Cyber Storm: Securing Cyber Space
Cyber Storm, Cybersecurity and Infrastructure Security Agency’s (CISA) biennial exercise series, provides the framework for the most extensive government-sponsored cybersecurity exercise of its kind. The exercise series brings together the public and private sectors to simulate discovery of and response to a significant cyber incident impacting the Nation’s critical infrastructure. Cyber Storm exercises are part of CISA’s ongoing efforts to assess and strengthen cyber preparedness and examine incident response processes.
Cyber Storm participants perform the following activities:
- Examine organizations’ capability to prepare for, protect from, and respond to cyberattacks' potential effects;
- Exercise strategic decision making and interagency coordination of incident response(s) in accordance with national level policy and procedures;
- Validate information sharing relationships and communications paths for collecting and disseminating cyber incident situational awareness, response and recovery information; and
- Examine means and processes through which to share sensitive information across boundaries and sectors without compromising proprietary or national security interests.
Each Cyber Storm builds on lessons learned from previous real-world incidents, ensuring that participants face more sophisticated and challenging exercises every two years. CISA is currently planning for Cyber Storm IX.
Cyber Storm I: February 2006
- First government-led full-scale cyber exercise;
- Included over 115 organizations, including federal, state, and local governments and the private sector;
- Featured four sectors: information technology, communications, energy, and transportation (air); and
- Allowed participants to respond to a variety of cyber and communications degradations and simulated attacks against critical infrastructure and to collaborate at the operational, policy, and public affairs levels.
- More on Cyber Storm I
Cyber Storm II: March 2008
- Involved 5 countries (Australia, Canada, New Zealand, United Kingdom, and the United States); 18 federal cabinet-level agencies (Departments of Defense, State, Justice, etc.); 9 states (Pennsylvania, Colorado, California, Delaware, Texas, Illinois, Michigan, North Carolina, and Virginia); and over 40 private sector companies (Juniper Networks, Microsoft, McAfee, Cisco, NeuStar, The Dow Chemical Company, Inc., PPG Industries, ABB Group, Air Products & Chemical Inc., Nova Chemical, Wachovia, etc.);
- Affected 4 critical infrastructure sectors including chemical, information technology, communications, and transportation (rail/pipe) and used 10 Information Sharing and Analysis Centers;
- Exercised the processes, procedures, tools, and organizational response to a multi-sector coordinated attack through and on the global cyber infrastructure;
- Allowed players to exercise and evaluate their cyber response capabilities to a multi-day coordinated attack and to gauge the cascading effects of cyber disasters on other critical infrastructure, shaping response priorities; and
- Exercised government and private sector concepts and processes developed since Cyber Storm I, requiring great interaction and coordination at the strategic, operational, and tactical levels.
- More on Cyber Storm II
Cyber Storm III: September 2010
Cyber Storm III built upon the success of previous exercises; however, enhancements in the nation's cybersecurity capabilities, an ever-evolving cyber threat landscape and the increased emphasis and extent of public-private collaboration and cooperation, made Cyber Storm III unique.
- National Cyber Incident Response Plan
Cyber Storm III served as the primary vehicle to exercise the newly-developed National Cyber Incident Response Plan (NCIRP), a blueprint for cybersecurity incident response, to examine the roles, responsibilities, authorities, and other key elements of the nation's cyber incident response and management capabilities and use those findings to refine the plan.
- Increased Federal, State, International and Private Sector Participation
- Administration-Wide - Eight Cabinet-level departments including Departments of Commerce, Defense, Energy, Homeland Security, Justice, Transportation, and Treasury in addition to the White House and representatives from the intelligence and law enforcement communities.
- Eleven States - California, Delaware, Illinois, Iowa, Michigan, Minnesota, North Carolina, New York, Pennsylvania, Texas, and Washington, as well as the Multi-State Information Sharing and Analysis Center (MS-ISAC) compared to nine states in Cyber Storm II.
- 12 International Partners - Australia, Canada, France, Germany, Hungary, Japan, Italy, the Netherlands, New Zealand, Sweden, Switzerland, and the United Kingdom compared to four international partners in Cyber Storm II.
- 50 Percent More Private Sector Partners - 60 private sector companies participated in Cyber Storm III, up from 40 in Cyber Storm II, several of which participated on-site with DHS for the first time. DHS worked with representatives from the Banking and Finance, Chemical, Communications, Dams, Defense Industrial Base, Information Technology, Nuclear, Transportation, and Water sectors as well as the corresponding Sector Coordinating Councils and Information Sharing and Analysis Centers to identify private sector participants.
- CISA Central
Cyber Storm III represented the first opportunity to test CISA Central, which serves as the hub of national cybersecurity coordination and was inaugurated in October 2009.
Cyber Storm IV: 2011-2014
Cyber Storm IV consisted of individual building block exercises at the federal, state, and international levels which provided the cyber incident response community with the opportunity to design focused events to evaluate specific capabilities. The building block approach also introduced cyber exercises to new stakeholders and prepared them for participation in future Cyber Storm exercises.
Cyber Storm IV included 15 tabletop and distributed exercises that involved over 1,250 participants from 16 states, 11 countries, and 14 federal agencies. CyberStorm IV exercises for external stakeholders included:
- State-specific exercises with Idaho, Maine, Mississippi, Missouri, Nevada, Oregon, and Washington. A state coordination exercise with the Multi-State Information Sharing and Analysis Center (MS-ISAC) that included Delaware, Iowa, Massachusetts, Michigan, Minnesota, New York, North Carolina, Pennsylvania, and Wisconsin.
- An international exercise with the International Watch and Warning Network that included Australia, Canada, France, Germany, Hungary, Japan, the Netherlands, Norway, Sweden, Switzerland, and the United States.
- Cyber Storm IV: Evergreen, a distributed national level exercise that engaged hundreds of players from the private sector, state and local entities, and the federal government in operational play.
- More on Cyber Storm IV
Cyber Storm V: March 2016
Cyber Storm V returned to the capstone, distributed exercise format of Cyber Storms I-III. The exercise took place March 8-10, 2016, with the Exercise Control located at the United States Secret Service headquarters in Washington, DC.
Cyber Storm V Highlights
- For the first time in the Cyber Storm exercise series, the exercise featured dedicated participation from the Healthcare and Public Health sector and Commercial Facilities: Retail subsector. The Information Technology and Communications sectors also played significant roles in the exercise.
- Federal agencies, and organizations from the law enforcement, intelligence, and defense communities also participated.
- Eight states participated as full players, with other states playing through the Multi-State Intelligence and Analysis Center (MS-ISAC).
- Participation included over 100 organizations and more than 1,200 registered players from across the globe.
Cyber Storm VI: April 2018
The sixth iteration of the Cyber Storm exercise series, Cyber Storm VI, took place in April 2018. Cyber Storm VI focused on the critical manufacturing and transportation sectors and included participation from the information technology and communications sectors; law enforcement, defense, and intelligence agencies; state and local governments; and international partners.
Cyber Storm VI Highlights
- Exercised federal, state, private sector, and international response to a significant cyber incident affecting non-traditional IT devices.
- Integrated new stakeholders into the exercise, including one new sector, Critical Manufacturing, and one new sector component, Automotive.
- Raised awareness of the rapidly expanding cyberattack landscape and the nuances of response to incident impacting Internet of Things (IoT) and operational technology (OT) devices.
- Integrated a simulated and dynamically-updated media and social media platform to replicate the customer and public components of an incident and provided a no-fault learning environment to practice strategies that support this aspect of response.
Cyber Storm 2020: August 2020
Cyber Storm 2020 was executed in August 2020. Sponsored by CISA, the exercise included more than 2,000 players from over 210 organizations across critical infrastructure sectors, exercising incident response procedures in a remote environment. Cyber Storm 2020 raised awareness of long-standing and ongoing vulnerabilities in the core infrastructure of the Internet and was the seventh iteration of the Cyber Storm series.
Cyber Storm 2020 Highlights
- Exercised federal, state, private sector, and international response to a significant cyber incident targeting underlying core services of the Internet.
- Planned for and exercised incident response across components of the following critical infrastructure sectors: Chemical, Commercial Facilities, Communications, Critical Manufacturing, Energy, Financial Services, Healthcare and Public Health, Information Technology (IT), and Transportation Systems.
- Tested the capacity of participating state and local governments to respond to cyber incidents and coordinate via the Multi-State Information Sharing and Analysis Center (MS-ISAC).
- Organizations gained an opportunity to identify improvements to distributed communication and coordination processes – increasingly in place due to pandemic restrictions.
Cyber Storm VIII: March 2022
In March 2022, CISA conducted the eighth iteration of the Cyber Storm exercise series. Over 2,000 players participated in Cyber Storm VIII, which examined discovery of and response to a large-scale, coordinated significant cyber incident impacting multiple critical infrastructure sectors. Cyber Storm VIII further strengthened public and private partnerships and assessed areas of improvement for national cybersecurity plans and policies.
Cyber Storm VIII Highlights
- Raised awareness of the rapidly expanding cyberattack surface and the nuances of response to incidents impacting Industrial Control Systems (ICS)/Operational Technology (OT) and enterprise IT networks.
- Integrated one new sector into the exercise, Water and Wastewater Systems.
- Emphasized information sharing and communication as International Watch and Warning Network (IWWN) partner nations worked toward improving their incident response communications.
- Achieved the development and dissemination of an in-exercise joint Cybersecurity Advisory (CSA) for the first time in a Cyber Storm exercise.
Cyber Storm IX: Spring 2024
Cyber Storm IX, slated for Spring 2024, is the ninth iteration of the Cyber Storm exercise series. Cyber Storm IX aims to strengthen cybersecurity preparedness and response capabilities by exercising policies, processes, and procedures for identifying and responding to a multi-sector significant cyber incident impacting critical infrastructure. Cyber Storm IX will build upon past exercises by evaluating relevant national cybersecurity policies and clarifying response roles during a cyber event. Participants will include federal, state, and local government, the private sector, and international partners.