Case Studies

Business Continuity

Cyber Security Crisis Management Exercises

Federal Government Health Organisation
Akela staff have a proven non-technical and crisis management practice, responsible for the delivery of tailored cyber security outcomes in Australian and global environments. In this case study, core Akela staff were engaged by a Federal Government health organisation to support the targeted uplift of its technical security capabilities through the delivery of a series of enterprise-wide cyber crisis simulation exercises.

Outline the problem or opportunity
The client requested a series of enterprise-wide evaluation exercises (exercise participants were located in Canberra, Sydney, Brisbane, and several remote locations across Australia) to validate the applicability and performance of their Incident Response Framework (IMF) and to improve the organisation’s preparedness to respond to a range of serious cyber incidents, in a setting without fear of failure. Through the design and delivery of tailored, real-time desktop cyber crisis simulations, key personnel were tested on their operational roles and responsibilities, strategic response coordination, decision-making structures, and the cross-entity engagement aspects of the IMF. This understanding helped isolate operational risks to the client, identify key engagement gaps, refine the client's risk appetite, and drive targeted investment to address capability or skill gaps across multiple countries.

The delivery of these streams of work provided an opportunity to shift the client's focus from compliance with privacy legislation towards pressure-testing the assumptions embedded in operational policies, validating operational resilience and guiding security maturity.

Our approach
Akela staff initiated the series of exercise activities through a combination of artefact reviews (IMF, policies, risk registers and legislation) and targeted interviews with key leadership positions, in order to understand the client's operating environment and delivery requirements, vendor relationships, and network and security controls, and to profile key gaps in security coverage. Initial assessments of security responsibilities, dissonance in security authorities, and system and Enterprise risk states were validated during workshops with the client's core security and risk management personnel. From these workshops, several potential threat perspectives and crisis scenarios were developed, tailored to the client's operating environment and risk appetite.

Scenarios were developed using a combination of industry-leading frameworks: the Carnegie Mellon R-EACTR framework and the NIST Computer Security Incident Handling Guide (SP 800) informed the development of the technical risk aspects, while European Network and Information Security Agency (ENISA) publications informed the development of leadership responsibilities, cross-organisation collaboration, strategic response actions and external entity engagement. These scenarios were validated for plausibility and pertinence with key client security management personnel before being socialised with select members of the client's Senior Executive. Following agreement on the threat actor and crisis scenario, key personnel developed a series of exercise injections and stakeholder engagement matrices, ensuring events followed pre-scripted guidance and invoked the core external entities. Injections were a combination of physical artefacts depicting external events (e.g. media reporting, physical events), roleplaying scripts (e.g. for core stakeholders), media questions and technical artefacts (e.g. file dumps, connection data); these were also validated for plausibility and pertinence with security management personnel, and approved by the project sponsor prior to deployment.

In reporting on the exercises, Akela staff committed to aligning findings with a tailored framework developed in collaboration with the client and with reference to ISO 22301:2012 Societal Security – Business Continuity systems. This measure ensured the focus remained on Enterprise, and not individual, performance, and allowed effective definition of present security capabilities contrasted against desired future-state capabilities. This framework was developed by key personnel and approved by core security management and the project sponsor prior to the exercise.

Exercise findings were informed by participant debriefing, review of artefacts created during the exercise, and observation of core leadership and risk decision-making practices. Findings were socialised with key parties prior to publication of the report, with engagement to resolve any inconsistencies or tensions in observations and findings.

What was the outcome?
Akela staff were able to deliver a combination of outcomes to the client, capturing compliance, technical security, and governance improvements.

  • Research and development to better detect, deter and respond to emerging cyber security issues: The exercises drove refinement of expectations of the vendors contracted to provide intrusion detection, intrusion hunt and open-source threat research services to the client, in addition to providing technical uplift guidance for advanced forensics. This greatly enhanced the client’s ability to receive and expand on information pertinent to the detection, deterrence, and response aspects of cyber incident response.
  • Recommended improvements to fix vulnerabilities in products, infrastructures, and processes: The exercises delivered several reports detailing required uplifts to the technical security, functional practice and strategic engagement practices employed by the client, to maximise operational efficiencies. The reports further provided a redesign of the client’s operational response structure, to correct procedural vulnerabilities regarding flexible scaling of resources, clarification of roles and authorities, and alignment of cross-agency mandates in the event of a cyber crisis.
  • Experience with Data Loss Prevention and Data Protection, security incident and emergency response: The exercises drove targeted redesign of cross-vendor and cross-organisational information sharing practices, and data access reporting mechanisms, to enhance the exchange of critical personal and system information in the case of a crisis.
  • Provision and monitoring of access to data, IT systems, facilities, and infrastructure: The exercises drove significant redesign of the client’s access and identity management processes and practices, to enhance audit reporting in the event of a data integrity crisis - including reconsideration of vendor access management permissions and practices. Additional guidance was provided regarding the sharing of indicators of compromise between entities.
  • Communicate with a wide range of disciplines, both internally and externally: During simulation development and incident debriefing, core personnel engaged with representatives at the junior, middle, and senior management levels within the client and their vendors. Incident debriefing involved engagement across administrative, technical, specialist practitioner and legal domains, to capture insights and lessons pertinent to exercise performance.
  • Present findings, insights, and recommendations to justify decisions: The engagement report presented findings in a readily digestible format, detailing observations, key impacts, and recommendations supported by tangible evidence. The report was designed for consumption by a mid-to-senior management audience, without the assumption of technical expertise or security operations experience.
  • Establish relationships to support the delivery of services: The engagement practices employed by core personnel ensured timely and open sharing of exercise assumptions, limitations, aspirations, and constraints. Regular briefings, updates and workshops ensured “no surprises” for participants and decision makers; structured design to focus on enterprise – and not individual or vendor – performance, ensured a “no-fault” environment welcomed by participants.
  • Work in a multi-disciplinary team in an agile delivery environment: Akela’s core personnel aligned the inputs of administrative/clerical, legal, technical and specialist practitioners to develop a seamless and realistic exercise scenario. Personnel applied an Agile methodology during development, representing change management, cyber security, and business process improvement disciplines.

The Australian Aviation Cyber Council
On behalf of the Australian Aviation Cyber Council (AACC), Akela conducted a cyber desktop crisis management exercise on 6 December 2022. The exercise was part of the aviation sector’s overarching strategy to successfully manage significant cyber security incidents across key aviation services and systems. The exercise was designed to allow the sector to refine the way in which it works collaboratively to solve real-world cyber issues impacting national services to the aviation sector.

Scope
The exercise was scoped as a walkthrough tabletop exercise that focused on assessing ways of working regarding information sharing, collaboration, risk and impact assessments, and response to executives, media, and Government.

Objectives
Through consultation with AACC members, the exercise was designed to achieve the AACC’s strategic objectives by discussing, and to a minor degree stress-testing, Sector-wide business processes, response capabilities, leadership, decision-making (from junior levels to Senior Executives and Board members) and staff endurance under adverse and highly pressurised conditions.

In line with the AACC’s operational requirements and strategic intent, the objective of the exercise was to:

  • Practise the Sector in responding as one to a series of major incidents and in discussing its responsibilities within individual organisational, sector, and national-level crisis management processes.
  • Enable the aviation sector to explore various response options in line with the exercise scenario.
  • Identify potential improvement opportunities for the aviation sector’s cyber security crisis management processes, procedures, plans, and policies from a Sector and National perspective.
  • Seek to understand the roles, responsibilities, and ways of working of all parties in the management of a Sector and National level critical incident.
  • Identify capability gaps (e.g. leadership, authorities, and other non-technical and technical capabilities and abilities) within the Sector and National level crisis management response framework.
  • Conduct the exercise as a round-table, paper-based desktop exercise.
  • Plan and conduct the exercise with the endorsement of the senior cyber management of each participating organisation prior to exercise commencement.
  • Base the incidents on current real-world scenarios, with a severity classification of ‘critical’ or above.
  • Provide a report outlining the findings of the exercise, with information shared only with participating organisations.

Akela designed the desktop exercise to incorporate the different functional areas of crisis management, decision-making, and response processes across various parts of the aviation sector, such as the major airlines, the Australian Cyber Security Centre (ACSC), Australia’s major airports, and Airservices Australia (ASA).

The exercise was designed to incorporate a range of business units across all participating organisations. The business units included:

  • Cyber Operations Teams
  • Technical Operations Teams
  • Legal
  • Human Resources
  • Communications Teams
  • Organisational Security Authorities
  • Senior Executives and Board members

Our Approach
Akela’s cyber crisis simulation exercise sought to recreate (in a compressed time frame) a series of realistic events, challenges, influences, relationships, and pressures that Australia’s aviation sector is likely to face during a protracted chain of real-world complex cyber events.

Participants were provided with scenario injections that presented information or events to form the basis of the simulation. Participants were then asked to discuss the impacts, response options, processes, capabilities, and challenges faced as if they were real-world incidents. Participant responses were guided by existing individual organisational procedures, processes, technical capabilities, and internal business unit requirements (e.g. legal, HR, communications teams, and senior executives).

The exercise was designed to promote a safe and trusted discussion and learning environment, encouraging participant involvement and innovation. This aimed to foster active participation by AACC members and to provide a mechanism by which to evaluate the Sector’s familiarity with operational tempo, its operational and strategic decision-making, its close working relationships with other Sector organisations and capabilities, and its ability to manage external pressures (e.g. shareholder, political, media, and legal).