EXERCISE SENSITIVE

[Exercise Name]

Exercise Overview

Exercise Name / <Insert the formal name of the exercise, which should match the name in the document header>
Exercise Date, Time, and Location / <Indicate the start and end dates of the exercise>
Month DD, YYYY
00:00 a.m. – 00:00 p.m.
Facility, City, ST
Scope / This event is a facilitated, discussion-based exercise, planned for <exercise duration>. The exercise will raise awareness of cyber risk management, cyber-related planning, and other issues related to cyber incident prevention, protection, and response.
Mission Area(s) / Prevention, Protection and Response
Core Capabilities / Planning, Public Information and Warning, Cybersecurity, Intelligence and Information Sharing, Operational Communications, Situational Assessment[1]
Objectives /
  1. Increase cybersecurity awareness.
  2. Assess the integration of cybersecurity into <Organization’s> all-hazards preparedness.
  3. Examine cybersecurity management structures, incident information sharing, escalation criteria, and related courses of action.
  4. Identify cascading impacts of a cyber attack on critical systems.
  5. <Insert additional or other organization-specific objectives>

Threat or Hazard / Cyber attack with cyber and potential physical consequences.
Scenario / Cyber attack against hospital networks.
Sponsors / <Insert the name of the sponsor organization, as well as any grant programs being utilized, if applicable>
Participating Organizations / <Insert a brief summary of the total number of participants and participation level (e.g., federal, state, local, tribal, territorial, non-governmental organizations (NGOs), and/or international agencies). Consider including the full list of participating agencies in Appendix B.>

Points of Contact / <Personnel Name>
<Title>
<Agency>
<Address>
<City, State ZIP>
<Phone>
<E-mail>
<Personnel Name>
<Title>
<Agency>
<Address>
<City, State ZIP>
<Phone>
<E-mail>

General Information

Participant Roles and Responsibilities

The term participant encompasses many groups of people, not just those playing in the exercise. Groups of participants involved in the exercise, and their respective roles and responsibilities, are as follows:

  • Players. Players are personnel who have an active role in discussing or performing their regular roles and responsibilities during the exercise. Players discuss or initiate actions in response to the simulated emergency.
  • Observers. Observers do not directly participate in the exercise. However, they may support the development of player responses to the situation during the discussion by asking relevant questions or providing subject matter expertise.
  • Facilitators. Facilitators provide situation updates and moderate discussions. They also provide additional information or resolve questions as required. Key Exercise Planning Team members may also assist with facilitation as subject matter experts (SMEs) during the exercise.
  • Evaluators. Evaluators are assigned to observe and document certain objectives during the exercise. Their primary role is to document player discussions, including how and if those discussions conform to plans, policies, and procedures.

Exercise Structure

This exercise will be a multimedia, facilitated exercise. A facilitator will provide multimedia updates that summarize key events occurring within that time period. After the updates, participants review the situation and engage in a moderated plenary discussion. Players will participate in the following modules:

  • <Module, Phase, or Other> <1>: Insert Name
  • <Module, Phase, or Other> <2>: Insert Name
  • <Module, Phase, or Other> <3>: Insert Name

Exercise Guidelines

  • This exercise will be held in an open, low-stress, no-fault environment. Varying viewpoints, even disagreements, are expected.
  • Respond to the scenario using your knowledge of current plans and capabilities (i.e., you may use only existing assets) and insights derived from your experience and training.
  • Decisions are not precedent setting and may not reflect your organization’s final position on a given issue. This exercise is an opportunity to discuss and present multiple options and possible solutions.
  • Assume cooperation and support from other responders and agencies.
  • Issue identification is not as valuable as suggestions and recommended actions that could improve prevention, protection, mitigation, response, and recovery efforts. Problem-solving efforts should be the focus.
  • Situation updates, written materials, and resources provided are the basis for discussion; there are no situational or surprise injects.

Exercise Assumptions and Artificialities

In any exercise, assumptions and artificialities may be necessary to complete play in the time allotted and/or account for logistical limitations. Exercise participants should accept that assumptions and artificialities are inherent in any exercise, and should not allow these considerations to negatively impact their participation. During this exercise, the following apply:

  • The exercise is conducted in a no-fault learning environment wherein capabilities, plans, systems, and processes will be evaluated.
  • There is no “hidden agenda” nor are there any trick questions.
  • The exercise scenario is plausible and events occur as they are presented.
  • The scenario is not derived from current intelligence targeting stakeholder equities.

Exercise Evaluation

Evaluation of the exercise is based on the exercise objectives and aligned capabilities. Players will be asked to complete participant feedback forms. These documents, coupled with facilitator observations and notes, will be used to evaluate the exercise and compile the After-Action Report (AAR).

Module 1: Information Sharing

T – 2 Years: Initiation

According to an autopsy report, the sudden death of a 15-year-old girl who was treated at <HOSPITAL NAME> was ruled to be the result of a severe type of pneumonia. The patient’s family suspects improper care as the true cause of death and does not believe <HOSPITAL NAME> did all it could to prevent her death. Soon after the release of the autopsy report, the girl’s family begins to demand that the medical center be held accountable and files a wrongful death lawsuit against <HOSPITAL NAME>.

T – 6 Months: Motivation

Upon presentation and litigation of the wrongful death lawsuit, the court rules in favor of the <HOSPITAL NAME>. The family remains unconvinced, distraught, and angry over the verdict.

T – 5 Months: Advisory

The Multi-State Information Sharing and Analysis Center (MS-ISAC), in partnership with the National Health Information Sharing and Analysis Center (NH-ISAC), releases a joint advisory highlighting several recent attacks against state health information exchanges.

T – 10 Days: Indication

<HOSPITAL NAME> begins to notice an increase in scans and phishing campaigns, similar to those that occurred at other medical providers throughout the country, including a 25% increase in attempted attacks against <HOSPITAL NAME> networks.

T – 2 Days: Slow Motion

Employees begin to report internal network latency, and members of the public report they cannot access <HOSPITAL NAME>’s website.

T – 1 Day: Degradation

<HOSPITAL NAME> network performance continues to degrade and is exacerbated by suspected data loss. Specifically, several nurses begin to report that records which were available only a short time earlier are now completely unavailable.

Module 1 Discussion

Related Objectives

  • <Insert applicable objectives listed in Exercise Overview>

Expected Outcomes

  • Examine information sharing during steady-state and early stages of incident response:
    ◦ Information sharing by various constituents, to include government sources of indicators and warnings.
    ◦ Impediments to effective and efficient sharing of information.
  • Discussion of internal cyber threat information requirements and thresholds for reporting credible threats and incidents to organizational executive leadership.
  • Discussion of existing information sharing mechanisms and capabilities.
  • Discussion of information sharing mechanism limitations and challenges.

Questions

  • How is information shared among your internal and external stakeholders?
    ◦ By means of formal or informal relationships, or both?
  • What information sharing mechanisms (portals, briefings, working groups) currently exist internally within <HOSPITAL NAME> and externally with its partners?
  • What sources of information are used among private sector, city, state, and Federal partners?
  • What types of security-related industry alerts does <HOSPITAL NAME> receive? Those from NH-ISAC? The U.S. Computer Emergency Readiness Team (US-CERT)? Others?
  • Are there any public-private working groups or established distribution lists where information such as indicators and warnings and abnormal network activity can be shared?
  • Who (entity, unit, etc.) is responsible for the big picture (i.e., collating information across multiple reports and sources)?

Module 2: Initial Response

T – Day: Investigation

In response to the extreme latency and unavailable electronic medical records (EMR), <HOSPITAL NAME> begins to field an increase in help desk calls related to EMR problems. During this period, technicians confirm that records are actually missing and notice unusual patterns in access logs, including unauthorized access to the EMR system.

T – Day: Escalation

The <”News and Info”> section of <HOSPITAL NAME>’s public web site, including one of its social media platforms, is defaced with apparent threats and a warning to the public about <HOSPITAL NAME>’s level of care. The headline that scrolls across the homepage states:

“This hospital will deceive you – they cannot be trusted with your information, or your life!!!”

T + 1 Day: Communication

A local media affiliate of Global Network News and other local media outlets start reporting on the defacement of the <HOSPITAL NAME> homepage.

T + 1 Day: Elevated

MS-ISAC and NH-ISAC issue an update to their recent joint advisory. The updated joint advisory indicates an increase in attacks on both public and private medical facilities, with significant impacts to industrial control systems (ICS) that monitor and control supervisory control and data acquisition (SCADA) systems. Accordingly, both MS-ISAC and NH-ISAC raise their threat alert level to “ELEVATED”, which “indicates a significant risk due to increased hacking, virus or other malicious activity which compromises systems or diminishes service”.

Module 2 Discussion

Related Objectives

  • <Insert applicable objectives listed in Exercise Overview>

Expected Outcomes

  • Discussion of initial response measures and triggers for external incident response coordination.
  • Discussion of existing incident response coordination, investigation, and mitigation efforts, and identification of impediments to timely response.
  • Identification of cyber incident escalation criteria and planned notifications.

Questions

  • What critical patient services or essential business functions would be impacted by the incidents described in the scenario?
  • Does <HOSPITAL NAME> have defined cybersecurity incident escalation criteria, notifications, activations, and/or courses of action?
    ◦ When and how would leadership be notified?
    ◦ What are the notification criteria?
  • Discuss the thresholds for reporting suspicious cyber activity to others outside of your organization.
  • What protective actions would you take across non-impacted systems or divisions?
    ◦ Who is responsible for protective action decision-making?
    ◦ How are actions coordinated across other departments?
  • What is your planned cyber incident management structure?
    ◦ Who (by department and position) leads incident management and why?
  • How would external resources be requested and integrated?
    ◦ What pre-existing relationships can you leverage to augment your resources in the short term?
    ◦ Would <HOSPITAL NAME> contact law enforcement officials?
    ◦ What third party technical support might be considered or employed as part of the incident response?
    ◦ Would legal department(s) be involved to address potential liability issues? How are they brought in appropriately?

Module 3: Response Exceeds Resources

T + 1 Day: Explanation

Further investigation indicates that malware infected <HOSPITAL NAME> via a spear phishing e-mail opened several weeks ago by a <HOSPITAL NAME> employee with privileged access / administrator rights. It is suspected that this malware was used specifically to alter supply inventory records and to exfiltrate more than 50,000 personally identifiable information (PII) and electronic protected health information (ePHI) records.

T + 1 Day: Intensification

Patients and staff are reporting an extreme change in temperature in the hospital, complaining it is too hot. As a result of the complaints, <HOSPITAL NAME> suspects a potential malfunction of SCADA-enabled devices within its heating, ventilation, and air conditioning (HVAC) and building management systems (BMS).

T + 1 Day: Expansion

Building Operations reports that a facilities technician tasked to inspect the HVAC and BMS is unable to log in to the server that controls the HVAC system. The technician entered his credentials as usual but received an “access denied” message.

T + 1 Day: Exhaustion

<HOSPITAL NAME> has quickly exhausted all available resources to investigate the extent of the problem and restore affected systems, resulting in significant impacts to patient care and life safety concerns.

T + 2 Days: Attention

National media outlets begin reporting on the situation at <HOSPITAL NAME>. In particular, the media outlets are covering the messages posted on the <HOSPITAL NAME> website and social media platform.

T + 4 Days: Ramifications

During an in-depth review of its logs, <HOSPITAL NAME> discovers that 65 days ago, <insert exercise malware name> was implanted on the medical facility’s network, resulting in the creation of a “super user” with administrator rights. Investigators strongly suspect that the infection vector is linked to the spear phishing and network scanning, which eventually exploited a vulnerability in <HOSPITAL NAME>’s network. Both the hospital and the investigation team continue the systematic process of malware remediation, removal, and patch updates.

Module 3 Discussion

Related Objectives

  • <Insert applicable objectives listed in Exercise Overview>

Expected Outcomes

  • Identification of available response, investigation, and mitigation resources and capabilities.
  • Identification of resource request coordination pathways.

Questions

  • What resources and capabilities are available to analyze the intrusions?
  • If <HOSPITAL NAME> is unable to manage the incident internally, what processes are in place to request and manage additional resources?
    ◦ How are cyber resources defined?
    ◦ How will costs be documented and recovered?
  • How would cyber resources used for response, forensic investigation, and mitigation be requested through:
    ◦ Private sector support (contractors)?
    ◦ Federal assets?
      - Law enforcement?
      - DHS?
      - State Government?
  • Discuss Public Relations aspects of the cyber incident:
    ◦ What challenges exist when coordinating public communications?
    ◦ What information do stakeholders need? What information do they request?
    ◦ Is there a public affairs playbook or plan that would be enacted in this situation?
  • What processes or protocols are in place when contacting and/or working with law enforcement?
  • Are processes and resources in place for evidence preservation and collection?

Appendix A: Exercise Schedule (Example)

Time Allotted / Event
8:00 a.m. – 8:30 a.m. / Registration/Sign-In
8:30 a.m. – 8:45 a.m. / Introductions and Exercise Overview
8:45 a.m. – 9:20 a.m. / Module 1 – <Name>
9:20 a.m. – 9:30 a.m. / Break
9:30 a.m. – 10:30 a.m. / Module 2 – <Name>
10:30 a.m. – 11:30 a.m. / Module 3 – <Name>
11:30 a.m. – 12:00 p.m. / Hot Wash and Closing Remarks
12:00 p.m. / End / Closing Comments

Appendix B: Exercise Participants

Participating Organizations
<List Organizations or Departments or Offices>

[1] DHS Core Capabilities. Grouped into five mission areas, the National Preparedness Goal identifies 31 core capabilities, which are distinct critical elements necessary to achieve the National Preparedness Goal.