PAXsims

Conflict simulation, peacebuilding, and development

Tag Archives: cybersecurity

MORS: Gaming cyber and information operations

The Military Operations Research Society will offer a short online course on gaming cyber and information operations from 30 August to 1 September 2023, taught by Ed McGrady. Further details and registration information are available at the link.

Games are tools that professionals can use to understand complex problems. Problems where there really is no good solution. Problems where there are two opposing sides. Problems of deterrence and belief. 

Cyber security and information operations incorporate all of these challenges and more. But cyber games are often seen solely through the focus of computer-based games. Information operations games are thought to be too hard to execute and adjudicate. And while computer-mediated exercises and games have a role in cyber preparedness, so do manual games that focus on organization, conceptualization, and experimentation. In this game design course, we will focus on building manual, professional games designed to explore, train, or educate on issues surrounding cyber security and information operations.

MORS currently offers a one-week certificate course in Cyber Game Design in collaboration with Virginia Tech. In this shortened version of the week-long course we will focus on how to build the best cyber game for the sponsor’s objectives. We will also add information operations to the mix. Information operations are important to understand because they broaden the conflict landscape to include all types of information, not just information that flows on digital networks and their components.

Our framework for the class will be understanding the types of games that are available to us, and how they relate to gaming at the strategic, operational, and tactical levels of cyber. What is the role of matrix games in cyber? How do we build realistic tactical games without becoming overwhelmed with detail? How do we build analytical tools for tactical adjudication of cyber games? How do we handle adjudication of social engineering or deception? 

Gaming information operations will focus on practical tips and techniques for either building games that focus on information operations, or incorporating information operations into large game systems. 

The class will consist of three primary sections: game design, gaming cyber security at the tactical, operational, and strategic levels, and gaming information operations. As much as possible we will incorporate class exercises and engagements as part of the learning process.

NARUC Cybersecurity Tabletop Exercise Guide

In September 2020, the National Association of Regulatory Utility Commissioners, with the support of the US Department of Energy, published a Cybersecurity Tabletop Exercise Guide.

Public utility commissions (PUCs) are responsible for ensuring adequate, safe, and reliable utility services at reasonable rates. As such, they need to know that jurisdictional utilities’ cybersecurity risk management plans and practices—put in place to mitigate cybersecurity vulnerabilities, counter malicious cyber threats, and rapidly respond and recover from successful attacks—are comprehensive and effective. Exercises are useful for this purpose.

Exercises provide opportunities for participants to demonstrate and assess capabilities in specific areas of interest, including cybersecurity risk management. They also facilitate coordination and help clarify organizational roles and responsibilities.

This Tabletop Exercise (TTX) Guide steps PUCs through the process of creating and executing an exercise specifically designed to examine capacities and capabilities to plan for, respond to, and recover from a cybersecurity incident involving critical energy infrastructure. It complements other resources in NARUC’s Cybersecurity Manual, particularly Understanding Cybersecurity Preparedness: Questions for Utilities, and the Cybersecurity Preparedness Evaluation Tool. Coupled with the TTX Guide, these tools comprise a structured, process-driven approach to identifying, assessing, and testing the efficacy of utilities’ cyber risk management plans and practices. This knowledge helps commissions identify cybersecurity gaps, spur utilities’ adoption of additional mitigation and response strategies, and encourage improvements.

Part I details the steps to plan and execute a TTX. Part II reviews the steps required to conduct a seminar-based exercise. TTXs are discussion based, typically led by a facilitator who guides participants through one or more scenarios for the purpose of testing the thoroughness and efficacy of relevant plans, processes, and procedures. This format is well suited for commissions’ objective assessment of utilities’ cybersecurity preparedness as well as their own cyber incident response capabilities. Seminars, which are also discussion-based exercises, typically examine a single procedure within a larger plan or a single step in a multistep process.

The exercise guide can be found at the link above. The fuller cybersecurity manual can be found here.
