In the last year, we’ve seen a surge in cybercrime, plaguing organizations of every shape and size. However, 2018 also presented a relatively new trend of hackers increasingly targeting critical infrastructure operations, jeopardizing our national security more than ever before. Unfortunately, this has forced businesses to learn the hard way that they need to better arm themselves with security policies and plans to keep pace with evolving malicious actors.
Often, organizations find that it’s only after an incident occurs that they can appropriately prepare for another. When a malicious activity occurs, every minute counts, and the last thing an organization can afford is to waste time laying out processes and procedures. Having a well-designed plan for threat response allows organizations to respond to incidents as effectively and efficiently as possible.
In the critical infrastructure sector in particular, one of the most common challenges when dealing with a cyber incident is the integration between kinetic emergency operations and cybersecurity incident response. Often, a company in this sector will have both an emergency operations center (EOC) and a security operations center (SOC). Unfortunately, those EOCs and SOCs often operate independently as they are plagued by silos and don’t quite fit well together at a surface level.
Identifying integration points is necessary to put a response in place that allows organizations to quickly mitigate crisis. In this piece, I’ll outline a few ways that these two critical functions can better and more naturally integrate.
Striking a Balance: Incident Response and Emergency Response Plans
At a glance, a cyber incident response plan helps organizations perform their best by preparing for the worst. An incident response plan serves as a blueprint for what steps need to be taken, and by whom. In theory, a robust plan should empower teams to leap into action and mitigate damage as quickly as possible, outlining roles and responsibilities, the different stages of an incident, and how to determine the severity, workflows, decision trees, and call lists based on the particular situation.
While incident response plans provide in-depth detail on the cyber-related aspect of things, what these documents almost never address is the incident’s impact on the business side. There will often be a mention or consideration that describes when to press the big red button and take the affected system down, but what they miss is the impact on users and customers.
To compare, emergency response plans prioritize the impact to customers and business users. They still contain the essential elements of incident response plans (e.g. frameworks, models, decision trees, etc.), but generally do not include considerations for the relied-upon technology systems and what happens when those are not available. This is also a miss.
The natural integration of these two plans comes at the handoff points. During the early phases of a cyber incident, the response team will be struggling to understand as quickly as possible how an attack occurred as opposed to what the associated impacts are — that comes later. If organizations create a decision in the workflow to notify emergency operations at the onset, their resources can align with IT to determine impact. Then, depending on what they find, an emergency could be declared and members of the EOC staff can effectively take over coordination.
This handoff will tackle all the communications, executive notifications and updates, and ongoing status reporting, which offloads those responsibilities from the cyber team and allows them to focus on the crisis at hand.
Testing Organizational Preparedness
Incident response tabletop exercises are essential tools in helping to prepare organizations for cyberthreats. Generally, most companies have not had a catastrophic cyber incident affecting tens of thousands of people. More often, the cyber-response team deals with smaller intrusions and data theft, which require little to no outside communication unless the data theft involves personally identifiable information (PII). This (albeit fortunate) lack of large-scale, real-world experience has a hidden issue of not effectively preparing organizations for what they will encounter as an incident unfolds within their business.
Tabletop exercises are an excellent way to verify an organization’s readiness by putting them in very difficult situations and helping to navigate them in a safe environment. A best practice is to have different audiences participate in the exercises and consistently run them throughout the year, with a full-scale, company-wide exercise occurring at least bi-annually.
If an industrial company is conducting a realistic cyber-related exercise, a few things will happen in just about every scenario: the emergency operations team will swiftly become involved and the communications team will be eager to meet the information requests they are receiving from the media, as well as local, state, and national officials. Both teams should be prepared for the eventuality of a massive system impact on their customer base and how to respond to it quickly to ensure public trust.
For many in an industrial industry, it takes a major cyber incident in which this problem becomes front and center in order to get the necessary experience. When organizations have people working in similar functions with overlapping responsibilities, there can be a tendency to create inefficiencies through duplication of work or not leveraging each other’s strengths. Breaking those silos down, better understanding where handoff points need to occur and knowing when a cyber-situation requires an emergency response will help prepare the business and improve its ability to quickly and effectively recover. When it comes to cybersecurity, if you are failing to prepare, you are preparing to fail, so it is always essential to have a comprehensive threat response plan in place.
Scott King, Senior Director, Security Advisory Services, Rapid7.