How Emergency Managers Can Come to Terms with the Cyberworld and its Threats

Cyberincidents follow the same path as other emergency incidents, and preparing for them is necessary.

A virus has infected emergency management agencies, and it has spread like wildfire. Once it infiltrates the system, it causes an inability to effectively plan and prepare for cyberincidents. The virus: fear of the unfamiliar cyberworld.

To be fair, not everything about cyber preparedness and response is unknown. Agencies may have acknowledged the potential for an incident in their hazard mitigation plans or their Threat and Hazard Identification and Risk Assessments, and some may have a cursory understanding of specific vulnerabilities. Yet even with that acknowledgment, there is still a hesitancy to move the process beyond threat identification. There have been some successes: the Indianapolis Division of Homeland Security created a cybersecurity defense force, and the Maryland Emergency Management Agency has started the risk assessment process. These examples, however, are not replicated by the majority of jurisdictions nationwide.

Just 24 percent of state chief information security officers are confident in their state’s ability to protect against cyberthreats, and in the 2013 National Preparedness Report cybersecurity ranked as the weakest core capability. Fewer than half of the country’s fusion centers, often owned and operated by state or local governments, have a dedicated cyberprogram. Local preparedness falls somewhere between the gold standard and nonexistent, but the most common pattern is for emergency managers to fold the IT department’s disaster recovery plan into the emergency operations plan and resolve to be the “consequence manager” if and when an incident occurs.

IT permeates nearly every aspect of our lives, and it is a necessary component in successfully delivering many public services, from waste management to first response to water and wastewater treatment. Such a critical element of these programs deserves preparedness levels that rival those for floods and hurricanes.

What to Ask?


So why the lack of preparedness? It can likely be tied to the mindset and level of comfort that the emergency manager has with IT. Some are intimidated by IT issues and consciously avoid cybersecurity; others have started down the path of preparedness by identifying the threat, but need guidance on taking their program to the next level. The latter group knows that the threat is evolving and accepts that something needs to get done. It has a disaster recovery plan, open lines of communication with its IT department and good intentions of developing a cyberincident response plan. But without access to cybersecurity experts, it does not know how to proceed or what questions to ask the experts. Cyberincidents follow the same path as other emergency incidents, and preparing for them is a similar and familiar process as well: define, assess, plan and act.

Establish a Definition


Before the assessment and planning process can begin in earnest, it’s important to establish a definition of the term cyber and what it means to emergency management. Modern society and pop culture have fueled a misinterpretation of the term leading everyone to believe that cybersecurity means protecting computers and servers from terrorists and foreign adversaries. But cyber is much more than computers and servers, and its infrastructure is vulnerable to both natural and human-caused hazards. It’s easiest to think of cyber as anything with a digital or analog component. GPS systems, mobile telephones, digital watches, motor vehicles and televisions are a few of the everyday things that have a cyber-component.

For emergency managers, GIS, first responder communication systems, the electrical grid, remote wireless sensors or monitoring stations, WebEOC and water and wastewater treatment plants also fall into this category. To fully understand this new definition, list all of the public functions your jurisdiction provides and then determine which of those are supported by a digital or analog component in development, execution or delivery. The list will be far more complex than a catalog of personal computers and server locations.

Risk Assessments


Next, a thorough risk assessment should be performed, focusing on cyberinfrastructure and the dependencies of governments’ critical services and functions on that infrastructure. Since most agencies have conducted a basic risk assessment for emergency operations plans and hazard mitigation plans, basing one on services and functions brings the assessment to a new level, enhancing the depth of the analysis.

Conventional risk assessments are conducted by analyzing a variety of factors, but generally focus on critical infrastructure, the likelihood of a hazard occurring and population density. Enhancing this method to include a service and function focus requires that a clear distinction be made between what emergency management used to be and the role it plays today. Accepting this distinction will better ensure a more comprehensive risk assessment.

The first step is to work with agency or department heads and ask which of the services and functions they provide to citizens are most critical. Start the conversation by going through each emergency support function in the emergency operations plan or by critical infrastructure sector as defined by the U.S. Department of Homeland Security. Together, work to identify what is important to your constituents and how those services and functions are delivered. List what programs, systems and equipment are used for each, noting specifically where the execution of that service or function depends on a cyber-component. Clearly identify the owner-operator associated with each service and function as well, as this will go directly into the cyberincident response plan.

Once the master list of services and functions is developed, the next step is to map out the interdependencies and relationships between those systems. Again with the agency or department heads, ask how each service or function affects the others. If one service is compromised, will it affect the delivery of another? Understanding these interdependencies is crucial. The result is a cyber-based risk map showing the relationships between the most critical cyber-based services and functions. This will help identify a priority order for which systems need to be protected before, or recovered after, an incident.

One of the last steps of the risk assessment process is to work with the IT department and other agency or department heads to identify the specific vulnerabilities within the critical cyber-based services and functions. A vulnerability can be a system that is unprotected, has no contingency plan if compromised, runs on aging infrastructure, or anything else the assessment team qualifies as a vulnerability. Then focus the conversation on fixing the problems that have been identified: what specific actions can be taken to protect, prevent or mitigate the impact of a cyberincident on those vulnerable systems? Create an action plan with a timeline for executing these items.
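The three assessment steps above (inventory services and their owner-operators, map interdependencies, attach known vulnerabilities and turn them into an action plan) lend themselves to a small, repeatable model. The following Python is an added example, not code from the article or its author; the service inventory, owner names and vulnerability entries are constructed for a hypothetical jurisdiction. It inverts the dependency graph so that the impact of losing any one service can be computed transitively, orders services by how many others they take down, flags dependencies that were named but never inventoried (a common gap), and emits the seed of the mitigation action plan with the owner-operator beside each item.

```python
"""Cyber-dependency risk map (added example; hypothetical inventory)."""
from collections import deque
from typing import Dict, List, Set, Tuple

# Constructed sample inventory for a hypothetical jurisdiction. Service names,
# owner-operators and vulnerabilities are illustrative, not real organizations.
SERVICES: Dict[str, dict] = {
    "power_grid":      {"owner": "Regional Utility (private partner)",
                        "depends_on": [], "vulns": []},
    "data_center":     {"owner": "County IT",
                        "depends_on": ["power_grid"], "vulns": ["single site, no failover"]},
    "scada":           {"owner": "Public Works",
                        "depends_on": ["power_grid"], "vulns": ["unpatched HMI", "no contingency plan"]},
    "water_treatment": {"owner": "Public Works",
                        "depends_on": ["scada", "power_grid"], "vulns": ["aging PLCs"]},
    "radio_system":    {"owner": "Public Safety Communications",
                        "depends_on": ["power_grid"], "vulns": []},
    "gis":             {"owner": "County IT",
                        "depends_on": ["data_center"], "vulns": []},
    "webeoc":          {"owner": "Emergency Management",
                        "depends_on": ["data_center"], "vulns": []},
    "911_dispatch":    {"owner": "Public Safety Communications",
                        "depends_on": ["radio_system", "gis"], "vulns": []},
}


def unlisted_dependencies(services: Dict[str, dict]) -> Set[str]:
    """Names that appear as a dependency but were never inventoried themselves.
    Each one is an assessment gap: something relied upon that nobody owns."""
    return {d for s in services.values() for d in s["depends_on"] if d not in services}


def dependents_map(services: Dict[str, dict]) -> Dict[str, Set[str]]:
    """Invert the graph: for each service, the services that directly depend on it."""
    rev: Dict[str, Set[str]] = {name: set() for name in services}
    for name, svc in services.items():
        for dep in svc["depends_on"]:
            rev.setdefault(dep, set()).add(name)
    return rev


def impact_set(services: Dict[str, dict], name: str) -> Set[str]:
    """All services whose delivery is lost if `name` is compromised.
    Transitive breadth-first walk over the inverted graph; the visited set
    keeps it terminating even when dependencies are circular."""
    rev = dependents_map(services)
    seen: Set[str] = set()
    queue = deque([name])
    while queue:
        cur = queue.popleft()
        for dependent in rev.get(cur, ()):
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return seen


def priority_order(services: Dict[str, dict]) -> List[str]:
    """Protect-before / recover-after order: widest downstream impact first,
    then most known vulnerabilities, then name so the result is stable."""
    return sorted(
        services,
        key=lambda n: (-len(impact_set(services, n)), -len(services[n]["vulns"]), n),
    )


def action_items(services: Dict[str, dict]) -> List[Tuple[str, str, str, int]]:
    """(service, owner-operator, vulnerability, downstream services affected)
    in priority order: the starting point for the mitigation action plan."""
    items: List[Tuple[str, str, str, int]] = []
    for name in priority_order(services):
        blast = len(impact_set(services, name))
        for vuln in services[name]["vulns"]:
            items.append((name, services[name]["owner"], vuln, blast))
    return items


if __name__ == "__main__":
    gaps = unlisted_dependencies(SERVICES)
    print("unlisted dependencies:", sorted(gaps) if gaps else "none")
    for name in priority_order(SERVICES):
        print(f"{name:16} affects {len(impact_set(SERVICES, name))} downstream service(s)")
    print("\nAction plan:")
    for name, owner, vuln, blast in action_items(SERVICES):
        print(f"  [{blast} downstream] {name}: {vuln} -> owner: {owner}")
```

In the constructed inventory the grid sits at the top of the order because every other service fails without it, even though the jurisdiction owns no vulnerability there; that is the signal to pull the private utility partner into the response annex. The action plan starts with the data center rather than the SCADA host, despite SCADA carrying more findings, because three services sit behind the data center. Swap in your own inventory and rerun the script whenever a system is upgraded, replaced or acquired.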

Incident Response Plan


Cyberincident response plans should be developed as a complement to the disaster recovery plan and the information systems contingency plan. Neither trumps the other; each serves its own purpose, and the recovery and contingency plans are generally maintained by IT departments. Cyberincident response plans should be treated like any other incident-specific annex to an emergency operations plan: primary and support agencies identified, roles and responsibilities clearly delineated, communication and coordination thoroughly fleshed out, and a concept of operations provided in detail.

One of the key differences between this plan and a traditional incident-specific annex is that the list of critical systems and functions identified in the risk assessment, along with the risk map, should be prominently placed within the annex. Owners and operators of each critical cyber service and function (along with their correlating programs, systems and equipment) should be listed with their contact information as well, including private industry partners. Also ensure that related emergency response contracts are included in the plan, with copies of the agreements included as attachments for reference.

As with any effective planning effort, cyberincident planning and the accompanying risk assessment are iterative processes. They are meant to be updated frequently, probably more often than other plans. Cyber infrastructure, capabilities and reliance on those capabilities are evolving, and the threats and perpetrators are changing just as rapidly, which justifies frequent updates. As a general rule, when systems are upgraded, mitigated or acquired, make the corresponding changes to the plan and the risk assessment.

Take Action


Following the completion of the risk assessment and cyberincident response plan, act on the prevention, protection and mitigation actions identified during the risk assessment process. This might include acquiring security software such as anti-spyware, anti-virus protection, encryption programs and robust firewalls. If your jurisdiction already has a cybersecurity team, one of its tasks should be continuous monitoring of the jurisdiction’s systems. This not only confirms that those programs, and the updates to them, are actually reaching the end user, but also allows suspicious or malicious activity to be detected promptly. Other actions can include hardening infrastructure, ensuring that it is physically protected from unauthorized access as well as from environmental impacts.

Obtaining the resources to define, assess, plan and act might seem like a challenge. Emergency managers are already doing more with less. Fortunately, the federal government has made cybersecurity a high-priority initiative: it acknowledges that a serious cyberattack is coming and has been flexible and forward thinking in its own preparedness initiatives. But the federal government can’t offer assistance if it’s not aware of your vulnerabilities.

Although the requirement to report on capability estimates and targets applies only to the Urban Areas Security Initiative and the states, local jurisdictions are urged and invited to provide their capability reports to strengthen the Threat and Hazard Identification and Risk Assessments and State Preparedness Reports. These reports document the need for specific assistance to address capability shortfalls and can support grant justification in the following years. Use this opportunity to sit at the table and provide an accurate account of your vulnerabilities.

Carrie Speranza is an emergency management consultant at MBL Technologies.