Building community-wide resilience through scenario exercises and cyber incident command training
The recent attacks on the Colonial Pipeline Company and a Florida water treatment facility were targeted attacks against a specific entity. The DarkSide group behind the Colonial Pipeline cyberattack used ransomware to threaten the company. Colonial responded by shutting down the pipeline, and a wave of gas shortages cascaded across multiple states.
In the Florida incident, a hacker gained access to the water system and tried to poison the water supply. A worker at the water treatment facility noticed the influx of chemicals and restored the balance before it could cause major problems.
These two events are not the first time a real-time system has been impacted or targeted, and they certainly won't be the last. They provide another round of eye-opening reminders that critical infrastructure is becoming a target of choice for adversaries who recognize the value and advantage of disrupting technology in ways that can threaten or cause downstream kinetic impacts.
By targeting the vulnerabilities that exist at IT/OT convergence points, adversaries achieve a force-multiplier effect. When it comes to critical infrastructure, the effects spill out into the community. The resilience of the target, therefore, determines the downstream impact on other community members. If those community members are not properly prepared, the effects continue spreading.
When you take a step back and notice the full ripple effect of a cyberattack, it becomes more evident that increasing overall resilience requires a whole-of-community approach. This means that interdependencies are well understood and there is a common language for incident response. It also means that information sharing, reporting, and cross-sector communication are already in place and not scenario-induced.
Two tools that municipal, county, state, federal, and private-sector entities can use to strengthen whole-of-community resilience are the Jack Voltaic Automated Tools for scenario exercises and the Incident Command System for Industrial Control Systems (ICS4ICS) framework for creating a common language. These two resources can help address the cascading effects of a cyberattack across multisector and multidomain environments by identifying and addressing gaps in incident response.
Jack Voltaic Automated Tools
Jack Voltaic is a research experiment series developed by the Army Cyber Institute (ACI) to investigate how cyberattacks can impact multiple critical infrastructure sectors and the corresponding response from both public and private partners. The Jack Voltaic research series was launched in 2016 with the goal of developing a repeatable and adaptable framework that could be used by major cities as part of their cyber incident response standards.
One of the key findings and conclusions from the Jack Voltaic 3.0 event in September 2020 was that a one-size-fits-all framework does not make sense, because incident response resources and capabilities are not the same from city to city. Therefore, ACI partnered with an academic institution and a software development company to develop automated tools that help planners in cities of any size quickly design and execute a Jack Voltaic-like exercise. Using the tools, planners can shorten the design and development phase of a cyber exercise to a few weeks.
The Jack Voltaic Automated Tools scale the benefit an organization gains from conducting a cyber exercise by supporting the participation of public and private stakeholders in the same exercise. The tools provide the capability to stress participants with relevant injects that escalate into a comprehensive multi-sector attack, in order to identify interdependencies, strengths, and weaknesses. The exercise helps identify gaps in capabilities, response plans, and cross-sector communication, which can then be integrated into a strategy for improving whole-of-community resilience.
Incident Command System for Industrial Control Systems (ICS4ICS)
The second resource available to help organizations improve cyber resiliency is ICS4ICS, which is a public-private partnership based on the FEMA Incident Command System. Megan Samford, the current chair of the ISA Global Cybersecurity Alliance, created the concept based on firsthand experience managing an incident command system to deal with natural disasters. She realized that the ICS community would benefit from a similar structure to respond to cyber incidents.
ICS4ICS introduces a set of integrated roles to support a synchronized incident command structure that can be further adapted by stakeholders to best fit their environments. ICS4ICS is now an initiative of the ISA Global Cybersecurity Alliance, and FEMA, DHS, and INL are serving as government partners and collaborators. The ICS4ICS working group is currently developing response plan templates and finalizing a cyber first-responder credentialing program.
See also: Megan Samford will be giving a talk on ICS4ICS on May 21 at 12pm ET; details and registration are available from the event page.
By taking a whole-of-community approach to adopting a cyber incident command structure using a framework like ICS4ICS, organizations enable streamlined communication and information sharing that raises the overall resiliency bar.
Cyberattacks will continue to pose a risk to critical infrastructure, but a whole-of-community approach to improving resilience can greatly mitigate that risk. The Jack Voltaic Automated Tools give public and private sector stakeholders the ability to design and implement cyber exercises that promote continued communication and collaboration for preparedness. ICS4ICS provides a framework for a cyber incident command structure, giving public and private sector stakeholders a common language and role-based training. Taken together, these tools can decrease the downstream effect of a cyberattack.