Cyber Storm: Securing Cyber Space

CISA hosted the ninth iteration of the National Cyber Exercise, Cyber Storm IX, in April 2024. Over 2,200 players from around the globe examined their cyber resilience and coordination mechanisms in response to a distributed attack on organizations’ cloud resources. Response and recovery efforts included internal collaboration, coordination with incident response and cloud vendors, public messaging, and federal reporting. The exercise provided players a realistic, no-fault environment to validate cyber incident plans, policies, and procedures. 

Cyber Storm IX Highlights

• Featured the Food and Agriculture sector as the primary impacted sector for the first time in CS exercise history.
• Highlighted critical considerations in the cloud security shared responsibility model.
• Exercised reporting to Sector Risk Management Agencies (SRMAs) and other federal government entities.
• Examined cyber information sharing networks both domestically and internationally.

More on Cyber Storm IX

Cyber Storm VIII, 2022, engaged 2000+ participants through a multi-layered scenario that impacted both industrial control systems (ICS)/operational technology (OT) and enterprise IT networks, raising awareness of the rapidly expanding cyberattack surface.

In March 2022, CISA conducted the eighth iteration of the Cyber Storm exercise series. Over 2,000 players participated in Cyber Storm VIII, which examined discovery of and response to a large-scale, coordinated significant cyber incident impacting multiple critical infrastructure sectors. Cyber Storm VIII further strengthened public and private partnerships and assessed areas of improvement for national cybersecurity plans and policies.

Cyber Storm VIII Highlights

• Raised awareness of the rapidly expanding cyberattack surface and the nuances of response to incidents impacting Industrial Control Systems (ICS)/Operational Technology (OT) and enterprise IT networks​.
• Integrated one new sector into the exercise, Water and Wastewater Systems​.
• Emphasized information sharing and communication as International Watch and Warning Network (IWWN) partner nations worked toward improving their incident response communications​.
• Achieved the development and dissemination of an in-exercise joint Cybersecurity Advisory (CSA) for the first time in a Cyber Storm exercise.

More on Cyber Storm VIII

Cyber Storm 2020, 2020, provided 2000+ distributed players from approximately 210 organizations the opportunity to stress test incident response procedures in a remote environment and raised awareness of long-standing and ongoing vulnerabilities in the core infrastructure of the Internet.

Cyber Storm 2020 was executed in August 2020. Sponsored by CISA, the exercise included more than 2,000 players from over 210 organizations across critical infrastructure sectors, exercising incident response procedures in a remote environment. Cyber Storm 2020 raised awareness of long-standing and ongoing vulnerabilities in the core infrastructure of the Internet and was the seventh iteration of the Cyber Storm series.

Cyber Storm 2020 Highlights

• Exercised federal, state, private sector, and international response to a significant cyber incident targeting underlying core services of the Internet.
• Planned for and exercised incident response across components of the following critical infrastructure sectors: Chemical, Commercial Facilities, Communications, Critical Manufacturing, Energy, Financial Services, Healthcare and Public Health, Information Technology (IT), and Transportation Systems.
• Tested the capacity of participating state and local governments to respond to cyber incidents and coordinate via the Multi-State Information Sharing and Analysis Center (MS-ISAC).
• Organizations gained an opportunity to identify improvements to distributed communication and coordination processes – increasingly in place due to pandemic restrictions.

More on Cyber Storm 2020

Cyber Storm VI, 2018, focused on response an incident affecting to non-traditional IT devices and included new participants from critical manufacturing and the automotive industry.

The sixth iteration of the Cyber Storm exercise series, Cyber Storm VI, took place in April 2018. Cyber Storm VI focused on the critical manufacturing and transportation sectors and included participation from the information technology and communications sectors; law enforcement, defense, and intelligence agencies; state and local governments; and international partners.

Cyber Storm VI Highlights

• Exercised federal, state, private sector, and international response to a significant cyber incident affecting non-traditional IT devices.
• Integrated new stakeholders into the exercise, including one new sector, Critical Manufacturing, and one new sector component, Automotive.
• Raised awareness of the rapidly expanding cyberattack landscape and the nuances of response to incident impacting Internet of Things (IoT) and operational technology (OT) devices.
• Integrated a simulated and dynamically-updated media and social media platform to replicate the customer and public components of an incident and provided a no-fault learning environment to practice strategies that support this aspect of response.

More on Cyber Storm VI

Cyber Storm V, 2016, included more than 1,000 distributed players and brought together new sectors, including retail and healthcare participants.

Cyber Storm V returned to the capstone, distributed exercise format of Cyber Storms I-III. The exercise took place March 8-10, 2016, with the Exercise Control located at the United States Secret Service headquarters in Washington, DC.

Cyber Storm V Highlights

• For the first time in the Cyber Storm exercise series, the exercise featured dedicated participation from the Healthcare and Public Health sector and Commercial Facilities: Retail subsector. The Information Technology and Communications sectors also played significant roles in the exercise.
• Federal agencies, and organizations from the law enforcement, intelligence, and defense communities also participated.
• Eight states participated as full players, with other states playing through the Multi-State Intelligence and Analysis Center (MS-ISAC).
• Participation included over 100 organizations and more than 1,200 registered players from across the globe.

More on Cyber Storm V

Cyber Storm IV included 15 building block exercises between 2011 and 2014 to help communities and states exercise cyber response capabilities for escalating incidents.

Cyber Storm IV consisted of individual building block exercises at the federal, state, and international levels which provided the cyber incident response community with the opportunity to design focused events to evaluate specific capabilities. The building block approach also introduced cyber exercises to new stakeholders and prepared them for participation in future Cyber Storm exercises.

Cyber Storm IV included 15 tabletop and distributed exercises that involved over 1,250 participants from 16 states, 11 countries, and 14 federal agencies. 

Cyber Storm IV exercises for external stakeholders included:

• State-specific exercises with Idaho, Maine, Mississippi, Missouri, Nevada, Oregon, and Washington. A state coordination exercise with the Multi-State Information Sharing and Analysis Center (MS-ISAC) that included Delaware, Iowa, Massachusetts, Michigan, Minnesota, New York, North Carolina, Pennsylvania, and Wisconsin.
• An international exercise with the International Watch and Warning Network that included Australia, Canada, France, Germany, Hungary, Japan, the Netherlands, Norway, Sweden, Switzerland, and the United States.
• Cyber Storm IV: Evergreen, a distributed national level exercise that engaged hundreds of players from the private sector, state and local entities, and the federal government in operational play.

More on Cyber Storm IV

Cyber Storm III, 2010, focused on response according to national-level frameworks and provided the first operational test of the National Cybersecurity and Communications Integration Center (NCCIC).

Cyber Storm III built upon the success of previous exercises; however, enhancements in the nation's cybersecurity capabilities, an ever-evolving cyber threat landscape and the increased emphasis and extent of public-private collaboration and cooperation, made Cyber Storm III unique.

• National Cyber Incident Response Plan
  • Cyber Storm III served as the primary vehicle to exercise the newly-developed National Cyber Incident Response Plan (NCIRP), a blueprint for cybersecurity incident response, to examine the roles, responsibilities, authorities, and other key elements of the nation's cyber incident response and management capabilities and use those findings to refine the plan.
• Increased Federal, State, International and Private Sector Participation
  • Administration-Wide - Eight Cabinet-level departments including Departments of Commerce, Defense, Energy, Homeland Security, Justice, Transportation, and Treasury in addition to the White House and representatives from the intelligence and law enforcement communities.
  • Eleven States - California, Delaware, Illinois, Iowa, Michigan, Minnesota, North Carolina, New York, Pennsylvania, Texas, and Washington, as well as the Multi-State Information Sharing and Analysis Center (MS-ISAC) compared to nine states in Cyber Storm II.
  • 12 International Partners - Australia, Canada, France, Germany, Hungary, Japan, Italy, the Netherlands, New Zealand, Sweden, Switzerland, and the United Kingdom compared to four international partners in Cyber Storm II.
  • 50 Percent More Private Sector Partners - 60 private sector companies participated in Cyber Storm III, up from 40 in Cyber Storm II, several of which participated on-site with DHS for the first time. DHS worked with representatives from the Banking and Finance, Chemical, Communications, Dams, Defense Industrial Base, Information Technology, Nuclear, Transportation, and Water sectors as well as the corresponding Sector Coordinating Councils and Information Sharing and Analysis Centers to identify private sector participants.
• CISA Central
  • Cyber Storm III represented the first opportunity to test CISA Central, which serves as the hub of national cybersecurity coordination and was inaugurated in October 2009.

More on Cyber Storm III

Cyber Storm II, 2008, exercised individual response capabilities and leadership decision making.

Cyber Storm II Highlights

• Involved 5 countries (Australia, Canada, New Zealand, United Kingdom, and the United States); 18 federal cabinet-level agencies (Departments of Defense, State, Justice, etc.); 9 states (Pennsylvania, Colorado, California, Delaware, Texas, Illinois, Michigan, North Carolina, and Virginia); and over 40 private sector companies (Juniper Networks, Microsoft, McAfee, Cisco, NeuStar, The Dow Chemical Company, Inc., PPG Industries, ABB Group, Air Products & Chemical Inc., Nova Chemical, Wachovia, etc.);
• Affected 4 critical infrastructure sectors including chemical, information technology, communications, and transportation (rail/pipe) and used 10 Information Sharing and Analysis Centers;
• Exercised the processes, procedures, tools, and organizational response to a multi-sector coordinated attack through and on the global cyber infrastructure;
• Allowed players to exercise and evaluate their cyber response capabilities to a multi-day coordinated attack and to gauge the cascading effects of cyber disasters on other critical infrastructure, shaping response priorities; and
• Exercised government and private sector concepts and processes developed since Cyber Storm I, requiring great interaction and coordination at the strategic, operational, and tactical levels.

More on Cyber Storm II

Cyber Storm I, 2006, marked the first time the cyber response community came together to examine the national response to cyber incidents.

Cyber Storm I Highlights

• First government-led full-scale cyber exercise;
• Included over 115 organizations, including federal, state, and local governments and the private sector;
• Featured four sectors: information technology, communications, energy, and transportation (air); and
• Allowed participants to respond to a variety of cyber and communications degradations and simulated attacks against critical infrastructure and to collaborate at the operational, policy, and public affairs levels.

More on Cyber Storm I