Moving toward a flexible, standards-based response protocol for CIKR cyber incidents
June 2013
Author: Dave Sweigert, M.Sci., CISSP, CISA, PMP
ABSTRACT
The relevant features of the Incident Command System should be endorsed by operators of private-sector Critical Infrastructure and Key Resources and should be embedded within the Cybersecurity Framework proposed by Executive Order 13636.
Background
Private-sector incidents can have a major impact on the public, as the June 2003 City of Commerce train derailment illustrates. The failure to set hand brakes in a rail yard allowed 31 rail cars to roll out of the yard near Los Angeles. These cars traveled 28 miles (reaching speeds of 95 mph) before derailing in a residential community and destroying five homes. Fortunately, this occurred at the noon hour, so many residents and children were away from their homes at the grand opening of a new community pool. However, the public sector was not informed of the situation until 911 dispatch operators began receiving emergency calls from local residents after the derailment [1]. The railroad never notified public safety of the runaway cars.
One wonders: if a private-sector operational failure (unset hand brakes) can affect a key resource (a railroad) and cause such a disaster, how will private-sector response activities and information sharing be coordinated in a cyber-centric disaster that affects critical infrastructure?

[1] NTSB Report DCA-03-FR-005
Executive Order 13636 [2] appears to address this problem: it (1) calls for a consensus-driven “Cybersecurity Framework” to strengthen the protection of Critical Infrastructure and Key Resources (CIKR) [3] and (2) proposes a consensus-based national risk management framework, implemented through voluntary adoption, since the vast majority of CIKR is owned by the private sector.
[2] Executive Order 13636, Improving Critical Infrastructure Cybersecurity, February 12, 2013. See Sec. 7, Baseline Framework to Reduce Cyber Risk to Critical Infrastructure.

[3] Critical Infrastructure: assets, systems and networks, whether physical or virtual, so vital to the United States that the incapacity or destruction of such assets, systems or networks would have a debilitating impact on security, national economic security, public health or safety, or any combination of those matters. Key Resources: publicly or privately controlled resources essential to the minimal operations of the economy and the government.
Limitations of cyber-centric prescriptive standards in addressing incident response
Many industry-specific, standards-based cyber security frameworks are in place, but most fall short of addressing interdisciplinary response activities. As an example, the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards (developed under the authority of the Energy Policy Act of 2005 [4] for the electric power industry) require incident response plans, normally executed by a Cyber Security Incident Response Team (CSIRT). However, these plans tend to focus on in-house cyber hygiene issues such as malicious code detection, virus outbreaks, denial of service attacks and unauthorized access.
Prescriptive cyber security standards (like CIP) are implemented to reduce overall technical risk, but may lack post-incident response and agency-interfacing guidelines that enable information sharing between private- and public-sector entities. This is a gap that needs to be addressed.
What is ICS and why is it important?
The Incident Command System (ICS) [5] was cited as a cyber-incident response protocol in Microsoft’s contribution to the industry responses to the Request for Information (RFI) issued by the U.S. National Institute of Standards and Technology (NIST) to gather industry input on the proposed Cybersecurity Framework; quoted in relevant part:

“Many companies are faced with two different types of response: to defend the enterprise itself, and to mitigate an impact to customers. As NIST considers what is needed to support the “response” portion of the risk management framework, Microsoft would strongly encourage NIST to consider the Incident Command System (ICS) as a foundation for any recommendations. ICS has an established history of success in the United States, and it is a well-recognized approach for incident response.” [6]

[4] 42 U.S.C. § 15801

[5] In this context ICS is not Industrial Control Systems but the Incident Command System. To avoid confusion with industrial controls, this paper refers to ICS together with the National Incident Management System (of which ICS is a component) as ICS/NIMS.
[6] Docket No. 130208119-3119-01, Microsoft Response, 1/8/2013, page 23.

As an example of private-sector use of ICS, and to amplify Microsoft’s position, it is instructive to note that the Office of the Assistant Secretary for Preparedness and Response (ASPR) of the U.S. Department of Health and Human Services (HHS) has openly recommended that medical care entities embrace ICS; quoted in relevant part:

“...Increasingly, public health and medical entities are realizing the importance of organizing response according to ICS principles. Many hospitals have established response structures based on the Hospital Incident Command System (HICS), formerly known as the Hospital Emergency Incident Command System (HEICS)...” [7]
The California Hospital Association agrees:

“...HICS is an incident management system based on the principles of the Incident Command System (ICS), which assists hospitals in improving their emergency management planning, response, and recovery capabilities for unplanned and planned events. HICS is consistent with ICS and the National Incident Management System (NIMS) principles...” [8]
ICS/NIMS is relied upon by the U.S. Coast Guard for spill response and clean-up efforts, because the ICS/NIMS protocols allow for an expandable unified command in which civilian private-sector parties participate in planning, coordination and operational activities. There is therefore strong evidence that ICS/NIMS provides the existing protocols necessary to give private-sector organizations a structure for responding to cyber-related incidents and reducing enterprise risk.
Embedding ICS/NIMS functionality within the Cybersecurity Framework may represent one of the best low-cost and stable approaches available for advancing the risk mitigation goals of E.O. 13636; quoted in relevant part:

“...The Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. The Cybersecurity Framework shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible...” [9]

[7] http://www.phe.gov/Preparedness/planning/mscc/handbook/Pages/appendixb.aspx

[8] http://www.calhospitalprepare.org/hics
ICS/NIMS history
ICS/NIMS was forged in the hostile environment of the wildland fire service and was designed as a scalable command and control system for organizing a wide array of responding personnel and equipment at an incident. For example, in the Oakland Hills, California fire of 1991 (before ICS had been uniformly adopted by the agencies that responded), a myriad of communication snarls, unclear lines of command, technical issues (incompatible water hose couplings) and divergent terminology worsened the fire response and led to a near out-of-control situation.

Interestingly, during the World Trade Center recovery efforts after 9/11, it was the protocols of ICS Incident Management Teams (IMTs) that brought “order out of chaos”. Prior to the deployment of the IMTs’ overarching response framework, individual agencies were operating in a dangerous, non-unified and uncoordinated fashion.
[9] Federal Register, Vol. 78, No. 33, Tuesday, February 19, 2013, Presidential Documents, page 11741.
For example, a private industry operator may handle hazardous materials (HazMat) as part of a manufacturing process. In the case of a fire or spill, the manufacturing process is relegated to a secondary role, because the chemical incident may require a public safety response if there is (1) a life safety issue or (2) a protection of property issue.

In theory, if the private-sector initial HazMat responders speak the same language and follow the same protocols as the arriving public safety responders (a tenet of ICS/NIMS), the two groups (private and public) can work together harmoniously toward the common goal of bringing the incident under control. The private-sector responders may have a commercial agenda of protecting the integrity of the manufacturing process, which must be married to the public safety agenda of reducing loss of life and property damage.

For these reasons (and many more) the U.S. Occupational Safety and Health Administration (OSHA) has mandated the use of ICS in addressing HazMat incidents [10].
Indeed, Sector-Specific Agencies (SSAs) have already developed Sector-Specific Plans (SSPs) that call out ICS/NIMS. See the U.S. Department of Homeland Security Emergency Services Sector (ESS) Specific Plan; quoted in relevant part:

“...National Incident Management System. NIMS is a system mandated by Homeland Security Presidential Directive 5 (HSPD-5) that provides a consistent, nationwide approach for Federal, State, local, and tribal governments; the private sector; and NGOs to work together effectively and efficiently to prepare for, respond to, and recover from domestic incidents, regardless of cause, size, or complexity...” [11]

[10] OSHA, Hazardous Waste Operations and Emergency Response (HAZWOPER), 29 CFR 1910.120(q).
Bridging the culture clash (private cyber experts vs. public sector)
The challenge of using ICS/NIMS in a cyber-incident response becomes one of moving scientific and technical experts, who operate in a slow-time, deliberative corporate environment, into the quick-time, action-based operational response that ICS/NIMS was primarily designed to accommodate. Additionally, there are inherent conflicts from a private operator’s perspective that are unique to incident response. But these conflicts can be addressed.

The thorny obstacle that may be impeding widespread adoption of ICS/NIMS by scientifically and technically driven cyber security experts is the tendency to focus on prescriptive cyber hygiene issues to the neglect of incident response. A focus on prescriptive, cyber-specific technology creates saturation and immersion in technical issues rather than in the operational impact of the cyber enterprise on downstream stakeholders. Most cyber security consensus standards are built around technology and do not address incident response.

[11] An Annex to the National Infrastructure Protection Plan 2010, page 86, U.S. Department of Homeland Security.
Training, minimum standards and exercise development
In certain cyber-centric incidents, cyber responders may have to perform a lead role in response management, not just the role of a technical specialist. Training in the structure, operation and proper use of ICS/NIMS may provide key skills and knowledge to cyber responders, especially in the initial phases of an incident.

Timely, effective and efficient interfacing with other responders (public or private) could be significantly improved by personnel who have attended simulated incident exercises. Such exercises create the multi-disciplinary environment that requires interaction with multiple players.

Familiarization with the tenets of ICS/NIMS prior to an incident will empower responding cyber security personnel to understand their important role as technical specialists assisting other ICS/NIMS responders in accomplishing common response and recovery goals. Open encouragement of ICS/NIMS training by employers, recognition of such training by credentialing boards, and incident-specific training and exercise programs for cyber responders would provide professional recognition in this space.
Summary
In sum, the lack of an organizational incident management structure (ICS/NIMS) embedded within numerous industry-specific cyber security standards is a gap. To achieve cross-domain and interdisciplinary cohesion in a response activity, this gap needs to be addressed through widespread adoption of the ICS/NIMS doctrine into cyber security incident response standards.

ICS/NIMS vocabulary, protocols, organizational structure and processes should be embedded within the Cybersecurity Framework to encourage the use of an efficient incident response methodology that augments technical cyber response. Such an endorsement would give the CIKR community appropriate visibility of ICS/NIMS as a viable response framework that supports national recovery goals in the event of a major incident.
About the author: Dave Sweigert is a Certified Information Systems Security Professional, Certified Information Systems Auditor and Project Management Professional, and holds Master’s degrees in Information Security and Project Management. He is a practitioner of ICS/NIMS in his role as a volunteer Emergency Medical Technician and has attended more than 500 hours of ICS/NIMS-related training. He specializes in assisting organizations in institutionalizing ICS into their cyber response plans.

Published on SlideShare as: Cybersecurity Framework for Executive Order 13636 -- Incident Command System
