Cyber Security Crisis Management Exercises
Federal Government Health Organisation
Akela staff have a proven track record in non-technical and crisis management practice, and are responsible for the delivery of tailored cyber security outcomes in the Australian and global environments. In this case study, core Akela staff were engaged by a Federal Government health organisation to support the targeted uplift of its technical security capabilities through the delivery of a series of enterprise-wide cyber crisis simulation exercises.
Outline the problem or opportunity
The client requested a series of enterprise-wide evaluation exercises (locations of exercise participants included Canberra, Sydney, Brisbane, and several remote locations across Australia) to validate the applicability and performance of their Incident Response Framework (IMF) and improve the organisation’s preparedness to respond to a range of serious cyber incidents, without fear of failure. Through the design and delivery of tailored, real-time desktop cyber crisis simulations, key personnel were tested in their operational roles and responsibilities, strategic response coordination, decision-making structures, and cross-entity engagement aspects of the IMF. This understanding helped isolate operational risks to the client, identify key engagement gaps, refine client risk appetite, and drive targeted investment to address any capability or skill gaps across multiple countries.
The delivery of these streams of work provided an opportunity to shift client considerations from compliance with privacy legislation to pressure-testing the assumptions embedded in operational policies, validating operational resilience and guiding security maturity.
Akela staff initiated the series of exercise activities through a combination of artefact reviews (IMF, policies, risk registers and legislation) and targeted interviews with key leadership positions to understand the client operating environment and delivery requirements, vendor relationships, and network and security controls, and to profile key gaps in security coverage. Initial assessments of security responsibilities, dissonance in security authorities, and system and enterprise risk states were validated during workshops with core security and risk management client personnel. From these workshops, several potential threat perspectives and crisis scenarios were developed, tailored to the client's operating environment and risk appetites.
Scenarios were developed using a combination of industry-leading frameworks: the Carnegie-Mellon R-EACTR framework was used to inform the development of technical risk aspects, as was the NIST Computer Security Incident Handling Guide (SP 800 series). European Network and Information Security Agency (ENISA) publications informed the development of leadership responsibilities, cross-organisation collaboration, strategic response actions and external entity engagement. These scenarios were validated for plausibility and pertinence with key client security management personnel before being socialised with select members of the client's Senior Executive. Following agreement on the threat actor and crisis scenario, key personnel developed a series of exercise injections and stakeholder engagement matrices, ensuring events followed pre-scripted guidance and engaged core external entities. Injections were a combination of physical artefacts depicting external events (e.g. media reporting, physical events), roleplaying scripts (e.g. core stakeholders), media questions and technical artefacts (e.g. file dumps, connection data); these were also validated for plausibility and pertinence with security management personnel, and approved by the project sponsor prior to deployment.
In reporting for the exercises, Akela staff committed to aligning findings to a tailored framework developed in collaboration with the client and with reference to ISO 22301:2012 Societal security – Business continuity management systems. This measure ensured the focus remained on enterprise rather than individual performance, and allowed effective definition of present security capabilities contrasted against desired future-state capabilities. This framework was developed by key personnel and approved by core security management and the project sponsor prior to the exercise.
Exercise findings were informed by participant debriefing, review of artefacts created during the exercise, and observation of core leadership and risk decision-making practices. Findings were socialised with key parties prior to publication of the report, with engagement to resolve inconsistencies or tensions in observations and findings.
What was the outcome?
Akela staff were able to deliver a combination of outcomes to the client, capturing compliance, technical security, and governance improvements.
The Australian Aviation Cyber Council
On behalf of the Australian Aviation Cyber Council (AACC), Akela conducted a cyber desktop crisis management exercise on 6 December 2022. The exercise was part of the aviation sector’s overarching strategy to successfully manage significant cyber security incidents across key aviation services and systems. The exercise was designed to allow the sector to refine the way in which it works collaboratively to solve real world cyber issues impacting national services to the aviation sector.
The scope of the exercise was a walkthrough tabletop exercise that focussed on assessing the ways of working regarding information sharing, collaboration, risks and impact assessments, and response to executives, media, and Government.
Through consultation with AACC members, the exercise was designed to achieve AACC’s strategic objectives by discussing, and to a minor degree stress-testing, sector-wide business processes, response capabilities, leadership, decision-making (from junior levels to Senior Executives and Board members) and staff endurance under adverse and highly pressurised conditions.
In line with the AACC’s operational requirements and strategic intent, the objective of the exercise was to:
Akela designed the desktop exercise to incorporate different functional areas of crisis management, decision-making, and response processes across various aviation sectors such as Major Airlines, the Australian Cyber Security Centre (ACSC), Australia’s major airports, and AirServices Australia (ASA).
The exercise was designed to incorporate a range of business units across all participating organisations. The business units included:
Akela’s cyber crisis simulation exercise sought to recreate (in a compressed time frame) a series of realistic events, challenges, influences, relationships, and pressures that Australia’s aviation sector is likely to face during a protracted chain of real-world complex cyber events.
Participants were provided with scenario injections that presented information or events to form the basis of the simulation. Participants were then asked to discuss impacts, response options, processes, capabilities, and challenges faced as if they were real-world incidents. Participant responses were guided by existing individual organisational procedures, processes, technical capabilities, and internal business unit requirements (for example, legal, HR, communication teams, and senior executives).
The exercise was designed to promote a safe and trusted discussion and learning environment, encouraging participant involvement and innovation. This aimed to foster active participation of AACC members and present a mechanism by which to evaluate the sector’s familiarity with operational tempo, operational and strategic decision-making, close working relationships with other sector organisations and capabilities, and ability to manage external pressures (for example, shareholder, political, media, and legal).