November 8, 2018
by Scott King, Senior Director, Security Advisory Services, Rapid7
When it comes to cyberattacks, organizations that are failing to prepare are preparing to fail. When an emergency occurs, every minute counts, and the last thing that anyone wants is to waste time figuring out processes and procedures. Having a well-designed, cohesive plan in place is paramount.
In the critical infrastructure sector in particular, one of the most common challenges in dealing with a cyber-incident is the integration between emergency operations and cybersecurity incident response. A company in this sector will often have both an emergency operations center (EOC) and a security operations center (SOC). Unfortunately, many of those EOCs and SOCs operate independently: they sit in separate organizational silos and, on the surface, their processes don’t fit together well.
Finding those integration points is what makes it possible to put a response in place that lets an organization mitigate a crisis quickly and efficiently. Let me explain.
Cyber-related incident response versus emergency response plans
At a glance, a cyber-incident response plan delineates what steps need to be taken, and by whom. In theory, a robust plan should empower teams to leap into action and mitigate damage as quickly as possible. It outlines roles and responsibilities, the stages of an incident, how to determine severity, and the workflows, decision trees, and call lists that apply to a given situation.
While incident response plans are usually very detailed on the technical side, what these documents almost never address is the business impact the intrusion creates. They will often mention when to press the big red button and take the affected system down, but say nothing about the impact on business users or customers. This is a huge miss.
By comparison, an emergency response plan prioritizes the impact on customers and business users. It contains many of the same frameworks, models, decision trees, etc., as an incident response plan, but generally does not consider the technology systems the business relies on and what happens when those are not available. This creates a gap of its own.
The natural integration of these two plans comes at the handoff points. During the early phases of a cyber-incident, the response team will be focused on understanding as quickly as possible how the attack occurred, not on what the associated impacts are; that comes later. If organizations build a decision point into the workflow to notify emergency operations at the onset, EOC resources can align with IT to determine impact. Then, depending on what they find, an emergency can be declared and EOC staff can take over coordination.
This handoff moves all of the communications, executive notifications and updates, and ongoing status reporting to the EOC, which offloads those responsibilities from the cyber-team and lets it focus on the crisis at hand.
Tabletop exercises and crisis communications
Next up are incident response tabletop exercises and crisis communications. Most companies have never had a catastrophic cyber-incident; generally, the cyber-response team deals with smaller intrusions and data theft, which require little to no outside communication unless the stolen data includes personally identifiable information (PII). This lack of large-scale, real-world experience has a hidden cost: it leaves organizations unprepared for what they will encounter as a major incident unfolds within their business.
Tabletop exercises are an excellent way to verify an organization’s readiness by putting teams in very difficult situations and helping them navigate those situations in a safe environment. The exercises should target different audiences and run consistently throughout the year, with a full-scale, company-wide exercise at least twice a year.
If an industrial company conducts a realistic cyber-related exercise, a few things will happen in just about every scenario: the emergency operations team will become involved very quickly, and the communications team will be eager to meet the information requests it receives from the media and from local, state, and national officials. Both teams should be prepared for a massive system impact that affects their customer base, and for responding to it quickly enough to preserve public trust.
For many industrial organizations, it takes a major cyber-incident that pushes this problem front and center to gain the experience needed to prepare for the next one. When people in similar functions have overlapping responsibilities, there is a tendency to duplicate work rather than lean on each other to cut down on repetition and ensure seamless communication. Breaking those silos down, understanding where handoff points need to occur, and knowing when a cyber-situation requires an emergency response will help prepare the business and improve its ability to recover quickly and effectively.
About Scott King
Scott King is the Senior Director, Security Advisory Services for Rapid7 and has over 20 years of professional work experience in the IT and cybersecurity fields. He started his career as a network and systems engineer in the midst of the Silicon Valley dot-com boom of the ’90s. In 2001, Scott moved into an information assurance role supporting the Department of Defense, which kick-started his career as a cybersecurity professional. Scott has worked extensively in the energy industry, the DoD, state governments, technology companies, and manufacturing companies.