Security Simulations: This Is Only A Test

Security simulations and tabletop exercises help CSOs practice and plan the best response for worst-case scenarios.

"The goal was to represent the incidents as things that really happened, or were highly possible, to make them realistic. For the most part, the tabletops pulled that off," says Eric Guerrino, senior vice president of information security at The Bank of New York, who participated in the April FS-ISAC exercise. "For example, we're more aware these days that worms and viruses can take down certain segments of the infrastructure. So malware was used in some of the scenarios."

The April tabletop is Guerrino's second tabletop exercise. He attended a similar exercise held in New York a year earlier. And, while he felt there was some confusion and inconsistency in the changing of players and escalating scenarios, he also believes both tabletops helped him look at his vulnerabilities and response plan in a different way.

"One of the things you learn quickly is you have to identify ahead of time your points of contact if something does happen," he explains. "And you learn you're not operating in a vacuumthat you need help from your physical security department, from various public agencies, your business partners and your industry at large in some cases."Communication BreakdownFailure to communicate can even jeopardize the business relationships. At the financial services tabletop in April, the two fictitious financial firmsdubbed Firms A and Bstarted out as partners. Firm B was hammered with cyberattacks coming from Firm A; however, following corporate legal advice, Firm A wouldn't admit it had a problem until it could confirm exactly what that problem was.

"There were a number of opportunities for the two fictitious firms to share information. As expected, they didn't. And by the time they figured out the two events were related, it was too late," says Byron Yancey, executive director of the FS-ISAC. "It got hard to tell if the actors were role-playing or serious. They got angry. At the end, they were moving toward terminating the business relationship. The lesson here is that if you have a trust relationship and an open channel, you can minimize your risk by sharing pertinent information."

Another point the exercises drove home: Anything can be related to anything, and customers, suppliers and infrastructure companies are inextricably linked. At the oil and gas tabletop games, cyber and physical attacks nearly took down the entire supply chain.

"During my time in the situation room, we had an unauthorized vehicle located inside the premises, which followed the initial suspicion that we were already under cyberattack and cyberdistortion," says Everett Teglas, regional manager for ChevronTexaco's Global Security team. "As it normally does in a crisis, information came in sporadic spurts from all sourcesa port, the endpoint customer, the transportation company and the storage facility. Because they were able to coordinate this information, participants realized the attack was designed to cripple the supply chain of the oil and gas infrastructure."