In Depth
Security Simulations: This Is Only A Test
Security simulations and tabletop exercises help CSOs practice and plan the best response for worst-case scenarios.
By Deborah Radcliff
At the financial services tabletop in April, scenarios played out in two "situation rooms" with up to 15 participants in each. The people in each situation room acted as employees for two financial companies that share customers in a longstanding business relationship. Events in the situation rooms start out simply
Outside the situation rooms, the other attendees watch events unfold over two big screens. Between sessions, moderators roam the audience with microphones taking feedback. And during the sessions, audience members use wireless handhelds to answer multiple-choice questions posted on a third screen. For example, when the exercises heated up and it became clear the authorities would be needed, the moderator posted the question: "Whom would you contact about this behavior/instance? 1. FBI; 2. Secret Service; 3. ISAC; 4. DHS; 5. No one; 6. Other companies in your sector." Most attendees didn't know whom to contact, according to Jared Graves, director of the tabletop business unit at Guidry.
"The answer is different for each sector. Financial firms contact the Secret Service because it's part of the Treasury Department. Oil and gas folks call the FBI because the pipeline's a target for terrorists. And so on," he says.
The scenarios change every hour or so, at which time new participants go into the situation rooms, old participants move to the audience, and situations continue to escalate until the two-day exercise culminates in a wide-scale attack on the infrastructure. Then the moderators capture final attendee input. The last two hours are dedicated to sharing the findings and conclusions.
Hicks, who is a former Secret Service agent, participated in a situation room about midway through the enactments at the oil and gas tabletop earlier this year.
"It was intense," he says. "Events change every 10 minutes while you're determining damage, injuries, threat to the larger public, containment and restoration. And it's not only how you handle incidents, it's how incidents roll over to companies and affect them."
The overarching findings, according to the organizers, are that communication is critical in making informed decisions, and that every company needs an action plan and contact list that are both rehearsed and up-to-date. But the devil is in the details. To make the exercises as valuable as possible, the Guidry Group contracted the development of the scenarios to a team of experts from the Center for Infrastructure and Security at the University of Texas at San Antonio that polled industry leaders about their chief security issues. Then they based most of the scenarios on real-world events the respondents had experienced.



