The high-performance computing (HPC) cybersecurity engineers at the US Department of Energy’s (DOE’s) Oak Ridge National Laboratory (ORNL) typically face small cybersecurity incidents, so they don’t often get a chance to respond to bigger events.
Cyber Fire is a program that offers multiple cybersecurity training events to staff members at DOE laboratories each year to ensure they’re equipped to manage large-scale incidents. Last month, cybersecurity experts from Los Alamos National Laboratory (LANL) offered a Cyber Fire simulation training event at ORNL for staff members in the Oak Ridge Leadership Computing Facility (OLCF), the Information Technology Services Division, the Security Operations Center, and the Cyber and Information Security Research Group at ORNL; the DOE Office of Scientific and Technical Communication; and the Y-12 National Security Complex.
“The Cyber Fire simulations are more in-depth and hands-on than the biannual Cyber Fire Foundry events,” said Stefan Maerz, HPC cybersecurity engineer at the OLCF. “This was a focused effort, where an actual large-scale cybersecurity event was simulated.”
The simulation exercise, held December 3–6 at ORNL, focused on the security breach that occurred within DOE in 2013 during which hackers gained access to employee data from the Management Information System. Approximately 10 people attended the ORNL event.
To form a complete picture of the hardware, software, and network environments at the time of the breach, the simulation participants were divided into four teams—host forensics, reverse engineering/malware analysis, network archaeology, and incident coordination—to work on the problem. The host forensics team looked at computer files stored on different kinds of hardware, the reverse engineering/malware analysis team studied malicious pieces of a code to understand how it performs, and the network archaeology team looked at the network traffic at the time of the attack. The incident coordination team pieced each of the team’s results together to determine what might have happened.
“This was a great teambuilding exercise,” Maerz said. “It gets chaotic quickly when you’re thrown into that kind of environment, but this really helped us figure out how to work together and sharpen our skills in some of these areas.”
LANL cybersecurity research and development scientists Chris Rawlings, Grace Herrera, and Eric Michalak guided the teams through the exercise and helped them maneuver challenges they encountered along the way.
“It took a couple weeks to complete the original assessment of the incident,” said Ryan Adamson, HPC cybersecurity engineer and interim group leader for the OLCF’s new HPC Core Operations Group. “We only had four days to do the same thing, and we had help from the trainers when we needed it.”
At the end of the exercise, the teams successfully understood which systems were compromised and made recommendations regarding which systems would have needed to be rebuilt at the time of the incident. Maerz said the ability to work together to find correlations among the data was an extremely valuable takeaway.
“The incidents we deal with are pretty small and easy to respond to,” Maerz said. “But it’s good to train in case we ever do have a large incident. We need to know how to resolve larger issues when we encounter them, and this gave us the opportunity to face those kinds of problems firsthand.”
The OLCF is a DOE Office of Science User Facility located at ORNL.
ORNL is managed by UT-Battelle LLC for the Department of Energy’s Office of Science, the single largest supporter of basic research in the physical sciences in the United States. DOE’s Office of Science is working to address some of the most pressing challenges of our time. For more information, please visit https://science.energy.gov.