UNIVERSITY CYBER ATTACK! TABLETOP EXERCISE WITH THE U.A.A. INCIDENT

UNIVERSITY CYBER ATTACK! TABLETOP EXERCISE WITH THE U.A.A. INCIDENT MANAGEMENT TEAM DECEMBER 6, 2017 READINESS AN H.S.E.E.P. ACTIVITY FOR

OVERVIEW- SCOPE This tabletop exercise will examine issues related to cybersecurity impacting physical infrastructure systems on the UAA campus. It will consist of scenario-driven, facilitated discussion and is designed to examine roles, responsibilities, authorities, and capabilities to enhance our resilience Mission areas: RESPONSE and RECOVERY

OVERVIEW- OBJECTIVES Identify commons strengths and areas for improvement when responding to a campus infrastructure breakdown or failure caused by a cyber attack Assess processes and capabilities to develop timely and appropriate communication during a critical infrastructure failure to maintain public and institutional confidence Examine coordinated residence life and academic continuity of operations planning

OVERVIEW- SCENARIO The scenario consists of a cyber attack that impacts UAA’s physical infrastructure systems

OVERVIEW- PARTICIPATING ORGANIZATIONS Participants are drawn from across the campus community, including: UAA Information Technology Services Administration Incident Management Team Dean of Students Office University Advancement University Police Department Facilities Maintenance and Operations

OVERVIEW- ASSUMPTIONS & ARTIFICIALITIES Assumptions The exercise scenario is plausible and events occur as they are presented Players are to respond to the scenario as if events were taking place at UAA Exercise players will use existing plans, policies, procedures, and resources to discuss response planning and recovery operations Artificialities -there is no hidden agenda nor are there any trick questions -players should first discuss the actions stipulated by the scenario, and are welcome to engage in ‘what if’ discussions of alternate scenario conditions

OVERVIEW- PLAYER GUIDELINES The “University Cyber Attack!” tabletop exercise will be held in an open, low stress, no-fault, and non-attribution environment. Varying viewpoints and disagreements are expected. Decisions are not precedent-setting and may not reflect UAA’s final position on an issue. The exercise is exploratory and serves to identify issues, as well as multiple options and possible solutions

SCENARIO- DEC. 7 UAA has invited a religious cleric who was recently exiled from his country, to come speak on campus. He is seeking asylum in the U.S. and his arrival is widely covered by the media. Political leadership from his country threatens retaliation in response to the event, and specifically blames UAA for providing a platform for this cleric to spread lies

SCENARIO- SEVERAL WEEKS LATER A supposed leaked document of UAA’s records that contains information proving UAA mishandled cases of misconduct is circulated on social media. Employees and students circulate the PDF file. The US Computer Emergency Readiness Team (US-CERT) releases an alert a few days later warning that a zero-day exploit has been discovered with the ability to compromise systems and exploit a known vulnerability that allows a malicious actor to escalate and maintain privileged access on infected systems

SCENARIO- MONDAY JAN. 8 I.T.S. gets calls about issues with Banner; users are experiencing computer issues when logging in and in some cases their access credentials grant them administrative privileges. Within several hours, data in Banner is either missing or corrupted

MONDAY JAN. 8 An unauthorized message is pushed out to most students and employees using UAA dynamic email lists. The message states “Emergency Alert: upcoming severe weather affecting university operations. Read more here”. Once individuals click on the hyperlinked message, smartphone browsers connect to a blank webpage which presumably contains malware. The malware causes phones to dial 911 on loop, denying users the ability to end the calls. These looping calls persist until users forcibly shut down their devices.

CYBER INCIDENT PLANNING Does UAA have a formal response plan for each of the types of cyber incidents described? Specific processes and procedures? Clearly outline what positions are involved and how to coordinate with each other? Define escalation and prioritization of efforts to manage and coordinate ITS, operational, and business recovery? *What are UAA’s top 3 priorities at the time of this series of attacks?

ASSESSMENT AND NOTIFICATION How does UAA determine what systems/data/services are affected by the malware? What entities within UAA would you coordinate with? What entities outside UAA should be coordinated with? Do you have secondary communications capabilities in case UAA’s primary method is compromised or unavailable?

LATER JAN. 8 UAA is notified by 911 call center supervisor that the number of dummy 911 calls from the University has reached an unsustainable amount, overwhelming them and shuts down their capability to respond to legitimate calls. They suspect this is a telephony denial of services (TDoS) attack ITS is confident that computers affected by the malware allow malicious actors to acquire credentials from users. By 3:30pm an unauthorized user gains access through a Facilities employee credentials to the Milenium and Apogee

GETTING COLD Hacker begins to manipulate UAA’s automation processes including electrical power breakers, HVAC, water, and key card access These systems begin to experience latency and then start to fail Some buildings retain electricity while others lose power immediately Buildings without power quickly lose water Temperatures fall in classrooms, residence halls, server rooms, and labs

CHAOS ON THE ROADS A mass alert is sent out to students and employees containing the following: “Emergency alert: Campus is unsafe. Evacuate immediately.” Many students leave campus on foot and seek shelter at Providence Alaska Medical Center, Lake Otis Elementary, APU, and Springhill Suites. More leave by car, causing traffic congestion on the roads surrounding UAA

RESPONSE COORDINATION What is UAA’s protocol for establishing incident command during a major disruption affecting campus operations? Ongoing incident response External stakeholders What are the University’s priorities at this stage?

RESPONSE COORDINATION CONT’D Can systems at UAA operate in manual mode as a backup option? Does UAA have backup power or UPS in case of an outage? What continuity plans are in place for: Alternative methods to conduct classes Student affairs and residential mission Research mission

RESPONSE COORDINATION- COMMS Crisis communication How are students and employees notified about classes being canceled? How are parents notified? What methods will be used to communicate with the media? What methods will be used to communicate with the public?

RECOVERY- JAN 9 ITS has gathered enough evidence to conclude that UAA was the target of a malicious and complex cyber attack using multiple vectors Emergency services have been working around the clock to help those affected by the power outages and evacuations

THE NEXT FEW DAYS- RECOVERY ITS is confident they have blocked the hijacked account used to access control systems Researchers increasingly concerned over impact this event will have on their projects Students and parents are concerned about how this event will impact the remainder of their semester and whether their records have been compromised Rumors spread on Twitter claiming that the attack was a result of a malicious insider at UAA

RESTORING CAMPUS SYSTEMS How long can UAA be offline before the school year becomes compromised? Do recovery activities include cyber forensics? Does UAA have recovery procedures in place for I.T. systems? Process for cleaning systems? Process for bringing systems back online?

RESTORING CAMPUS OPERATIONS What is the process for establishing UAA’s restoration priorities? Described in existing plans? Coordination efforts with external stakeholders to restore campus infrastructure? For student housing, what plans are in place to accommodate affected individuals? Special considerations for international students? Special considerations for students with access and functional needs?

POST-INCIDENT COMMUNICATIONS How will UAA provide and unify all external media messaging? How will UAA handle incoming inquiries and requests for assistance from students, families, and employees? Displaced resident students (lodging, feeding, accountability) Stress management services How will UAA respond to media rumors and inquiries regarding how this incident was managed?

LEGAL AND FINANCIAL CONSIDERATIONS How does UAA determine the financial impact of the attack? Insurance? What are the primary areas of legal liability? Grant-funded projects delayed or destroyed Claims of PII disclosure and liability for impacts How do we handle academic issues? Grade appeals Refund requests

END UNIVERSITY CYBER ATTACK! 2017 DECEMBER