NRECA's Rural Cooperative Cybersecurity Capabilities (RC3) Program worked with cybersecurity consultant Delta Risk, LLC, to develop the RC3 Cybersecurity Tabletop Exercise Toolkit (TTX Toolkit). A tabletop exercise (TTX) for cybersecurity provides a structured opportunity to test your cooperative's ability to assess and respond to a potentially damaging cyber incident. This effort was funded by the U.S. Department of Energy to create cybersecurity resources for distribution cooperatives.
The RC3 TTX Toolkit provides relevant cybersecurity incident scenarios with real world implications. There are three categories of scenarios designed to meet a broad range of cooperative skills.
-
Category 1: For cooperatives with no IT staff and limited IT capabilities.
-
Category 2: For cooperatives that have IT staff but limited cybersecurity skills and experience.
-
Category 3: For cooperatives with IT staff who have cybersecurity skills and experience.
You can choose a scenario from any of the categories based on your assessment of your cooperative's current cybersecurity incident response and preparedness capabilities.
All of the TTX Toolkit resources will be available through this NRECA website.
The RC3 TTX Toolkit will help staff members across your cooperative realize they have roles to play in protecting their cooperative. Cybersecurity is everyone's responsibility – not just IT's.
Please note: The RC3 Cybersecurity Tabletop Exercise Toolkit (TTX) scenarios can be conducted in a virtual environment through a coordinated web conference and do not require participants to assemble at the same location.
More Information:
This material is based upon work supported by the Department of Energy National Energy Technology Laboratory under Award Number(s) DE-OE0000807.
[toggles css-code="font-family%3A%20PT%20Serif%2Cserif%3B%0Aline-height%3A%202.1%20!important%3B%0A%0Aul%20li%20%7B%0Afont-size%3A%2018px%3B%0A%7D%0A%0A.shortpoint-toggle-p%20%7B%0Afont-family%3A%20PT%20Serif%2Cserif%3B%0A%7D%0A%0A.shortpoint-toggle-icon-container%2Bspan%20%7B%0Afont-family%3A%20PT%20Serif%2Cserif%20!important%3B%0A%7D%0A" css_code_compiled=".dynamic-unique-shortpoint-class-name%20%7B%20font-family%3A%20PT%20Serif%2Cserif%3B%0Aline-height%3A%202.1%20!important%3B%0A%20%7D%0A.dynamic-unique-shortpoint-class-name%20ul%20li%20%7B%20font-size%3A%2018px%3B%0A%7D%0A.dynamic-unique-shortpoint-class-name%20.shortpoint-toggle-p%20%7B%20font-family%3A%20PT%20Serif%2Cserif%3B%0A%7D%0A.dynamic-unique-shortpoint-class-name%20.shortpoint-toggle-icon-container%2Bspan%20%7B%20font-family%3A%20PT%20Serif%2Cserif%20!important%3B%0A%7D"]
[toggle title="Downloading%20the%20RC3%20Cybersecurity%20TTX%20Toolkit%20and%20RC3%20Cybersecurity%20TTX%20Toolkit%20Facilitator's%20Edition"]
[button title="Download%20the%20Toolkit" link="%2Fprograms-services%2Fbts%2Frc3%2FPages%2FSecure%2FRC3-Cybersecurity-TTX-Toolkit-Request.aspx" /]
There are two sets of documents for the RC3 TTX:
- RC3 TTX Toolkit - containing materials for planning and after the exercise. Anyone can download this Toolkit. It has helpful background information and materials to help your cooperative plan for a TTX and how to choose a Facilitator.
- Facilitator’s Edition - containing all the materials in the Toolkit PLUS a Facilitator’s Guide that includes the incident scenario, and the PowerPoint slides used to deliver the exercise. Only your designated Facilitator should have access to the TTX Toolkit Facilitator’s Edition and see the scenario prior to the exercise. The main point of a TTX is to explore how you would respond to an unanticipated cybersecurity incident. If any of the participants know the details of what is going to happen, especially key participants like the IT or cybersecurity staff, the exercise loses the element of surprise and the participant responses will not be spontaneous or realistic. This greatly defeats the purpose and value of the TTX for your cooperative.
[/toggle]
[toggle title="What%20is%20a%20TTX%20Faciliator%20and%20Why%20Do%20We%20Need%20One%3F"]
The TTX Facilitator: A Critical Role for a Successful Cybersecurity TTX
A Facilitator will be required to conduct the TTX exercise with your group of co-op staff participants.
One of the key takeaway lessons the RC3 Team learned from the co-ops that helped develop and test the RC3 TTX Toolkit was the importance of the TTX Facilitator. It is the Facilitator who:
- Organizes the logistics for the exercise;
- Presents the incident scenario to the participants;
- Guides the discussion to help the group determine how they will respond to the cybersecurity incident;
- Helps the group identify and document potential impacts; and,
- Is responsible for summarizing the lessons learned after the exercise concludes.
Who Can Be a Facilitator? What Makes a Good Facilitator?
- The Facilitator can be anyone you choose, a staff member or a trusted third-party.
- The Facilitator’s role is to guide the discussion, not participate in it.
- The Facilitator does not need to be a cybersecurity expert, or even someone familiar with information technology (IT). Sometimes, the staff who are responsible for IT and/or cybersecurity are not the ideal facilitators of a cybersecurity TTX. IT and/or cybersecurity staff are often key participants (also known as “players”) in the exercise, and it is strongly recommended that a participant not try to be a Facilitator at the same time.
A good Facilitator has certain skills to effectively present content, guide discussions, and identify discussion outcomes. The Facilitation Tips document in the TTX Toolkit contains guidance on the skills that help make a good Facilitator. Select someone who has these skills.[/toggle]
[toggle title="How%20Do%20I%20Know%20Which%20Category%20of%20Cybersecurity%20Incident%20Scenario%20is%20Right%20for%20My%20Co-op%3F"]The RC3 Program developed cybersecurity incident scenarios for co-ops that have a range of IT skills. Some co-ops have no IT staff. Others have Cybersecurity Programs with more than four staff who have cybersecurity expertise. Here is a description of the three categories and some suggested guidance on how to select the best scenario for your cooperative:
-
Category 1: For cooperatives with no IT staff and limited IT capabilities. Pick scenarios in this category if you are in the early stages of developing a cybersecurity program, if you rely entirely on third-party providers and partners for your IT and cybersecurity services, and/or if you do not have a formal Cybersecurity Incident Response Plan.
-
Category 2: For cooperatives that have IT staff but limited cybersecurity skills and experience. Scenarios in this category are most appropriate for cooperatives that have started building a Cybersecurity Program, provide some level of cybersecurity awareness training for staff, have started building a Cybersecurity Incident Response Plan, and/or are looking for a method to challenge their existing cybersecurity response capabilities.
-
Category 3: For cooperatives with IT staff who have cybersecurity skills and experience. Scenarios in this category are for cooperatives that have moderately to highly mature Cybersecurity Programs, have a Cybersecurity Incident Response Plan that they want to test and challenge, and have implemented a wide range of cybersecurity controls.
[/toggle]
[toggle title="What%20Scenarios%20Are%20Available%20In%20Each%20Category%3F"]In total, there will be four sets of TTX scenarios provided through the RC3 Program. The first set of 3 scenarios (one for each Category) was released in August 2019. The second set of scenarios was added in March 2020. The third set of scenarios was released in September 2020, and the final set of scenarios will be made available prior to the end of 2020. Each release will include options to download one scenario at a time from the currently released set. Previously released scenarios will remain available on this website and can be downloaded at any time after their release.
All scenarios are available to all NRECA co-op members. You can choose which you would like to use and how you progress through the available scenarios. For instance, your cooperative might decide to start with a Category 1 scenario and then, as your staff gain skills, progress through the more advanced scenarios in Categories 2 and 3. Or, you might choose to stay within one Category that seems most fitting to your co-op’s cybersecurity staffing and capabilities, and progress through the available scenarios within that Category. However you choose to use the RC3 TTX, we hope that you will find it challenging to your staff and helpful in improving your cooperative’s cybersecurity posture.
Scenario Topics
|
Scenario 1
(Aug 2019)
|
Scenario 2
(Mar 2020) |
Scenario 3
(Sept 2020) |
Scenario 4
(Dec 2020) |
Category 1
For cooperatives with no IT staff and limited IT capabilities |
Scenario 1.1
Disgruntled Member
|
Scenario 1.2 Worm Infection
|
Scenario 1.3 Payroll Compromise Complicated by Weather Disaster
| Scenario 1.4 Extreme Weather and Employee Compromise
|
Category 2
For cooperatives with IT staff but limited cybersecurity capabilities |
Scenario 2.1 Facility Access & Malware Leads to Data Breach
|
Scenario 2.2 Advanced SCADA Intelligence Gathering
| Scenario 2.3 Ransomware Attack Disconnects Meters
| Scenario 2.4 Payment Processor and Remote Worker Compromises
|
Category 3
For cooperatives with IT staff with cybersecurity capabilities |
Scenario 3.1 Unauthorized Mass Disconnects
|
Scenario 3.2 SCADA Ransom
| Scenario 3.3 IT Ransomware
| Scenario 3.4 Remote Workers Unintentionally Install Malicious Software
|
[/toggle]
[toggle title="How%20Have%20Other%20Co-ops%20Used%20the%20TTX%20Toolkit%3F"]The RC3 Program developed additional materials to answer any general questions about the TTX Toolkit, and to help co-ops understand how other co-ops have used the TTX Toolkit and what lessons they learned.
Here are a few quotes from the cooperatives that worked in partnership with the RC3 Program to create the RC3 TTX Toolkit:
- “The people who prepared the exercise did it with the characteristics of a small co-op in mind. Thanks to the prepared slides and the talking points, you don’t have to be an IT expert to talk through technical topics in a productive way.”
- “It has definitely raised my comfort level about our ability to respond effectively.”
- “I feel we’ve now put cybersecurity on the front burner. Safety is number one, but cybersecurity is now seen as part of safety. That’s what we’ve gained through the work of our tabletop exercise team.”
- “NRECA’s work on the tabletop exercise was amazing.”
[/toggle]
[toggle title="What%20Documents%20are%20Included%20in%20the%20TTX%20Toolkit%20and%20the%20TTX%20Toolkit%20Facilitator%E2%80%99s%20Edition%3F"]The RC3 Cybersecurity TTX Toolkit and the TTX Toolkit Facilitator’s Edition include a series of documents to help you plan and conduct your tabletop exercise, including check-lists and templates for invitations, participant worksheets, after action reports, and more. With the TTX Toolkit, you will have the materials needed to run a ‘do-it-yourself’ team exercise that will engage staff from many different departments in your co-op. Below is a table showing what documents are included in the TTX Toolkit and what documents are included in the TTX Toolkit Facilitator’s Edition.
Document Name
| Description
| RC3 TTX Toolkit
| RC3 TTX Toolkit – Facilitator’s Edition |
---|
NRECA RC3 TTX Planning Checklist (PDF)
| Guidance on planning an RC3 Cybersecurity TTX. Use this at least one month in advance of a TTX.
|
|
|
NRECA RC3 TTX Delivery Day Checklist (PDF)
| Guidance for the day of the RC3 Cybersecurity TTX. Use this a few hours in advance of the TTX.
|
|
|
NRECA RC3 TTX After-Action Checklist (PDF)
| Guidance on activities required following a TTX.
|
|
|
NRECA RC3 TTX Sample Invitation (Word)
| Sample text that may be used to communicate the purpose of the TTX in the invitation to all participants.
|
|
|
NRECA RC3 TTX Facilitation Tips (PDF)
| Suggestions for facilitating group discussions. This document may be useful to Facilitators as well as to co-ops to help select who should be the Facilitator.
|
|
|
NRECA RC3 TTX Facilitator’s Guide (PDF)
| Essential information for the person who will serve as the TTX Facilitator. In depth details on the scenario, related discussion questions, timing suggestions, and tips on good facilitation are included. Facilitator’s Guides are for Facilitators ONLY.
| |
|
NRECA RC3 TTX Facilitator’s Delivery Deck (PPT)
| Slide decks used to deliver the TTX presentation. Each deck contains the same background information and agenda, with a unique section for the specific scenario to be used in each exercise. Facilitator’s Delivery Decks are for Facilitators ONLY.
| |
|
NRECA RC3 TTX Participant Worksheet (PDF)
| Worksheet for participants to use during the TTX to organize their ideas, concerns, and suggested actions. Information captured on these worksheets will be compiled into the After-Action Report after the TTX. Each participant should receive a printed copy of the Participant Worksheet for use during the TTX.
IMPORTANT NOTE: Once completed, this document will contain sensitive information about a co-op’s vulnerabilities. Both digital and hard copies should be secured and shared only with appropriate staff and leadership.
|
|
|
NRECA RC3 TTX After-Action Report Template (Word)
| Template used to produce a summary report after the TTX. Inputs from Participant Worksheets, actions assigned or to be assigned, and other follow-up items should be documented in this report. In addition, this document is used to capture strengths, areas for improvement, gaps, and future actions.
One copy of the After-Action report should be printed for the Scribe to fill out in the final section of TTX. The Facilitator finalizes and distributes the report to appropriate staff after the TTX.
IMPORTANT NOTE: Once completed, this document will contain sensitive information about a co-op’s vulnerabilities. Both digital and hard copies should be secured and shared only with appropriate staff and leadership. |
|
|
[/toggle]
[toggle title="Questions%3F"]If you have questions about the RC3 Cybersecurity TTX Toolkit, please contact our NRECA Cybersecurity Team at
membersecurity@nreca.coop.
[/toggle]
[/toggles]