admin / AirportCyberSimulator
publicAirport Cyber Attack Simulation Application
AirportCyberSimulator / airport-cyber-sim-v2-exe / src / data / playbooks.json
9112 B · main
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 | [ { "playbook_id": "pb_01_ransomware", "name": "The OT Gridlock (Ransomware)", "ingress_point": "baggage_handling", "ingress_method": "Employee plugged in an infected USB drive found in the terminal.", "ingress_icon": "usb_drive", "spread_tempo": "fast", "spread_events": [ { "delay_seconds": 4, "target": "check_in", "vector": "Shared Network Drive" }, { "delay_seconds": 7, "target": "logistics", "vector": "Automated Routing API" } ], "description": "Adversaries exploit an unpatched remote-access vulnerability in the operational technology (OT) network. Ransomware encrypts fast — it usually outruns a patch.", "notifications": { "caa": { "required": false }, "dft": { "required": true, "reason": "Ransomware crippling baggage and logistics OT is a disruption to designated critical transport infrastructure — reportable to the Department for Transport under the Cyber Security and Resilience Bill." } } }, { "playbook_id": "pb_02_iot_botnet", "name": "The Silent Choke (IoT Botnet)", "ingress_point": "hvac_systems", "ingress_method": "Default admin credentials left on an internet-facing smart thermostat.", "ingress_icon": "unlocked_padlock", "spread_tempo": "slow", "spread_events": [ { "delay_seconds": 9, "target": "terminal_access", "vector": "Building Management VLAN" }, { "delay_seconds": 19, "target": "atc_tower", "vector": "Shared Environmental Controls" } ], "description": "Physical-environment compromise via poorly secured smart building devices. The botnet spreads slowly and stealthily — there is time to patch.", "notifications": { "caa": { "required": true, "reason": "The compromise reaches the ATC environment and threatens air traffic services — a Mandatory Occurrence Report to the Civil Aviation Authority is required." }, "dft": { "required": true, "reason": "Building-management and terminal systems are critical transport infrastructure — reportable to the Department for Transport under the Cyber Security and Resilience Bill." } } }, { "playbook_id": "pb_03_supply_chain", "name": "The Third-Party Siphon (API Breach)", "ingress_point": "retail_pos", "ingress_method": "Phishing email compromised a retail vendor's external support account.", "ingress_icon": "phishing_email", "spread_tempo": "medium", "spread_events": [ { "delay_seconds": 6, "target": "ticketing_db", "vector": "Payment Gateway API" }, { "delay_seconds": 11, "target": "public_wifi", "vector": "Customer Data Sync" } ], "description": "Data exfiltration via a compromised third-party vendor API connection. A patch can just win the race — if you are quick.", "notifications": { "caa": { "required": false }, "dft": { "required": true, "reason": "A supply-chain breach of passenger and payment systems affects transport-sector operations — reportable to the Department for Transport under the Cyber Security and Resilience Bill supply-chain provisions." } } }, { "playbook_id": "pb_04_insider", "name": "The Rogue Insider (Credential Theft)", "ingress_point": "security_screening", "ingress_method": "Disgruntled employee used a rogue smartphone to capture supervisor QR badges.", "ingress_icon": "rogue_smartphone", "spread_tempo": "medium", "spread_events": [ { "delay_seconds": 5, "target": "identity_db", "vector": "Admin Access Elevation" }, { "delay_seconds": 10, "target": "boarding_gates", "vector": "Biometric Override" } ], "description": "Bypassing perimeter defences using legitimate but stolen administrative access rights.", "notifications": { "caa": { "required": true, "reason": "Subversion of screening, identity and boarding controls is an aviation-security integrity event — reportable to the Civil Aviation Authority." }, "dft": { "required": false } } }, { "playbook_id": "pb_05_spoofing", "name": "The Blind Spot (Signal Spoofing)", "ingress_point": "atc_tower", "ingress_method": "Unsecured maintenance VPN accessed via a brute-force attack.", "ingress_icon": "vpn_breach", "spread_tempo": "fast", "spread_events": [ { "delay_seconds": 4, "target": "runway_lighting", "vector": "Tower Control Protocol" }, { "delay_seconds": 7, "target": "airplane_comms", "vector": "VHF Radio Spoofing" } ], "description": "Catastrophic kinetic impact via GPS and communication-signal manipulation. The spoof propagates almost instantly — patching rarely beats it.", "notifications": { "caa": { "required": true, "reason": "Manipulation of ATC, runway lighting and aircraft communications is a direct flight-safety emergency — an immediate Mandatory Occurrence Report to the Civil Aviation Authority is mandatory." }, "dft": { "required": true, "reason": "A safety-critical attack on national aviation infrastructure must also be reported to the Department for Transport under the Cyber Security and Resilience Bill." } } }, { "playbook_id": "pb_06_fids_deface", "name": "The Information Hijack (FIDS Defacement)", "ingress_point": "flight_displays", "ingress_method": "Weak CMS password cracked on the flight-information display controller.", "ingress_icon": "password_crack", "spread_tempo": "medium", "spread_events": [ { "delay_seconds": 6, "target": "pa_audio_system", "vector": "Shared Media Server" }, { "delay_seconds": 12, "target": "airport_mobile_app", "vector": "Content Delivery API" } ], "description": "Public-facing information systems defaced to sow passenger confusion and misinformation.", "notifications": { "caa": { "required": false }, "dft": { "required": true, "reason": "Defacement of passenger information, PA and app channels disrupts public transport operations and safety messaging — reportable to the Department for Transport." } } }, { "playbook_id": "pb_07_access_control", "name": "The Perimeter Ghost (Access Control)", "ingress_point": "electronic_doors", "ingress_method": "A rogue wireless router planted on the access-control network segment.", "ingress_icon": "rogue_router", "spread_tempo": "fast", "spread_events": [ { "delay_seconds": 3, "target": "cctv_network", "vector": "Physical Security VLAN" }, { "delay_seconds": 6, "target": "loading_bay", "vector": "Dock Controller Bridge" } ], "description": "Perimeter and surveillance systems subverted to enable undetected physical intrusion. It jumps segments quickly — too quickly to patch in most cases.", "notifications": { "caa": { "required": false }, "dft": { "required": true, "reason": "Loss of doors, CCTV and dock controls is an aviation-security and physical-perimeter failure — reportable to the Department for Transport, which regulates UK aviation security (TRANSEC)." } } }, { "playbook_id": "pb_08_pii_breach", "name": "The Data Hemorrhage (PII Breach)", "ingress_point": "passenger_services", "ingress_method": "Misconfigured cloud storage bucket leaked passenger records publicly.", "ingress_icon": "cloud_leak", "spread_tempo": "slow", "spread_events": [ { "delay_seconds": 8, "target": "frequent_flyer_db", "vector": "Data Warehouse Replication" }, { "delay_seconds": 16, "target": "border_control_api", "vector": "Advance Passenger Info Feed" } ], "description": "Mass exfiltration of personally identifiable information across linked passenger data stores. Replication is gradual — a patch can hold the line.", "notifications": { "caa": { "required": true, "reason": "Compromise of the Advance Passenger Information feed to border systems is an aviation-security data event — reportable to the Civil Aviation Authority." }, "dft": { "required": true, "reason": "A mass passenger-data breach affecting transport operations is reportable to the Department for Transport (in addition to the ICO under UK GDPR)." } } }, { "playbook_id": "pb_09_grid_overload", "name": "The Grid Overload (EV Infrastructure)", "ingress_point": "ev_charging_grid", "ingress_method": "Malware implanted in a charging-station firmware update package.", "ingress_icon": "malware_bug", "spread_tempo": "medium", "spread_events": [ { "delay_seconds": 6, "target": "power_subsystem", "vector": "Smart-Charging Management Bus" }, { "delay_seconds": 11, "target": "ground_support_trackers", "vector": "Facilities Telemetry Link" } ], "description": "Energy-infrastructure sabotage cascading from EV charging into core power and ground operations.", "notifications": { "caa": { "required": false }, "dft": { "required": true, "reason": "Sabotage of airport power and ground-operations infrastructure threatens critical transport continuity — reportable to the Department for Transport under the Cyber Security and Resilience Bill." } } } ] |