Prepare your organization for a blended physical, cyber threat.

REN-ISAC’s custom made Blended Threat Resilience Workshop Series creates a unique enterprise approach to risk management. In the past two years, we have offered 12 workshops that enabled experts from a variety of field in higher education community across the US to responded to a blended physical and cyber threat set at a fictional college campus.

In 2019, REN-ISAC members and guests participated in a workshop series’ scenario focused on an on-campus measles outbreak and subsequent cyber component impacting university data. All in higher education were welcome to attend, and we encouraged subject matter experts from health care, physical security, emergency management, information technology and security, and other pertinent subject matter experts to join us.

Discover the benefits of hosting

At our most recent REN-ISAC Member Meeting, we gathered several 2019 hosts for a panel discussion on the workshops, the hands-on training they provide, and the benefits of hosting, especially in light of the commonalities between last year’s topic and the current COVID-19 situation. Watch the video to learn more.


Description of the video:

REN-ISAC owes a huge, huge thank you to gate 15 folks, especially Brett and each bore and Davey. And we'll milk because without them, we would not have been able to be a successful, probably wouldn't have unveiled who have done that, the workshop series for the last three years. So thank you guys so much. Appreciate it. Last year we unknowingly created a scenario that will become all too real. And a few short months our panelists today will share with you their experiences, how they were able to integrate what they learned at the workshop into their existing preparedness activities and their most critical takeaways. We will then open up the floor for attendee questions after the panelists are finished, but please feel free to go ahead and type the questions into the Q and a pod as they come to you. If you'd prefer to ask your question out loud, that's no problem. You can use the raise your hand option, which you should see on Zoom toolbar. And then I will go ahead and mute your microphone. And we'll do that one at a time. And without further ado, I'm going to hand it over to Brett to share some additional information about the workshop series and some of the results from last year. Thank you, Brett. >> Thank you Sarah for that introduction. As Sarah said, my name is bread supine on one of the staff members that coordinates the blended threat workshop series effort. So I'm just here to give an outline of the BTW series for this. May not be familiar with it. And then quickly touch on some of the highlights from the 2019 report for a course. You get into the main panel discussion itself. So what is the blended threat workshop series? For those who may be entirely unfamiliar? If the concept, I'd like to start with the question, well, what is a workshop? So I do a lot of exercise activities in many different sectors. I'd like to go back to my DHS HCP to discuss this. Hcp is the Homeland Security Exercise and evaluation program. This is what the government uses for their own preparedness activities. They have 77 different types of activities that they lay out in this document. Anywhere from a kind of a quick discussion between leaders all the way to a kinetic sort of event where you have volunteers who are simulating injuries out on the tarmac. A workshop is the third tier out of this spectrum. It's mainly a large discussion-based exercise. It creates a product of some sort, which I'll get into in a second. So then what does the actual blended threat workshop series itself? There were three main goals that you can Milford has put together for this series. First, does the preparedness activities you want to be able to provide members a scenario that they can confront that involves a complex or blended threat. Now, there's many different ways to define a complex or blended threat. But in essence, we wanted to be able to have cyber professionals confront both a event with physical and cyber consequences as provides the ability to practice in a wheelhouse that's extremely familiar from anyone Isaac members, but also provide complications and really challenge folks to understand how they coordinate with other sections of their institution to be able to handle such a widespread threat. The second goal of the blended felt workshop series is priding a arena for peers security pierced interact, whether it's formally three and facilitated discussions or informally in between each of the modules, you want to have a chance for Isaac members to really understand the depth of professionals at all levels that are trying to secure higher education institutions. This has not only within institution workshops, you also try to create partnerships between institutions and also with local security partners, such as local government partners or for example, local arenas, or those who are bordering the campus that also at stake and the physical security of a higher education institution. Finally, this is where the product comes in. And we'd like to produce a product that's valuable both for the participants at the event and also for the sector as a whole. We create individual event reports after each of the six workshops that provide kind of a round up of the event for those who are participating and their institutions. And we also released a public port at the ended the series anonymized those observations, brings them together, does a little bit of additional analysis, and hasn't available not only for members to find value if they've not participated and why these events, but also for other sector partners to find value from, to understand where the higher education sector is coming from. Also government partners to understand what our priorities are, what our values are as well. So how does the blended threat workshop series actually work? So this started in 2018, and each year we've done a series of six workshops at a diverse set of host institutions across the United States who've tried to reach about every region and the United States, it's going to be difficult for this year for obvious reasons. But we've, we've tried to hit them, each of them so far. We've also hoping to in the future or reach out to international members as well. I've had discussions with Australia and Canada are hoping to be able to get one of those workshops out there as well. The event itself is six hours. A team comes out for brand Isaac. We have a facilitator to data collectors and our SME, Sarah beg them, of course, is our main estimations come out all these workshops. A lot of valuable insight, as well as other Breanna Isaac staff members that have come along. During these six hours. We present different modules. We break them up into modules were first, attendees are confronted with a situation update and then we go into the facilitated discussion where people are. It's not really a guided discussion. We have some questions that we try to follow, but in general, we try to go across the course of the discussion and see what topics are most critical to people for each module. And we've had some really surprising details come up, some of which I'll actually be covering just a little while, the things that we never would've expected and playing these workshops. So being able to go with the flow and have our facilitator brings some really strong results is extremely important for this. We also have breaks, and of course, we generally have a lunch in the middle. And afterwards we try to get the reports out to the attendees within a few months at that point. So what have we done for Prior Learning threat workshop scenarios? In 2018, the launch of the program, a controversial speakers were still a pretty big topic. Folks come into campus. Discuss topics that generally incited a protest and different types of damage, legal, reputational, et cetera, to institutions. In order to discuss this, we came together with a scenario that I had a controversial speaker Going to a generic kind of institution. For this scenario, we actually broke it into two different modules, but the thrust was the same. A controversial speaker publicly announces that go into an institution. There's a lot of blowback from that, including potential hacktivist attacks than the day of speech. There are on campus protests that are then followed by a hostel that you'll see for both the scenarios we've done so far. At the end, we'd like to go a little extreme. We like to push the reigns of the scenario. Really have people confront the worst that could happen, could be for the variance. For the first variant of the scenario, the hacktivist activity was scouting out for a DDoS attack. And then after the speech, an IED exploded amongst the crowds, protesters. Second variant was docs seen occur. The campus director, he was compromised. The public campus director is compromised. And a list with shared on certain extremist websites targeting certain professors and students. Threats that should be taking care of what's concerning language. And a vehicular ramming attack occurred on the protesters afterwards. For last year, as Sarah mentioned, we're patting ourselves on the back is not really a great thing to say, but we really kind of nailed what was going to be happening with the 2019 scenario and international disease outbreak that occurs elsewhere. And then suddenly comes the United States. Now it's interesting, interesting kind of side note for this scenario. We were a little concerned that we had gone a little too extreme and having to an outbreak appear on campus and be able to affect so many students. And it turns out that we actually kinda under scope the scenario considering covet 19 by the scenario itself, the outbreak appears on campus. It's in fact strained a vaccine resistance, measles, that we call measles to. At that time, there are shortages of critical personnel that occur that especially target the IT department at this time. There's also a suspect, the data breach that occurs as the ID IT department and other security professionals are dealing with pretty severe shortages of critical personnel and having to move their working style transition, how they work in a different way. And again, kind of AMP this up to 11 At the end. Having NEA, having this data breach occur from a state-sponsored actor. And also appear that there is an adjunct professor at the generic institution that was actually conducting some espionage on campus. For both the scenarios, you can see how they, they suddenly different. For the, for the controversial speaker, That was a physical event that had also cyber consequences that we call a blended threat for the disease outbreak. This is more of a complex threat. The disease itself did not cause a cyber attack. But again, it brought together cyber consequences that people had to face. So again, very hard, as you can see, to, to define what exactly is that. Having a cyber component and a physical component Really is essential to challenge members and really work on institutional togetherness and preparedness. Before, again, to be a highlight of some of the observations from that report. I just wanted to list where we went last year. We had great exercises and the University of Iowa, Pune University for Wayne, Indiana sound State University in Ohio. We went out to the northwest academic computing consortium conference in Oregon. And we also go out to conferences as well as individual institutions, Abilene Christian University in Texas, and of course, University of Maryland, Baltimore County all had great hosts. You will be hearing from them just in a little bit. So the way we divide our reports is that the bulk of them are observations that we have gleaned from the workshops. You divide these observations in the three different categories. Best practices, which are things that institutions or security partners are already doing, that they found a lot of great success and, and they really promoted during a discussion on areas of improvement, which are places that, you know, I think people recognize that they really need to get better at, or plates that we just haven't explored very much, or they've only kind of started doing good things and but not having a full experience for which are the majority of the observations. Finally, challenges, which are just inherent issues that the scenarios confronts and you really, you really can't fix them, you can only mitigate them. This is just something that's going to happen and people have to work around them instead of working through them. So I have kind of three highlights for each of these sections of the report. Kind of divided them out into different categories, emergency response, cyber, and physical. So for best practices, one of the interesting items that we had was one of the participating institutions was actually extremely prepared to use social media to inform their emergency response processes. In essence, the social media department both had the capability and the connections to be able to track that discussion of what was happening during an emergency on their campus. And then be able to basically take those concerns, take those questions to their peers in other departments, and be able to tell these departments, Hey, this is a priority they should really consider addressing at that time, the cyber best practices. Actually, this one was from a security partner, a city government, but their first responders and their health care system that we're participating at that workshop. What they had done was they had connected their healthcare databases with that of the first responders and through various excuse me, through various means to be able to get this correct in a legal sense, made it so that way when first responders were responding to a certain address, that something would pop up on the screen saying that, you know, this person requires this type of PPE in order to response of someone who's registered the health system as sick, the first responders would know that. Okay, well, there's someone at this address, and this address a cookie, potentially infectious and they keep us safe. Very major effort for them, but they found a lot of benefits out of it. On the physical side, one institution actually was providing what they called self-care kits to students, specifically freshmen Freshman coming in maybe the first time we're living on their own and they may not have all the supplies they need. And this institution saw an increased number of 9-1-1 calls from students saying I'm sick or I need the ambulance as for the cold, for example. So, you know, providing self-care kits to come in and to make sure they have the minimum necessary healthcare supplies on hand to be able to handle themselves for areas of improvement. One of the interesting areas that we found in emergency response, and this was actually something that came out the discussion. We had no expectation this is going to happen, but really kinda shows the importance of workshop as a discussion, a forum, as a place for people to bring up their thoughts on issue. Because together we can tackle things a lot bigger than we can by ourselves. Because that actually this institution, their emergency response, was somewhat constrained by their contracts with certain unions. In essence, the certain IT employees were part of the same organization as filled these employees. And so when discussing how to transition themselves to remote work, institution said, well, we can't offer remote work to our IT employees because we have to also offered to facilities employees. And if there's an outbreak on campus, they sell. These employees are likely stayed on campus because they have to clean. So kind of an area of improvement was understanding how different contracts and policies amongst employees and institution could really kind of proved to be a black swan, a blind spot for people to prepare for. As for areas of improvement for cyber, I feel like for everyone on here, they've really had a lot of experience with both of these right now, so I'm not going to go with him very well. But, you know, the transition to remote work was a big concern for LET IT departments and being able to do that in a very smooth and elegant manner. And also managing clinical student employees during an outbreak. For some IT departments, especially the smaller institutions, your student employees are really the frontline and helping people understand changes in technology. And if the students are, as we saw uncovered 19, where, where universities kinda universally had students go home. A very strong response and probably one of the best ones out there, you know, if they're home. How does the department manage not having these critical pieces, their response, and still be able to do things effectively. Student employees, I think, are kind of thought of as temporary, but really there can be an important part of an IT department's response in an emergency. And finally, for challenges, you know, again, these are inherent things you can't really fix. Health care fund, fear, uncertainty, and doubt, both deliberate. And nine, people transmitting false information about a disease makes I think we've seen uncovered 19. This is still continuing even today. Lots of concerns about it that are maybe unfounded. I think people have heard about, you know, the 5G towers in the UK for example. But, you know, being able to, to counter that really is a full time effort. And while it may be a big responsibility of the social media department and Media Department. There, there are many parts that other departments can also counter. On the on the side of cyber This is a general concern, especially for more flexible employment, is that instead of having a managed transition for an entire team to remove, do remote work, people, personnel making a unilateral decision decision to just not report to work either by using up their leave or just, you know, saying, you know, I have a sick kid, I have a sick parent, or they could be in an area that is a risk for them to get this disease. I just can't come in, sorry. No matter what you say and you'll be able to manage that is is a concern and being able to figure out how to mitigate that immediate concern when people hear the word outbreak. Finally, physically, for those institutions that are really integrated into a city center, being able to control access, students are still on campus. An interesting side note, a lot of our discussions assume that schools would at the start, continue having students on campus, even with an infection on campus. But again, not exactly what we saw when Kobe 19 came around. That was very quick decision to bring students back home and go immediately to remote learning. But if a campus for a small outbreak side, you so being able to construct control infected people's access to an integrated campus can be extremely difficult since there's not really any kind of security barriers or anything of the like there. So this is kind of the highlights of the 2018 report. Again, 2019 final report is available publicly. I really urge everyone go look at that. It's a dense report, a lot of reading, but it could be valuable for those who find it interesting. And we tried to make it a little, provide some more executive summary type of items this year for leaders to use to navigate that report. So with all that said, I'd like to thank you for listening to me chat. I'd like to turn things back over to Sarah for the panel, right. >> Thank you so much, brat. That was great insight and hopefully that will kind of provide a little more information for what the panelists are going to be talking about in case you missed it. My name is Sarah. I am well, lead security analyst. Deborah and I sack our panelists today. First is Ken Conley. He was nice enough to host our first workshop. He's the Director of the Information Security with University of Northern Iowa. >> The second is Chris once. >> He is the Chief Information Security Officer at Youngstown State, Youngstown State University. He was the second to host. And then Adrian Irish, He is the IT security office. He's actually with University of Montana, but he is the main contact for the Northwest academic computing Consortium, which is where the workshop was actually held. So he wears many hats as I'm sure the rest of it audience and panelists do as well. And we have Arthur brand. He was our last workshop or second to last workshop. He is the director of Enterprise Infrastructure Information Technology, and he's with Abilene Christian University. So I just first want to thank you guys so much for taking time out of your schedule. I know everybody's really kinda everything is kind of hectic right now and kind of is understatement. So with that, I'm going to go ahead and start with the first question. I will just go down the line. We have three questions we're going to talk about. And maybe if there's time we can I have two additional questions we can cover Again, if you have any questions that you think of, please use the question and answer panel and we'll get up to all your questions at the end once the panel is this test has finished assessing your questions. So with that, I am going to start with can, like I said, Ken was our first workshop, so he was kind of the beta tester, or if you will, so can what value did you find in conducting the blended threat workshop? >> You and I meets security team wise with the other two regions institutions in the state of Iowa, Iowa and Iowa State on a regular basis. >> But we don't typically get together with other campus resources. >> And the blended threat workshop allowed us to bring people from Iowa and Iowa State, as well as Drake University and local health officials, Blackhawk county health together for discussing this workshop and the threat that was laid out by the workshop. >> We had great insight from a lot of those areas that InfoSec doesn't normally talk to. >> And it was it was very good to bring everybody to Cedar Falls for the day and be able to share thoughts and ideas we all had from past efforts. >> Kind of a pandemic threat scenario in our dusty work shell or dusty shells. But this gave us a chance to talk freshly about what might really happen. >> And that was oddly, pre, hasn't so grateful to have had the opportunity and it made it somewhat more simple for us to jump in with both feet when the stuff hit the fan this past March. >> Great. Thank you so much. Can I'm going to talk to Chris once next. Can you please tell us the value that you found in conducting the one that threat workshop? >> Sure. >> As Ken mentioned just previously, I think one of the big advantages that we found was the collaboration not only with the Higher Ed peers within Northeast Ohio, but the, the groups surrounding kinda those support services, if you will, both within the university and external to the University, there was an opportunity to get some of those folks where, you know, you're going to work together in a situation like this, but it kinda gave us that reason to all get in the same room and explore what game plans each one of us have in our own separate department, we find even a single institution. We tend to be siloed off a little bit. You know, not everyone knows everything about the other person's job. So, you know, one of the examples that comes to mind is the, the interaction we had with our communications and marketing folks. So that typically wouldn't happen on any kind of day to day. Activity. But this gave us that opportunity to bring, you know, bring those folks in and then really hearing from the other institutions in attendance as well. As we listen to this broad audience. Within, within our workshop, we were able to take pieces of everyone's narrative and really build a good background and really build a good story to tell to some of our own institutional folks as to, you know, this isn't just the folks at y issue coming up with a plan. I mean, this is this is really, you know, a discussion that was held with many individuals, many different walks of life and things that, that are, are truly happening and we're seeing in the out in the real world. >> So it helped give, give us a narrative, or a little bit of a cheerleader, if you will. >> So I thought that was one of the things that really stood out. >> And mark, in my mind, you know, we have a very similar background or we kind of get all lumped into the same type of industry. But the difference in leadership, the difference in vision that each institution has is, is so different. And this helps form that, that discussion in such a way that you can, you can really learn from the strengths and weaknesses of each individual institutions participating. >> Wonderful. Thank you so much, Chris. That's extremely helpful. One thing I've noticed kind of from all of our hosts in general, is that this has really opened up the communications between the physical and cyber side. And initially they were saying, oh, you know, they think we don't really need to talk to one another. That now they're realizing that it's in their best interest to stuff that start that conversation before there's a problem. And I think that that was for me, that was probably the biggest take away as well. So I am going to move on to Adrian, What do you think the value was for conducting this blended threat workshops? And I'm going to preface that with saying this was the national or northwest academic computing Consortium, which is, I would say a good part of, it's a good part of the attendees are cyber. So I'm just curious to see how that tied into also having to deal with the physical side of the house? >> Yeah. >> Thanks, Sarah. >> So just as a little bit of background for some of you that may not know. >> So we have a regional security conference every fall. >> And so for the last two years, we've kind of tag this workshop onto the front end of that workshop. >> And as a result of that, while we've had a very diverse representation from the perspective of the number of institutions represented. >> We had at this last, most recently when we had 25 different different organizations represented. >> I will say the representation was heavily skewed towards IT. >> Folks, we had really minimal >> Involvement. >> We did have some I don't want to say we didn't have any, but we had minimal participation from, from the campus safety and health folks, but we did have some. And so I would say for us, just the value of the workshop really comes from just the discussion with our peers and really getting the view of non-IT folks, getting that discussion stimulated and just sort of getting the IT security folks out of their comfort zone is having to deal and think about issues that quite frankly, we don't really think about very often. >> So wonderful. >> Thank you so much. And last but not least, Arthur Brand. He's with Abilene Christian University. What do you think the, what did you find most valuable in conducting a laggard threat workshops this year? >> I think I would echo everything that can and Chris and Adrian said about elevating the conversation beyond IT. It was great having both campus partners in the room and regional partners, whether it's University's first responder, city, county officials, just that conversation was was Myths. The other thing that I would add is sort of the elevation that IT received as being the coordinator of this, this workshop, both at our university, within original university groups as well as the city. >> I guess it's sort of elevated. >> The, hey, look, IT, they're interested in more than just the compute and memory and network connectivity that hey, they have interests beyond that. >> And so I think that was a great benefit anecdotally in talking with our risk management. >> This was a great opportunity for us to partner even in the coordination of this workshop with risk management or public safety folks are our communication marketing folks to say we want to do this, we want to do this, right? >> How can we best do that? >> And just that synergy and that energy and just put it in the coordination effort together really was a benefit for our IT group as well as for the university being able to host it. >> Hey, thank you so much, Arthur. The next question I'm going to kind of bounce around from in a different order from panel for the panelists. Let's talk to you first, Chris. How did the workshop series fit into your existing preparedness activities? Especially since a lot of this was actually put into into effect unknowingly. >> It's going to happen. >> Sure. Yeah. >> If if we can put all our efforts into predicting the lottery numbers next year instead of the worldwide pandemic? >> Had appreciate that. >> No. >> If I'm on a, on an overview of the fit into our existing preparedness exercise. Not I'll be honest with the group and very candid. >> R, DR and BC plants lacked maturity. They still do, to be quite honest with you, and I think in light of recent events, we should all be >> In some degree of that same boat. I don't think anyone could have, aside from folks at Brandeis, accurately predicted the, the immense impact this, this type of Black Swan event will have on us. >> But, you know, to be again, to be perfectly frank, you know, our our PCP DR. plans are our preparedness activities that we had undergone. >> This was really a big first step for us. This helped us formulae some of that out of the box thinking, if you will, and start to move in a direction where we can really formulate those plans. What was really interesting for us as far as the movement of a preparedness plan when we came back from this activity and at a very high level started to work through the scenarios and through some of these concepts and ideas. It, I want to say it kind of opened up the arm are a little bit on some of the struggles we have as an institution to really embrace some of the preparedness activities and some of the things we needed to do. It's started the conversation before. This was one of those ideas where yeah, we should do it. >> And yeah, those things might have happened, but there was never a lot attraction to it. >> When we came back from this activity, given the magnitude and the National involvement, it really started to allow the conversations to happen. Formerly, Can I say that there was the whole lot of business continuity planning that that was off to the races afterwards. Now, but the fact that months prior we began these conversations made the transition through the last, through the last few months much, much easier because those seeds were already planted. >> Now we came back from his workshop and you're able to start to grow those ideas where it wasn't just those crazy IT folks always worried about everything. >> I mean, these were very real things, very tangible things. >> And, you know, it helped to get those concepts up in front of folks to begin and have that conversation where I think we wouldn't have had that opportunity prior, we would have we would have been with the current situation almost almost blindsided. And this gave us a definite entry points that made that, I think a lot more beneficial. >> That's awesome, Chris. Thank you. That's definitely something like say here, I'm gonna go ahead and move on to Arthur. Were you able to fit in to the your existing preparedness plans? Were you able to incorporate the workshop series findings? >> So I want to echo Chris's honesty and offer my appreciation because like like him, if I remember correctly, We really received our report at the end of February or sorry at the end of January and struggled to get that disseminated out to everybody. And so the timetable was pretty tight for us to say, OK, we're going to incorporate this in our business continuity plans that do use of Chris vernacular was off to the races. >> Now, it wasn't that, but like him, like he express really and truly the, these, these were seeds planted and we saw it. We start to seem fruit of those seeds planted when we started dealing with some of the more than anything, it was the returning kids to Campus Conversations that began just over the last several weeks. >> And that's not the job of risk management to do that. He's reaching out across the isles to various departments saying, help us create these plans and, and, and these return to normal business function procedures. And so that's really where we're seeing the fruits beam bore out this workshop. >> For so long. >> We have been autonomists and I've and siloed when it came to our preparedness activities and plans, procedures. And it wasn't being shared across the university, let alone with the Public Health Department or even state emergency management systems. And so now all of that, It's it's a much broader conversation today than it was prior to October 20th, octane. >> Wonderful. Thank you so much. I know that like Arthur mentioned, they didn't get the report TO January, which didn't give them a lot of lead time for what they would eventually encounter, what we all encountered. That is definitely something that we work too. Shorten the timeframe between the actual workshop series and when the reports are put out. So thank you for the feedback. That's definitely something that we are working on, but we do appreciate you letting us know and you know, that's that's awesome. So I'm going to go ahead, move on to Adrian. How did the workshop series fit into your existing preparedness activities? It's a little I know since and whack, it's it's a little bit different for you, but yeah, I'm not really talk in terms of specifically University of Montana is, but just the general for everybody. >> I think what it really did is it helped identify when, where folks had gaps in their preparedness plans and you're going to have such a wide variation in what those plans are alike. But just talking to other people and getting a sense for things that you may not have thought about. For example, one institutions, campus safety office, actually keeps a registry of folks that are traveling, specifically faculty, so they can be notified. And the event of some sort of an emergency, you know, that's not something that a lot of folks heading I thought about doing. >> And so just bugs like that had been or were very helpful from the workshop. >> Great. Thank you so much. I always enjoy hearing about how you know the workshop series and WACC has this the second year that they hosted for us. So it's interesting to see how the people that attended last year's, how they come into this years and they kind of know what to expect. But I also like hearing what they're able to take back to the university and share with their emergency services personnel. So that's great. Thank you so much, Adrian. Alright, Ken, go ahead and finish up the question with you. How did this workshop series that interior existing preparedness activities? >> Well, we had on a dusty bookshelf are H1N1 plan from probably ten years ago. And that I think probably didn't play into things at all. Our disaster recovery and business continuity plans are more geared towards o. We had a tornado hit our data center and we have to regroup from that. But this event was certainly far more widespread than anything anyone could have imagined the transition from on campus in-person classes, the week leading up to spring break to nobody's on campus. We've sent the student's home. Faculty and staff are all working from home. And by the way we're doing in our classes online through zoom primarily was something that the, the whole university really came together and made that work. It got a lot of credit for making that transition, but it was, it was certainly team effort on, on everybody's part. Leadership was certainly highly on the high, on the list. They said, this is what we're gonna do. This is how we're going to try to accomplish this. And our technical people made it work, work with faculty to help them understand things about Zoom and video conferencing that they thought they would never, ever need to know. Blackboard was already used in a lot of classes, but certainly not as the primary way to deliver instruction. And just the combination of all of those things on, on such a wide at massive scale was very eye opening than very, very much a plan for us to remember going forward. Because this may not be the last time that we have to deal with something like this, right? >> Yeah. And Ken, I know it's it's a lot of times in IT you here only the bad things. You know, it's broker and you don't often hear when you've done a good job. So it's nice to hear that you got the credit. It General got the credit for kind of heading this. I'm going to, I'm sure everybody heard negatives, but it is nice to share that. You guys got some credit and it was well-deserved. >> Tease me. >> So the next question, I'm going to throw it out to Adrian's first out of your entire workshop. With that, what do you think was the most critical takeaway? That was discuss? >> Oh, well, it's not really a takeaway so much, Just a general observation. >> But you know, it's interesting that we wound up with a scenario that was very prophetic. And yet when the real thing hits, there's nothing really quite like it. >> So I'm really struck by how different the reaction actually is whenever this sort of thing really actually jets. So, and really, even if you're, I suspect even if you had really good plans, I don't for us, you know, the plans that did exist largely went out the window once we were dealing with a, with a pandemic. >> So the really the value of these scenario and workshop and desktop, not desktop, but tabletop exercises, is really to rapidly adjust and change in response to unanticipated events. And we tend to get caught up a little too much on the details of any particular scenario, and that's good for discussion. But where the real value comes is, is really you deal with and how you rapidly reorganize to deal with just those unanticipated things. >> There's nothing actually like going through the real thing. >> And, you know, at the University of Montana we had all kinds of new groups form the communication lines that were never anticipated and, you know, just, just completely unanticipated thing. So really that's, that's my takeaway is, is it's just a focus more on the actual organizational aspects as opposed to the details of the exercise. >> Yeah, and part of personally, I feel like this workshop is a really good way to get your feet wet. You can pick up ideas from other people that are doing things that you may not have thought of. But I also like to say a tabletop exercises are a great way to follow up because you can then click the plans that you've got in place that you think are good to go, you can exercise them and you're able to see some additional holes that you may not have thought of so that, you know, even if it's just a department or it's everybody as a whole. And that way that kinda gets you use to how things are going to work out, gets you a little more comfortable with those people. In case in the off chance, or unfortunately this year in case when it happens, you know, you kind of have a better understanding and are a little more comfortable. So I'm going to go on to Ken, what was your biggest takeaway or the most critical? >> I think for us it was the scene people and similar positions and related positions at the other universities that provided footing for communication. Once the pen hit home here at Iowa and getting feeling the Satan. I don't know the security that you had talked about this not very long ago. And now we can we can work through this and make the best of what we've got. >> Thank you so much. Can and with that, I'm gonna go ahead and move to Chris, What was your most critical takeaway after you finished hosting a workshop? Sure. >> I think as far as the the takeaway was just a a change of mind or change of mindset and enforcing that idea that things just don't go wrong in this nice little neat line of issues that we have in anticipation of multiple things going wrong all at once because of the nature of the blended threat, because of the workshop, you know, within that, that very controlled environment, we saw resources being stretched, then we saw capacity at an overflow level, if you will. And reinforcing that idea of, you know, whether it is a threat actor, whether it is a breach, whether it is a, a sickness outbreak. >> We had these things at my institution. >> We refer to them as Houdini moments. And it's simply moments of misdirection. >> And this helped emphasize those, those ideas where, you know, you may have a health emergency. >> And naturally we're going to direct efforts to that, whether it's in the current scenario of setting up online learning and remote work and work from home. >> And you know, whether it's intentional or not, whether it's a bad actor setting in front of us or not, we're going to have these moments of misdirection. >> And I think one of the key takeaways within the, within the workshop was that you need to be aware of that. >> You need to be anticipating that and not get lost in those moments. We have a tendency to go into tunnel vision. We want to solve what the issue is or what the highest level issue is currently. But we also have to remember the, the solution we introduce today is going to have some type of consequence in the next day, week, month, six months. And that may be a good consequences, may be something that we reap rewards from. >> Or it may be something that, you know, is, is now equally challenging weeks and months down the road. >> So that that being able to, to juggle, if you will, multiple things all at once. >> And having that reinforced through the workshop is definitely a takeaway and something helpful within, within my own group. >> Okay, great, that's awesome. And Arthur, what AVI, What do you think about the most critical takeaway that was discussed throughout the workshop? >> I have two thoughts. The first one more relevant to discuss during the workshop. The second one is sort of now in hindsight. So the first one during the workshops, and I think Chris alluded to this, you know, there is a lot of energy and effort expended on the situation that, that right in front of you. And so as we talked about a pandemic or a contagious outbreak, lots of energy and effort and focused on what that looks like and everybody who sort of work and a little bit siloed. And one of the things that were called out in our report was unique to have effective communication because you need to be you have a wealth of resources at your collective disposal. But a, but they can't actively and intentionally be leveraged and mobilized are utilized unless you have intentionally and active communication about the situation, the responses, the considerations, et cetera. And so that obviously is a big thing, is that we need to be able to, whoever you are, be able to tell others what you're seeing, how with how you're responding to it. And you know, as we think now post workshop and dealing with the current situation to air quotes, no, it's we're we're seeing that play out. I'm seeing faculty members talk about how that they are actively communicating, probably more so than they would do in a normal face-to-face classroom with students who aren't physically here. We have, you know, now that we have lots of folks that are remotely were remote working, there is lots of recommendations that you need to actively talked to those folks on a regular basis. Don't let them get this connected. And so that communication is critical not only during this situation when, when the adrenaline pumping, but also now as things sort of subside. You recognize though, I need to keep that communication level up and whether that's with my employees or across the university, a difference. But the second thing that's sort of, you know, sort of hindsight is 20-20 is I mean, we walked into this scenario when we first read it with a lot of skepticism, but some kind of international contagion that is going to affect folks in Abilene Texas, out in West Texas. >> Come on. >> And all of a sudden it's like, ooh what? We've talked about, how prophetic It was. Well, it was even more prophetic than that because within 30 days I'm sending students tome and faculty home. We got hit with a data breach. And within 30 days of that, we got hit with a massive phishing campaign. And so it's like, okay, so I think one of the other takeaway, sorta again, hindsight is 20-20 is the idea that we can draft up some outlandish and maybe go too extreme. And there's a resident of truth and all of that thread of truth. And the reality is we need to pay attention to that thread of truth. >> Absolutely. Thank you so much. A question I want to end with is and more about the relationships you've been able to forge. Have you noticed that it have you have you been able to maintain these relationships? Obviously, most of the people are all the people on this call or our IT cyber side? Have you been able to forge relationships with the emergency services side? And if you have, have you been able to maintain it? We'll start with Ken. >> Our campus has has handled this from kind of a top-down approach. There have been a a group of high level administrators that have had discussions and from that there have been a variety of committees and working groups that had been established to tackle different pieces of this puzzle and this problem. Those groups have always contained a wide variety of campus representatives of faculty Facilities. It in many cases where necessary, as well as, as other areas of the campus. Those, those groups have communicated across the different aspects of campus very well. They have shared information back and forth. Relationships have been formed with others that you may have known only by name prior to the middle of March, but I do think that this is a very good situation for our campus going forward. People do know others, know their positions, know their responsibilities, realize that because I'm an IT that IT is not my only thing that I'm concerned about and worried about and therefore provides more of a human picture of people. Then you might just assume from the fact, well, this is the chief of police. What, what can I assume from from that? And she's got feelings and personality and just like all the rest of us. So I think those, those channels in the sharing of information across different areas of campus has been a very good aspect for us. >> Awesome. Yeah. And I will mention at Cannes, at your workshop, we had a really good participation from the county health department. It an epidemiologist there. So it was nice to see not only internally the school working together, but also being able to include local law enforcement, some external, external partners that may have fresh pair of eyes that can blend and they can learn help, or they can make suggestions in the heat of the moment. So that was really nice to see. Excuse me. Adrian, what about you guys? Have you been able to forge any new relationships with people outside of your comfort zone, outside of cyber, either, you know, within your institution or, you know, like I was saying about you and I, they were able to bring in their local county or their county health department and things like that. If you've been able to establish any similar relationships and have you been able to maintain those? Are the communication lines open? >> Yeah. Well, so as a result of the pandemic, honestly, I mentioned before about the plants just basically going out the window and, and new committees being formed and landed, right? Well, there's a much more, there's a definitely a much, much more of an interest in upper level administration and all of these aspects when the real thing happens, I can kind of alluded to that. So actually I can only speak for university Montana, but at UNM, I would actually have to say no, that, that there's actually people between me and both campus security as well as any outside institutions or not outside institutions like County Health and stuff like that. So the security office really has had minimal, if anything, a reduce involvement there, I will say, where we've strengthened our relationships and had new communications open up for us at UNM has been around things with it technically or within IT. >> They're not really security. >> But, you know, r i, I got to know our zoom administrator very well as it was first one thing, then another in our Moodle administrator and the people that run that system. So it's sort of funding it. It didn't happen the way you i would have thought it did or I thought it would, but in the relationships happening at different places. >> So for us that's kinda how it worked out. >> Great. I think you I'm going to go ahead to the last question. Since we're kind of running out of time, we have it scheduled until 230, but I'd like to be part of your day back. So for the next question, I'm going to throw it over to Chris and Arthur. Did the workshop give you any insight into what who or what relationships needed to happen? So were you able after the workshop Maybe you didn't know who the chief police was for campus PD or your local health department? Did this, gave you insight as to who this needed or those connections needed to happen with. >> So this is, this is cribs. I'll jump in and I'll just keep the this piece brief. >> I, I think based on the input of the other participants, it was definitely a moment where we had some of those, Aha, we, we didn't really think of that individual or we, we didn't have that same avenue of approach, but that may work for us or that makes sense for us. At y issue, we are very lucky to have a strong university police force that's, that's very quite tightly aligned with our city police said that the law enforcement side and some of that aspect was good. But listening to some of the other institutions within our own discussion, I'll talk about the relationships they have with some of the people in the community that you wouldn't necessarily think of and have involvement with these types of exercises, that that is what we we found beneficial in those conversations. >> And Arthur, What did you think to Sheila? Were you able to identify relationships that would be probably critical or at least very helpful with others or who or what relationships needed to be developed after you attended the workshop? >> So the short answer is yes, as I think about and cosmides and visualize the room back in October where we hosted everybody, you know, sand county Health Director, Health Services Director, who now I see on TV or at least in April, I always saw a weekly TV episode where the local news media outlets are interviewing her. We had at least four of the five fire captains, fire chiefs that or in our city were in attendance to this. And so yeah, this this workshop provided a lot of clarity to Chris's point. You know, we have a very strong public safety department and police department. And they have a tight integration with the local police. And they do active shooter drills on at least an annual basis. But the reality is, is that that's a tight and there's not a big as tight connection with fire or ambulatory services. And so organizationally, we recognized is that we need to really foster those. The anecdote I would provide is a couple of weeks ago, our university president that a a YouTube meeting Town Hall for all staff and talked about sort of the the committees that they were being mustered to be able to make recommendations on how we return to normal air quotes. Again, And part of the conversation, the Q and a that happened were lots of folks gain say, you need a medical professional in the county services to help us make these decisions and we can accurately say you're absolutely right. We have contacts with those individuals and we're talking to them maybe not on daily basis, but on a weekly basis about what are the concerns that you guys have, what you know, here's some of the plans that we have. Can you talk about PP and E PPE? Can you talk about procedures that need to be in place as we think about students and faculty returned to campus. And so those interaction probably wouldn't have happened as readily had we not done this workshop. >> That's wonderful. Thank you for sharing. I am at this time, I want to thank the panelists. You guys have been fantastic. You're amazing hosts and volunteering your time today to come share with others as to what you gained from these workshops and kind of giving us feedback at the same time, we really appreciate that. I'm gonna go ahead and open the floor to all of the panelists. If you guys want to share anything else, please feel free to do so now. And then I will go ahead and open up the Q and a, um, everybody speak at once. >> Alright. >> So I will then go ahead and move on to the attendee. Q and a. If again, you can type it into the Q and a box or you're you you're obviously welcome to raise your hand and we can unmute your mike. Doesn't look like there's any questions yet. We'll just give it a few minutes or a few seconds. You guys did a fantastic job. So there aren't any questions again. Thank you to the panelists. Thank you to breath and gate 15 and run, Isaac, for giving us this opportunity to speak about something from the very dear to my heart since I had been involved from the beginning. With that, I am going to turn it back over to Sarah. >> Looks like we have one question I get asked. >> Let's see. >> Okay. Frank, what would you suggest for people looking to set up their own scenario that any of the attendees can answer. >> So this is Arthur without linkers University. Frank, I would say work with for an Isaac to host one of these workshops. I mean, for me it was a, we saw it come over across the RI, announcement feed and we said that's interesting. And I immediately took it to my boss, the CIO, and we took it to a Risk Management and said, let this be something interesting. And they basically said, yes, let's do it so that there are tons of tabletop exercises available. But having somebody outside the sort of do all the heavy lifting in the scenario work. It was probably a big benefit for for from my perspective >> We tried to get involved the year before and we're too late with our offer to host that got included for the 2019 series. Excuse me, I was a little leery of the topic when I first heard what it was. I thought, well, that's not very cyber related, but it was a excellent job done by 815. And putting things together, we talked about how details of what should be presented and what shouldn't be presented in advance. And they were very cooperative and molding the problem and the issues prevent scented to our particular situation. So yes, I would certainly agree that if you can get on the list to host one of these yourselves, that's great. If not, DHS and others have lots of tabletop exercises out there to choose from. >> And that brings up a good point. Last year, DHS Office of Academic Engagement, they'd they typically handle or plan the national tabletop exercise that includes schools from all over the United States and Canada. This year they were able to provide that. Or this last year, however, I'm pretty sure that they're going to be back and actions coming here. So that's definitely something that you can take a look at. They have their own, you know, you can do it yourself, workshops or you can, you can administer your own tabletops. But yeah, like like he said, sometimes it's nice to have somebody come in and do the heavy lifting. And with that, I'm going to go ahead and tie it into or tie up what we had. I will say sorry, I was getting I am getting slack. I will say next year or for the 2020 series, we are looking at doing a ransomware scenario of some sort. Now that's really big with a lot of people. It's ongoing. It's not something that kind of stops, I mean, its interface every time or all, all the time. And it definitely affects with the way that everything is, you know, in the back and all that. And then you have the Target breaches and stuff like that. It's all kind of jumbled up into one. So we're hoping that we can kind of, I'll talk about that, look at ways that maybe we can avoid some of these problems. So yeah, like can set also if you're interested in being a host or you'd like to find out more information, please feel free. If you have any questions, please e-mail me directly. I'm happy to answer anything or if you have any questions for our panelists or bread, I can make sure those get to him or to them. And so with that, I am going to hand it over to Cheryl. Thank you guys so much. Thank you everybody for listening in. Thank you to the panelists. >> Thank Sarah. >> Let me just pull up my outro slide. I've got ready to go. I promise I won't pick. Well, first off, I want to thank everyone for coming and joining us. We appreciate it. All of you taking time out of your day does on our virtual conference. As a reminder, we'll post the recording from today's this session from today. We'll have it up on our website by early next week, or virtual conference resumes on Tuesday of next week, we have a whole nother week sessions planned. You can take a look at the agenda. I've got it listed there and the second link on my slide, hopefully can all see that where it says additional information about the rim. That's our public site. Members of dissection? No. There are some additional members only sessions that are not listed on the public site. And to see those, you can go to the Members wiki and login with your RNA-seq credentials. I also wanted to share a link the first like this on my resources page here, which is where you can find more information about it. Blended threat workshops. There's a nice write up on our website there about that. And Sarah had offered to answer any questions. Her email address is Sarah that Sarah with an H at ren hyphen So I'll, I'll go ahead and read that out, see if you want to jot that down. You can shoot her note and with no other information and I don't see anything else going on in the session other than a few thank yous. And with that, I'll end today's session. >> Thank you again for joining us and thank you everybody.

2019 Workshop Findings

In 2019, REN-ISAC facilitated six Blended Threat Resilience Workshops that posed real-world scenarios for both physical and cyber threats caused by a measles outbreak on a university campus. Use our 2019 Final Findings Report to discover the best practices, areas of improvement, and challenges discovered during last year's workshops, as well as actionable suggestions for improving your institution’s security posture.

Read 2019 Report

Short on time? Check out the top four best practices discovered during the workshops in the Final Findings Report Brief, an abbreviated, executive version of the report.

Read 2019 Report Brief