Critical Infrastructure Protection Scenarios Playbook

December 17, 2023 · 4 min read

  • In this Cyber Range exercise, we’ll be focusing on a hypothetical leading nuclear energy company, “AtomSecure Energy Corp.” AtomSecure is an industry giant, with a sprawling network of nuclear power plants across the country. Due to the critical nature of its infrastructure and the potential catastrophic consequences of a breach, AtomSecure must commit to the highest standards of cybersecurity.
  • AtomSecure’s Chief Information Security Officer (CISO), Dr. Ada Turing, has initiated a comprehensive Critical Infrastructure Protection scenario after learning of a series of coordinated cyber attacks targeting energy providers worldwide. Ada is concerned about a group called “Shadow Initiative,” known for sophisticated and politically motivated attacks against critical infrastructure sectors. The company believes that an exercise simulating an attack by this group will prepare the Incident Response Team for real-world threats.
  • AtomSecure’s network includes an array of systems, such as Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA) systems, traditional IT environments, and cloud-based services. The complex interdependencies between these systems make the network a challenging environment to secure.
  • The exercise aims to evaluate the resilience of AtomSecure’s defenses, the effectiveness of their incident response plan, and the readiness of their teams to coordinate and communicate during a crisis. By running the lab exercise, AtomSecure intends to identify vulnerabilities within their systems, improve detection capabilities, and fine-tune their response strategies to ensure the continuous safe operation of their nuclear facilities.

Playbook Sections:

    • Playbook Objectives:
      • Test the effectiveness of the security measures currently in place.
      • Enhance the incident response team’s capability to detect and respond to cyber threats.
      • Identify network vulnerabilities and potential points of entry for cyber attackers.
      • Validate the effectiveness of communication and coordination between different departments within the company under a crisis scenario.
      • Incorporate lessons learned into the company’s ongoing security strategy and policies.
    • Difficulty Level:
      • Advanced. The scenario is intended for well-trained cybersecurity teams familiar with critical infrastructure systems and advanced persistent threats (APTs).
    • Scenario:
      • AtomSecure’s nuclear plant network infrastructure faces a multi-stage cyber intrusion by the Shadow Initiative designed to compromise operational integrity and steal sensitive data.
    • Category:
      • Critical Infrastructure Cybersecurity
      • Advanced Persistent Threats (APTs)
      • Incident Response and Crisis Management
      • Industrial Control Systems (ICS) / SCADA Security
    • Exercise Attack Steps:
      • Initial Reconnaissance:
        • Phishing campaign targets key operational engineers to compromise credentials.
        • Shadow Initiative scans exposed network services for known vulnerabilities.
      • Gaining Access:
        • Exploitation of a zero-day vulnerability found in the VPN appliance.
        • Use of compromised credentials to enter the network via remote access.
      • Lateral Movement:
        • Deployment of custom rootkits on critical servers.
        • Use of legitimate credentials and privilege escalation to gain access to SCADA systems.
      • Persistence Mechanisms:
        • Creation of backdoors within the network to ensure continued access.
        • Manipulation of network logs to conceal the attack’s tracks.
      • Actions on Objectives:
        • Extraction of sensitive data, including operational strategies and confidential employee information.
        • Attempt to manipulate control systems settings of a nuclear reactor to initiate unsafe operating conditions.
      • Incident Response:
        • Detection of anomalous network traffic by the Security Operations Center (SOC).
        • Invocation of the cybersecurity incident response plan by the incident commander.
        • Coordination with the nuclear facility’s safety team to ensure physical security measures are in place.
      • Recovery and Lessons Learned:
        • Remediation steps are taken to expel the attackers from the network.
        • Post-exercise review to update threat models and improve security posture.
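The two detection steps the scenario leans on, the SOC spotting anomalous outbound traffic during the "Actions on Objectives" phase and noticing that network logs have been tampered with during "Persistence Mechanisms", can be rehearsed against synthetic data before the exercise is run. The script below is an added example, not part of the original playbook and not AtomSecure tooling; hostnames, addresses, byte counts and sequence numbers are constructed. It builds a per-host volume baseline, flags flows that are both a z-score outlier and well above the host's mean (the second condition keeps a host with a perfectly constant baseline, where the standard deviation is zero, from alerting on every small change), and reports holes in the collector's sequence numbers, which is what deleted log records look like from the SOC side.

```python
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    """One outbound-flow record as a log collector might export it."""
    seq: int        # monotonically increasing record number assigned by the collector
    host: str       # internal source host
    dst: str        # destination address
    bytes_out: int  # bytes sent from host to dst


# Constructed baseline window (hypothetical hosts, not real data): routine outbound volumes.
BASELINE_WINDOW = [
    Flow(1, "eng-ws-01", "10.0.5.20", 4_000),
    Flow(2, "scada-hist-01", "10.0.9.8", 12_000),
    Flow(3, "eng-ws-01", "10.0.5.20", 4_200),
    Flow(4, "scada-hist-01", "10.0.9.8", 12_000),
    Flow(5, "eng-ws-01", "10.0.5.20", 3_900),
    Flow(6, "scada-hist-01", "10.0.9.8", 12_000),
    Flow(7, "eng-ws-01", "10.0.5.20", 4_100),
    Flow(8, "eng-ws-01", "10.0.5.20", 4_300),
]

# Constructed evaluation window: one bulk transfer to an external address (seq 103)
# and a hole in the sequence numbers (records 105 and 106 are missing).
CURRENT_WINDOW = [
    Flow(101, "eng-ws-01", "10.0.5.20", 4_150),
    Flow(102, "scada-hist-01", "10.0.9.8", 12_500),
    Flow(103, "eng-ws-01", "203.0.113.45", 850_000),
    Flow(104, "scada-hist-01", "10.0.9.8", 12_000),
    Flow(107, "eng-ws-01", "10.0.5.20", 4_050),
    Flow(108, "scada-hist-01", "10.0.9.8", 12_100),
]


def baseline_stats(flows: List[Flow]) -> Dict[str, Tuple[float, float]]:
    """Per-host mean and population standard deviation of bytes_out."""
    by_host: Dict[str, List[int]] = {}
    for f in flows:
        by_host.setdefault(f.host, []).append(f.bytes_out)
    return {h: (mean(v), pstdev(v)) for h, v in by_host.items()}


def flag_outliers(flows: List[Flow], stats: Dict[str, Tuple[float, float]],
                  z: float = 3.0, ratio_floor: float = 2.0) -> List[Flow]:
    """Flows that are both a z-score outlier and at least ratio_floor times the host mean.

    The ratio floor matters for hosts with a constant baseline (stdev 0), where a
    pure z-score rule would flag any change at all. A host with no baseline is
    flagged unconditionally: a first-seen sender deserves an analyst's look.
    """
    hits = []
    for f in flows:
        if f.host not in stats:
            hits.append(f)
            continue
        mu, sigma = stats[f.host]
        if f.bytes_out > mu + z * sigma and f.bytes_out >= ratio_floor * mu:
            hits.append(f)
    return hits


def find_sequence_gaps(flows: List[Flow]) -> List[Tuple[int, int]]:
    """Inclusive ranges of collector sequence numbers that are missing.

    A gap means records were never received or were removed after the fact;
    either way it is the trace that log manipulation leaves behind.
    """
    seqs = sorted(f.seq for f in flows)
    gaps = []
    for prev, cur in zip(seqs, seqs[1:]):
        if cur - prev > 1:
            gaps.append((prev + 1, cur - 1))
    return gaps


def triage(baseline: List[Flow], current: List[Flow]) -> dict:
    """Run both checks on an evaluation window against a learned baseline."""
    stats = baseline_stats(baseline)
    return {"outliers": flag_outliers(current, stats),
            "gaps": find_sequence_gaps(current)}


if __name__ == "__main__":
    result = triage(BASELINE_WINDOW, CURRENT_WINDOW)
    for f in result["outliers"]:
        print(f"ALERT volume: seq={f.seq} {f.host} -> {f.dst} {f.bytes_out} bytes")
    for lo, hi in result["gaps"]:
        print(f"ALERT log gap: records {lo}-{hi} missing")
```

For the exercise, the value is in tuning the two thresholds against the range's own traffic before the red team starts: a `z` or `ratio_floor` that is too loose lets the extraction phase through, one that is too tight buries the SOC in alerts during normal plant operations, and both outcomes are worth recording in the post-exercise review.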