Mario R. Eden, Marianthi Ierapetritou and Gavin P. Towler (Editors) Proceedings of the 13th International Symposium on Process Systems Engineering – PSE 2018 July 1-5, 2018, San Diego, California, USA © 2018 Elsevier B.V. All rights reserved. https://doi.org/10.1016/B978-0-444-64241-7.50269-X
Cyber Incident Exercise Admitting Inter-Organization for Critical Infrastructure Companies

Akihiro Tsuchiya*, Yuitaka Ota, Yuma Takayama, Tomomi Aoyama, Takashi Hamaguchi, Yoshihiro Hashimoto, and Ichiro Koshijima

Nagoya Institute of Technology, Nagoya 466-8555, JAPAN
Abstract

To improve cyber security awareness for Critical Infrastructure (CI) companies, Kaspersky Interactive Protection Simulation (KIPS) is provided by Kaspersky Lab. Through the KIPS exercise, participants simulate countermeasures while experiencing the effect of a cyberattack on a virtual CI company. However, an organizational structure that makes decisions relative to incident responses via communication between multiple departments is not explicitly specified in the KIPS exercise. Therefore, to increase awareness of the complexity of decision-making processes, a non-technical exercise method that divides a virtual company into headquarters and production plant administrator groups is proposed. The proposed exercise method was implemented using KIPS, and a trial was conducted with participants involved in CI companies.

Keywords: Industrial Control System, Cyber Security, Exercise, Risk Communication
1. Introduction

Cyberattacks on Critical Infrastructure (CI) have been recognized as a significant problem since the discovery of the Stuxnet worm in July 2010 [1]. The Stuxnet worm was primarily designed and developed to target an Industrial Control System (ICS). ICSs are used in gas pipelines, power plants, and chemical and petrochemical plants. The attackers designed Stuxnet to inflict damage by reprogramming programmable logic controllers (PLCs) to control ICSs. After the discovery of Stuxnet, similar malware that targets ICSs has been discovered.

Cyber incidents that target ICSs are security, safety, and business problems. Such abnormal events affect physical devices, such as actuators and sensors. If a cyberattack results in manufacturing operations being shut down, a company will lose significant revenue. In addition, if a cyberattack targets systems that require safety operations, the operators will be endangered. For example, cyberattacks on an iron furnace have been reported [2]. In addition to safety risks, cyberattacks continue to pose serious financial risk for companies [3]. Therefore, cyberattacks should be prevented to ensure corporate resilience.

In addition to awareness of potential cyberattacks, the need for cybersecurity training has increased. The National Institute of Standards and Technology (NIST) specifies that incident response teams should be assigned and trained to develop incident response capabilities against cyberattacks. NIST SP 800-61 [4] describes the ability required for an incident response as follows: “Managers should be technically adept and have excellent communication skills.” A capability for an incident response requires both technical and non-technical skills.

Several authorities have developed tabletop cybersecurity exercises to improve technical security awareness. Tomomi et al. described a technical exercise from the perspective of non-technical skills [5]. However, most security exercises focus on the technical aspects of incident responses. In other words, they are not designed to evaluate a team’s non-technical skills even though it is obvious that a team’s non-technical skills will affect overall performance.

In this paper, a tabletop exercise that involves participant communication skills and decision-making processes in a complex environment is proposed. The remainder of this paper is organized as follows. The basic exercise is explained in Section 2. The proposed exercise structure is described in Section 3. A prototype implementation and initial trial are discussed in Section 4, and conclusions are presented in Section 5.
2. Kaspersky Interactive Protection Simulation Exercise

2.1. Exercise Overview

The Kaspersky Interactive Protection Simulation (KIPS) was developed by Kaspersky Lab [6]. KIPS is a hybrid game with action cards and a game simulator that is intended to deepen the common understanding of the timeline of cyber incidents. Through KIPS exercises, players practically simulate an incident response while experiencing the effects of a cyberattack on a virtual CI company. Players acting as a security administrator for a virtual company determine countermeasures against cyberattacks within time and cost constraints. The goal of the game is to maximize revenue when responding to cyber incidents.

The KIPS exercise for multiple players comprises a game board, action cards, and a game console. The game board represents the plant and network configuration of the virtual company. Players use the game board to understand how the plant works and the devices related to the plant’s operations. The game board also includes space for enabled action cards. Once a player enables an action card, it is placed in an applicable space. Thus, players can observe which action cards have been used.

An action card represents a set of cybersecurity countermeasures. There are thirty types of action cards, e.g., a network disconnection card. Each action card represents a countermeasure and shows the required time and costs. Some action cards are added in some cases. Players can combine action cards according to the situation, such as the plant status and the available budget and time.

The game console is used to simulate the game, and it provides players with information about the virtual company. In addition, players send their selected action cards to a game moderator.

2.2. Scenario for CI Company

The KIPS provides two CI-related scenarios, i.e., a water purification plant and a combined cycle power plant.
The water purification plant has two production lines, each of which comprises a precipitation tank, sand filter, disinfection tank, and drinking water tank. The power plant has two turbines, i.e., a gas turbine powered by burning fuel and a steam turbine powered by boiling water. The water is heated by exhaust gases. Then, the exhaust gas is emitted through a gas filter. In addition, the steam is changed to liquid water by cooling water.
Here, PLCs control both plant operations, and the PLCs are connected to a server in the control network. In the control network, there are various devices, such as a Human Machine Interface, a Data Historian, and an Engineering Workstation. Process data are sent to the headquarters over the Internet. The goal is to protect the devices using action cards.

2.3. Game Simulation

The game consists of a message phase, an action phase, a revenue phase, and a report phase. These four phases are cycled five times to complete the game. Prior to starting the four phases, the moderator explains the rules of KIPS and presents threats to the same industry to the participants as news. The moderator operates a dedicated game console to advance each phase.

In the message phase, players receive various information, such as news from the same industry and the status of the plant. Next, in the action phase, players evaluate the current situation and use action cards as countermeasures using the game console. The action phase is finished after the moderator has received action cards from all teams. The administrator console calculates each team’s revenue according to their actions. The results of a team’s actions and their revenue are sent to the applicable team in the report phase. Then, a card assistant distributes additional action cards to the groups that chose an action card that leads to a new event. In the report phase, all players review their team’s result. Figure 1 shows the KIPS game console in each of the four phases.
Figure 1 Game console of KIPS
At the end of the game, the moderator shows the total revenue and budget left after the five game cycles. In addition, bonuses are added to the revenue depending on the actions taken. The total revenue and remaining budget can be used to evaluate how security countermeasures contribute to the company’s performance. Figure 2 shows the relationships among the KIPS stakeholders.
[Figure 2: diagram of three roles. Players: security administrator of a virtual company (game console user); Moderator (administrator console user); Card Assistant (assistant console user). Arrow labels: "Explains rules and moderate an exercise", "Reports action cards", "Gives additional action cards", "Advances each phase", "Informs an end of card distribution", "Informs an end of a phase".]

Figure 2 Relationships among KIPS stakeholders
3. Structure of Proposed Cyber Incident Exercise

3.1. Inter-organization cooperation

KIPS was designed to raise awareness of the importance of inter-organizational incident response through game simulation. KIPS participants play the role of a security administrator. However, in real CI companies, an incident response is performed by several departments because both business and safety objectives should be considered simultaneously relative to a cyber incident. These objectives are sometimes difficult to reconcile in a response due to differences among the policies of different departments. Therefore, we incorporate a cooperative inter-organization perspective into KIPS, and we consider the following mechanisms to design KIPS from that perspective.

• Separate one team into several groups
An information gap is created by dividing a team into several groups. This information gap results in more complex decision-making scenarios. A group may communicate with other groups to acquire their unique information. Then, players should consider the nature of the current situation and what information is required for the given situation.

• Observe player decision making
A mechanism to evaluate non-technical skills is required, and the decision-making process should be observable.
3.2. Proposed Exercise

To create the information gap within a team, players form two groups, i.e., a plant administrator group and a headquarters administrator group. The former is responsible for maintaining the safety and security of the plants. The objective of the plant administrator group is to maintain stable plant operations through five turns regardless of the nature of the cyber incident. On the other hand, the headquarters administrator group is responsible for the overall network security, the company’s budget, and its profit. The objective of the headquarters administrator group is to maximize revenue.

Here, action cards are distributed to the groups based on their role. Each group initially has no information about the other group’s action cards. Then, both groups discuss their actions through a chat system. The chat system enables us to observe the decision-making process because it records the communication.

In the proposed exercise, the chat system is used by both the players and the facilitator. The facilitator provides the message-phase information to the plant and headquarters administrator groups at the start of the action phase. Each group receives only the information related to their responsibility; however, the players can obtain information from each other using the chat system. When players determine the action cards they will play, the headquarters administrator group notifies the facilitator of the cards’ IDs. After the facilitator enters the selected action cards into the game console, the moderator uses the administrator console to proceed to the revenue phase. The administrator console shows the temporary revenue and budget available after the revenue phase. Then, the facilitator checks the result of each team on the game console and sends the results to each group. In the report phase, the card assistant then gives an additional action card to an applicable group that chose an action card that leads to a new event. The moderator then oversees the next message phase and cycles the above process five times. Figure 3 shows the relationships among the stakeholders in the proposed exercise.

[Figure 3: diagram of five roles. Players: plant administrator (chat system user); Players: headquarter administrator (chat system user); Moderator (administrator console user); Card Assistant (assistant console user); Facilitator (game console and chat system user). Arrow labels: "Discuss actions", "Gives action cards of headquarter", "Gives action cards of plant", "Explains rules and moderate an exercise", "Gives messages", "Reports action cards or reports", "Informs an end of card distribution", "Informs an end of a phase", "Advances each phase".]

Figure 3 Relationships among stakeholders in proposed exercise
4. Implementation and Trial

4.1. Prototype Implementation

The water plant scenario was used for a prototype implementation. Here, 12 action cards were assigned as headquarters administrator cards and 18 action cards were assigned to the plant administrators. Slack [7] was used as the chat system for the proposed exercise. Slack records user messages and can create channels for individual communication. Here, channel 1 was between the headquarters administrators and the facilitator, channel 2 was between the plant administrators and the facilitator, and channel 3 was between the headquarters administrators and the plant administrators. Note that the facilitator could observe channel 3 to understand the teams’ situations.

4.2. Trial

In September 2017, the proposed exercise was performed with 42 participants involved in CI companies. Seven teams were organized in this trial. The facilitator provided information to the headquarters group and the site group. Participants tried the prototype game and evaluated, through a survey, whether the game is effective in raising awareness of the importance of communication skills in incident response. As a result, 97% of the participants desired implementation of the proposed exercise at their company, which shows that this exercise is an effective evaluation tool.
5. Concluding Remarks

In this paper, we have proposed a new cyber incident exercise method that considers the complexity of decision making and communication skills. KIPS is an effective training tool for security awareness at CI companies; thus, we redesigned KIPS as an inter-organization exercise by implementing a chat system. An initial trial of the proposed exercise satisfied many participants who work at CI companies. In the future, we plan to analyze the chat logs of players that earned high revenue to determine effective communication processes.
Acknowledgement

Masato Matsuoka of Kaspersky Lab made significant contributions to our research. This research would not have been possible without his technical support and advice. We thank him for providing permission to use KIPS for the proposed exercise.
References

[1] K. Zetter, 2011, An Unprecedented Look at Stuxnet, the World’s First Digital Weapon, https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/
[2] R. Lee, M. Assante, and T. Conway, 2014, Dec 30. German Steel Mill Cyber Attack, SANS ICS
[3] S. Smith, 2015 May 12, Cybercrime will cost business over 2 Trillion, https://www.juniperresearch.com/press/press-releases/cybercrime-cost-businesses-over2trillion
[4] P. Cichonski, T. Millar, T. Grance and K. Scarfone, 2012, Computer Security Incident Handling Guide, NIST, p16
[5] T. Aoyama, H. Naruoka, I. Koshijima and K. Watanabe, 2015, How management goes wrong?–The human factor lessons learned from a cyber incident handling exercise, 6th International Conference on Applied Human Factors and Ergonomics and Affiliated Conferences
[6] Kaspersky Lab. 2017, Kaspersky Security Awareness Building a safe corporate cyberenvironment with gamified training, https://www.kaspersky.com/enterprise-security/securityawareness
[7] Slack, 2017, https://slack.com/