Why Major American Companies Held a Joint Cyber Drill, and You Should Too

Apr 11, 2024

Employees from large US enterprises, including Mastercard, Lumen Technologies, AT&T, and others recently joined with the government’s Cybersecurity and Infrastructure Security Agency (CISA) in Washington, D.C., to simulate a cyberattack on customer-facing operations. 

Held at the end of March, this drill, known as the Tri-Sector Cyber Defense Exercise, saw private sector teams split into two: one group acted as hackers, the other as defenders. The government members acted as they normally would in a similar situation. 

Why The Urgency?

The exercise was planned following increased declassification of information related to hacking threats against critical infrastructure, particularly public warnings related to China’s ongoing attempts to target the US and a recent successful breach of municipal water systems by Iranian hackers.

Hackers are increasingly targeting critical US infrastructure, including power generation and distribution. These systems are increasingly dependent on interconnected digital devices. If one element fails, it could spark a dangerous chain reaction, affecting the heating, water, and power supply across the US. 

In February, those who attended the National Sheriffs’ Association Conference in Washington, D.C., were warned by the FBI of imminent terrorist attacks on the U.S., according to reports. Those threats prompted Ohio’s Butler County Sheriff, Richard Jones, to hold a surprise press conference outlining the dangers to the public.

According to Jones, the Butler sheriff’s office is “getting five cyber hack attempts a day by the Chinese, three times a day by the Iranians, and we got hacked two years ago by the Russians.” He continued, “And that is not just us. I assume they are doing that all over the country.”

While it may seem like science fiction, critical infrastructure disruption has already happened in other countries. In 2015, three utility companies in Ukraine were disabled by BlackEnergy malware, leaving the country in the dark for six hours. A few months later, an attack was also carried out against the Israel National Electricity Authority. And, just two years prior, Iranian hacker groups managed to gain control of the floodgates of the Bowman Avenue Dam in New York state.

Why Is American Infrastructure Being Targeted?

Any industry or company is vulnerable when it comes to cyber-attacks, but energy, transport, telecommunications, manufacturing, and public-sector services are extremely lucrative targets for hacker groups. It stands to reason that any critical equipment or industry, including satellites, nuclear power plants and oil rigs, is vulnerable.

Unlike hacks against companies, hacker groups targeting critical infrastructure systems aren’t interested in stealing data. Instead, they seek to take control of systems in order to hold them for ransom or shut them down completely in a hostile attack.

The biggest concern at present is the increased tension with China due to repeated cyber attack attempts on US infrastructure. On March 23, both the US and the UK announced special sanctions against individuals linked to a Chinese intelligence-backed hacker group. 

How The Drill Worked

The Tri-Sector Cyber Defense Exercise was not the first of its kind. A similar event was held in 2022, which saw individual teams from each company competing. The 2024 event saw teams combine to learn from one another, assaulting and blocking attacks from “hacker groups” across the various sectors. 

The teams were split into two: a red team and a blue team. The red team acted as malicious attackers. Their goal was to find vulnerabilities in the defenses that real attackers could exploit. The blue team acted as the defensive side, working to detect, respond to, and contain the attack from the red team.

The red team was led by CISA of the Department of Homeland Security, the blue team by the participating companies. 

Similar to military wargames, the exercise was a means for the teams to learn from one another and test their defensive skills. The benefit of completing the exercise across multiple sectors is significant – real-world hacks often target multiple different critical infrastructure sectors at the same time. The exercise not only gave the participants a chance to work together, but set the stage for future coordination. 

The drill also included a tabletop exercise testing incident-response processes involving multiple federal agencies and company executives.

Next Steps 

While the cyber drill was incredibly useful, the participants are among the best-resourced and most-skilled enterprises in the country. There are many utility companies (especially at the municipal level) that do not have the skills, funds, or employees to successfully ward off a cyber attack. 

With this in mind, there are plans to host the event annually at a national level, broadening the reach and including some of the critical infrastructure companies not included in this drill. 

Hosting Your Own Cyber Security Drill

Smaller companies may never have the opportunity to participate in drills similar to the one recently held in Washington, but there are ways of replicating the exercise with industry peers, or within different departments in your own company, no matter your size or the amount of resources available. The benefits of staying sharp and coordinated during a crisis cannot be overstated. A simulated cyber attack drill can help your organization stay prepared. Here are some high-level ideas about how to run one: 

1. Plan and Prepare

Determine what you want to achieve from the drill. Is it testing specific defenses? Evaluating communication protocols? Once you have a clear idea of your objectives, form a team with representatives from IT security, operations, and other relevant departments. Next, pick a realistic cyberattack scenario that aligns with your goals and industry. Consider recent threats or vulnerabilities.

2. Set Up Teams

Just like the drill above, you’ll need to split into red and blue teams. The red team will simulate the attackers, while the blue team will defend the systems. You can consider partnering with a cybersecurity firm with ethical hacking experience to lead the red team for a more realistic simulation. Establish clear guidelines and rules of engagement for both teams. This includes the scope of the attack, acceptable actions, and communication protocols.

Make sure that you securely configure the systems involved in the drill to minimize risks and prevent data losses.

3. Conducting the Drill

Once you’re aligned, let the red team launch their simulated attack according to the scenario. The blue team should work to detect, respond to, and contain the attack. Have a designated team in place to monitor the exercise and document key events, successes, and failures.

4. Post-Drill Activities

After the drill concludes, hold a debriefing session with both teams. Discuss what went well, what went wrong, and lessons learned. Based on the debriefing, identify areas where your defenses or communication protocols need improvement. Develop a plan to address the identified weaknesses and improve your overall cybersecurity posture.

5. Repeating the Exercise

Conduct cyber drills regularly, at least annually. When you do repeat the drill, use different attack scenarios each time to keep the exercises challenging and relevant. If possible, share learnings and best practices internally and potentially with other organizations in your industry.

Along with cybersecurity drills, the best prevention against attacks is a good defense. Coro can help.

Copyright 2023 © Coro Cybersecurity All Rights Reserved