Seeking to Develop Exercises That Test Response Capabilities to Any Threat & Add Value

Conducting an exercise can be a very useful tool for testing policies, procedures and actions of institutions for dealing with a perceived threat scenario. It offers the advantage of providing an idea of what would really happen if the worst was to happen without doing any real damage. It can provide answers to questions without learning the hard way after a real incident such as: are our policies adequate to the tasks required for dealing with an incident, do our procedures work smoothly and as expected, and are all the relevant players available to participate? Keeping the scenario as close to real life as possible will provide the best opportunity for lessons learned after the exercise to make for a better incident response capability for when that“bad day” actually arrives. They can also be applied to dealing with the same scenarios that have a different event causing the incident.

An exercise that took place in Prague in 2014 published on the website of the NATO Energy Security Center of Excellence seems a good example of such a successful exercise. The test was very specific in its goal: to see how public, private and military institutions would respond to a power blackout of the Czech Republic capital of Prague lasting up to 3 days. The scenario that was developed was based on a real event that took place the year before. In June of 2013 a partial city blackout was caused by a malfunctioning transformer. The Czech Republic’s energy grid has also been affected by unstable power levels from one of its neighbors, Germany.Another event that was added to drive the scenario forward was severe weather which caused damage to power pylons leading to the city. All this resulted in a total blackout of Prague. It was estimated by the scenario participants that it would take 3 days to repair the damage and restore power to the city.

The exercise proved to be a good learning experience as many unexpected challenges surfaced. In the exercise one of the first important tasks was to deal with the problem of failed traffic lights in the city which was seriously interfering with the work of the emergency services and movement of supplies in the city. Water distribution was also affected as freezing pipes became a problem in a scenario which also included cold temperatures.The problem with freezing pipes also affected the centralized heating system used to heat residences. As the cascading difficulties of a city without power came to be realized the special capabilities of the military in transport and mobile power generation were called upon.

The exercise however failed to test one sector that in the event of a real emergency could play a very critical factor in dealing with an incident. The telecom companies did not actively participate in the exercise so few lessons were learned about the effects of a blackout on telecommunications. Unfortunately getting all relevant players on board can be difficult and if key players choose to opt out or only formally play their role the benefits of the exercise can be significantly reduced. Similar uncooperative behavior by certain sector operators also occurred in exercises I have participated in.

For more information about how the exercises ended and on all the lessons learned and local issues that were raised I refer to the article mentioned above. However there is one general lesson that can be learned from this exercise.Cities can become traps for their inhabitants when the critical infrastructure that acts as the cities “life support” is disrupted. Traveling around town is not the only activity that becomes difficult for the inhabitants. Insuring a supply of food, drinking water and heat to homes all become issues to deal with when there is a major blackout. More important is that the blackout can result from other things besides storms and unstable power grids. They can be intentionally caused by malicious actors penetrating and manipulating control systems from cyberspace.

A recent real world example of this is found in the cyber-attack that succeeded in disrupting part of Ukraine’s electric grid last December.The effects of a blackout in a major city caused by a severe storm or cyber-attack can be same. Exercises are good ways to test the available response capability to deal with a failure in critical infrastructure. It is important to get the relevant institutions and sector operators on board in order to make the exercises real enough for constructive lessons learned to appear. However consideration should also be given to including a wider range of causes (use a cyber-attack in addition to a thunderstorm) in the exercise scenarios where the capacity to deal with a wider range of real-world threats can be more fully tested and more value added to the exercise.

http://scadamag.infracritical.com/index.php/author/vytautas/

NOTE: The views expressed within this blog entry are the authors’ and do not represent the official view of any institution or organization affiliated thereof. Vytautas Butrimas has been working in cybersecurity and security policy for over 30 years. Mr. Butrimas has participated in several NATO cybersecurity exercises, contributed to various international reports and trade journals, published numerous articles and has been a speaker at conferences and trainings on industrial cybersecurity and policy issues. Has also conducted cyber risk studies of the control systems used in industrial operations. He also collaborates with the International Society of Automation (ISA) on the ISA 62443 Industrial Automation and Control System Security Standard and is Co-chair of ISA 99 Workgroup 16 on Incident Management and member of ISA 99 Workgroup 14 on security profiles for substations.