Welcome to week four of National Cybersecurity Awareness Month! This week, we will take a look at ways organizations in the critical infrastructure sector can better prepare themselves to respond to cyber-incidents.
In the critical infrastructure sector, one of the most common challenges I hear about is the integration between kinetic emergency operations and cybersecurity incident response. More often than not, a company in this sector will have both an emergency operations center (EOC) and a security operations center (SOC). Unfortunately, many of those EOCs and SOCs are not integrated because they don’t quite fit well together on the surface.
In this post, we will cover a couple of ways these two critical functions can better and more naturally integrate.
Cyber-related incident response plans
First, let’s explore a typical cyber-incident response plan, which is a living document that discusses roles and responsibilities, the different stages of an incident, and how to determine the severity, workflows, decision trees, and call list based on the type of incident (among other items).
While incident response plans are very detailed on the cyber-related aspect of responding to an incident, what these documents almost never address is the business impact the intrusion creates. There will often be a mention or consideration that describes when to press the big red button and take the affected system down, but there is nothing about the impact to business users or customers. This is a huge miss.
To compare, an emergency response plan prioritizes the impact to customers and business users as its main tenet. It still contains many of the same frameworks, models, decision trees, etc., but generally does not include considerations for the relied-upon technology systems and what happens when those systems are not available. This is also a miss.
The natural integration of these two plans comes at the handoff points. During the early phases of a cyber-incident, the response team will be struggling to learn as quickly as possible how something happened as opposed to what impacts it has incurred—that comes later. If you create a decision in the workflow to notify emergency operations at the onset, their resources can work with IT to determine impact. Then, depending on what they find, an emergency could be declared and members of the EOC staff could take over the coordination.
This handoff will tackle all of the communications, executive notifications and updates, and ongoing status reporting, which offloads those responsibilities from the cyber-team and allows them to focus on the response itself.
Tabletop exercises and crisis communications
Next up are incident response tabletop exercises and crisis communications. Most companies have not had a catastrophic cyber-incident affecting tens of thousands of people or an entire community. Generally, the cyber-response team deals with smaller intrusions and data theft, which require little to no outside communications unless the data theft involves personally identifiable information (among other legal causes). This (albeit fortunate) lack of large-scale, real-world experience carries a hidden cost: it does not effectively prepare organizations for what they will encounter as an incident unfolds within their business.
Tabletop exercises are an excellent way to put game play around very difficult situations and navigate them in a safe environment. The exercises should have different audiences and run consistently throughout the year, with a full-scale, company-wide exercise occurring at least biannually.
If an industrial company is conducting a realistic cyber-related exercise, a couple of things will happen in just about every scenario: the emergency operations team will become involved very quickly, and the communications team will be eager to meet the information requests they are receiving from the media as well as local, state, and national officials. Both teams should be prepared for the eventuality of a massive system impact affecting their customer base and how to respond to it quickly to ensure public trust.
For many in the industrial sector, it takes a major cyber-incident in which this problem becomes front and center to get the experience necessary to prepare for another one. This blog was written to highlight a couple of the challenges I’ve seen and talked to many companies about. When you have people working in similar functions that have overlapping responsibilities, there can be a tendency to duplicate work and not leverage each other. Breaking those silos down, better understanding where handoff points need to occur, and knowing when a cyber-situation requires a kinetic emergency response will help prepare the business and improve its ability to quickly and effectively recover.
This post was the fourth and final in a four-part series celebrating National Cybersecurity Awareness Month.