Attacks on the digital infrastructure of various companies and industry sectors will be role-played nationally and internationally in the Cyber Storm II exercise, to be held from today through to Friday.
The active exercise will centre on the Tuesday to Thursday period, and locally will involve government departments, banks, at least one power distribution company (plus TransPower), telecoms and internet service providers, and networking companies (see list below).
Monday will be a preparation day and Friday a day for considering and summarising outcomes. This is the first time New Zealand has participated fully in the exercise.
Each organisation involved will be testing its own response to “a series of cyber incidents, culminating in a large-scale attack,” says Paul McKitrick of the Centre for Critical Infrastructure Protection (CCIP), which is co-ordinating the NZ leg of the exercise, but there will also be trials of the way organisations react and communicate with one another across an industry sector and internationally.
Organisations in Australia, the US, the UK and Canada will also take part in the exercise — a successor to Cyber Storm I, which was held in March 2006.
Each organisation involved will have at least one representative in its office and one at Exercise Control (Excon) in the CCIP office in Wellington. They will receive periodic information bulletins (called “injects”) on the fictional events constituting the crisis. They will decide how to react within their own organisation and between organisations, the latter signified by a representative at Excon getting up and walking to another organisation’s table for an exchange of information.
Most of the injects will take the form of messages on paper — “for example ‘your network logs have reported this’,” says McKitrick, but there may also be some “live” simulation of events on visual displays and emails will be exchanged nationally and internationally.
Messages will be headed “Exercise Exercise Exercise — Cyber Storm II” so they are not confused with messages indicating real situations.
Ten “key scenarios” will be played through in the New Zealand leg of the exercise, involving “two or three” industry sectors as well as the individual organisations, McKitrick says.
The participants have been given an opportunity to define scenarios of particular importance to them individually and to their industries, but naturally no-one will know exactly what to expect until the exercise takes place.
“We will be testing international communications,” McKitrick says; CCIP, as in real life, will be communicating particularly with the US-based Computer Emergency Response Team (Cert).
Hundreds of people will be involved in the New Zealand leg of the exercise and thousands worldwide. In addition to the direct participants, subject-matter experts will be on hand (for example banking or communications experts) to decide on feasible on-the-fly variations to the sequence of simulated events.
CCIP has already begun planning for Cyber Storm III, to take place in 2010. That exercise is planned to involve 15 countries.
Media organisations may be among the participants in Cyber Storm III, McKitrick says, as an essential factor in controlling (or contributing to) the spread of rumour and panic in an emergency.
Cyber Storm II participants
The organisations allowing their names to be used are:
ANZ National Bank
Government Communications Security Bureau
Ministry of Foreign Affairs and Trade
Ministry of Health
NZ Customs Service
NZ Defence Force
State Services Commission