In a training exercise last week, members of New England area National Guard cyber units and federal agencies simulated a cyberattack scenario in which hacks took down power, water and gas companies starting on the west coast of the United States and continuing east across the country before threatening the East Coast and New England’s critical infrastructure.
Over the course of the two-week-long scenario, known as the annual Cyber Yankee exercise, National Guard units worked with interagency partners from the FBI, the DHS Cybersecurity and Infrastructure Security Agency (CISA), the Federal Energy Regulatory Commission and U.S. Cyber Command (CYBERCOM) to simulate the complex cyber attack. This latest Cyber Yankee exercise, the seventh of its kind, taught participants to watch for anomalous activity on networks that could indicate cyber intruders and to then counteract those potential cyberattacks targeting civilian infrastructure.
The simulated cyber attack comes in the weeks and months after major cyberattacks targeting U.S. companies, such as the May Colonial Pipeline ransomware attack that forced the largest east coast fuel pipeline, responsible for about 45 percent of all U.S. southern and east coast fuel, to temporarily shut down.
Maj. Michael Frank, the cyber warfare officer for Defensive Cyber Operations-Internal Defense Measures (DCO-IDM) Company Bravo, 6th Communications Battalion, told C4ISRNET, “In order to be effective defenders of a network, you need to know what the adversary TTPs [tactics, techniques and procedures] are.”
Frank said, “Doing cyber threat emulation here and actually going through the steps of OCO [offensive cyber operations] and going through what we would expect an adversary to be doing to us, we have a better idea of how to defend our networks. . . for them to get a chance to do it from this side is hugely valuable.”
This year’s Cyber Yankee exercise saw the first use of a new cybersecurity template dubbed the “Cyber 9-Line” to assess and communicate the nature and severity of a cyber attack. CYBERCOM said the template allows users to “further diagnose a foreign attack and provide timely, unclassified feedback back to the unit, who shares with state and county governments to address the cyber incident.”
Lt. Col. Cameron Sprague, the chief information officer for the Connecticut Air National Guard and the deputy exercise director for Cyber Yankee, said the cyberattack scenario was constructed to be as realistic as possible.
“It’s really hard to do an exercise like this effectively,” Sprague told C4ISRNET. “Operating effectively in incident response environment is really hard. That’s what a lot of teams first take away when they’re walking through this is how we’re actually going to do an incident response plan. That’s the big point of this. That’s why a lot of them come back year after year.”