Technologies for Critical Incident Preparedness
Conference 2008
October 29-31, 2008
Jim Marshall, Utah State University Research Foundation
Ernest Drew, Dennis McGrath, Norwich University Applied Research Institutes
Chris Fogle, Delta Risk
SDL/08-470 slide:
• The development team would like to thank the following individuals for their support of the project:
– Douglas Maughan, PhD/DHS Science & Technology Directorate
– Glenn Fiedelholtz, Annabelle Lee/DHS National Cyber Security Division
– John Foti, Tracy Carruth, Scott Keifer, Bridgette Spencer Walsh/Booz Allen Hamilton
– Tim Guerriero and the Massachusetts “Mass Panic” Exercise Team
• Contract No. NBCHC060088
• The underlying concepts presented today are protected under patents or other means by the team members.
SDL/08-504 Slide: 2
Utah State University Research Foundation
• Program Management
• Visualization Development
Norwich University Applied Research Institutes
• Subject Matter Expertise
• Cyber Exercise Design & Execution
Dartmouth College Institute of Security Technology Studies
• Technical Team Lead
• System Design & Database Development
Delta Risk, LLC
• Operations SME
• Cyber Exercise Design & Execution
SDL/08-504 Slide: 3
• Livewire/DHS
• TOPOFF/National Exercise Program
• Bulwark Defender/Air Force
• State, Regional, and Local Exercises
• International Exercises
SDL/08-504 Slide: 4
SDL/08-504 Slide: 5
CyberStorm II: National Level Exercise
• Conducted March 10-14, 2008 in Washington, DC by DHS National Cyber Security Division (NCSD)
• $6.4M Budget
• Five Countries
• 18 Federal Departments and Agencies
• 40+ Private Sector Companies
• 1,800 Detailed Scenario Events (“injects”)
SDL/08-504 Slide: 6
All-Hazards Exercises
• Well-established exercise culture and response plans, and authorities
• Focused on what happens after the incident
• Rehearsal of known coordination processes
• Limited technical content
• Geographical scope is well understood
Cyber Exercises
• Cyber exercise culture tends to be less mature.
• Focused on what happens before the incident; indicators and warnings may be the primary point of the exercise
• Discovery of complex interdependencies, constituencies, and decision processes
• Highly technical audience requires more technical content in the scenario
• Geographical scope may be unknown
SDL/08-504 Slide: 7
• Participation is voluntary; players may withdraw if their expectations aren’t being met.
• Player perception of risk:
– Security breaches
– Embarrassment
– Return on investment
• For the players to find the exercise credible, (1) the scenario must be true to life and (2) the events should not contradict each other.
• Events should proceed at a pace that engages each player without overwhelming him.
• The flow of events must not overwhelm the control team.
• The scenarios are complex, the events themselves may not be observable to some of the participants, and the problem chains are often non-intuitive.
SDL/08-504 Slide: 8
• Discussion-Based Exercises
– Seminars
– Workshops
– Tabletop Exercises (TTX)
– Games
• Operations-Based Exercises
– Drills
– Functional Exercises
– Full-Scale Exercises
… involves mobilization and response
CyberSMART is suitable for both types of exercises.
SDL/08-504 Slide: 9
[Figure: exercise planning process diagram. Box labels: Initial Decision; Exercise Inputs (Example: Needs Assessment); Exercise Objectives; CyberSMART; Scenario Validation; MSEL; Scenario Development; Ground Truth; Gamespace Definition; Game Space; Scenario Planning; Exercise Execution; After Action Analysis]
SDL/08-504 Slide: 10
SDL/08-504 Slide: 11
The CyberSMART Methodology Aligns to HSEEP Milestones and is Organized according to Three Parallel and Iterative Planning Tracks
SDL/08-504 Slide: 12
• Developed tool around the scenario design concepts outlined above
• Web-based tool that can be used by a distributed team
• Users can query, edit, save their own scenarios
• Participant data is segregated within the system; access is based on user roles and authentication
• Validation/visualization tools allow users to view scenarios and timelines as they develop, check for inconsistencies, etc.
SDL/08-504 Slide: 13
• The Planning View guides users through the planning process. The Data View focuses on objectives, gamespace, and scenario.
– Planning View: Organized Chronologically
– Data View: Organized Functionally
SDL/08-504 Slide: 14
SDL/08-504 Slide: 15
• Vermont State-Level Exercise, December 2007
• NCSD Support Contractor Focus Group, December 2007
• Massachusetts “Mass Panic” State-Level Exercise, May 2008
SDL/08-504 Slide: 16
• CyberSMART is currently hosted on a server at Utah State University
• Planned for hosting on FEMA’s Homeland Security Exercise and Evaluation (HSEEP) Toolkit website
– At FEMA’s request, the team drafted an annex to the HSEEP guidance documents titled “Cyber Exercises”
– Currently at FEMA in draft status
SDL/08-504 Slide: 17
Jim Marshall
Space Dynamics Laboratory
Utah State University
(435) 797-4725 jim.marshall@sdl.usu.edu
SDL/08-504 Slide: 18