and vulnerability
- how threats materialize into attacks
- where to find information about threats, vulnerabilities and attacks
- typical threats, attacks and exploits and the motivations behind them
- high-level understanding of how example attacks work (e.g. DDOS, phishing and buffer overflow)
- how users are targeted in an attack and why this must be considered in defending against such attacks
- the concept of a threat landscape, its dynamic nature and how to create a landscape for an organization
- how to classify threats and example categories
- that there are different attacks, which have different patterns and different steps – for example be able to compare a DDOS to an attack designed to copy information
- that there are different types of malware – for example viruses, Trojans and spyware – their distribution mechanism and a detailed understanding of how they compromise information and systems
- that attacks can be combined for greater effect (e.g. phishing email, followed by social engineering phone call)

Our approach
Instead of thinking about cyber attacks as events, it might be more useful to consider them as a process, or the end result of a planning and preparation process. That approach implies a need to assess and understand potential adversaries, maintain situational awareness, and consider how the operating environment and features of our own organization or system might affect an adversary’s actions and objectives.
- Understand the Adversary
- Maintain Situational Awareness
- Consider the Operating Environment

Round 1 – Identify & Protect: Evaluation of GPS Threat for Our Navigation Systems
- Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities
- Protect – Develop and implement the appropriate safeguards to ensure delivery of critical services

Starting information
1. During Identify Phase and Protect Phase, you realize that your current Navigation system:
   - Interfaces with numerous other systems (at least 20 other systems on the ship)
   - Has access to the ship's steering, propulsion, and autopilot
   - Is very dependent upon GPS information
2. You determine a critical risk – spoofing of your ship's Navigation system, which could lead to ship destruction and loss of life
3. With your knowledge of GPS spoofing, do you want to modify your existing Navigation system (harden the existing system), buy a different system, or some combination of both?

CE round 1 CONSTRAINTS
- Funding limited to Operational & Maintenance (O&M), and Procurement (PROC) funds in Current Year (CY) dollars with limited Management Reserve (MR)
- Ship availability for installations is limited to 4 days per month per ship
- Technical solution(s) shall include the use of GPS
- Increases in shipboard manning must be justified

Exercise 1
As a team, discuss and develop:
- What is the main problem for ships from GPS spoofing?
- How might we detect the GPS is spoofed?

Exercise 2
As a team, discuss and develop:
- How could you explain this risk to leadership?
- What can we do about it?

Exercise 3
As a team, discuss and develop:
- The options of modifying your existing Navigation system (hardening the existing system), buying a different system, or some combination of both
- What criteria might we use to pick between these options? (consider cost, speed to execute or acquire, and maturity of the option)
- Can your need be met by a commercial item?

Exercise 4
As a team, discuss and develop:
- Using your decision criteria, pick as a team between the options of modifying your existing Navigation system (hardening the existing system), buying a different system, or some combination of both
- What is your action? (which alternative did you pick)
- What are the contracting strategies to support the chosen COA?

Template
- Issue(s)
- Alternatives
- Decision Criteria
- Assumption(s)
- Action

Round 2 – Detect: Operations against an Identified Threat to Navigation Systems across our Fleet
- Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event

Additional information
1. During Detect Phase, you realize your current Navigation COTS: The Maritime Community and National Intelligence Agencies have provided threat warning
2. You are warned of an identified attacker (the Void) by the Maritime Information Sharing Community and National Intelligence agencies – your ships’ navigation system could be spoofed with false GPS signals
3. IMO, Maritime National Coast Guards, and all major Port Authorities are on alert for oddly behaving ships

CE round 2 CONSTRAINTS
- Funding limited to Operational & Maintenance (O&M), and Procurement (PROC) funds in Current Year (CY) dollars with limited Management Reserve (MR)
- Ship availability for installations is limited to 4 days per month per ship
- Technical solution(s) other than GPS must be justified
- Increase in current shipboard manning must be justified

Exercise 1
As a team, discuss and develop:
- How can we detect the threat’s operations?
- Assume the ship works with a shore Security Operations Center (SOC), what should we be asking the SOC to look for?

Exercise 2
As a team, discuss and develop:
- How could you explain this risk to leadership?
- What can we do about it?

Exercise 3
As a team, discuss and develop:
- With the increased possibility of attack, does your team need to change its option? (modifying your existing Navigation system, buying a different system, or some combination of both)
- Does a higher chance of a threat change your decision criteria? (consider cost, speed to execute or acquire, and maturity of the option)
- Assuming that a contract was awarded in Round 1 to address the Round 1 requirements, would a modification to that contract to address the need identified in Round 2 still be within scope?

Exercise 4
As a team, discuss and develop:
- Using your decision criteria, pick as a team between the options of modifying your existing Navigation system, buying a different system, or some combination of both
- What is your action? (did you change your alternative)
- What are the contracting strategies to support the chosen COA?

Template
- Issue(s)
- Alternatives
- Decision Criteria
- Assumption(s)
- Action

Round 3 – Respond & Recover: Crisis Mode
- Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event
- Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event

Additional information
1. During Respond Phase and Recover Phase, your company has experienced a disastrous attack that caused a massive economic loss and loss of life
2. You are in extreme crisis

CE round 3 CONSTRAINTS
- Funding limited to Operational & Maintenance (O&M), and Procurement (PROC) funds in Current Year (CY) dollars with limited Management Reserve (MR)
- Ship availability for installations is limited to 4 days per month per ship
- Technical solution(s) other than GPS must be justified
- Increase in current shipboard manning must be justified

Exercise 1
As a team, discuss and develop:
- How can we respond and recover?
- Is there an alternative mode of operation for the navigation system?

Exercise 2
As a team, discuss and develop:
- What are possible effects on shipboard personnel with alternate modes of operation?
- Can you explain this problem to leadership?

Exercise 3
As a team, discuss and develop:
- With an attack incident, does your team need to change its option? (modifying your existing Navigation system, buying a different system, or some combination of both)
- Does an incident change your decision criteria? (consider cost, speed to execute or acquire, and maturity of the option)
- Are there any emergency acquisition flexibilities available in the case of a cyber attack?

Exercise 4
As a team, discuss and develop:
- Using your decision criteria, pick as a team between the options of modifying your existing Navigation system, buying a different system, or some combination of both
- What is your action? (did you change your alternative)
- What are the contracting strategies to support the chosen COA?

Template
- Issue(s)
- Alternatives
- Decision Criteria
- Assumption(s)
- Action

DAU ALTERNATE RESPONSE
- All PORs should execute threat scenarios against their plans to establish baselines
- Use the CEO Cybersecurity Checklist as a guideline to ensure PORs are considering cybersecurity concerns and issues
- Consider all FAR/non-FAR options to address emergent cyber requirements

Questions