
Everything You Need To Know About Cyber Security Simulations

It’s one thing to talk about cyber drills in the abstract. It’s another thing entirely to think up and put together what an actual cyber drill will look like in practice. Until you perform a cyber drill, it can be difficult to appreciate just how much goes into one, and to recognize that cyber security simulations involve far more than “playbooks” or rote responses to simple challenges.

Let’s highlight these differences by walking through what a real-world cyber drill might look like, from the initial process of alerting relevant parties, through to post-incident cleanup. This will give you an appreciation of everything that goes into effective cyber drill planning and execution.

The purpose of a cyber security simulation 

Above all, cyber drills are designed to improve your company’s readiness to respond to an actual cyber crisis. Cyber drills help your team develop the “muscle memory” necessary to mitigate a threat quickly, while maintaining operational and business continuity throughout.

Put another way, cyber drills help to establish resilience, which is the key not only to a business’s survival following an attack, but also to its ability to keep functioning, at least to a certain extent, during an attack. The drills are an opportunity to fine-tune organizational processes, find gaps in existing response plans and ensure that responsibilities are assigned appropriately to your management, IT team, maritime operations team and so on.


Preparation for cyber security simulations is key

Before you begin, it is important to determine the scope and objectives of the simulation:

  • What are you planning to practice: the cyber and IT aspects, or business aspects as well?
  • Who needs to be involved: C-level executives only, or mid-level team members too?
  • Which scenarios will you focus on?
  • Which issues and dilemmas are you planning to focus on and practice?

Having decided on these aspects, the next step is to develop the scenario, the attack vector and the inputs (injects) for the simulation, in order to make it as realistic as possible. It is important that each participant has challenges and tasks that keep them immersed in the simulation.

It is at this point that your choice of partner for planning and conducting the simulation matters. Companies that have industry experience, coupled with experience in managing actual cyber incidents, will be able to develop the most realistic scenarios and to engage participants to the highest degree.

Before beginning the simulation, it is very helpful to hold individual as well as group discussions. This involves preparing a list of key challenges, dilemmas and priorities for each element of the simulation, down to the participant level. One of the most important elements of these simulations is actually the preparation: it puts both the participants and the organization in the right frame of mind before the simulation begins.


Cyber security simulation example

A cyber security simulation should include all of the following steps (or focus on some of them to a greater degree):

1. Incident discovery

First, stakeholders need to be alerted to the incident. As part of your simulation, practice the process of reporting an attack or disruption to both your operations teams – including vessel crews, trucks, trains and yard operators – and the IT team. Make sure, too, that managers and executives are tuned in.

2. Investigate

When stakeholders are first alerted to the incident, they should not receive details of its cause or of what it affects, since in a real-world crisis that information would not typically be readily available. Instead, the task falls to the various teams to investigate the incident and determine exactly which systems or processes it places at risk.

3. Initiate secondary response

While investigation is underway, your teams can also initiate what is known as secondary response. This means work such as recovering data from backups, resetting passwords and redirecting vessels to different ports or terminals that remain operational.

These processes don’t mitigate the underlying threat – that’s why they constitute secondary, rather than primary, response – but they can help to contain its impact.

4. Engage with cybercriminals

In some cases, cybercriminals may contact you during your incident response process to demand a substantial ransom. Factor this scenario into your cyber security simulation by practicing how to respond to a ransom request. In many instances, the response will depend on how much ransom is being demanded, which data or systems the attackers claim to have taken over and whether you can verify that they actually compromised those resources.

5. PR response

Disclosure of an incident is likely to trigger negative coverage in the media. Practice how your organization will respond; simulating the drafting of press releases, for example, is advisable. An additional step is to decide which statements will be made to the media, when, and by which executive, in order to protect the business’s reputation.

6. Getting back to business

Finally, determine which steps your teams will take to transition back to normal operations once the incident has been fully mitigated. This transition should include not just resuming regular activity, but also determining how to prevent a similar incident from recurring in the future, in order to build greater resilience.

Your transition back to normal may also include further negotiations with the attackers to ensure they abide by any terms you set when paying a ransom, if you choose that route. Plan, too, for extended PR coverage of the incident, as well as engagement with your business partners and customers, who are likely to ask questions about the event for some time after the incident has been resolved.

Simulations are about observing

Throughout the cyber simulation it is important to observe and document:

  • Key decisions and how they were reached
  • The structure and effectiveness of the discussions
  • Whether existing policies were followed or left aside

It is helpful to nominate observers from within the organization, not only external ones (if an external company is managing the simulation). Internal observers will be able to see what can be improved from within the business, making them a crucial element of the simulation.

Debriefing, based on these observations, is an important element following the simulation. It gives you the opportunity to analyze what each participant learned during the simulation, while the experience is still fresh in everyone’s minds. It is equally important to conduct a second debriefing session later on, once the participants have had time to digest the experience.

Final thoughts

Every cyber attack is different, so you can’t predict exactly what will happen. That’s why you should practice a variety of cyber security simulations to build maritime cyber resiliency. A properly conducted simulation will:

  • Give you a clearer understanding of internal processes
  • Help you discover necessary changes in procedures and critical business processes
  • Show you more about your organization’s capacity for resilience than can be gained from audits and assessments

Cyberstar can help. We specialize in tailoring cyber drills to our maritime and logistics clients’ needs based on their specific risks and the incidents they are most likely to face. We also follow up cyber drills with surveys that help us determine what stakeholders learned and how to make future simulations even more effective. With this approach, we give management a much deeper understanding of the full scope of the risks they face – from an IT, operational and PR perspective – due to cyber security threats.

Contact Cyberstar to learn more about optimizing your business’s maritime cyber resiliency.
