
By:
Federico Pacheco
(I+D+i Manager)

References

[1] I. Drew, W. Ernest, "Cybersecurity Applications & Technology Conference for Homeland Security Prototyping a Computer-Based Simulation of the Finance Sector," IEEE Technology Conference for Homeland Security (CATCH), Washington, DC, USA, 2009.

[2] INCIBE, "Taxonomy of cyber exercises," 2015. Available at https://www.incibe.es.

[3] M. Misto Macias, "Workshop on Financial Sector Cyber Resilience," Center for Latin American Monetary Studies (CEMLA) and World Bank (Session VII). Cyber Exercises for the Financial System, 2019.

TTX Simulation Exercises (II)

Introduction


In the first part we discussed the basics of tabletop simulation exercises for incident response practice and detailed the main issues that need to be decided in order to carry out an exercise. We also covered some of the details to take into account when designing this type of activity, and certain variables that need to be determined. In this second part we detail the two modalities in which these exercises are carried out and analyze some of the advantages of each.


Traditional modality


The practice of this type of exercise in the context of cybersecurity has traditionally been based on the expertise of a professional who acts as facilitator and coordinates the activity, directing and guiding the flow of conversations through the scenarios presented. The situations are developed through a series of pieces of information that the participants receive sequentially, revealing more and more of the status and evolution of the process. With each new piece of information, typically presented in the form of sentences that denote the occurrence of specific events, the coordinator encourages dialogue, and people advance on each problematic situation according to their role and level of knowledge. The scenario proceeds in a linear fashion and with static information, independent of responses, since the primary objective is the practice itself, not altering the flow of events.

These mechanics create a risk-free environment that allows participants to interact without the added pressures of the situational stress of a real incident or crisis. While it is desired that participants take the process seriously, it should be viewed as a collaborative learning experience, not a test or competition with winners and losers.

The length of the process depends on the group, topic, scope and objectives. Most exercises run for a few hours (between 3 and 4), during which the simulated time can span several days.

The fundamental benefits of the traditional modality are the possibility of discussing each action in real time without a strict duration, and the facilitator's knowledge, which helps enhance team dynamics and highlight personal and group attitudes and subtleties in the conversations that might otherwise go unnoticed. On the other hand, in this modality all teams receive the same information at the same time, which produces the progression of a single flow. An alternative sub-modality is also possible, in which different group environments hold different conversations; these cases require more than one coordinator.

Despite their limitations, due to the relative simplicity of their execution, traditional exercises continue to be carried out in the same way they were originally conceived, with the only addition in recent years of the possibility of interaction through videoconferencing systems (Zoom, Google Meet, Microsoft Teams, etc.), which allows them to be carried out in hybrid form, with the simultaneous participation of teams meeting in person and others connected virtually.




Platform-based modality


With the Internet and communication technologies, mainly from the 2000s onwards, these exercises began to be run simultaneously by several parties in a decentralized manner, an arrangement usually used for testing the systemic risks of a given industry or sector. This implied the inclusion of real-time communication mechanisms, such as the classic telephone, conference calls and e-mail.

During the second half of the 2010s, specialized software platforms and tools for interaction between participants began to be developed, which provided greater dynamism to the exercises, although in some cases to the detriment of realism due to the difference between the proposed mode of interaction and the one used on a daily basis. The evolution of software for the specific functions of an exercise of this kind outside the military field arose in the United States from the needs posed by the financial industry. The first move was made by the Norwich University Applied Research Institute (NUARI) in 2009, with the creation of a software prototype designed to perform simulation exercises based on the problems of that sector, which was named DECIDE (Distributed Environment for Critical Infrastructure Exercises). Due to the satisfactory results of the tests in the financial market, the Department of Homeland Security granted NUARI 9.9 million dollars in funding in 2013 for the continuity and growth of the platform. In 2019, the Science and Technology Directorate of the same agency extended additional funding of $5.9 million for the expansion of software capabilities, aimed at creating scenarios for the energy sector. In 2021, funding was reinforced with $2.9 million in a 3-year contract for expansion to the transportation sector. This made NUARI the research center with the most experience in simulations of this type in the world, with more than 100 exercises executed [1].




As for the European Union, as far as can be officially determined, 141 exercises were recorded up to 2014, of which 50% had exclusive participation of the public sector, 5% only of the private sector, and 45% involved joint actors from both sectors. Although the modalities were varied (seminar, functional test, workshop, simulation, game, and real scale), the tabletop simulation modality was the most adopted, with 35% of the total number of cases [2].

For the Latin American case, although there have been government incident response centers since the late 1990s, no exercises of these characteristics were reported in the public sector. The private sector, by contrast, began to implement specific tabletop exercises for cybersecurity incident response simulation as of 2014, and then only as professional services provided by the four main consulting firms in the market. However, it was not until 2018 that an exercise of this type aimed at simulating a systemic risk in the financial industry was carried out for the first time in the region. It took place in Argentina with the support and participation of the Central Bank of the Republic of Argentina (BCRA), which fulfilled a dual role as a financial institution and as a regulatory body. The exercise involved 6 participating banks (public and private) that held organizational meetings for 5 months, with a total participation of 125 people. The proposal and coordination were made by the US bank JP Morgan Chase, based on the experiences of previous years with similar exercises in the United States. That financial entity also provided access to the DECIDE platform for the execution. In 2019, the BCRA continued to make progress in terms of security incident simulations, and made efforts to coordinate and manage a new exercise, this time with 7 participants, only public financial institutions [3].