Integration of Cyber Events into Emergency Planning

1. Weaving cyber events into emergency management plans
Dave Sweigert, CISSP, CISA, PMP
January, 2014
1/14/2014

2. Intended audience
• Cyber security personnel working with
emergency planners, Crisis Management
Teams (CMT), Emergency Operation Plan
developers and business continuity
planners relying on current best practices
1/14/2014

3. Objective
• Assist cyber practitioners in leveraging
techniques to integrate cyber specific
plans into larger basic plans
• Provide background in best practice
planning processes
• Foster inter-disciplinary dialogue in the
emergency planning domain
1/14/2014

4. BACKGROUND
1/14/2014

5. Different plans for different objectives
• Strategic, Operational, Tactical Plans
i.
Strategic – goals and objectives set by
senior leadership
ii. Ops – roles and responsibilities,
integrated with partners (state,
regional, local, contractors, utilities)
iii. Tactical – personnel, equipment,
resources (standard operating
procedures (SOP))
1/14/2014

6. Planning backdrop
• Comprehensive Preparedness Guide (CPG)
101, Developing and Maintaining
Emergency Operations Plans as a guide
• Three types of threats: natural,
adversarial, technology (cyber)
• FEMA’s Emergency Support Function # 2
addresses cyber security (drafting ESF
#18 Cyber)
1/14/2014

7. Plans that support and supplement
the comprehensive basic plan
•
•
•
•
•
•
Administrative Plans
Preparedness Plans
Continuity Plans
Recovery Plans
Mitigation Plans
Prevention and Protection Plans
1/14/2014

8. Terms: CIKR, COOP , COG & DRP
Critical Infrastructure/Key Resources (CIKR)
Continuity of Operations (COOP)
Continuity of Government (COG)
Disaster Recovery Planning (DRP)
(I.T. specific recovery)
• DRP defines knowledge, skills and abilities
of technical personnel
• DRP defines specific guidelines to carryout specific functions
•
•
•
•
1/14/2014

9. Other plans orbiting the basic plan
• Organizational/agency specific plans
(planning can be to department level)
• Business Continuity (memorandums of
understanding/agreement (MOU/A))
• Business Safety plans (OSHA)
• Hazard Mitigation (identified major
threats, union strikes, terrorism)
• Home Safety Plans for essential personnel
(develop family preparedness mindset)
1/14/2014

10. Emergency Operations Plans (EOPs)
• Potential integration with National Incident
Management System (NIMS) and National
Response Framework (NRF)
• Describes how incidents are handled
• Base plan (organization-wide) with hazard
specific annexes (cyber specific)
• Information sharing between private-public
partners
1/14/2014

11. EOPs:
• Identification of response and recovery
actions, agencies, key resources
• Direction, control, sequence of events
• Specific communications procedures
• Identify triggers and processes to activate
personnel, resources, partners
• Times, periods, anticipation of needs
• Appendix (support material)
• Annex (threat / capability specific)
1/14/2014

12. PLANNING PROCESS
1/14/2014

13. The Planning table
• Identify community partners (law
enforcement, utilities, colleges)
• Build relationship (cross-functional)
• Identify resources (needed capabilities)
• Know the processes needed and
specialized procedures to acquire timely
resources (pre-existing vendor
agreements)
1/14/2014

14. Planning process issues
• Get the right folks at the table
• Walk thru your organizational structure
• Develop common vocabulary (avoid use of
career specific jargon and buzz words)
• Incentivizing participants: developing a
“hook” to retain participants
• Develop team around a planning scenario
common to all participants (72 hour
power black-out)
1/14/2014

15. Best practices
•
•
•
•
•
•
•
•
Project objective (create living document)
Core planning team (stakeholders)
Project schedule (tasks, durations)
Plan development (templates)
Plan preparation and review
Plan vetting and commentary
Final draft reviewed in workshop
Approval
1/14/2014

16. Project Management issues
• Need buy-in from top management
(compliance issues HIPAA, SOX, PCI)
• Scope statement (catalyst)
• Define clear objectives
• Project manager’s role defined
• Scope creep (focus on a functional plan)
1/14/2014

17. Planning Characteristics
• Reduction of unknowns
• Continual process (living document)
• Appropriate actions based on what is
likely to happen based on facts, typical
behavior, capabilities
• Training, education, exercises
• Testing the plans, revise and improve
1/14/2014

18. INTEGRATING
PLANS
1/14/2014

19. Integrated Emergency Planning
• Horizontal integration: developing
partnerships across your organization
• Synchronization and integration of plans
(your plan may be part of another)
• Promotes complementary goals
• Reduces fragmentation
• Ensures common focus
• Work out MOUs/MOAs (legal review)
1/14/2014

20. Linkages to promote integration
• Conduct gap analysis to determine shortfalls
• Convert needs to capabilities (need 72 hours
of power  mobile generators with fuel)
• Understand the missions of public-private
partners (law enforcement, contractors)
• Developing crosswalk of plan components
with partner plans to improve integration
• Identify all appropriate stakeholders
1/14/2014

21. CONCLUSION
1/14/2014

22. Planning for the cyber incident
• Understand that the cyber event plan is
part of a broader integrated approach to
emergency management
• Pre-response planning with partners can
greatly reduce impact (ounce of
prevention) of the event
• Strive to ensure your cyber plan is
integrated into the total response
1/14/2014

23. About the author:
An Air Force veteran, Dave Sweigert acquired significant
security engineering experience with military and defense
contractors before earning two Masters’ degrees (Project
Management and Information Security).
He holds the Certified Information Security Systems
Professional (CISSP), Certified Information Systems Auditor
(CISA) and Project Management Professional (PMP)
certifications.
Mr. Sweigert has over twenty years experience in information
assurance, risk management, governance frameworks and
litigation support.
1/14/2014