Incident Response: Training and exercising at Thales Ebbw Vale prepares SOC analysts and IR teams for cyber events
A safe environment to emulate attacks on OT network infrastructure.
Thales is a multi-disciplined technology and consulting firm with a strong background in defence, aerospace, and national security. The cybersecurity business is one of the largest globally and serves a global list of government, critical infrastructure and commercial customers with a product portfolio that consists of identity and access management, encryption and application security, and services from consulting to engineering and managed security services.
Thales Ebbw Vale includes a distinct research and development centre built on the site of an old steel foundry, dedicated to national resilience. The investment by the Welsh Government and Thales aims to consolidate Wales’ position as a leader in cybersecurity research and to build a pipeline of talent and pool of skilled cybersecurity engineers. Additionally, Thales is actively engaged in educational outreach, partnering with academia to equip young people with cybersecurity knowledge and skills.
The cyber campus encompasses the National Digital Exploitation Centre (NDEC), which launched in 2019, and ResilientWorks, which followed in 2022. NDEC’s mission is to improve partners’ and customers’ digital trust and cybersecurity posture in industries reliant on Operational Technology (OT). This includes delivering advanced cyber research through collaboration with universities and PhD programmes, and providing a lab environment in which to evaluate systems and processes. ResilientWorks provides a collaborative environment for researching systems and technologies for autonomous and connected electric vehicles, including charging and energy supply infrastructure.
The site comprises three main buildings with a range of industry-specific OT Test Benches that enable Thales and partners to develop approaches to OT security, test tools and processes, and support the training and testing of customer teams. Test Benches include manufacturing, connected vehicles, smart energy grids, and representative CNI distribution networks, amongst others. The benches help asset owners to learn, design, test, implement and train, reducing the need to introduce new, untested software and tooling into critical processes. Using the NIST framework and alternatives such as ISO 27001, the campus helps organisations to improve cyber governance, to test tools and processes that identify assets and protect OT networks, and to accelerate security programme implementation.
Incident response planning, testing, and exercising is critical to operational resilience.
OT asset owners need to be able to detect and respond to cybersecurity incidents quickly and recover without compromising safety or availability. This includes cyber incidents resulting from a threat actor but also disruption caused by misconfiguration or software updates. The recent CrowdStrike incident provided a stark reminder of how reliant businesses are on software and the internet. It also illustrated how poorly prepared airlines and healthcare providers were at responding to and recovering from the system outage.
Cybersecurity incident response is a critical component of an asset owner’s risk and governance programme but is frequently overlooked. It is more than a documented set of processes: it requires regular communication, training and exercising for organisations to create and embed the culture and behaviours needed to reduce risk.
NIST Special Publication 800-61 Revision 3 defines incident response as the process of preparing for, detecting, analysing, containing, eradicating, and recovering from cybersecurity incidents. It “guides the activities of the cybersecurity team to respond, communicate, and coordinate in the event of a cybersecurity incident.” This sentiment is mirrored by the SANS 5 Critical Controls for OT, which stress the importance of defining roles and responsibilities and of training and exercising.
However, training and exercising are not easy. Asset owners can rarely use their own infrastructure to train on or to simulate a realistic attack, and table-top exercises, although a key component of ongoing training programmes, are usually classroom-based rather than hands-on.
Critical infrastructure providers should look to conduct continuous training and development in environments that mirror real-world operations. This is where Thales Ebbw Vale provides organisations with real value, providing the physical environment, systems, and scenarios to conduct exercises. NDEC helps cyber incident response teams put training into practice and helps management to assess performance and identify areas for improvement. This is why National Gas partnered with Thales.
National Gas at Thales Ebbw Vale.
National Gas is responsible for transporting gas to more than half a million businesses and 23 million homes across Britain, providing secure energy to power Britain, achieve net zero and maintain industrial competitiveness.
The gas National Transmission System (NTS) comprises almost 5,000 miles of high-pressure pipelines and associated assets, transporting natural gas to power stations and major industries, storage facilities, interconnectors, and to the Gas Distribution Networks (GDNs) that take gas into homes and businesses. The NTS is the motorway network for gas, transporting energy safely and reliably to every part of the country – every minute of every day.
As one of the few remaining dispatchable power generation technologies, gas has played a significant role in electricity generation since the retirement of coal plants: gas plants are flexible and can respond quickly to meet the needs of the UK power system. In 2023 there were approximately 33 days on which gas’s share of the power generation mix averaged more than 60% during the day. Rapid, effective, and rehearsed cyber incident response is essential to minimising operational disruption to this capability.
Regulatory requirements and governance goals require National Gas to “Operate safely, reliably and flexibly.” Operational risks could stem from a range of incidents, including misconfiguration, human error, parts failure, or a cybersecurity incident, and if realised can lead to serious losses. The 2021 Colonial Pipeline attack highlighted how susceptible national infrastructure can be to cyber threats. Compromised credentials allowed attackers to access a corporate network and encrypt business and billing systems, and the company proactively shut down the pipelines as a result, leading to fuel shortages and widespread disruption on the East Coast of the United States. Gaining a full understanding of these risks therefore helps National Gas to achieve its strategic objectives and to proactively identify and control the threats and vulnerabilities that could disrupt business continuity.
Thales and National Gas launched the Cyber Operations Research Environment (CORE) to design, test, and exercise cyber incident response, helping teams train to respond quickly and effectively to a cybersecurity incident.
Simulating high-impact scenarios requires the infrastructure, systems, and environment to be as close to reality as possible. At the CORE facility this environment is spread across separate locations on the site to replicate the distributed nature of gas transmission networks. One zone contains a physical replica of a gas transmission network, including a gas pumping station and its control systems, representing the ‘field’ network. The operations room is in a separate zone, providing engineers with access to field monitoring and telemetry, whilst the Security Operations Centre (SOC) sits in a third zone.
Using the Thales cyber range, different threats can be introduced to evaluate responses to a variety of scenarios. This may include, for example, manipulating data in the operations room so that it does not correspond with data in the field. Through these exercises National Gas can assess the readiness of engineering and security teams, observing how they communicate and adhere to incident response processes. It also provides an opportunity to refine response plans and explore new attack vectors.
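The scenario above, an operations room view that no longer matches the field, is something a SOC can test for during an exercise by cross-checking both data paths. The following is an added illustration, not Thales or National Gas code; it assumes the SOC receives the field instrument readings out-of-band, and the tag name, polling times and values are constructed.

```python
from dataclasses import dataclass

# Constructed sample readings, one per polling cycle for a single tag.
# ops_value is what the operations room display shows; field_value is the
# same instrument read independently at the pumping station (assumed to be
# available to the SOC out-of-band for cross-checking).
@dataclass
class Reading:
    t: int           # poll time, seconds since the start of the exercise
    tag: str         # instrument identifier (constructed, not a real tag)
    ops_value: float
    field_value: float

READINGS = [
    Reading(0,  "PT-101", 68.9, 68.9),
    Reading(10, "PT-101", 69.0, 69.1),
    Reading(20, "PT-101", 69.0, 74.6),   # ops view frozen while field climbs
    Reading(30, "PT-101", 69.0, 79.8),
    Reading(40, "PT-101", 69.0, 80.2),
]

def find_divergence(readings, tolerance=1.0, freeze_polls=3):
    """Return alerts where the operations room view stops tracking the field.

    Two checks:
      * mismatch: |ops - field| exceeds the instrument tolerance
      * frozen: the ops value has been identical for `freeze_polls`
        consecutive polls while the field value moved, which is what a
        stuck or replayed display looks like to an operator
    """
    alerts = []
    history = {}
    for r in readings:
        delta = abs(r.ops_value - r.field_value)
        if delta > tolerance:
            alerts.append((r.t, r.tag, "mismatch", round(delta, 2)))
        hist = history.setdefault(r.tag, [])
        hist.append(r)
        window = hist[-freeze_polls:]
        if len(window) == freeze_polls:
            ops_static = len({w.ops_value for w in window}) == 1
            field_moving = len({w.field_value for w in window}) > 1
            if ops_static and field_moving:
                alerts.append((r.t, r.tag, "frozen", r.ops_value))
    return alerts

if __name__ == "__main__":
    for alert in find_divergence(READINGS):
        print(alert)
```

In an exercise the alert timestamps can be compared against when the injected manipulation began, giving a measurable detection delay for the SOC team rather than a subjective impression of how quickly they noticed.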
Conclusion.
Thales Ebbw Vale enables businesses and sectors to come together to collaborate on training, testing, and exercising in a physical OT/ICS environment. To enhance organisational resilience, teams need to be well versed in incident response plans tailored to a range of scenarios. This knowledge is critical not only for the quick mitigation of operational disruption, but also for avoiding the associated costs and reputational damage that can follow. Training is critical, but exercising is what improves incident response performance.