If one were to take a poll on how many industrial operators have a Cyber Incident Response Plan (CIRP), there would be an alarming number of organizations that fail to even realize the need. When I ask my customers about Industrial Control Systems Cyber Incident Response Planning, the opinions are clearly polarized. Most of my clients usually mumble through a loose interpretation of what sometimes sounds like their Emergency Response Plan, which was created for the purpose of safety. The other answer that I get is that it’s something they need to look at in the undetermined future. This scares me, because what it says to me is “We’re gonna wait till we have an incident and then we will react to that by creating a plan for next time!” Creating an effective cyber incident response plan may seem like a daunting task, and like most insurance it’s often forgotten until it’s too late.
This may be my tallest soap box, but I am truly concerned that possibly 90% of critical infrastructure outside of power generation is not ready to respond to a cyber incident. In an effort to provide direction toward the answer rather than join the normal group of armchair quarterbacks, I have researched some of the more successful incident responses and think one should begin with a focus on the command structure.
As in most operations, leadership is the most critical aspect of responding to an incident. Most of the other documentation can be useful, but without proper leadership important documents may as well be confetti. Creating a successful Incident Command System (ICS) will definitely increase your success in response.
The Incident Command System began as a calculated effort to respond to a series of California wildfires in 1970: local, state, and federal agencies came together to discover how to better integrate their efforts by developing a common language, common management concepts, and common communications. Centralization of authority normally occurs within a single organization and on a relatively stable basis. The critical innovation that came out of this effort was to temporarily centralize response authority in order to direct multiple organizations. The incident commander is responsible for directing and coordinating the tactical efforts of all organizations involved during the response.
The response to the Oklahoma City bombing in 1995 used a similar format. Government and nonprofit responders were on the scene minutes after a massive truck bomb destroyed a federal building. Using the management structure of the California Incident Command System, one person was appointed as incident commander, responsible for directing all other responders. An after-action report argued that the “Oklahoma City Bombing should be viewed as ultimate proof that the Incident Command System works” (ODCEM n.d., 36).
As a result of its perceived success in situations like Oklahoma City, the ICS has been mandated by the Department of Homeland Security (DHS) for all crisis situations. The DHS characterizes the ICS as a command-and-control style of management, emphasizing the importance of a clear hierarchy of authority. But if we look closely, the portrayal of the ICS as a hierarchy is misleading. The incident commander at the Oklahoma City bombing was a local government fire chief. He was directing not only his own employees but also responders from other organizations, other levels of government, and the nonprofit and private sectors. Numerous interdependent organizations were working together toward a common goal. Identifying the most qualified person to take command during a cyber incident is the critical starting point for creating a CIRP, and it can be difficult or even impossible to do in the middle of an incident response.
The CIRP Commander needs to have authority over all organizations involved in the response. This is an often overlooked detail that should be agreed upon with vendors, integrators, and all other responders before the CIRP can be finalized.
How this can be accomplished will be covered in Part Two…