Operation Cyber Storm

Practice, practice, practice – it’s the motto that defenders against cyberattacks swear by. One of the biggest biennial training exercises run by the US government is the Cyber Storm games organized by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. Now in its seventh iteration, the 2020 exercise again counted Siemens among its key players, for the third year in a row.

It has to be described as the most spectacular cyberattack of 2020, if not of the decade: in the spring of 2020, hackers are suspected of having tampered with SolarWinds’ software development process, which allowed them to ship malicious code inside SolarWinds Orion – software used by many major companies and government agencies in the United States and around the world to manage and monitor their IT infrastructure. It is believed that the hackers may have been able to siphon off a trove of valuable information. Once word had gotten out, the list of victims grew day by day: the U.S. Treasury Department, the Department of Homeland Security (DHS), parts of the Pentagon and even the National Nuclear Security Administration, the agency that watches over the United States’ nuclear arsenal. Just what information was stolen remains somewhat of a mystery even today. One thing is certain: the attacks were launched by wily professionals who brooded over their plans in secret for months and months. “This is a patient, well-resourced, and focused adversary,” a spokesperson from the Cybersecurity and Infrastructure Security Agency (CISA) indicated.

Simulated attack

Could the SolarWinds hack have been prevented? “Likely,” says Abhishek Ramchandran, who works as an Offensive Security Researcher for the Siemens Cybersecurity Service Innovation group. To fend off the attack, cybersecurity experts at SolarWinds and the affected customers would have needed stronger lines of defense. Building them is precisely the objective of Cyber Storm, a type of planning game organized by CISA. During this “storm”, a large number of companies and government agencies act out simulated cyberattacks – the non-cookie-cutter sort of raids that bear a strong resemblance to the one launched against SolarWinds.

CISA conducted its first Cyber Storm exercise in 2006. The games have been held every two to three years since then. The seventh and most recent event was conducted in August 2020. About 200 companies – including Siemens – ranging from automakers, financial institutions and hospitals to government agencies such as the operators of transportation infrastructures went through three attack scenarios. The objective of the three-day exercise was to teach the participants to quickly spot threats and to combine their expertise and, thus, their strengths in a proverbial showdown against criminals. “Such exercises help companies stay one step ahead of attackers,” says Benjamin Nelson, the head of the Threat Detection and Analysis Team at the Siemens Cyber Defense Center for the Americas.

Siemens is a key partner

The Cyber Storm games are now one of the go-to tools used to repel cyberattacks in the United States. A total of 500 people from five countries took part in the first games in 2006. By 2020, that number had grown to more than 2,000 participants from 13 countries and over 90 industrial partners. All were invited by CISA. “You simply can’t turn down an invitation from the government,” Benjamin Nelson says with a smile. Siemens is an important partner for CISA because we are the leading provider of automation in the United States and many parts of the U.S. critical infrastructure use control systems made by Siemens. Siemens is also a member of various research projects run by government agencies and universities on cybersecurity and the affected technologies. “Cyber Storm gives us an opportunity to continue to strengthen our relationship with key government agencies, partners and customers,” Nelson says. And, of course, it helps make Siemens products even more secure. “By gaining an understanding of worst-case scenarios, both developers and cybersecurity experts can work closer together and develop better products,” Nelson says.

A focus on the global Internet

CISA came up with three attack scenarios for Cyber Storm 2020. One of them involved the loss of an authentication certificate. This is a security feature that a device uses to unambiguously identify itself on a network, similar to the watermarking used on tamper-proof ID cards. A third party known as the certificate authority vouches for the authenticity of the certificate. Every now and then, however, hackers succeed in copying these certificates. They then use those certificates to pass themselves off as legitimate on a network in which they have no business being. The two other scenarios were also aimed at the very foundation of the Internet. The second scenario assumed that the Domain Name System (DNS) – the system that maps every web address to an IP address – had been compromised. In the final scenario, the Border Gateway Protocol (BGP), which determines the most efficient routes for data on the Internet, came under attack.

The attacks were not real. But the SolarWinds incident clearly demonstrates that such worst-case scenarios are anything but the flights of someone’s paranoid fancy. During the planning games, the participants must analyze the scenarios and show that they have made the correct decisions and taken the right steps to either block or mitigate the threats. Four analysts from Siemens, all cybersecurity experts, took part. These “players” knew that the planning game was happening, but they did not know its exact sequence. That sequence was developed by CISA together with each participating company’s “planner”, who confronted the players with an imagined threat. The players had to react in a way that would prevent the incident from morphing into a major cyberattack.

Communication is vital

“The threats used during Cyber Storm are very realistic,” Abhishek Ramchandran says. The three days in August were a complete success for him: “Our analysts successfully met each challenge.” As part of the games, the product CERT (Computer Emergency Response Team) drew up an advisory just as it would in a real incident: a notice that would have been sent to affected Siemens customers to inform them of the incident and to provide an update for the affected software, he says. In particular, Abhishek Ramchandran noted that the coordination among the affected departments worked exceedingly well. CISA says that smooth communication among affected actors is key to successfully repelling cyberattacks – a requirement not only during real threats but also during “quiet” times, when cybersecurity experts from companies and government agencies talk with one another about the current threat situation.

The incident involving SolarWinds showed just how necessary regular training exercises are for defending ourselves. These events sharpen the tools and techniques experts need to thwart complex attacks launched by aggressors. For these reasons, Siemens plans to return for Cyber Storm 2022 with an even bigger team, Abhishek Ramchandran says. When will the games be held? Ramchandran’s lips are sealed. “If hackers knew the date, they would take advantage of it and step up their attacks,” he says. 

Locked Shields – this annual exercise, organized by NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE), provides a unique opportunity for military cyber-defenders to practice the skills they need to keep IT systems and critical infrastructure operational while under a massive cyber-attack. Involving more than 2,000 experts from nearly 30 nations, the exercise took place across 22 “cyber cities” in the fictional country of Berylia. Siemens was on board as well: the virtual cities were equipped with Siemens’ energy management Remote Terminal Units, protection devices and power control centers. The critical infrastructure set-up consisted of more than 5,000 virtualized systems and physical real-life substation devices. The emulation began with Berylia experiencing a rapidly deteriorating operational and security situation in which several hostile events coincided with coordinated cyber-attacks against major military and civilian systems. The exercise’s goal was to maintain the operation of various systems under intense pressure.

The cyber-cities were defended by blue teams – the good guys – each staffed with cybersecurity experts from NATO Member States. The opposing force consisted of military forces and cybersecurity experts from both national and private entities, including Siemens experts. This event is a great opportunity for Siemens to demonstrate its cybersecurity capabilities, and it helps our engineers to develop secure solutions. The cyber-challenge showed that defending critical infrastructure against highly skilled cyber-attackers requires an elaborate effort. Such Blue/Red team exercises are essential for developing the skills needed to protect any infrastructure from sophisticated attackers, and they help participants understand the necessity of a robust security implementation.

2021-05-14

Bernd Müller
