
Purple seven-ntxissacsc5 walcutt

Published at NTXISSACSC5

  1. NTXISSA Cyber Security Conference – November 10-11, 2017 @NTXISSA #NTXISSACSC5. Tabletop exercises ARE more fun than setting fires. Christopher Walcutt, CISM, CISSP, Director, DirectDefense. 11/11/2017
  2. Why Tabletop?
  3. How?
  4. Why Now? Information Sharing
  5. What to Expect?
     • Simulated exercise
     • Designed to challenge
     • Foster interaction and communication across organizations
     • Coordinated physical and cyber attacks
     • Practice, practice, practice! Check your readiness
     • KNOW the phases
  6. Who's involved? Planning (Security/Business Continuity), Business, HR, Execs, Physical Security, Corp Comms, IT
  7. How it works?
  8. You are not alone
  9. Expectations of you
     • Full two-day commitment
     • Need buy-in and support from management to participate
     • No "day job" activities during the exercise
     • Teamwork is key
     • Be prepared to learn and teach
     • Most scenarios will require multiple disciplines/skill sets
     • Scenarios will change during the course of the day
     • Effective communication is essential
  10. What to Expect?
     • Post-meeting discussions
     • Establish Incident Command Structure positions
     • Determine future meeting schedule
       • Where, when, and how long to meet
     • Determine how communications will be handled
       • SharePoint or other appropriate site
     • Identify other groups needed to participate
     • Continue to mature the exercise
       • Metrics
       • Simulations
       • Advanced attack methods
       • Increased information protection
  11. What to Expect?
  12. Incident Reporting
     • Regulators
     • Industry ISACs (REN-ISAC, FS-ISAC, E-ISAC)
     • Timing requirements
     • Interface with third parties
     • Contractual requirements
     • Insurance requirements
     • Outside counsel
  13. What the MSEL? (Master Scenario Events List)
     • Injects are scenarios
     • They appear quickly and overlap
     • Designed to test and may induce stress
     • Beware the modifiers
     • Take notes
     • Stay engaged
     • Phone a friend
     • Use the facilitator
  14. Resource Planning (Timing). Gantt-style chart (image not preserved): for each of Phase 2, Phase 3 and Phase 4, a 5-to-60-minute timeline with one row each for Technical, Operations and Physical.
  15. Resource Planning (Effort). Inject schedule with the estimated effort level for each group (Tech = Technical, Ops = Operations, Phys = Physical), the group interaction required, the start time within the move, and facilitator notes:

     Day / Move     Inject             Tech  Ops  Phys  Group interaction              Start  Notes
     Day 1, Move 1  NERC 1.3           1     2    2     Technical contacts others      T-0    Hold other inject sheets
                    NERC 1.3.2         3     0    0     None                           T-5
                    NERC 1.5           0     0    3     None                           T-10
                    NERC 1.8           2     3    3     Coordination required          T-20   Ties to NERC 1.5
                    NERC 1.4           2     0    0     None                           T-30
                    NERC 1.11          3     0    0     None                           T-0    Ties to NERC 1.8
                    NERC 1.7           2     3    0     Coordination required          T-0
                    SOC Breach 1       0     0    5     None                           T-0    TBD
                    NERC 1.5.1/1.5.2   2     3    4     Coordination required          T-30
     Day 1, Move 2  NERC 2.1           1     2    0     Technical contacts Operations  T-0    Hold Operations inject sheets
                    NERC 2.19          0     0    3     None                           T-0
                    NERC 2.7           2     2    0     Technical contacts Operations  T-15   Hold Operations inject sheets; ties to NERC 1.11
                    NERC 2.4           2     3    0     Operations contacts Technical  T-30   Hold Technical inject sheets
                    NERC 2.8           2     3    2     Coordination required          T-40
                    SOC Breach 2       0     0    5     None                           T-0
                    NERC 2.1.1         4     2    0     Coordination required          T-0
                    NERC 2.4.1         1     2    0     Coordination required          T-10
                    NERC 2.12          3     2    3     Operations contacts others     T-30   Hold other inject sheets
                    NERC 2.17          3     0    0     None                           T-45
     Day 2, Move 3  NERC 3.2.1         2     2    2     None                           T-0    Remind teams of personnel limitations incurred
                    NERC 3.11          2     0    0     None                           T-10   Remind teams of resource limitations incurred
                    NERC 3.12          2     3    3     Coordination required          T-10   Damage ties to NERC 2.7
                    NERC 3.12.1        3     3    2     Coordination required          T-15
                    NERC 3.5.1         4     4    3     Coordination required          T-30
                    NERC 3.9           3     2    0     Coordination required          T-0
                    NERC 3.14          2     2    3     Coordination required          T-10   Dependent on documented processes
                    NERC 3.10          1     0    0     None                           T-20
                    NERC 3.13          3     3    2     Coordination required          T-30
     Day 2, Move 4  NERC 4.2.1         3     2    2     Coordination required          T-0
                    NERC 4.3           2     4    0     Coordination required          T-10
                    SOC Breach 3       0     0    5     None                           T-10   TBD
                    NERC 4.5           2     2    0     Coordination required          T-20
                    NERC 4.7           1     0    2     Coordination required          T-30
                    NERC 4.6           2     2    0     Coordination required          T-30
                    NERC 4.8           2     4    0     Coordination required          T-40

     Estimated effort level: 0 = inject does not apply to group; 1 = minimal effort, 5 minutes; 2 = 10 minutes; 3 = moderate effort, 15 minutes; 4 = 20 minutes; 5 = extreme effort, 30+ minutes. Borders on the slide indicate breaks. The slide also lists Phase 2 through Phase 7 beside the legend; the Count slide labels these as Move 1 P2, Move 1 P3, Move 2 P4, Move 2 P5, Move 3 and Move 4 (presumably P6 and P7).
  16. Resource Planning (Count). Number of injects touching each group per move and phase (the bar chart on the slide plots the same numbers):

     Group        Move 1 P2  Move 1 P3  Move 2 P4  Move 2 P5  Move 3  Move 4
     Technical    4          3.5        4          4          9       6
     Operations   2          2.5        4          3          7       5
     Physical     3          2.5        2          2          6       3
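The three resource-planning slides are the output of a simple bookkeeping step a facilitator does before the day: tally who is busy in each phase and confirm the injects fire in an order the teams can follow. The script below is an added example, not code from the talk or from DirectDefense. It loads Day 1 (Moves 1 and 2) of the effort table as constructed input, using the inject IDs and effort levels from the slide, and derives the per-group counts the Count slide shows, the minute load per phase, and two checks: no group is booked beyond the phase window, and no inject "ties to" an inject the teams have not yet received. Assumptions: each phase is the 60-minute window the Timing slide's axis shows, "T-n" means n minutes into the phase, and the P2/P3 and P4/P5 split falls where the clock resets to T-0 (with that split, the counts match the Count slide except Move 1 P3, where the slide shows 3.5/2.5/2.5, presumably from splitting the paired NERC 1.5.1/1.5.2 row).

```python
"""MSEL resource-planning check for a tabletop exercise (added example).

Not code from the talk. It takes an inject schedule laid out like the
"Resource Planning (Effort)" slide and derives what the "Count" and
"Timing" slides show, then runs two facilitator sanity checks.
"""
from collections import defaultdict

GROUPS = ("Technical", "Operations", "Physical")

# Effort level -> estimated minutes, from the slide's legend.
EFFORT_MINUTES = {0: 0, 1: 5, 2: 10, 3: 15, 4: 20, 5: 30}

# Assumed: each phase is the 60-minute window the timing slide's axis shows.
PHASE_WINDOW_MIN = 60

PHASE_ORDER = ["P2", "P3", "P4", "P5"]

# Rows: (phase, inject, technical, operations, physical, start_min, ties_to).
# Constructed from Day 1 (Moves 1-2) of the slide. "T-n" is taken to mean
# n minutes into the phase; the P2/P3 and P4/P5 split is assumed at the
# points where the clock resets to T-0.
INJECTS = [
    ("P2", "NERC 1.3",         1, 2, 2,  0, None),
    ("P2", "NERC 1.3.2",       3, 0, 0,  5, None),
    ("P2", "NERC 1.5",         0, 0, 3, 10, None),
    ("P2", "NERC 1.8",         2, 3, 3, 20, "NERC 1.5"),
    ("P2", "NERC 1.4",         2, 0, 0, 30, None),
    ("P3", "NERC 1.11",        3, 0, 0,  0, "NERC 1.8"),
    ("P3", "NERC 1.7",         2, 3, 0,  0, None),
    ("P3", "SOC Breach 1",     0, 0, 5,  0, None),
    ("P3", "NERC 1.5.1/1.5.2", 2, 3, 4, 30, None),
    ("P4", "NERC 2.1",         1, 2, 0,  0, None),
    ("P4", "NERC 2.19",        0, 0, 3,  0, None),
    ("P4", "NERC 2.7",         2, 2, 0, 15, "NERC 1.11"),
    ("P4", "NERC 2.4",         2, 3, 0, 30, None),
    ("P4", "NERC 2.8",         2, 3, 2, 40, None),
    ("P5", "SOC Breach 2",     0, 0, 5,  0, None),
    ("P5", "NERC 2.1.1",       4, 2, 0,  0, None),
    ("P5", "NERC 2.4.1",       1, 2, 0, 10, None),
    ("P5", "NERC 2.12",        3, 2, 3, 30, None),
    ("P5", "NERC 2.17",        3, 0, 0, 45, None),
]


def inject_counts(injects=INJECTS):
    """Injects per phase that touch each group (effort level > 0).

    This is the number the "Resource Planning (Count)" slide charts.
    """
    counts = defaultdict(lambda: dict.fromkeys(GROUPS, 0))
    for phase, _name, tech, ops, phys, _start, _tie in injects:
        for group, level in zip(GROUPS, (tech, ops, phys)):
            if level > 0:
                counts[phase][group] += 1
    return dict(counts)


def minute_load(injects=INJECTS):
    """Estimated minutes of work per group per phase, via the legend."""
    load = defaultdict(lambda: dict.fromkeys(GROUPS, 0))
    for phase, _name, tech, ops, phys, _start, _tie in injects:
        for group, level in zip(GROUPS, (tech, ops, phys)):
            load[phase][group] += EFFORT_MINUTES[level]
    return dict(load)


def overloaded(injects=INJECTS, window=PHASE_WINDOW_MIN):
    """(phase, group) pairs whose summed effort exceeds the phase window."""
    return sorted((phase, group)
                  for phase, groups in minute_load(injects).items()
                  for group, minutes in groups.items() if minutes > window)


def ordering_problems(injects=INJECTS, phase_order=PHASE_ORDER):
    """Injects whose 'ties to' target has not fired when they are delivered.

    A tie is fine when the referenced inject fires in an earlier phase or
    earlier in the same phase; anything else asks teams to react to a
    scenario element they have not yet received.
    """
    fires_at = {name: (phase_order.index(phase), start)
                for phase, name, _t, _o, _p, start, _tie in injects}
    problems = []
    for phase, name, _t, _o, _p, start, tie in injects:
        if tie is None:
            continue
        if tie not in fires_at:
            problems.append((name, tie, "unknown inject"))
        elif fires_at[tie] >= (phase_order.index(phase), start):
            problems.append((name, tie, "fires before or with its dependency"))
    return problems


if __name__ == "__main__":
    for phase in PHASE_ORDER:
        print(phase, inject_counts()[phase], minute_load()[phase])
    print("overloaded:", overloaded())
    print("ordering problems:", ordering_problems())
```

With the slide's Day 1 data no group exceeds 60 minutes in any phase and every tie points backwards, so both checks come back empty; tightening the window to 40 minutes surfaces the Physical group in P3 and P5, Operations in P4 and Technical in P5, which is the kind of hot spot the facilitator smooths by holding inject sheets, as the Notes column records.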
  17. Roles
     • Deputy Incident Commander (D-IC): interfaces directly with the AC (Area Command, see slide 19); coordinates incident response activities; empowered to make departmental decisions
     • Backup Deputy Incident Commander: fills the same role as the D-IC
     • Planning Section Chief (P-SC): collects, evaluates, and disseminates information; maintains intelligence on the situation; maintains and monitors status of resources assigned to the incident; coordinates department on-call and schedule rotations, vendor services
     • Operations Section Chief (O-SC): manages on-scene tactical operations goals; goals relate to mitigation/remediation, protection and control; collects and preserves data; liaison between incident personnel and D-IC
  18. ACTIVATING THE SIRT. SIRT must be contacted when the incident classification table is utilized! State Public Commission Committee must be notified if incidents meet CIP parameters!
  19. DOCUMENT STRUCTURE
     • UIRP:
       • This document addresses cyber and physical security events affecting corporate assets which may negatively impact the risk posture of the corporation
       • This document covers a corporate-level framework; individual departments are responsible for creating detailed procedures
       • Personnel involved in this framework are part of the IUSAN Incident Command System (ICS)
     • ICS:
       • A two-tiered command structure coordinated at a company level by the Area Command layer, with specific division-level activities carried out by the Incident Command layer
       • Enacted for physical and cyber incidents that are not related to storms
     • The UIRP document and ICS structure must meet requirements laid out by:
       • National Institute of Standards and Technology (SP 800-61 Rev 2, SP 800-122)
       • International Organization for Standardization ISO/IEC 27035:2011
       • North American Electric Reliability Corporation CIP-008-5
       • Sarbanes-Oxley Act of 2002
  20. ICS
  21. REPORTING WORKFLOW
  22. BOOM
  23. LESSONS LEARNED (grouped on the slide under People, Process and Technology)
     • Normal Operations & Contingency Planning
     • Incident Response Training
     • Information Sharing
     • Security Clearances
     • Off-hours Support from Spain
     • Event Notification, Discussions, and Training
     • OT Backbone Network Monitoring
     • Electric Operations Resource Prioritization
     • SDLC with Security Focus
     • Resourcing During Events
     • Corporate Mechanism for Lessons Learned
     • Paper Copies of Procedures (Go Bags)
     • Hot Line Phones
     • Criteria for IT / OT Network Disconnect
     • Reviewing Recent Alerts / Past Events
     • Talking Points for PLO / PIO Execs
     • Data Owner / Data Custodian
     • First Responder Training / Forensics
     • Notification Sharing & Repository
     • Notification Triggers
     • Central Inventory Repository
     • Estimated Time to Recovery
     • Asset Classification
     • Data Retention
     • Baseline Configuration
  24. LESSONS LEARNED PLANNING. Post Exercise – 5-Year Development Plan
  25. PRIORITIZATION
  26. TRACKING
  27. Thank you. cwalcutt@directdefense.com 410-207-9117
