
Running head: TEAM SUMMARY 1

CSEC 670 – DTL Power Team – Team Summary

Okeoma Asoegwu

Tessa Blackmon

Rohit Kasukurti

Russell J. Shupert

Peter Stamper

August 13, 2017

University of Maryland University College


Contents

Team Section – Analysis
    Goals, Strategies and Final Result
    Simulation Goals Versus Choices and Funding
    Cross Team Sector Impact
    Lessons Learned
Team Conclusion - Analysis of Cyber Defense Technologies
Team Member Individual Sections
    Cyber Security Policy Analyst (Rohit Kasukurti)
    Cyber Security Auditor (Peter Stamper)
    Chief Technology Officer (Russell Shupert)
    Information Systems Security Officer (Okeoma Asoegwu)
    Network Administrator (Tessa Blackmon)
Figures
Team Section – Analysis

Goals, Strategies and Final Result

The DTL Power cybersecurity team established four goals in our sector brief:

1. Maximize power network uptime (keep downtime at a minimum)
2. Ensure DTL Power’s security is strong
3. Stay profitable as a company
4. Maximize national security

As a cybersecurity team, we successfully accomplished goals two and four, and failed at goals one and three. DTL Power deployed a significant amount of technology, restrictive policies, network segmentation and other decisions that ensured the strength and overall security of the sector. Every security indicator stayed above 100 and Disaster Damage stayed below 100. However, the Profitability (34) and Downtime (200) indicators were both red by the end of the simulation. Profitability started red at 84 and concluded at 34, and was impacted by decisions from the other sectors and by team decisions. Downtime was held in check for the first two rounds with scores of 109 and 139, both below the 140-point threshold. In the last two rounds, Downtime spiked, with scores of 188 in round three and a maximum of 200 in round four.

Simulation Goals Versus Choices and Funding

DTL Power was able to execute our decisions within the scope of the allocated budget. However, the simulator goals, events, and the impact of the other sectors' and team decisions frequently conflicted with each other. Since DTL Power is a nuclear generation facility, we adopted policies that were consistent with Nuclear Regulatory Commission (NRC) standards. This attempt to model real-world NRC standards in the simulator failed, and as a result many of the decisions or decision groups were too restrictive, negatively impacting rounds two through four.

Cross Team Sector Impact

DTL Power did not negatively impact the other sectors in rounds one or two. However, all four of the other sectors were negatively impacted by DTL Power's Downtime indicator, which spiked in rounds three and four. Adjustments made to decisions impacting both the Productivity and Performance scores caused Downtime to reach 188 in round three and 200 in round four. After reviewing the cross-team reports, all four sectors experienced the same point decrease for the impacted indicators in rounds three and four.

Round three saw a negative impact to both Network Load and Customer Satisfaction. Network Load scores decreased by three points for all sectors, and Customer Satisfaction decreased by five points for all sectors. This was caused by DTL Power exceeding the round three Downtime trigger of 139, increasing to 188 points (see Figure 1). Round three changes that primarily impacted Productivity included lowering the number of days to force a database password change from 60 to 30 and reducing the budget for SCADA Training on social engineering attacks from $150,000 to $100,000.

Figure 1: DTL Power Key Indicators by Round


Performance scores were reduced by increasing the degree of testing for Patch Management from medium to high, and SCADA Vulnerability Analysis (SVA) had significant budget increases for policy analysis, physical SVA testing and standards updates. Round two scores for Productivity (85) and Performance (87) were already below the 100-point target. The changes DTL Power made for round three had a negative impact on the team’s ability to keep the Performance (78) and Productivity (69) scores above 100, or even equal to round two’s scores. These changes, along with the negative impact of the round three events, caused the Downtime indicator score to spike at 188. In total, DTL Power hurt the other sectors in round three by eight points each.

Round four caused the same reduction in scores for the other sectors in the Popular Sentiment, Network Load and Customer Satisfaction key indicators. The largest negative impact was the Popular Sentiment score being reduced by ten points. Network Load was reduced by three points and Customer Satisfaction by five points. The impact was the direct result of DTL Power’s Downtime indicator exceeding the round four trigger of 188 and reaching the maximum score of 200 (see Figure 1).

As in the previous round, decisions made by DTL Power continued to hurt the Productivity (64) and Performance (72) scores in round four, causing the Downtime score to reach its maximum threshold of 200. The primary changes that impacted the Productivity scores included changing the Authorized Software Policy decision on the frequency of software evaluation scans from twelve to eighteen months and increasing the number of people overseeing the Information Sharing Policy from two to three.

Performance changes that impacted the Downtime score included modifying the Patch Management program from all updates to only critical and important updates. Controls were also relaxed on Database Security by enabling the management of operating system (OS) services and associated ports. The changes made in round four were targeted specifically to improve the overall Productivity and Performance scores, but were unsuccessful. Looking at the debrief report, the strict security controls actually reduced our Downtime score, but the poor Performance and Productivity settings offset and detracted from the gains made. As a result, all four sectors experienced a total score reduction of eighteen points across the three key indicators.

Since DTL Power is a utility providing a critical service to all the other sectors, any reliability issues with the power grid would impact the other sectors. Electricity plays a role in national defense, command and control, and cyber security.

Lessons Learned

DTL Power was focused on improving the various security index indicator scores, which negatively impacted Downtime and Profitability. This had a direct impact on the other sectors and on DTL Power's profits, Customer Satisfaction and Reputation. Round one scores were good, with only Popular Sentiment and Profitability (surplus) showing any signs of needing adjustment.

In preparation for the events of round two, DTL Power made significant increases in spending on training, patch management and network isolation, and made changes to various components of the Breach Notification Policy. While these changes helped the security index scores, the worm intrusion event significantly increased the Downtime score. As the simulation continued, tighter security controls were implemented, decreasing our Productivity Index and increasing the impact to Downtime. These factors directly reduced DTL Power’s Profitability and negatively impacted the other sectors.

In the final round of the simulation, DTL Power scaled back a number of the stricter security settings. Due to the distributed network and system redundancy decisions made in round one, the DDoS attack did not impact DTL Power in round four. As a sector, we never found the proper balance between the security decisions and those that impacted Performance and Productivity.

Team Conclusion - Analysis of Cyber Defense Technologies

DTL Power used all available cyber defense technologies to protect its network and SCADA systems. However, it can be concluded that DTL Power was too restrictive in its security settings when it came to defending the network. This resulted in decreased Productivity, Profitability, Customer Satisfaction, and Reputation. Additionally, the restrictive settings resulted in unnecessary difficulties in accessing data and increased Downtime. DTL Power’s cybersecurity team members should also have struck a better balance between cybersecurity and conducting normal operations. While cybersecurity should be a priority, it should not detract from DTL Power’s ability to provide its customers with electricity. DTL Power’s cybersecurity team should have used less restrictive technologies and settings to allow data to flow freely when needed while maintaining an effective security posture on its network and SCADA systems.

DTL Power prioritized its cyber defense technologies based on their effectiveness in protecting the network and SCADA systems and on their operating and capital costs. If it was discovered that a cyber defense technology was providing minimal protection at significant cost or impact to indicators, that technology was either reduced in restrictiveness or completely turned off. Additionally, priority was placed on those defense technologies that were most effective in protecting the SCADA system. The SCADA system had top priority because it provided the tools to keep the electricity flowing to customers. Overall, DTL Power needed to better balance operational needs and cybersecurity.

Team Member Individual Sections

Cyber Security Policy Analyst (Rohit Kasukurti)

To prepare for the team sector briefing, I consulted the student manual to review the key points that would be discussed in our process for making a decision. To ensure I was contributing to the team, I made sure I knew what decisions would impact which indicators by focusing more on the DTL Power sector decisions in the Application Model Reference guide. I used a variety of external research to understand what type of attacks are most common in the electric utility industry. The most common attacks are conducted by cyber criminals using traditional hacktivist methods, DDoS or social engineering. These groups attempt to gain access to critical components such as SCADA, operation centers, sensors and traditional IT systems. To ensure that this would not happen with our sector, I looked at ways to prevent these attacks from happening and how to reduce the threat if the attack were to occur.

I started my planning and analysis by watching the news reports about the events and the advisories that should help me understand what my decisions should revolve around. If I did not understand the type of attack, I conducted research to see how I could defend against it. Typically, I felt what I decided was adequate, but it seemed to be refuted once the round ended and the results came in. At the end of each round, I would look at the outcome report, which broke down each decision. This helped me understand what I could improve for the next round. Typically, my decisions focused on balancing what we already knew were good security with what indicators were declining. The indicators that were going down were usually the main focus for the round, so I would research the indicators and see what other factors played into affecting something such as productivity.

The most valuable round was round four, when I realized the decisions I should have made were too late, as it visually showed me how important it was to balance security with productivity and performance. If I had been able to keep employees and customers happy from the beginning, I believe many of the other indicators wouldn’t have suffered as much. The poor scores in downtime and productivity led me to review the decisions in these particular categories, and how I could reduce the declining scores. I realized that productivity was negatively impacted because employees became bogged down with the same task too frequently. It is important to have employees swap tasks and exchange knowledge to further expand skillsets. I felt these were more important than some of the other declining indicators because they seemed to have a more direct impact on productivity. Unfortunately, by the time we made the adjustment, we could not get the scores to come back into the normal range.

Cyber Security Auditor (Peter Stamper)

In preparation for the team sector briefing I utilized UMUC’s library to find peer-reviewed articles on the power industry. During my research, I discovered articles that discussed the threats to SCADA systems and how organizations could mitigate those threats. Additionally, I used references provided by other team members that were specific to critical infrastructure industries. These references were regulations, standards, and recommendations issued by various departments of the United States Federal Government. Both peer-reviewed articles and federal government guidelines provided ample information about the power industry.

I believe that the critical infrastructure of the US, specifically the power industry, is a popular topic with both researchers and government security specialists. This popularity results from its high value as a target and the critical infrastructure industry’s past reputation of being known as one of our most vulnerable areas of national security. As a result, it was difficult to sift through the enormous amount of data available and find the correct information to use for the sector briefing. I believe that I erred in my use of some materials over others and should have chosen more unique threats to the power industry instead of general threats to any network or system. I began each round by viewing the expected threats that would occur during the upcoming round. Once the threats were identified, I would research the power industry to see if any of my decision categories could impact or mitigate those threats. Unfortunately, most of my decisions were administrative in nature and not capable of blocking attacks.

At the end of each round I would compare the indicators that were impacted by my decisions to the previous round or the baseline. If I saw negative trends in those indicators, I made adjustments to decisions that impacted those indicators that needed a significant boost. If the drop in the indicator was less than five points, I normally maintained that decision category as it was currently set. If there was a negative trend above five points, I considered what options were available based on budget constraints. Some of the decisions I made at the end of a round were changed by new events that were scheduled to occur in the next round. For example, I decided to hire a privacy officer when the Patriot Act Requirements event occurred, because the population was concerned about the Patriot Act’s impacts on their privacy. Before the Patriot Act event I was unwilling to spend the funds to hire a dedicated privacy officer.

I believe that round two was the most valuable round in learning about cybersecurity. It simulated an event, the Patriot Act Information Request, which was not specifically designed to attack our system and was not technology-based. It showed us that technical aspects of cybersecurity are not the only things that can impact our cybersecurity posture. I believe this is a valuable lesson for anyone in the cybersecurity field. I think that too often the focus is on the latest technology and gadget to protect systems and networks, and the human aspect of cybersecurity is forgotten. Human interaction on the network can make or break a network just as much, if not more, than the technological capabilities utilized.

Overall, a valuable lesson learned is that there needs to be a balance between cybersecurity and operations. If we are too restrictive, we will negatively impact an organization’s operations and its ability to provide services to its customers. Going all out on security measures is not going to provide an organization with the best capabilities to continue doing business.

Chief Technology Officer (Russell Shupert)

To prepare for the team project and the initial sector briefing, I used many references from my current role working in cybersecurity for a Fortune fifty power company. There are one hundred and ten references as part of the initial sector briefing. Over eighty of them are directly from my knowledge of the utility industry and the various regulatory requirements that power companies must comply with under federal law. I used real-world standards and regulations to form the basis of how I would process decisions for the various categories I was responsible for. I also used my knowledge and industry experience to assist others on our team on what we do in the utility space in terms of configuration, segmentation, policy and protection design. In the end, this detailed knowledge of the power industry made many of my recommendations too strict for the various rounds inside the simulation, causing several key indicators to trend negatively downward.

At the start of each round, I would analyze the sector reports and look for the negative or positive impact from events, decisions or cross-team impact. Based on those numbers, I would examine the student manual and look at each of the decisions I owned and what impact they had on Disaster Recovery, Downtime, and the various security index scores. In the first two rounds, Productivity and Performance scores were less focused on. My intent was to secure the system, isolate the critical systems and enforce strict role-based permissions to make sure that the power grid operated reliably. However, after round two I realized that even though we isolated the SCADA environment, the simulation tied the network and SCADA together in the score; in the real world, the corporate network and the SCADA network are completely isolated and separate. This design is to prevent any disruption to the transmission and distribution of power on the electrical grid. The simulation did not operate under that same principle, thus several of my decisions were flawed for this exercise.

Round four was the most valuable in my simulator experience. I took all of the simulator categories and decisions for DTL Power and charted them in a spreadsheet. I noticed that the impact column for each category in the manual was not in alphabetical order, but in order of precedence or impact to the decision. I was able to chart out all of the decisions and their direct impact on the various index scores. Had I noticed this earlier in the simulation, several decisions we made early on might have been different, resulting in a better score for Downtime, Profitability and the decisions that directly contributed to those scores.

At the end of each round I studied the previous round's results, the impact of the previous round's events and what changes could be made to handle the threats from the new round. In rounds two and three I suggested continuing to strengthen the security controls, which resulted in lost productivity, hurting my team’s overall scores and the scores of the other sectors. After plotting out the impact of each decision, I am confident that had a round five been conducted, scores in Profitability, Downtime, and Customer Satisfaction would have improved and our impact on the other sectors would have been positive instead of negative.

There are two general things I learned from the simulation. First was the opportunity to strengthen my analytical skills, since all we had to analyze were scores with little insight into how they were correlated. Second was to consider the strength of the security measure versus potential roadblocks that would impact Productivity and Performance. The strictest security measures and best technology can hinder your response to events when people cannot quickly respond to active threats.

Information Systems Security Officer (Okeoma Asoegwu)

In preparation for the sector briefing, the team had several meetings to discuss our sector and to understand it. Our group leader currently works in the electric utility industry and was a very good resource for the team. The team used the guidelines in the student manual to research the sector, and every team member was assigned a range of topics to research based on the agreed-upon choice. A Dropbox folder was created by our team leader that included some very good information. I researched trade articles, regulatory impacts from the NRC and NERC, and reviewed security frameworks from NIST, SANS and ISO. This information helped the team members in each topic area.

The team met and agreed on research assignments, and I was tasked with researching section three for the sector report. I researched recent news stories on vulnerabilities in the sector, the importance of the sector to society and the impact of a cyber-attack on the other sectors. The information gained from these topics helped set the tone of the sector brief along with the research by the other team members; the team had a historical understanding of the sector and what laws and regulations were applicable.

During each round of the simulation, we were presented with different events. Our objective was to tailor our controls to prevent the events from affecting our sector. I performed the role of the Information System Security Officer (ISSO). The events DTL Power faced in each round were evaluated and research was performed to understand which decisions should be adjusted to mitigate the event. After that analysis was done, we had a team meeting to discuss and agree to the choices and validate the impact to the budget.

Round two of the simulator was of most value to me. The specific decision was in the breach notification category, where I selected reporting incidents to the FBI and NSA. The team decided to change the agency to call in for major security breaches from the FBI/NSA to private forensic investigators. The decision in this category affected our Reputation, Employee Morale, Contribution to National Security Index and Downtime indicators. This was a reminder that the concept of cyber security needs to consider factors beyond just security. Other factors need to be considered if the goal of any business is to stay profitable. If the reputation of the company is hurt, fewer people will do business with the company, which reduces profitability. If employee morale is down, staff will be reluctant to give their best effort for the company, impacting overall productivity. The lesson learned from round two and the simulation as a whole is not to focus only on security but also on the business impact. You must also keep the employees happy while staying in compliance with applicable laws and regulations.

Network Administrator (Tessa Blackmon)

At the beginning of the simulator, our group held several meetings where we constructed a sector briefing and an individual rationale report. Both of these reports were to prepare the team for executing our assigned roles in the simulator. I was responsible for introducing the team members and providing an overview of each job description. I was also responsible for documenting the legal and compliance priorities and their impact on cyber defense. Our team leader was very helpful with all the preparation work by setting up a central location for each week with all the information that would be needed to make sound decisions. Our team leader also provided a lot of valuable insight and reference material that was used to make decisions throughout the simulation.

Like our leader, I also had some insight on threats and regulations that apply to our sector since I have previously worked for a utility company. I know that actual exercises are conducted to help prepare for attacks. These exercises are known as GridEx and are conducted annually by the North American Electric Reliability Corporation (NERC). They are designed to simulate both cyber and physical attacks on electric utilities and other critical infrastructure, which would include companies like DTL Power.

After each round of the simulator, our team had a meeting and discussed the scores that we received as well as how our decisions impacted the other sectors. In rounds one and two we did not see any impact from our decisions on the other sectors. By rounds three and four, we could see that our decisions were wrong, and we were able to see how our decisions impacted the other sectors as well as how their decisions had an impact on our scores. As our Downtime score continued to get worse, it became unmistakable that our decisions were impacting Network Load, Customer Satisfaction, and Popular Sentiment in the other sectors.

In round one it was hard to see any actual value to decisions that were made since there were no prior decisions to impact scores. Each round became more beneficial in seeing the effects of the decisions being made by our team as well as those made by the other sectors. I believe that I should have left my decisions the same for both rounds two and three as they were in round one since our decisions in the first two rounds had no impact on the other sectors.

Figures

Figure 1: DTL Power Key Indicators by Round
