Here is a tabletop exercise I drafted that we’ll be running at the Second Annual NJSBA Cybersecurity Conference.
Acme Corp. manufactures and sells industrial control systems (ICS). ICS devices integrate computer chips, hardware and software and can be programmed to monitor, regulate and control various components of commercial manufacturing, assembly and packaging plants. For example, the following video shows an Acme ICS serving as the controller for a water bottling plant:
Acme’s ICS devices are network-enabled and come bundled with a software suite that allows users to monitor and control the devices through a web interface.
Acme also provides installation and maintenance services for its ICS equipment. Each ICS device must be configured for the systems it will control, which involves the creation of custom computer code. The computer code, and sometimes the hardware, must periodically be updated if the underlying system configuration changes or if Acme develops performance enhancements, bug fixes, or security patches. In a larger installation, Acme’s fees for installation and maintenance can exceed the costs of the initial hardware purchase, and the total contract price can exceed ten million dollars.
Acme maintains detailed information about each of its installations, including specific configuration information, networking details, and backup copies of computer code. This information is stored in numerous documents in a variety of formats, including, for example, Word documents, Excel spreadsheets, PowerPoint presentations, e-mails, and plain text files, on systems used by various Acme business units. Files may reside on individual computer hard drives, internal company file servers, portable media (such as thumb drives), company-owned and personal laptops, smartphones and tablets, and commercial cloud-based storage such as Google Drive and Dropbox.
ISSUE 1: A number of management-level Acme employees recently received emails purporting to have been sent by Sol Fish, Vice President for Client Relations at Acme. The emails instruct the recipients to log into a newly established sales database through a hyperlink in the email using their existing Acme network log-in credentials. Fish did not send these emails, however, nor has Acme created any new sales database. Meanwhile, Fish has received an email from Carl Kent, a business reporter for the Broad Street Journal, inquiring about the fact that the full technical specifications for an ICS installation at Port Newark were posted this morning on a number of business and government blogs. In fact, Acme won a contract to improve the automation of shipping cranes and other devices at the Port. The contract was controversial because of unsubstantiated allegations of bid rigging, cost overruns, and other political complaints. The full technical specifications are confidential for security reasons, among others. An obvious inference is that the spear-phishing attack may have allowed someone to obtain and post the confidential specifications.
ISSUE 2: In addition, Fish has received an angry call from Bill Brazos, the CEO of Consolidated Fulfillment Centers, Inc. Consolidated owns and operates large warehouse and fulfillment centers for major online retail companies. Brazos claims that an Acme ICS system installed at a Consolidated facility in Edison, NJ contained a vulnerability that allowed hackers to obtain information concerning consumers to whom products were being distributed through the Consolidated facility. Brazos says “millions” of customer accounts may have been compromised.