Corporations in energy, finance and telecommunications got together last week to square off on their cyber-defense skills, a match that participants claimed was the first tri-industry exercise organized entirely by the private sector.
Power companies Southern Co. and Southern California Edison, telecoms operators AT&T Inc. and Lumen Technologies Inc., and Mastercard Inc. and Morgan Stanley participated in the two-day cyber defense exercise, or CDX, hosted by AT&T at its Dallas headquarters.
Rather than a typical “tabletop” exercise, where executives role-play a crisis scenario, the event set teams of cyber specialists at each company against each other in a no-holds-barred clash of cyber skills, said Ron Green, chief security officer at Mastercard.
“This is the new civil defense. Our infrastructure is the critical infrastructure for the country, so we should exercise that, we should test ourselves,” Mr. Green said.
Each company brought two teams to the CDX: a blue team, specialized in securing digital barricades, and a red team, set loose to hunt for gaps in those defenses and break in.
All players worked from the same toolset and on Mastercard’s “cyber range,” which simulates IT networks for cyber exercises.
The teams were then scored on their performance; Mr. Green declined to say who the top-ranked players were—or the lowest.
The U.S. government has urged companies to do more to enhance their cybersecurity, including tests such as the CDX to improve defenses, following a spate of cyberattacks and data breaches at firms of all sizes in recent years.
Critical infrastructure owners, in particular, are under pressure to improve defenses, after government warnings that Russia’s war in Ukraine, among other geopolitical eruptions, could lead to cyberattacks on key U.S. companies.
Cyber exercises within industries have been held for years, but most have been organized either by the government or by public institutions, such as the Bank of England’s Waking Shark exercises, or by sector-specific information-sharing bodies or trade associations, including the Securities Industry and Financial Markets Association’s biennial Quantum Dawn event.
“This is the new civil defense. Our infrastructure is the critical infrastructure for the country, so we should exercise that, we should test ourselves.”
But Bill O’Hern, chief security officer at AT&T, commented that multi-industry exercises, like last week’s, were also needed.
“We do a lot of public-private exercises, and we have a lot of interaction within sectors, but we thought there was a place for cross-sector exercises like this one,” he said.
The financial, energy and telecoms sectors already had cybersecurity ties to each other prior to the event, having been on sector coordination councils established for intelligence-sharing and other efforts between critical infrastructure operators. Planning for the event began in 2019, said Jason Lish, chief security officer at Lumen, but was delayed by the Covid-19 pandemic.
“Some of these folks had not ever interacted in person. So, this was the first time, even within companies, that teams were able to come together,” he said. Having a personal connection will help if an actual cyber incident occurs that involves all three sectors, he added.
Observers at the event included representatives from the Treasury Department, the Secret Service and the Cybersecurity and Infrastructure Security Agency, along with officials from the city of Dallas, Mr. Lish said.
Participants said they hope the exercise will be repeated with new entrants from other sectors, though they are reviewing last week’s event before planning the next one. They all agreed, however, that such events are critical to cybersecurity.
“The collaboration, the sharing, the understanding, the relationships, it’s all extremely beneficial” for reacting in a crisis, said Mr. O’Hern. “When we’re defending national infrastructure, we’ve got to work together to do that.”
Write to James Rundle at james.rundle@wsj.com
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8
