Cybersecurity Framework for Executive Order 13636 -- Incident Command System


Published on

The relevant features of the Incident Command System should be endorsed by operators of private-sector Critical Infrastructure and Key Resources and should be embedded within the Cybersecurity Framework as proposed by Executive Order 13636.

Dave Sweigert CIP 009 Disaster Recovery Plan Incident Command System CIP 008 FERC NERC Power Grid CISSP CISA PMP DHS NRF NIPP US-CERT COOP

Published in: Technology, Business
1 Comment
1 Like
No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Cybersecurity Framework for Executive Order 13636 -- Incident Command System

  1. 1. 1Moving toward a flexible, standards-basedresponse protocol for CIKR cyber incidentsJune 2013Author: Dave Sweigert, M.Sci., CISSP, CISA, PMPABSTRACTThe relevant features of the Incident Command System should be endorsed byoperators of private-sector Critical Infrastructure and Key Resources and shouldbe embedded within the Cybersecurity Framework as proposed by ExecutiveOrder 13636.BackgroundPrivate sector incidents can have amajor impact on the public, as the June,2003 City of Commerce train derailmentillustrates. The failure to engage handbrakes in a rail yard caused 31 rail carsto escape the yard near Los Angeles.These cares traveled 28 miles (reachingspeeds of 95 M.P.H.) before derailing ina residential community destroying fivehomes. Fortunately, this occurred at thenoon hour, so many residents andchildren were away from their homes ata new community pool grand opening.However, the public sector was neverinformed of this situation until 911dispatch operators began receivingemergency calls from local residents1post-derailment. The railroad nevernotified public safety of the situation.One wonders, if a private sector cybersecurity incident (hand brakes) canaffect a key resource (railroad) andcause such a disaster, how will the1NTSB Report DCA-03-FR-005private sector response activities andinformation sharing be appropriatelycoordinated in a cyber-centric disasterthat affects critical infrastructure?Executive Order 136362appears toaddress this problem as it (1)promulgates the need for a consensussriven “Cybersecurity Framework” tostrengthen the protection of CriticalInfrastructure and Key Resources(CIKR)3and (2) proposes a consensus-based national risk managementframework (implemented via voluntarycompliance as the vast majority of CIKRis owned by the private sector).2Executive Order -- Improving Critical InfrastructureCybersecurity, 2/12/2013. See: Sec. 7. BaselineFramework to Reduce Cyber Risk to CriticalInfrastructure3Critical Infrastructure: Assets, systems andnetworks, whether physical or virtual, so vital to theUnited States that the incapacity or destruction ofsuch assets, systems or networks would have adebilitating impact on security, national economicsecurity, public health or safety, or any combinationof those matters.Key resources: Publicly or privately controlledresources essential to the minimal operations of theeconomy and the government.
  2. 2. 2Limitations of cyber-centricprescriptive standards to addressincident responseMany industry specific cyber securitystandards-based frameworks are inplace; but most fall short of addressinginterdisciplinary response activities. Asan example, the Critical InfrastructureProtection (CIP) program (created underthe Energy Policy Act of 20054for thepower generation industry) requiresresponse plans normally executed byCyber Security Incident ResponseTeams (CSIRT). However, these planstend to be focused on in-house cyberhygiene issues; such as malicious codedetection, virus outbreak, denial ofservice attacks, and unauthorizedaccess, etc.Prescriptive cyber security standards(like CIP) are implemented to reduceoverall technical risk, but may lack post-incident response and agencyinterfacing guidelines that enableinformation sharing between private andpublic sector entities. This is a gap thatneeds to be addressed.What is the ICS and why is itimportant?The Incident Command System (ICS)5was cited as a cyber-incident responseprotocol in the Microsoft contribution of442 U.S.C. § 158015In this context ICS is not Industrial Control Systems, butthe Incident Command System (ICS). To avoid thisconfusion with industrial controls ICS can also be thoughtof as the National Incident Management System(ICS/NIMS).industry responses to the Request forInformation (RFI) issued by the U.S.National Institute of Standards andTechnology (NIST to gather industryinput on the proposed CybersecurityFramework; quoted in relevant part,“Many companies are faced with twodifferent types of response: to defendthe enterprise itself, and to mitigate animpact to customers. As NIST considerswhat is needed to support the“response” portion of the riskmanagement framework, Microsoftwould strongly encourage NIST toconsider the Incident Command System(ICS) as a foundation for anyrecommendations. ICS has anestablished history of success in theUnited States, and it is a well-recognized approach for incidentresponse.”6As an example of the private use of ICS,and to amplify Microsoft’s position, it isinstructive to note that the AssistantSecretary for Preparedness andResponse (ASPR), the U.S. Departmentof Health and Human Services (DHHS),has openly recommended medical careentities embrace ICS; quoted in relevantpart:“..Increasingly, public health andmedical entities are realizing theimportance of organizing responseaccording to ICS principles. Manyhospitals have established responsestructures based on the Hospital6 Docket No. 130208119-3119-01, Microsoft Response,1/8/2013, page 23.
  3. 3. 3Incident Command System (HICS),formerly known as the HospitalEmergency Incident Command System(HEICS)…”7The California Hospital Associationagrees;“..HICS is an incident managementsystem based on the principles of theIncident Command System (ICS), whichassists hospitals in improving theiremergency management planning,response, and recovery capabilities forunplanned and planned events. HICS isconsistent with ICS and the NationalIncident Management System (NIMS)principles…”8ICS/NIMS is relied upon by U.S. CoastGuard for use in spill response andclean-up efforts, as the ICS/NIMSprotocols allow for expandable unifiedcommand that includes civilian privatesector parties to participate in planning,coordination and operational activities.Therefore, there is strong evidence thatICS/NIMS provides the existingprotocols necessary to create structurefor private-sector organizations torespond to cyber-related incidents andreduce enterprise risk.Embedding ICS/NIMS functionalitywithin the Cybersecurity Frameworkmay represent one of the best low-costand stable approaches available for7 the goals of risk mitigation inE.O. 13636; quoted in relevant part:“..The Cybersecurity Framework shallinclude a set of standards,methodologies, procedures, andprocesses that align policy, business,and technological approaches toaddress cyber risks. The CybersecurityFramework shall incorporate voluntaryconsensus standards and industry bestpractices to the fullest extent possible..9”ICS/NIMS historyAs ICS/NIMS was forged in the hostileenvironment of the wildland fire service,it was designed to be used as a scalablecommand and control system toorganize a wide array of respondingpersonnel and equipment to an incident.For example, in the Oakland Hills,California fires of 1991 (prior to thepractical adoption of ICS) a myriad ofcommunication snarls, lack of clear linesof command, technical issues (differentwater hose couplings) divergentterminology, etc. worsened the fireresponse and led to a near out-of-control situation.Interestingly, during the World TradeCenter recovery efforts post-911, it wasthe protocols of ICS IncidentManagement Teams (IMTs) that brought“order out of chaos”. Prior to thedeployment of the IMT’s over-archingresponse framework, individualagencies were operating in a dangerousnon-unified, non-coordinated fashion.9Federal Register /Vol. 78, No. 33 /Tuesday,February 19, 2013 / Presidential Documents, Page11741
  4. 4. 4For example, a private industry operatormay handle Hazardous Materials(HazMat) as part of a manufacturingprocess. In the case of a fire or spill, themanufacturing process is relegated to asecondary role as the chemical incidentmay require a public safety response, ifthere is (1) a life safety issue or a (2)protection of property issue.In theory, if the private-sector initialHazMat responders speak the samelanguage and protocols as arrivingpublic safety responders (a tenant ofICS/NIMS) the two groups(private/public) can work harmoniouslytogether to achieve the common goal –to bring the incident under control. Theprivate-sector responders may have acommercial agenda to protect theintegrity of the manufacturing processwhich needs to be married to the publicsafety agenda to reduce loss of life andproperty damage.For these reasons (and many more) theU.S. Occupational Health and SafetyAdministration (OSHA) has mandatedthe use of ICS in addressing HazMatincidents10.Indeed, Sector Specific Agencies(SSAs) have already developed SectorSpecific Plans (SSPs) that call-outICS/NIMS. See U.S. Department ofHomeland Security and the EmergencyServices Sector (ESS) Specific Plan;quoted in relevant part:10OSHA Emergency Response, 29 CFR 1910“..National Incident ManagementSystem. NIMS is a system mandated byHomeland Security PresidentialDirective 5 (HSPD-5) that provides aconsistent, nationwide approach forFederal, State, local, and tribalgovernments; the private sector; andNGOs to work together effectively andefficiently to prepare for, respond to, andrecover from domestic incidents,regardless of cause, size, orcomplexity…11”Bridging the culture clash (privatecyber experts vs. public sector)The challenge of using ICS/NIMS in acyber-incident response becomes oneof moving scientific-technical expertsoperating in a slow time deliberativecorporate environment into a quick timeoperational action-based response (forwhich ICS/NIMS was primarily designedto accommodate). Additionally, thereare inherent conflicts from a privateoperator’s perspective that are unique toincident response. But, these conflictscan be addressed.The thorny obstacle that may beimpeding widespread adoption ofICS/NIMS by scientific and technicallydriven cyber security experts is thetendency to focus on prescriptive cyberhygiene issues to the of neglect incidentresponse. Focus on prescriptive cyber-specific technology creates saturationand immersion into technical issues notthe operational impact of the cyber11An Annex to the National Infrastructure Protection Plan2010, page 86, U.S. Department of Homeland Security
  5. 5. 5enterprise on downstream stakeholders.Most cyber security consensusstandards are built around technologyand do not address incident response.Training, Minimum Standards andExercise DevelopmentIn certain cyber-centric incidents cyberresponders may have to perform a leadrole in response management, not justthe role of a technical specialist.Training in the structure, operation andproper use of ICS/NIMS may providekey skills and knowledge to cyberresponders – especially in the initialphases of an incident.Timely, effective and efficient interfacingwith various responders (public orprivate) could be significantly improvedby personnel who have attendedsimulated incident exercises. Suchexercises create the multi-disciplinaryenvironment that requires interactionwith multiple players.Familiarization with the tenants ofICS/NIMS prior to an incident willempower responding cyber securitypersonnel to understand their importantrole as technical specialists in assistingother ICS/NIMS responders toaccomplish common response andrecovery goals. Open encouragementof ICS/NIMS training by employers,recognition of such training bycredentialing boards, and incident-specific training and exercise programsfor cyber responders would provideprofessional recognition in this space.SummaryIn sum, the lack of an organizationalincident management structure(ICS/NIMS) embedded within numerousindustry-specific cyber securitystandards is considered a gap. In orderto achieve cross-domain andinterdisciplinary cohesion in a responseactivity this gap needs to be addressedby the widespread general adoption ofthe ICS/NIMS doctrine into cyber-security incident response standards.ICS/NIMS vocabulary, protocols,organizational structure and processesshould be embedded within theCybersecurity Framework to encouragethe use of an efficient incident responsemethodology to augment technical cyberresponse. Such an endorsement willprovide appropriate visibility to the CIKRcommunity of ICS/NIMS as a viableresponse framework that supportsnational recovery goals in the event of amajor incident.About the author: Dave Sweigert is aCertified Information Systems SecurityProfessional, Certified InformationSystems Auditor, Project ManagementProfessional and holds Master’sdegrees in Information Security andProject Management. He is apractitioner of ICS/NIMS in his role as avolunteer Emergency MedicalTechnician and has attended more than500 hours in ICS/NIMS related training.He specializes in assisting organizationsin institutionalizing ICS into their cyberresponse plans.