Resilient and Ready: Setting the Stage for ČEZ's Cybersecurity Exercise (Part I)
A Puzzle for You: Inspired by INDUSTROYER2 and CADDYWIPER incidents, utilizing OT devices, storytelling, gamification, and, of course, ChatGPT! What could it be?
Resilient and Ready: ČEZ Employees Defend Against Cyber Attacks in KYPO Cyber Range Platform (Part II)
Welcome to the second part of our case study, where we delve deep into cybersecurity exercise for ČEZ, witnessing their employees defend against cyber-attacks in the KYPO Cyber Range Platform. Building on the exercise preparation details covered in the first part, our focus now shifts to the exercise experience and the lessons learned. Stay tuned for an insider's look at the exercise execution!
From Theory to Reality
At the core of our approach is the belief that the best hands-on experience is formed by the state-of-the-art theory. As the exercise begins, participants embark on two days of theoretical briefings, exploring the perspectives of red and blue teams.
Now, you might think, "Sounds pretty boring, huh?" But fear not; we make this part of the exercise engaging and interactive. During the briefing, participants can discuss with our experts, making the learning experience dynamic. And if that's not enough to keep everyone on their toes, we have a secret weapon – quality coffee to fuel their minds and energize their curiosity.
As a result, participants are fully equipped with all the necessary knowledge and crucial documents, including documentation, SOC and IT/OT infrastructure processes, information guidelines, and relevant websites.
The real excitement unfolds during the hands-on phase. This year, we've introduced a new exercise structure that utilizes a hierarchy. Organized into four distinct groups, participants assemble into three Blue Teams, each simulating an individual power plant. Meanwhile, one SOC team assumes the vital supervisory role. This approach introduces heightened coordination and communication demands throughout the exercise. We've also incorporated essential processes to follow, such as emergency shutdown protocols, incident response procedures, warning publication, and data request processes.
Navigating their respective topologies, the teams delve into the incident investigation. The hardening of infrastructures follows. They fortify their systems by employing diverse techniques, such as AD GPO, PowerShell scripts, DNS configuration, Exchange servers, and Firewalls. Moreover, they skillfully implement filters in Kibana, ensuring swift identification of ongoing attacks.
While the exercise centers around collaborative incident response within a dynamic scenario, it also presents a constant stream of challenges that add layers of complexity to the evolving situation. And, of course, the importance of communication with users inside the organization cannot be overlooked. By the way, AI is vital in simulating employees' daily operations within the prepared infrastructures.
Post-Exercise Reflections
Each exercise is a wellspring of insights for future improvements, and we're dedicated to making the most of these opportunities. Throughout the exercise, we diligently took notes, gathered feedback from participants afterward, and distributed a feedback form to gather comprehensive insights.
We received positive feedback highlighting the exercise's design, encompassing the scenario, technical infrastructure, and non-technical elements. We would like to particularly emphasize three key lessons that we have gleaned from this exercise:
- Enhancing the Physical Dimension: The exercise's overall experience was significantly elevated by incorporating physical elements. Beyond the pleasant venue, the spotlight was on Operational Technologies (OTs) emulating a power plant. This added realism brought the entire cybersecurity scenario to life.
- Embracing Unpredictability: Even with meticulous scenario control and comprehensive information, the potent blend of high motivation and outside-of-the-box thinking can deliver unexpected outcomes that challenge our team during the event. Without delving into the specifics, the takeaway is the importance of having a plan B for certain facets of the scenario.
- Ongoing Lecturer Support: Our lecturers remained consistently present on-site, extending support whenever required. This approach garnered appreciation from both participants and organizers alike.
We firmly believe that our collaboration with ČEZ is far from over. Drawing from this experience, we are committed to further pushing the boundaries of our cybersecurity exercises. We are refining scenario infrastructure and honing other critical (non)technical elements. When aiming for training excellence, the quality of services must inevitably mirror the same standards.