Lessons learned from a cybersecurity tabletop exercise - Motorola Solutions Blog

The Public Safety Threat Alliance (PSTA),  hosted a tabletop exercise with a select group of members representing public safety and government agencies in April 2024. The event was designed to proactively increase awareness of cyber threats and vulnerabilities and help the agencies strengthen their incident response (IR) capabilities and defense strategies, particularly against nation-state threat actors targeting critical infrastructure and emergency communications  This blog highlights key takeaways from the PSTA’s June 2024 Intelligence Report, which featured a recap of the event. The PSTA is an information sharing and analysis organization (ISAO) established by Motorola Solutions and recognized by the Cybersecurity and Infrastructure Security Agency (CISA).

Exercise Knight Siren was led by cybersecurity advisors from the Motorola Solutions Advisory Services team that regularly helps agencies test and improve their cyber defenses.  The exercise engaged select representatives from U.S. and Canadian local governments, state and provincial emergency response agencies, and key cybersecurity stakeholders from the U.S. Federal Government. During the four-hour event, participants collaborated in response to a simulated cyber attack that targeted the primary P25 radio network of a fictitious municipality.

The event consisted of eight ransomware attack phases, each requiring participants to think through a series of prepared questions. While working together to determine the appropriate response action for each phase, along with our security experts, participants also examined their own agency plans to identify gaps and susceptibilities to be better prepared for attacks in the real world. 

Key takeaways

The lessons learned as a result of Exercise Knight Siren highlight the importance of collaboration and preparedness in the face of a cybersecurity incident and serve as valuable reminders for all emergency communications agencies. Throughout the exercise, the recurring theme across the PSTA members was that planning and rehearsing are critical components of an effective incident response. Other recommendations to avoid confusion and create a stronger incident response plan include:

• Proactively prepare for compromise
  • Have clear and defined plans for who to contact and how; regularly maintain the contact information
  • Ensure the means of communicating with responders remain secure and operational
  • As investigation commences, approach with an “assumed breach” perspective; ensure to document discoveries.

• Have pre-approved plans in place
  • Have proper triage plans in place, especially for critical systems
  • Use decision markers to indicate incident severity; define decision points for when events transition to a cyber issue
  • Establish a secondary and tertiary communication plan quickly and communicate with key internal and external stakeholders

• Raise the alarm
  • Contact executive leaders (e.g., elected officials, legal counsel, the FBI) through a predetermined escalation chain  and the legal team responsible for the cyber insurance policy (if applicable).
  • Consider using a secondary means of communication if the primary means are compromised
  • Alert your internal emergency services organization

• Isolate and restore
  • Review data inventories to understand what critical data has/has not been impacted (and maintain proper inventories for preparedness)
  • Know what technical levers are available to isolate critical emergency services systems, stabilize security and hinder the adversary’s ability to traverse the network
  • Ensure well defined roles and responsibilities are in place, particularly when challenging containment decisions, such as system isolation, must be made

• Consider communicating to stakeholders
  • Notify and engage with the media and general public to prevent confusion and loss of public confidence; send a unified, transparent, and sincere message through a single distribution channel
  • If the situation allows, communicate with employees and contractors requesting they direct all inquiries to the assigned public affairs individual. 
  • Establish and maintain a timeline for restoring the compromised system

Protecting communities starts with protecting mission-critical systems and networks. By implementing best cybersecurity practices and 24/7 monitoring, incorporating tabletop exercises and regularly rehearsing IR plans, your agency can be better prepared for and protected from a cyber disaster. You can also learn more about the threats facing public safety agencies by joining the PSTA for access to specialized threat intelligence among other no-cost products and services.

Cybersecurity Advisory Services 

A complete understanding of your agency’s vulnerabilities is a critical step in protecting your networks and systems. Motorola Solutions’ Advisory Services are a great way to assess your organization and provide insights to help make informed decisions. Our professional services include the following; 

• Risk assessments
• Penetration testing (aka ethical hacking)
• IR planning
• Tabletop exercises
• Compliance assessments

Consistently Improve your defenses against cyber threat actors even further with routine Advisory Services. Learn more here.