Gemc Tech Irp TTX
Tabletop Exercise
Elaine Johns
EnerVision, Inc.
September 21, 2017
Your Facilitators Today
Incident Response Planning
What?
An incident response plan (IRP) is a set of written instructions for detecting, responding to and limiting the effects of an information security event.
Why?
o Ensures proper detection of attack
o Ensures proper protocol is followed to contain violation of confidentiality, integrity or availability of information
o Is a PCI DSS requirement
o Is the same reason why you have an ERP
Incident Response Phases
1. Preparation
2. Detection and Analysis
3. Containment, Eradication, and Recovery
4. Post-Incident Activities
Incident Response Phases
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
From SEDC's ISPL
Information Security Incident Policy
o Incident Response Plan
o Incident Response Form
o Incident Response Contact List
IRP Implementation Steps
1. Adopt Incident Management Policy
2. Adopt Incident Response Plan
   A. Establish Response Team and define roles
   B. Define communication guidelines
   C. Define detection capabilities (in-house or contractor)
   D. Define analysis capabilities (in-house or contractor)
   E. Define tools inventory (disk images, etc.)
3. Conduct tabletop exercise
Source: SEDC ISPL
TABLETOP EXERCISE
Tabletop Exercise (TTX) Goals:
o Prepare you to conduct TTX at home utilities
o Simulate steps for each incident response phase
o Identify takeaways and next steps
TTX Ground Rules
o Everyone speaks
o Respect the speaker
o No idea is dumb
o Avoid Bar Discussions
o Stay on Schedule
TTX Structure
Injects and Responses
o One Scribe and one Speaker selected (volunteered) per table
o 2 injects (describing incident events), introduced one at a time
o Table discussions on what actions should be taken
o Short description of responses written on flipchart & posted on wall
o After each inject, 2 different tables present their responses
Hot Wash
o After exercise, group debrief using Hot Wash format
Bison Valley Electric Cooperative (BVEC)
o Distribution electric utility with 55,000 members
o Has an AMI system
TTX: Inject 1
o MDM showing energy usage anomalies with 3 residential accounts
o Number of anomalies grows by 8 accounts
o More anomalies; BVEC receives a ransomware email (4 BTC ransom)
TTX: Inject 2
Jan. 8
o BVEC activates Incident Response team
o BVEC does not pay ransom
o AMI is restored from backup
Jan. 9
o BVEC received another request for 40 BTC ransom
o Hackers said that they will publish 20% of PII data of BVEC members
HOT WASH
o Top 3 Takeaways
o Top 3 Next Steps
o Feedback
For your free copy of SEDC's Information Security Program Library (ISPL):
https://www.sedata.com/cyber/