[Insert Organization Represented] [Insert Exercise Date]

U.S. Department of Homeland Security Cyber Tabletop Exercise for the Critical Manufacturing Sector
Damaged Goods Edition

Facilitator Notes: Welcome everyone to the exercise. Introduce the players to one another; if it is a large group, you may need to restrict introductions to participating organizations. Introduce any VIPs or guest speakers. Brief everyone on important administrative information such as the location of fire exits, restrooms, and refreshments. Inform participants where they can find the Acronym List in the SitMan for reference.

Situation Manual Reference: Page 7 – Appendix A is the Acronym List for the SitMan.
Exercise – Business Sensitive – Exercise

Operational Security (OPSEC)

This briefing contains exercise, operational, and potentially business sensitive material which, while not classified, should be safeguarded as you deem appropriate.

The Department of Homeland Security (DHS) Cyber Tabletop Exercise for the Critical Manufacturing Sector is for the Sector’s members and is intended ONLY for those members’ internal use. There is no requirement for users of this exercise to report back to DHS or any other agency, local, state or federal, regarding any part of the exercise. Any sharing of the results of this exercise is strictly up to the user.

Facilitator Notes: Explain the importance of protecting all exercise documents and discussions which take place during the exercise.

Situation Manual Reference: Page ii – Handling Instructions
Agenda

0830 – Welcome and Overview
0845 – Module 1
0925 – Module 2
1005 – Break (at facilitator discretion)
1020 – Module 3
1120 – Module 4
1145 – Hotwash and Conclusion
1200 – Facilitator, Data Collector/Evaluator Debrief

Facilitator Notes: Times can be adjusted as needed in order to meet the objectives.

Situation Manual Reference: Page iv – Agenda
Exercise Purpose and Scope

This exercise focuses on public and private stakeholders’ cybersecurity incident response and coordination with other internal and external entities regarding a potential cyber attack.

Facilitator Notes: The exercise purpose helps everyone who participates to stay focused on the desired outcome.

Situation Manual Reference: Page v – Introduction
Exercise Objectives

- Explore and address cybersecurity challenges
- Foster an understanding of the dependencies among information technology (IT), business continuity planning (BCP), crisis management, and physical security functions within an organization
- Test and evaluate cyber incident response protocols and procedures, and identify and address any gaps
- Expand on the understanding of low-cost and high-benefit human element actions which protect personally identifiable information (PII) and intellectual property
- [INSERT ADDITIONAL FACILITY SPECIFIC OBJECTIVES HERE]

Facilitator Notes: These possible objectives are focused on improving concerns affecting the Critical Manufacturing Sector. If your facility creates more objectives, be sure to add them to this section of the slide presentation.

Situation Manual Reference: Page v – Introduction
Exercise Personnel

- Players respond to the scenario as presented
- Observers watch the exercise and preparedness process
- Facilitators lead, focus and moderate group discussions
- Data collectors observe and record the discussion during the exercise, and also participate in the data analysis

Facilitator Notes: Players respond to the situation presented based on expert knowledge of current plans and procedures, and insights derived from training and experience. Observers observe the exercise; they are not participants in the moderated discussion. Facilitators provide situation updates and moderate discussions. They also provide additional information or resolve questions as required. Data Collectors are responsible for gathering and collating relevant data arising from facilitated discussions during the workshop. They will then use this information to collectively build an after-action report and improvement plan.

Situation Manual Reference: Page v – Introduction
Exercise Structure

This exercise is a moderated, scenario-driven discussion that allows participants to interact in accordance with their respective responsibilities and expertise to coordinate the response to a significant incident.

Players will participate in several exercise modules:
- Module 1 – Incident
- Module 2 – Investigation
- Module 3 – Persistent Threat
- Module 4 – Aftermath

Each module begins with a scenario update that summarizes the key events occurring within that time period. A series of questions following the scenario summary will guide the facilitated discussion of critical issues in each of the modules.

Facilitator Notes: Be sure to identify why the groups are organized the way they are. Each group will need an evaluator and a data collector to capture the group discussion. Please remind the players that the questions are not meant to constitute a definitive list of items or concerns to be addressed, nor is there a requirement to discuss every question. Participants may identify additional critical questions, issues and decisions as they pertain to the specific module.

Situation Manual Reference: Page vi – Introduction
Exercise Guidelines

- This is an open, low-stress, no-fault environment. Varying viewpoints, even disagreements, are expected
- Respond based on your knowledge of current plans and capabilities (i.e., you may use only existing assets) and insights derived from training
- Decisions are not precedent-setting and may not reflect your organization’s final position on a given issue. This is an opportunity to discuss and present multiple options and possible solutions

Facilitator Notes: This is an open, low-stress, no-fault environment. Varying viewpoints, even disagreements, are expected. Respond based on your knowledge of current plans and capabilities (i.e., you may use only existing assets) and insights derived from training. Decisions are not precedent-setting and may not reflect your organization’s final position on a given issue. This is an opportunity to discuss and present multiple options and possible solutions.

Situation Manual Reference: Page vi – Introduction
Exercise Guidelines (Continued)

- Assume cooperation and support from other responders and agencies
- Problem-solving efforts should be the focus. Issue identification is not as valuable as suggestions and recommended actions
- The situation updates, written material, and resources provided are the basis for discussion; there are no situational or surprise injects

Facilitator Notes: Assume cooperation and support from other responders and agencies. Problem-solving efforts should be the focus. Issue identification is not as valuable as suggestions and recommended actions. The situation updates, written material, and resources provided are the basis for discussion; there are no situational or surprise injects.

Situation Manual Reference: Page vi – Introduction
Assumptions and Artificialities

- The scenario is plausible and events occur as they are presented
- There is no “hidden agenda,” nor any trick questions
- All players receive information at the same time
- The scenario is not derived from current intelligence
- Timeline is presented to facilitate actual events

Facilitator Notes: In any exercise, a number of assumptions and artificialities may be necessary to complete play in the time allotted. During this exercise, the following apply: the scenario is plausible and events occur as they are presented; there is no “hidden agenda,” nor are there any trick questions; all players receive information at the same time; the scenario is not derived from current intelligence; the timeline is presented to facilitate actual events.

Situation Manual Reference: Page vi – Introduction
Module 1: Incident

Facilitator Notes: Players will participate in several exercise modules; this begins the first.
- Module 1 – Incident
- Module 2 – Investigation
- Module 3 – Persistent Threat
- Module 4 – Aftermath

Situation Manual Reference: Page 1 – Module 1: Incident
Day 1: Next FY Forecast

- Company executives review their domestic and international expansion plans
- Vital to your company:
  - Widget X, a proprietary product ready in 1 year
  - Entry into the new foreign market of Brictopia
- Also briefed: risk management, security, and information technology capital investments tied to annual operating plans

Situation Manual Reference: Page 1 – Module 1: Incident

Facilitator Notes: Company viability rests on the success of Widget X. It is a make-or-break product for the company. Brictopia is a fictional foreign country.
Day 180: Incident

- Equipment malfunctions at a Widget X production facility:
  - severely injures 4 employees
  - destroys critical Widget X manufacturing equipment
- Your company reacts to the incident

Situation Manual Reference: Page 1 – Module 1: Incident
Module 1 Questions

- What are the applicable policies, plans, and procedures?
- Do you have a business continuity plan? How does it tie in with:
  - Physical incident response plan
  - Cyber incident response plan
- Is cybersecurity included in your company’s crisis response? If so, how, why, and when? If not, what would trigger its inclusion?
- How is cybersecurity integrated into both corporate and project risk assessments and management?
- Who is in charge of the Incident Management process/teams?

Facilitator Notes: At this time, players have the opportunity for a facilitated discussion. Mention the guidelines below, then present the questions for the players to discuss.

Guidelines:
- Identify a table spokesman who will brief the group on key information.
- Complaining without offering solutions is unproductive. Ask participants to identify solutions for as many issues as possible.
- Any answers obtained by leaving the table should be shared upon return.
- Questions are recommended but not required. Not all questions may be answered.

Situation Manual Reference: Page 1 – Key Questions. Question 3 is focused on project managers and company management and may not be applicable if they are not participating in the exercise.
Module 2: Investigation

Facilitator Notes: Players will participate in four exercise modules; this begins the second.
- Module 1 – Incident
- Module 2 – Investigation
- Module 3 – Persistent Threat
- Module 4 – Aftermath

Situation Manual Reference: Page 2 – Module 2: Investigation
Day 181: Investigation

- Initial findings indicate that human error likely did not cause yesterday’s equipment malfunction
- Your management team discusses the incident with your control system vendor, ConSys
- A full investigation of the incident continues, including ConSys, which is remotely accessing the system logs for any signs of an error

Situation Manual Reference: Page 2 – Module 2: Investigation
Day 182: Investigation Continues

- Additionally, ConSys normally provides support via remote access, but has sent a response team to your facility
- Your company’s control system operator and ConSys support discuss a Human-Machine Interface (HMI) anomaly found in the logs

Situation Manual Reference: Page 2 – Module 2: Investigation
Day 194: Findings

- Investigation confirms a control system error caused the equipment malfunction
- Analysis determines that malware on the control system entered via the corporate network
- The operator’s workstation lacked key software patches and an anti-virus tool with current threat signatures
- Your company acts on recommendations to resolve these vulnerabilities

Situation Manual Reference: Page 2 – Module 2: Investigation
Module 2 Questions

- How is cyber threat information collected and analyzed? What are your external sources? How is it reported and collected internally?
- What vulnerabilities are you concerned about? How have cyber vulnerabilities changed with increased connectivity?
  - What Wi-Fi and mobile device vulnerabilities concern you? Are they included in your cyber risk assessment?
  - If applicable, are there vulnerabilities related to your internet-connected corporate network and your non-internet-connected industrial control system?
- How does your organization integrate cybersecurity into the system life cycle (i.e., design, procurement, installation, operation and disposal)?

Facilitator Notes: At this time, players have the opportunity for a facilitated discussion. Mention the guidelines below, then present the questions for the players to discuss.

Guidelines:
- Identify a table spokesman who will brief the group on key information.
- Complaining without offering solutions is unproductive. Ask participants to identify solutions for as many issues as possible.
- Any answers obtained by leaving the table should be shared upon return.

Situation Manual Reference: Page 2 – Key Questions
Module 2 Questions (Continued)

- Describe applicable human element programs and how they are developed and maintained.
- Does your company have a patch management program? How often are security logs reviewed?
- Discuss the role of cybersecurity in contracts with third-party support vendors.
- Discuss your supply chain concerns related to risk assessment and cybersecurity.
- Describe your company’s cybersecurity response planning. Does it account for both cyber and physical consequences of a cyber attack?

Facilitator Notes: At this time, players have the opportunity for a facilitated discussion. Mention the guidelines from the first Module 2 Questions slide, then present the questions for the players to discuss.

Situation Manual Reference: Page 3 – Key Questions
Module 2 Questions (Continued)

- Who leads your response to a cyber attack? Who is part of the response team? What are the escalation thresholds for their activation? How are they notified? When did they last exercise their role?
- What are your essential elements of information and key information questions necessary for operational and executive-level responses to cyber incidents?
- Who leads public information in the cybersecurity response, and why? What internal and external messages should be developed? How are they being distributed?

Facilitator Notes: At this time, players have the opportunity for a facilitated discussion. Mention the guidelines from the first Module 2 Questions slide, then present the questions for the players to discuss.

Situation Manual Reference: Page 3 – Key Questions
Module 2 Questions (Continued)

- Do your business continuity plans address these types of scenarios? Have you discussed these types of concerns and risks with crucial suppliers?
- Corporate social media and removable media policies:
  - Are there corporate policies pertaining to the use of social media (e.g., LinkedIn, Facebook, Twitter)?
  - Are there corporate policies pertaining to the use of removable media (e.g., USB thumb drives, CDs)?
  - How would these policies apply to your system maintenance personnel and/or service contractor(s)?

Facilitator Notes: At this time, players have the opportunity for a facilitated discussion. Mention the guidelines from the first Module 2 Questions slide, then present the questions for the players to discuss.

Situation Manual Reference: Page 3 – Key Questions
Break
Module 3: Persistent Threat

Facilitator Notes: Players will participate in four exercise modules; this begins the third.
- Module 1 – Incident
- Module 2 – Investigation
- Module 3 – Persistent Threat
- Module 4 – Aftermath

Situation Manual Reference: Page 4 – Module 3: Persistent Threat
Day 198: Wiping Machines

- The Widget X project manager reports some team computers have stopped working
- Company IT confirms some Widget X team hard drives and key Widget X backup files have been deleted in a manner that renders them unrecoverable

Situation Manual Reference: Page 4 – Module 3: Persistent Threat
Day 199: Cyber Incident Response

- Following reports from the Widget X project manager, your company’s chief information security officer (CISO) notifies company executives and leads a company response to a suspected cyber attack against the company
- Your company hires a third-party cybersecurity vendor to assist with the investigation and mitigation of the attack

Situation Manual Reference: Page 4 – Module 3: Persistent Threat
Day 201: Quality Control

- Quality control testing of Widget X prototypes discovers that they were not manufactured to specification
- An investigation begins to determine the cause

Situation Manual Reference: Page 4 – Module 3: Persistent Threat
Day 204: Cyber Report

- The investigation notes that the Day 198 data deletion and Day 180 equipment failure resulted from malware associated with known Brictopian cyber crime gangs
- Remediation estimated at 72 hours
- There may be additional exploits not yet detected and additional cybersecurity protective measures to be addressed
- This attack is not widely discussed with employees and not disclosed to the government or the media

Situation Manual Reference: Page 4 – Module 3: Persistent Threat
Day 210: Anon Claim

- A claim of responsibility for the attack is posted on a popular hacker internet forum
- Computer security researchers notify your company and the ICS Cyber Emergency Response Team (ICS-CERT) about the claim
- ICS-CERT contacts your company regarding the claim
- Your company has chosen to engage government and law enforcement in your response

Situation Manual Reference: Page 4 – Module 3: Persistent Threat

Facilitator Notes: “Shodan, which stands for Sentient Hyper-Optimized Data Access Network, is the ‘Google for hackers.’ … Hackers are using the Shodan computer search engine to find Internet-facing SCADA systems using potentially insecure mechanisms for authentication and authorization, according to a warning from ICS-CERT.”
Day 225: Attacker Identified

- Following a coordinated effort, government and law enforcement confirm your company is a victim of a known criminal organization, Organized Crime 1 (OC1), which operates with impunity in Brictopia
- OC1 is experienced, highly skilled, well-resourced, and financially motivated

Situation Manual Reference: Page 5 – Module 3: Persistent Threat
Day 225: Attacker Identified (Continued)

- OC1 infiltrated ConSys’ and your networks to gain access, take control of essential processes, and create backdoors for the introduction of malware
- These parallel lines of attack allowed OC1 to maintain its attack despite initial efforts to fix your company’s vulnerabilities

[Diagram: OC1 Attack Paths – Attack Path 1 and Attack Path 2 between ConSys Support, the Company Business Network, and the Company Production Network]

Situation Manual Reference: Page 5 – Module 3: Persistent Threat
Module 3 Questions

- Are internal and external communication strategies aligned?
- What are your regulatory requirements or other thresholds for contacting government entities? Others? At what point would you contact law enforcement?
- What are the key documents that support cyber preparedness for your organization? (e.g., internal plans, National Institute of Standards and Technology (NIST) guidelines, etc.)
- Discuss the current network security architecture for crucial suppliers with remote access.
- How do you address data backup and restoration? Where is it stored?

Facilitator Notes: At this time, players have the opportunity for a facilitated discussion. Mention the guidelines below, then present the questions for the players to discuss.

Guidelines:
- Identify a table spokesman who will brief the group on key information.
- Complaining without offering solutions is unproductive. Ask participants to identify solutions for as many issues as possible.
- Any answers obtained by leaving the table should be shared upon return.

Situation Manual Reference: Page 5 – Key Questions

Below are a few examples to help guide the Facilitator in the discussion of network security architecture:
- Boundary protection (management of access points; what devices, if any, are in place to monitor or control inbound/outbound network traffic and communications; connections to external networks; the protection of devices such as routers and firewalls)
- Communications protection, such as encryption, encrypted tunnels, and remote access control and management
- Border router policy, firewall policy, VPN policy, network/host-based intrusion detection system policy, etc.
- Control measures in place to protect the network against denial of service attacks
Module 3 Questions (Continued)

- What types of cybersecurity policies, plans, and/or protocols does your company have in place to detect, respond to, and/or recover from a cyber attack? Do you have detection, triage, and response capabilities?
- Do employees know what constitutes suspicious cybersecurity activities or incidents? Do they know what actions to take to avoid them or when one arises?
- Are there procedures for collecting and correlating results from physical, cyber, and other suspicious activities to achieve integrated situational awareness?
- Are there designated security personnel or authorities within your company that are responsible for the coordination, correlation, and analysis of all suspicious events to achieve organization-wide situational awareness?

Facilitator Notes: At this time, players have the opportunity for a facilitated discussion. Mention the guidelines from the first Module 3 Questions slide, then present the questions for the players to discuss. The network security architecture examples on that slide also apply here.

Situation Manual Reference: Page 5 – Key Questions
Module 4: Aftermath

Facilitator Notes: Players will participate in four exercise modules; this begins the fourth.
- Module 1 – Incident
- Module 2 – Investigation
- Module 3 – Persistent Threat
- Module 4 – Aftermath

Situation Manual Reference: Page 6 – Module 4: Aftermath
Day 270: Delayed Delivery

- While numerous remediation actions have been applied to bolster cybersecurity, the damage significantly delays Widget X development
- Investors react negatively to revised Widget X delivery dates and lowered revenue projections and earnings estimates

Situation Manual Reference: Page 6 – Module 4: Aftermath
Day 300: First to Market

- Company FC1, a Brictopian-based company, is your largest competitor in the Brictopian market
- FC1 delivers Widget Y, a direct Widget X competitor
- FC1 has entered the Brictopian market while you remain delayed

Situation Manual Reference: Page 6 – Module 4: Aftermath
Day 330: Damages

- After carefully reviewing Widget Y, your company believes FC1 has produced a Widget X clone
- Your company has suffered significant losses
- Your company begins the cost-benefit analysis of taking legal action against FC1
- Your Board of Directors, investors, and the media continue to raise questions about the incidents

Situation Manual Reference: Page 6 – Module 4: Aftermath
Module 4 Questions (Continued)

- Describe the processes and decision-making related to cybersecurity legal actions
- What are the business implications of the scenario? How would you determine them?

Facilitator Notes: At this time, players have the opportunity for a facilitated discussion. Mention the guidelines below, then present the questions for the players to discuss.

Guidelines:
- Identify a table spokesman who will brief the group on key information.
- Complaining without offering solutions is unproductive. Ask participants to identify solutions for as many issues as possible.
- Any answers obtained by leaving the table should be shared upon return.

Situation Manual Reference: Page 6 – Key Questions
Wrap Up & Hot Wash

- Participants describe overall strengths and weaknesses
- Determine recommendations
- Participants complete feedback forms

Facilitator Notes: Conducting a Hot Wash. Conduct a quick debriefing at each table. Debriefing is led by each table’s facilitator. Participants should confirm the strengths, areas for improvement, solutions, and action items they identified during the exercise. Ensure participants complete Participant Feedback Forms and submit them to the facilitator before leaving the exercise.

Situation Manual Reference: None
Points of Contact

For questions about the DHS Cyber Tabletop Exercise for the Critical Manufacturing Sector or recommendations for improvement, contact the Critical Manufacturing Sector at [Insert your own company/contact information]