Red Teaming and Energy Grid Security

SC PUBLIC SERVICE AUTHORITY, LAW ENFORCEMENT DIVISION

10th Annual EnergySec Summit, 21 AUG 2014, Austin, TX

Presented by Mike Frederick

DESCRIPTION

The informative and entertaining discussion is presented by a 26 year military and law enforcement veteran and former federal counterterrorism operative (now working as a state law enforcement agent responsible for critical energy infrastructure protection), and details the emergence of Red Cell activities and Red Teaming as a valuable form of alternative assessment for use in securing the American energy grid. A widely accepted and established practice in military and intelligence circles, Red Teaming is slowly moving into law enforcement and the private sector, and is now being utilized as a key vulnerability and threat assessment tool by state law enforcement agencies, Fortune 500 companies, and national laboratories. The presentation features actual case studies and explains the key reasons energy producing organizations should utilize Red Teaming, including the avoidance of groupthink, complacency reduction, eliminating information silos, collective sense-making, addressing the correctly balanced approach to high impact/low frequency (5 sigma) events, and the integration of CIP compliance into a realistic physical security posture. The brief outline details the key questions answered by Red Cell exercises: What do our adversaries want, how will they try to meet their goals, and how do we most effectively stop them? Attendees will become familiar with the basic techniques utilized in Red Teaming, including interdisciplinary teams, structured analysis, and physical exercises/penetration testing. Finally, the presentation provides a brief after-action report detailing the Red Cell Exercise conducted by the SC Public Service Authority in November 2013. That exercise addressed dam/dike sabotage, criminal targeting, executive safety, terrorism (domestic and transnational), insider threats, physical attacks on energy grid infrastructure, and workplace violence.


Page 1: Red Teaming and Energy Grid Security

Red Teaming and Energy Grid Security

SC PUBLIC SERVICE AUTHORITY

LAW ENFORCEMENT DIVISION

10th Annual EnergySec Summit 21 AUG 2014

Austin, TX

Presented by Mike Frederick

Page 2

CIP HAPPENS.

STAY ALERT…

Page 3

Page 4

How does kidney theft relate to securing the American energy grid?!

Page 5

We Su©k at Processing Info

J FKFB INAT OUP SNA SAI RS

Page 6

We Su©k at Processing Info

JFK FBI NATO UPS NASA IRS

Page 7

What Is Red Teaming...

...and What It IS NOT.

Page 8

Overview

RED CELL

Introduction to Red Cell concepts

Benefits & Capabilities

Limitations & Drawbacks

Red Teaming and the American Energy Grid

Case Studies & Examples

Methodology

Page 9

The Concept

• Assessment of Threats, Plans, Operations, or Adversaries

• Viewed from the Adversarial Perspective (Alternative Assessment)

• Structured, Iterative Process

• Trained Team Members

• Independent

• Continuous

Page 10

“The firmly inculcated doctrine that an admiral’s opinion was more likely to be right than a captain’s, and a captain’s more than a commander’s, did not hold good when questions entirely novel in character, requiring keen and bold minds unhampered by long routine, were under debate.”

-Winston Churchill

“To kill an error is as good a service as, and sometimes even better than, the establishing of a new truth or fact.”

-Charles Darwin

“We do not believe any group of men adequate enough or wise enough to operate without scrutiny or without criticism. We know that the only way to avoid error is to detect it, and that the only way to detect it is to be free to inquire. We know that in secrecy error undetected will flourish and subvert.”

-J. Robert Oppenheimer

Page 11

Security Posture Extremes

GROUND TRUTH / REALITY

Page 12

Red Cell History

Richard “Dick” Marcinko, CDR, USN (ret)

Page 13

Red Cell History

• Military OPFOR / Red Teams

• “Tiger Teams” (1964)

• Navy’s “Red Cell”

• Cyber Pen-testing

• DARPA / NSCT

• Spread into many gov’t and corporate organizations...

Page 14

Related Concepts

• Threat Assessment

• Complicated vs. Complex

• Asking the right questions

• OODA Loops, Contextual Awareness, and Information Speed

Page 15

OODA

OBSERVE

ORIENT

DECIDE

ACT

Page 16

OODA Loops in the NFL

Page 18

Red Cell Types

LEVEL 1 RED CELL: Full physical attack simulation on PREPARED target.

LEVEL 2 RED CELL: Social engineering, limited penetration testing, etc.

LEVEL 3 RED CELL: Tabletop (intellectual) exercise only.

Scale runs from ACTIVE (Level 1) to PASSIVE (Level 3).

Page 19

Why Red Cell?

• Black Swans (hedge against “5σ” surprise)

• Complacency Killer

• Breaks Silos

• Teaches institutional recognition of suspicious behavior

• Teaches institutional recognition of flawed thinking and constructs

• “Sense Making” – Collective application of individual intuition to identify changes in patterns (or new patterns)

Page 20

Why Not?

• Situational / Conditional Issues- Scenario Problems; Poor Exercise Design

• Organizational Issues- Team Relation; Political Restraints; Misunderstanding Results

Page 21

What Red Cells Can’t Do

• Detect every Black Swan (never enough info to predict all possible scenarios)

• No “checklist” can replace logical thought

• Only one way to confirm enemy intentions (wait for the attack)

• Serve as fault-finding expedition

Page 22

Red Cell Methodology

What do our adversaries want?

How will they try to achieve their goals?

How do we stop them?

Page 23

ID/Train Participants → EXERCISE → Document/evaluate results → IMPROVEMENTS → (back to ID/Train Participants)

Red Cell = Cycles, not Steps

Page 24

Red Cell Guidelines

• Access to background information

• Subject matter experts

• Adhere to protocol / decision making system

• Think creatively (requires effort)

• Don’t obsess on failure (past, present, or anticipated)

• Work the problems (don’t let them work you)

Page 25

Assessment Techniques

• Pre-mortem

• Red Cell / Physical Pen testing

• SWOT

• WRAP

• Dilbert?! Six Filters…

• A Team / B Team

• Argument Deconstruction

• Contrarian Analysis

• Devil’s Advocacy

• Occam’s Razor

“What would have to be true to allow or make this happen?”

Page 26

Red Teamer Skill Levels

• APPRENTICE: Can think like the attacker.

• JOURNEYMAN: Can think like the attacker and defender.

• MASTER: Able to think like the attacker and defender thinking about each other.

Hire an apprentice to model an unsophisticated adversary; a journeyman to model a sophisticated one. Hire masters to model the entire system...

Page 27

Mumbai, India 2008

• 26 NOV 2008

• 11 Coordinated assaults

• Low-tech (“guys with guns”)

• Porous border

Low-Tech Coordinated Assault

Page 28

Low-Tech Coordinated Assaults Against US?

• 30 Operatives (minimal training)

• Porous border? Docs?

• $75,000 for housing, rifles, ammo

• Pre-raid surveillance / planning

• Phase I – Malls

• Phase II – Grocery Stores / Wal-Marts

• Phase III – Elementary Schools

• Phase IV – Houses of Worship

• Results? Retail, food shopping, culture, and education systems?

Page 29

Low-Tech Coordinated Assaults Against US?

Beltway Snipers (3 weeks – OCT 2002)

John Allen Muhammad and Lee Boyd Malvo

Page 30

Beslan School

1 – 3 SEP 2004

~1100 hostages (~775 kids)

~334 killed (including 186 children)

Page 31

Dam Sabotage

Page 32

Insider Threats (not new)

• WWII B-17 “Tondelayo” (as related in “The Fall of Fortresses” by Elmer Bendiner)

• Bomb run over Kassel, Germany

• Piloted by Bohn Fawkes; story told by Bendiner

• Eleven 20mm explosive shells in aircraft...

Page 33

Energy Grid Attacks

Page 34

The general who attempts to protect everything, protects nothing.

Page 35

Those generals who have had but little experience attempt to protect every point, while those who are better acquainted with their profession, having only the capital object in view, guard against a decisive blow, and acquiesce in small misfortunes to avoid greater.

Frederick the Great

Page 36

Santee Cooper Red Cell

Page 37

So, what?

A newspaper is better than a magazine. A seashore is a better place than the street. At first it is better to run than to walk. You may have to try several times. It takes some skill, but it is easy to learn. Even young children can enjoy it. Once successful, complications are minimal. Birds seldom get too close. Rain, however, soaks in very fast. Too many people doing the same thing can cause problems. One needs lots of room. If there are no complications, it can be very peaceful. A rock will serve as an anchor. If things break loose from it, however, you will not get a second chance.

Page 38

Red Teaming and Energy Grid Security

SC PUBLIC SERVICE AUTHORITY

LAW ENFORCEMENT DIVISION

QUESTIONS?

Presented by Mike Frederick