Abstract
Incident response is a key component in safeguarding the integrity and security of the
nation’s critical infrastructures. Critical infrastructures are crucial components in
maintaining the prosperity and security that this nation provides its citizens. The growing
reliance on technology, in conjunction with the increasing interdependency of each
infrastructure on one another, requires the ability to prevent, protect against, respond to,
recover from, and mitigate the effects of various types of incidents. Any disruption to one
or more of these critical infrastructures can have a devastating effect on the security and
economic stability of this nation. Current incident response plans have been put to the test
by various naturally occurring events that have underlined both the strengths and the
weaknesses of existing response frameworks. The research findings indicate that some of
the same vulnerabilities may exist in newly developed response frameworks targeting
cyber incidents. Evidence also indicates that these infrastructures will face a new
vulnerability. The increased reliance on technology has opened new weaknesses,
primarily exposure to cyber-attack. Continued evaluation and training of key
entities and personnel in cyber response tactics is a necessary step to ensuring the
effectiveness of these response frameworks. The research findings suggest that a more
proactive approach to cyber incident response is required to sustain a response
capability that keeps pace with the rapid innovations in technology. Partnerships among all
entities involved in a response need to be strengthened and continually amended to
ensure the preparedness of all response personnel in protecting the security of this
nation’s critical infrastructures.
CRITICAL INCIDENT COMMAND AND RESPONSE:
AN EXAMINATION OF CURRENT POLICIES, PROCEDURES AND THE
NECESSITY FOR A NATIONAL CYBER EVENT RESPONSE PLAN
By
Andrew C. Hotton
A Capstone Project Submitted to the Faculty of
Utica College
April 16, 2012
In Partial Fulfillment of the Requirements for the Degree
Master of Science in Cybersecurity – Intelligence and Forensics
Copyright by Andrew C. Hotton, 2012
Table of Contents
Abstract………………………………………………………………………………………ii
Table of Contents……………………………………………………………………………v
List of Illustrative Figures…………………………………………………………………vi
Acknowledgment……………………………………………………………………………vii
Literature Review………………………………...……………………………………....09
Discussion of the Findings……………………………………………………………… 27
Recommendations and Conclusions…………………………………………………….. 39
Appendix - Acronyms and Definitions…………………………………………………..48
References………………………………………………………………………………. 49
List of Illustrative Materials
Structure of the ICS (Figure 1)……………………………...…………………………...12
NCCIC and Partners (Figure 2)………………………………...………………………..35
Cyber Incident Management Lanes (Figure 3)…………………………………………..36
Acknowledgements
I would like to thank my entire project committee, Professor Daniel Draz and
Austen Givens, for their guidance and support throughout this entire project. I would like
to give a special thanks to Professor Draz for his relentless encouragement, always
making me believe that I could accomplish my goal. I would also like to thank my fellow
students of Cohort 1 for the support that they provided throughout this entire program. I
would also like to express my gratitude to all my friends who stood by my side and
understood the sacrifices that I had to make while embarking on this scholarly journey.
Finally, I would like to thank my mother Janet, my sister Catherine, and my son Joshua.
Without the love and support of these three people, I would never have been able to
successfully reach my goal of attaining a Master’s degree.
Critical Incident Command and Response: An Examination of Current Policies,
Procedures, and the Necessity for a National Cyber Event Response Plan
The ability to respond to incidents, whether natural disasters or man-made, is one
of the key elements of protecting and maintaining the strength of this nation. Our critical
infrastructures are the backbone of our nation, and any disruption to these infrastructures
can have a devastating effect on our nation’s economy and the prosperity provided to all
of its citizens. Incidents such as the terrorist attacks of September 11, 2001 and Hurricane
Katrina demonstrate the devastating impact that events like these can have on critical
infrastructures. Currently, there are numerous frameworks already implemented that
provide guidelines, components, and principles that are used to prevent, protect against,
respond to, recover from, and mitigate the effects of a wide range of incidents. These
frameworks have their basis in physical-world events. However, the global shift to cyberspace
requires that frameworks also be developed and implemented specifically for this
domain. Cyberspace is positioned to be the next domain for a potential global
confrontation, making it critical to establish, develop, and implement the necessary
mechanisms to prevent, mitigate, and respond to such an event.
The world finds itself in the infancy of a technological revolution. The United
States, along with other countries across the globe, is heavily tied to technology which is
used to operate and manage day-to-day operations. Entities ranging from government
agencies to financial institutions and public and private sector companies rely heavily on technology
to maintain the financial stability of the United States as well as providing security
measures protecting it from attacks. The increasing trend of using technology to provide
security and financial stability requires the ability to prevent, mitigate, and respond to an
attack or incident of any magnitude to preserve the security and financial independence
of the entire nation.
The increased use of technology by the critical infrastructures of this country
continually opens new vectors and opportunities for cyber-attacks. According to a report
issued by the Office of Management and Budget:
There were 41,776 reported cyber incidents of malicious intent in the federal
network in 2010 out of a total 107,439 reported to the United States Computer
Emergency Readiness Team (US-CERT), which represented a 39% increase over
2009, when 30,000 incidents were reported by the feds, of 108,710 attacks overall
(Montalbano, 2011).
With cyber-attacks rapidly becoming a major issue due to technological innovations,
developing and implementing a framework to respond to these incidents is critical.
The purpose of this paper is to examine the necessity for an incident response
framework to prevent, mitigate and respond to cyber-attacks and incidents that affect the
technology used to operate the nation’s critical infrastructures. This paper will first
examine the existing frameworks that are currently being used to respond to incidents
that can affect this nation’s critical infrastructures. While these current frameworks have
their basis in physical-world events, the foundations of these frameworks will be examined for
their strengths and deficiencies. This paper will then examine the types of risks that this
nation faces on the cyber front and the impact these risks have on critical infrastructures.
This paper will also discuss the need for a response framework designed to prevent,
mitigate and respond to cyber events. With technology being a major component within
critical infrastructures, it is essential to have a framework designed to address the
growing need for such a plan. Finally, this paper will propose some recommendations
that can potentially be implemented to strengthen existing cyber incident response
frameworks that could potentially make them more effective during an actual response.
The reality of a major cyber incident is a serious issue that must be addressed.
With rapid innovations being made in the technology field, more vectors are created for
attacks, as well as more mechanisms and mediums for cyber-attacks to be carried out.
The areas of cyber-attacks that have seen an increased level of frequency and
sophistication include, but are not limited to: Internet social engineering attacks, stealth
and other advanced scanning techniques, techniques to analyze code to identify
vulnerabilities, and distributed attack tools (Coleman, n.d.). The continuous innovations
and increased frequency of cyber-attacks requires a robust and flexible framework to
implement effective responses to accommodate this trend. Any disruption to one of the
numerous critical infrastructures could deal a devastating blow to the country’s economy
and national security.
Currently, there are frameworks in place to prevent, mitigate and respond to
incidents; however, these frameworks were built around physical-world events. The National
Response Framework (NRF) and the National Incident Management System (NIMS) are
two such frameworks. The NRF is a direct result of the terrorist attacks of September 11,
2001, and grew out of the National Response Plan (NRP), while the origin
of NIMS can be traced back to the destructive California wildfires of the 1970s and the
Firefighting Resources of California Organized for Potential Emergencies (FIRESCOPE)
Incident Command System (ICS) (Department of Homeland Security [DHS], 2004).
While the core components and principles may be potentially applied to a framework for
cyber incident response, the need for a framework specifically designed to incorporate
the nuances of a cyber-attack, or a hybrid framework that blends the principles contained
in the NRF and NIMS with that of a cyber specific framework, is critical.
There are also frameworks that have been initially developed to directly address
the need for a response framework that is directly related to cyber incident response. One
such framework is the National Strategy to Secure Cyberspace from DHS. First published
in 2003, The National Strategy to Secure Cyberspace’s purpose is to engage and
empower Americans to secure the portions of cyberspace that they own, operate, control,
or with which they interact (DHS, 2003). The concept behind this document is to provide
an initial framework to provide direction for government agencies that have roles in
cyber security and identify steps that state and local governments, private companies and
organizations, and individual Americans can take to improve our collective cyber security
(DHS, 2003).
Another framework that has been developed is the National Cyber Incident
Response Plan (NCIRP). The NCIRP was developed based upon the guiding principles of
the NRF and describes how the nation will respond to significant cyber incidents (DHS,
2010). While NIMS and the NRF are response frameworks primarily used for physical-world
events, the NCIRP is specifically designed for and intended to facilitate coordination with
NRF mechanisms during cyber incidents with physical consequences (DHS, 2010).
Because cyber incidents often cross the jurisdictional borders of federal, state, local,
tribal, territorial, and private sector systems, the NCIRP provides a strategy for rapidly
coordinating the operational response activities of these particular entities (DHS, 2010).
Although the NRF and NIMS have been successfully applied to actual incidents
such as Hurricane Katrina and the British Petroleum (BP) Deepwater Horizon oil rig
explosion and spill, the application of these frameworks is not without its
deficiencies. As an example, during the response to Hurricane Katrina, the
communications were so severely affected by the storm, that according to Louisiana State
Senator Robert Barham, “People could not communicate. It got to the point that people
were literally writing messages on paper, putting them in bottles and dropping them from
helicopters to other people on the ground” (Baker, 2006). The lack of a communication
infrastructure made it nearly impossible for emergency communication centers to
effectively communicate with response personnel to coordinate the required emergency
response operations. This is an issue that needs to be clearly addressed during a response
to a cyber incident. The result of a cyber incident can involve agencies and personnel
from numerous arenas, making precise and clear communication a critical aspect of an
effective response.
Hurricane Katrina also underscores the impact that an incident can have on
critical infrastructures, demonstrating the need for an effective incident response plan.
While Hurricane Katrina was a natural disaster and not a cyber-attack, the impact on
critical infrastructures can be equally devastating. Incidents of this magnitude can
cripple critical infrastructures. The reliance of one critical infrastructure on
another, combined with the technological interconnectivity that exists which is constantly
expanding, requires that incident response plans have the flexibility to operate and
function under extreme circumstances. As one government commission stated:
The U.S. has developed more than most other nations as a modern society heavily
dependent on electronics, telecommunications, energy, information networks, and
a rich set of financial and transportation systems that leverage modern technology.
This asymmetry is a source of substantial economic, industrial and societal
advantages, but it creates vulnerabilities and critical interdependencies that are
potentially disastrous to the United States (Miller, n.d.).
As Dr. Robert Miller (n.d.) states, “During Katrina, these infrastructure
collapses occurred rapidly, almost simultaneously, and over a very wide area. The
multistate nature of the collapse inhibited effective response—as it is likely to do in any
future incident” (p. 193). This underlines the need for more robust incident response plans that
can adapt to extreme conditions.
Another example of deficiencies that exist in current frameworks pertains to the
Deepwater Horizon oil spill response. One of the key components of existing response
frameworks is the assignment of roles and responsibilities during the course of a
response. One of the major issues that became evident during Deepwater Horizon was the
role that BP had during the response. In order for a response to be executed efficiently, roles
and responsibilities must be clearly defined so that response personnel are acutely aware of
their roles and responsibilities during a response. During the Deepwater Horizon oil spill
response, deficiencies in the assignment and understanding of roles and responsibilities
created an environment of divided responsibility, duplicated roles, divided leadership, and
unclear lines of authority, which undermined the effectiveness of the response (Epperson, 2011).
In the cyber arena, there is very little evidence on which to judge the
effectiveness of the initial response plans, because there have been few actual responses to tangible
cyber-attacks. Frameworks such as the NCIRP and the National Strategy to Secure
Cyberspace have not been fully implemented and tested during a real cyber incident. The
only true test for these initial frameworks has been the biennial Cyber Storm exercises
that began in February 2006 (DHS, n.d.). While these exercises integrated some entities
from the public and private sector, government, and critical infrastructures, they have not
incorporated every critical infrastructure that can be affected by a cyber-attack. While
this is understandable considering the exercises have only been taking place over the last
six years, a more rigorous and thorough scheduling of these events may be warranted due
to the increased cyber-attacks on federal agencies.
The need for a comprehensive and robust cyber incident response plan is
emphasized by the recent attack on several industrial sites which affected several
countries, most notably Iran. The attack was the result of a computer worm named
Stuxnet. This computer worm targeted Siemens WinCC SCADA (supervisory control
and data acquisition) Step 7 Programming Software and Simatic PLCs (programmable
logic controller) (Piggin, 2010). Stuxnet specifically targets computer systems that
control electricity, water treatment, nuclear and chemical plants, pipelines,
communications networks, transportation systems and other critical infrastructure, and it
is unique in its complexity, flexibility, and resilience (Lieberman, 2010). Although Stuxnet
spread widely, its payload was tightly targeted: it altered PLC logic only when it found
specific Siemens S7-300 series controllers attached to particular variable-frequency drives,
which is why most infected systems suffered no operational damage. Nonetheless, by
demonstrating the ability to successfully attack and disrupt critical infrastructures through
a cyber-attack, Stuxnet validates the immediate need for the development and
implementation of an incident response plan that can effectively prevent, mitigate, and
respond to attacks that are conducted through the cyber medium.
Another example supporting the need for a cyber incident response plan is the
torrent of alleged cyber-attacks that have been carried out by China against defense
industries of Western governments, most notably the United States (Wortzel, 2009).
According to Major General William Lord, a senior Air Force officer, China has
downloaded 10 to 20 terabytes of information from United States defense and
government computer networks (Wortzel, 2009). While stronger defense protocols are
necessary to prevent and mitigate these intrusions, an incident response plan that will
enable the United States to effectively respond to any successful intrusion as a result of
these attacks is equally necessary. These intrusions are not limited to government and
defense industries. Successful intrusions have also affected the private sector, as in the
alleged Chinese government intrusion into Google and Gmail (Glenny, 2011). The fact that
these alleged intrusions have reached government, defense, and private sector organizations
reinforces the necessity for a cyber incident response plan that provides enough flexibility
in its application that it can accommodate industries from a variety of sectors.
By evaluating NIMS and the NRF and the core components and principles
contained in these frameworks in conjunction with assessing risks of past cyber incidents,
a robust and effective response framework can be developed and implemented to prevent,
mitigate, and respond to cyber-attacks and incidents of all magnitudes. This framework
can be leveraged by government entities at the federal, state, local, tribal, and territorial
levels. The framework should provide the flexibility and standardization required so that
entities and personnel at all levels of government can execute a coordinated response to a
cyber event regardless of magnitude. Existing frameworks provide guidelines to
implement a tiered response, beginning with the lowest level capable of responding to an
incident. Therefore, personnel in leadership roles in each of the entities should be able to
leverage the framework to its full extent without compromising the integrity of the
response.
A cyber response framework should also apply to public and private sectors that
may be involved in a cyber incident response. Partnership between the public and private
sectors and government agencies is essential, in part because the private sector owns and
operates approximately 85% of the nation's critical infrastructure, government agencies
have access to critical threat information, and each controls security programs, research
and development, and other resources that may be more effective if discussed and shared,
as appropriate, in a partnership setting (DHS, n.d.). Developing a framework that
establishes standardized communication methods and terms, accompanied by clear
guidelines on the division of roles and responsibilities among these entities is a key factor
in the success of an incident response.
The goal of a cyber incident response framework is to provide entities, from the
smallest town to the Department of Defense (DoD), with the capability to respond to a
cyber incident of any magnitude. This framework must also provide personnel, from a
company’s Information Technology (IT) department to a local firefighter, with the ability
to respond, communicate, and understand their roles and responsibilities during the
course of a response to a local or multi-jurisdictional incident. Each member of a
potential response team should be able to leverage the components and principles
contained in the response framework and effectively apply these tools to decisively
respond to a cyber incident. Because a cyber incident can affect critical infrastructures,
which in turn can affect both technology and the physical world, a clear and decisive
framework that can be implemented by individuals holding a multitude of roles is vital in
preserving the security and economic vitality of this nation.
Literature Review
Background and Significance
The basic function of incident response plans, such as NIMS, the NRF, and the
NCIRP, is to provide frameworks that contain flexible guidelines and principles that can
be applied during a response to an incident. As stated in NIMS:
NIMS provides a systematic, proactive approach to guide departments and
agencies at all levels of government, nongovernmental organizations, and the
private sector to work seamlessly to prevent, protect against, respond to, recover
from, and mitigate the effects of incidents, regardless of cause, size, location, or
complexity, in order to reduce the loss of life and property and harm to the
environment. NIMS works hand in hand with the NRF. NIMS provides the
template for the management of incidents, while the NRF provides the structure
and mechanisms for national-level policy for incident management (DHS, 2008).
NIMS and the NRF are primarily used for responses to incidents that occur in the
physical world. The primary function of the NCIRP is “…to establish the strategic
framework for organizational roles, responsibilities, and actions to prepare for, respond
to, and begin to coordinate recovery from a cyber incident” (DHS, 2010).
The necessity for critical incident response frameworks is continually reinforced
when there is an occurrence of an incident, regardless if the incident takes place in the
physical or cyber realm. Incidents, such as the terrorist attacks of September 11, 2001,
Hurricane Katrina, and the BP oil rig explosion and spill, are just a few examples that
show the necessity and importance of response frameworks. Historically, existing
frameworks have been developed and implemented to address events that primarily occur
in the physical world, but this landscape is evolving.
The new trend in damaging incidents and attacks is the transition to cyberspace as
the medium for which these attacks can be deployed. Technology plays an enormous role
in how our nation’s critical infrastructures are connected and how they interact with
government, public, and private sector industries. This push toward technology has
created a variety of new vectors that can be exploited for attacks on critical
infrastructures. Recent cyber-attacks, such as Stuxnet and the alleged siphoning of
information from government agencies by China, only emphasize the need to develop
robust response frameworks that can be implemented to prevent, mitigate, and respond to
these types of incidents.
National Incident Management System
The literature relating to existing frameworks was examined for insight into the
core principles and components used in incident responses that act as a foundation for
future incident response plans. The origin of NIMS can be traced back to the destructive
California wildfires of the 1970s. In response to those wildfires, the FIRESCOPE ICS was
established (DHS, 2004). Although the FIRESCOPE ICS was developed for wild-land
fire response, many in the incident management community recognized that it could be
used by other public safety responders for a wide range of situations including hurricanes,
earthquakes, floods and other natural disasters as well as hazardous materials accidents
(DHS, 2004).
In 1982, as a result of collaboration between FIRESCOPE and the National
Wildfire Coordinating Group to establish a national application for ICS, all FIRESCOPE
ICS documentation was revised and adopted as the National Interagency Incident
Management System (NIIMS) (DHS, 2004). According to
Michael D. Brown, Under Secretary for Homeland Security for Emergency Preparedness
and Response, “The National Incident Management System incorporates best practices
that have been developed over the years and one of the most valuable of these practices is
the Incident Command System” (DHS, 2004). Figure 1 outlines the structure of the ICS.
Figure 1: Structure of the ICS
The core concept behind NIMS is to provide a comprehensive national approach,
applicable at all jurisdictional levels and across functional disciplines, that improves the
effectiveness of emergency management/response personnel, across the full spectrum of
potential incidents and hazard scenarios (including but not limited to natural hazards,
terrorist activities, and other manmade disasters) (DHS, 2008). While incident response
requires the cooperation of agencies at all levels of government and the public and private
sector, NIMS provides a framework that allows for incidents of all magnitudes to begin
and end at the local level.
NIMS contains two core principles: flexibility and standardization. The flexibility
of the NIMS framework provides a mechanism where the core components of NIMS can
be applied during responses to incidents regardless of scope and magnitude. This
flexibility also provides personnel and organizations from different sectors the ability to
interact with each other to provide a more effective response during an incident.
Standardization provides a common working model for individuals and organizations that
are part of an incident response. Standardization of organizational structures can improve
integration and connectivity among jurisdictions and disciplines, while also providing
and promoting common terminology, which fosters more effective communication
among agencies and organizations responding together to an incident (DHS, 2008).
NIMS is also comprised of five key components. Each of these components is
critical in fostering an effective response to an incident. The five components contained
in the NIMS framework are Preparedness, Communications and Information
Management, Resource Management, Command and Management, and Ongoing
Management and Maintenance (DHS, 2008). All five must be applied together to provide the
most effective response to an incident of any magnitude.
Preparedness involves an integrated combination of assessment; planning;
procedures and protocols; training and exercises; personnel qualifications, licensure, and
certification; equipment certification; and evaluation and revision (DHS, 2008).
Communication and Information Management is based on the concepts of
interoperability, reliability, scalability, and portability, as well as the resiliency and
redundancy of communications and information systems (DHS, 2008).
Resource Management contains standardized mechanisms and establishes the
resource management process to identify requirements, order and acquire, mobilize, track
and report, recover and demobilize, reimburse, and inventory resources (DHS, 2008).
Command and Management is designed to enable effective and efficient incident
management and coordination by providing a flexible, standardized incident management
structure (DHS, 2008). The Command and Management component of NIMS is made up
of three elements: the Incident Command System, Multiagency Coordination Systems, and
Public Information.
Ongoing Management and Maintenance is made up of two components: the
National Integration Center and Supporting Technologies. The National Integration
Center (NIC) is a product of Homeland Security Presidential Directive 5 and serves to
enhance the ability of the United States to manage domestic incidents by establishing a
single, comprehensive incident management system (DHS, 2003). Supporting
Technologies relates to the rapidly changing technologies that are used by response
personnel and their reliance on these technologies during a response. The NIC, in
partnership with the DHS Science and Technology Directorate, oversees and coordinates
the ongoing development of incident management-related technology, including strategic
research and development (DHS, 2008).
National Response Framework
The NRF is another framework that is used for incident response and
management. After the terrorist attacks of September 11, 2001, Congress and the
President moved to consolidate numerous federal emergency plans into a single, unified
national response plan. The end product of these efforts was the NRP, which established
broad lines of authority for agencies responding to emergencies and major disasters
(Lindsay, 2008). Perceived problems with the implementation of the NRP during
Hurricane Katrina led Congress to enact the Post-Katrina Emergency Management Reform Act
(P.L. 109-295) to integrate preparedness and response authorities, which resulted in the
issuance of a successor plan to the NRP, entitled the NRF, which was implemented in
March 2008 (Lindsay, 2008).
Much like NIMS, the NRF is a framework that provides the doctrine and guiding
principles for a unified response from all levels of government, and all sectors of
communities, to all types of hazards regardless of their origin (Lindsay, 2008). Although
the primary focus of the NRF is on response and short-term recovery, the document also
defines the roles and responsibilities of the various actors involved in all phases of
emergency management (Lindsay, 2008). Similar to NIMS, the NRF recognizes the
importance of local authority during a response effort and that local authorities will have
the lead role in the response and recovery efforts (DHS, 2008).
The NRF is comprised of five key sections that present the key response
principles, participants, roles, and structures that guide the Nation’s response operations
(DHS, 2008). The key sections of the NRF are: Roles and Responsibilities, Response
Actions, Response Organization, Planning, and Additional Resources.
Roles and Responsibilities focuses on the individuals involved in the response
effort and the key roles and responsibilities they have. This section of the NRF provides
an overview of the roles and responsibilities of key partners at the local, tribal, State, and
Federal levels, including an important role for the private sector and nongovernmental
organizations (NGOs) such as The American Red Cross (DHS, 2008).
Response Actions include guidelines to implement a tiered response, beginning
with the lowest level capable of responding to an incident. The three critical phases
outlined in the NRF are: prepare, respond, and recover. Response Organization outlines
the organizational structures that have been developed, tested, and refined over time and
how these structures are applied at all levels to support an effective response (DHS,
2008).
The Planning section of the NRF stresses the importance of planning across all
levels of government to foster unity of effort for emergency operations planning by
providing common doctrine and purpose (DHS, 2008). As stated in the NRF (DHS,
2008), planning provides three principal benefits:
(1) it allows jurisdictions to influence the course of events in an emergency by
determining in advance the actions, policies, and processes that will be followed;
(2) it guides other preparedness activities; and
(3) it contributes to unity of effort by providing a common blueprint for activity in
the event of an emergency.
Planning is a foundational element of both preparedness and response and thus is
an essential homeland security activity.
Finally, the Additional Resources section describes how additional resources and
operational information will be made available, especially to emergency management
practitioners, in support of the NRF (DHS, 2008).
National Strategy to Secure Cyberspace
Literature pertaining to existing cyber response frameworks was reviewed to
evaluate their main components, compare them to existing frameworks for physical-world
incidents, and examine their specificity to cyber incident response.
The National Strategy to Secure Cyberspace is a framework that directly
addresses the need for a response plan for cyber incidents. First published in 2003, The
National Strategy to Secure Cyberspace’s purpose is to engage and empower Americans
to secure the portions of cyberspace that they own, operate, control, or with which they
interact (DHS, 2003). The concept behind this document is to provide an initial
framework that gives direction to government agencies with roles in cyber security
and identifies steps that state and local governments, private companies and organizations, and
individual Americans can take to improve our collective cyber security (DHS, 2003).
The National Strategy to Secure Cyberspace contains five key national priorities to
improve cyber security. These priorities are: a National Cyberspace Security Response
System, a National Cyberspace Security Threat and Vulnerability Reduction Program, a
National Cyberspace Security Awareness and Training Program, Securing Governments’
Cyberspace, and National Security and International Cyberspace Security Cooperation
(DHS, 2003). The first priority, a National Cyberspace Security Response System, is aligned
with other frameworks, such as NIMS and the NRF, in that it focuses on the response aspect
of a cyber-attack. The priority pertaining to the response to a cyber-attack stresses the
necessity for collaboration between government agencies and public/private sector
organizations.
The National Strategy to Secure Cyberspace also contains eight core actions that
need to be addressed to form an effective response. These actions are:
(1) establish a public/private architecture for responding to national-level cyber incidents;
(2) provide for the development of tactical and strategic analysis of cyber-attacks and
vulnerability assessments;
(3) encourage the development of a private sector capability to share a synoptic view of
the health of cyberspace;
(4) expand the Cyber Warning and Information Network to support the role of DHS in
coordinating crisis management for cyberspace security;
(5) improve national incident management;
(6) coordinate processes for voluntary participation in the development of national
public-private continuity and contingency plans;
(7) exercise cyber security continuity plans for federal systems; and
(8) improve national incident management (DHS, 2003).
The first key action mentioned in the National Strategy to Secure Cyberspace refers
to the establishment of a public/private architecture for responding to national-level cyber
incidents. This is a critical aspect of cyber incident response. Partnership between the public
and private sectors is essential, in part because the private sector owns and operates
approximately 85% of the nation's critical infrastructure, government agencies have
access to critical threat information, and each controls security programs, research and
development, and other resources that may be more effective if discussed and shared, as
appropriate, in a partnership setting (DHS, n.d.).
National Cyber Incident Response Plan
The NCIRP was developed based upon the guiding principles of the NRF and
describes how the nation will respond to significant cyber incidents (DHS, 2010). While
NIMS and the NRF are response frameworks primarily used for real-world events, the
NCIRP is specifically designed for and intended to facilitate coordination with NRF
mechanisms during cyber incidents with physical consequences (DHS, 2010). Because
cyber incidents often blur the jurisdictional borders of federal, state, local, tribal,
territorial, and private sector systems, it provides a strategy for rapidly coordinating the
operational response activities of these particular entities (DHS, 2010).
The NCIRP and the NRF share similar core principles. These principles, however,
have some specificity to accommodate a response to a cyber incident. As an example, the
NRF outlines guiding principles on roles and responsibilities as a key component during
a response. The NCIRP contains the same component, but pre-assigns certain roles and
responsibilities during a response. In response to a Significant Cyber Incident, DHS,
through its National Cybersecurity and Communications Integration Center (NCCIC),
coordinates national response efforts and works directly with federal, state, local, tribal,
and territorial governments and private sector partners (DHS, 2010). The NCIRP also
lists other federal agencies, individuals, and their roles during a response to a cyber
incident. This differs from other response frameworks in that certain roles and
responsibilities are pre-defined and in place prior to an incident and do not have to be
established during the course of an incident response.
Cyber Threats
Cyber threats are a growing concern with the advancement of technologies and
the increasing dependency of critical infrastructures and businesses on these
technologies. The question is not whether a cyber-attack of significant magnitude will
impact this country, but when. The inevitability of such a cyber-attack is only reinforced
by recent events such as the Stuxnet attack and the continuous alleged siphoning of
information from critical infrastructures by China. The need for a comprehensive and
robust cyber incident response plan is only emphasized by these recent attacks on
several industrial sites, which affected several countries, as well as the constant threat of
foreign countries and terrorist groups attempting to devastate this country’s critical
infrastructures via cyber-attacks.
Stuxnet
Stuxnet was a sophisticated computer program designed to penetrate and establish
control over remote systems (Farwell & Rohozinski, 2011). This computer worm targeted
Siemens WinCC SCADA Step 7 Programming Software and Simatic PLCs (Piggin,
2010). Using four ‘zero-day vulnerabilities’ (vulnerabilities previously unknown, so that
there has been no time to develop and distribute patches), the Stuxnet worm employs
Siemens’ default passwords to access Windows operating systems that run the WinCC
and PCS 7 programs (Farwell & Rohozinski, 2011). Stuxnet specifically targeted
computer systems that control electricity, water treatment, nuclear and chemical plants,
pipelines, communications networks, transportation systems and other critical
infrastructure, and it is unique in its complexity, flexibility, and resilience (Lieberman,
2010).
Stuxnet is an example of the evolution of warfare. This type of attack is
completely different from the type of warfare that has been typically carried out
throughout the course of history. First, the methods and means for a cyber-attack are
readily available. The production and delivery of such weapons does not require
large, expensive systems, and they are accessible to small groups or individuals that have
the ability to hide under the radar (Hoffman, 2011). Also, the aspects of deterrence and
attribution with this type of attack are unique. With modern warfare tactics, the enemy is
known and any retaliation for an attack is directed toward a known enemy. Cyber-attacks,
such as the Stuxnet worm, are difficult to attribute to a specific perpetrator (Hoffman,
2011). If the perpetrator cannot be found, then the certainty of retaliation dissolves, and
deterrence might not be possible (Hoffman, 2011).
China
The alleged siphoning of sensitive information from critical infrastructures,
government and defense industries by China is a growing concern to this country and
other nations around the world. China’s alleged cyber intrusions of western governments
have become more pervasive over the last couple of years. According to Wortzel (2009),
In 2000, the Chinese military established a strategic information warfare unit to
wage combat through computer networks to manipulate enemy information
systems spanning spare parts deliveries to fire control and guidance systems.
China continues to equip and staff its military to carry out such electronic warfare.
The Third Department of the General Staff Department of the People’s Liberation
Army is responsible for technology reconnaissance and intelligence officers are
trained for various forms of electronic warfare and electronic espionage.
Past cyber incidents attributed to China only further support the threat that China
poses to our critical infrastructures and security, as well as to allies of the United States. In
March 2009, Canadian researchers revealed how a cyber spy network, based mainly in
China, hacked into classified documents from government and private organizations in
103 countries, including the Dalai Lama and Tibetan exiles (Hughes, 2010). Almost a
year earlier, in May 2008, U.S. officials had investigated whether Chinese officials
secretly copied the contents of a laptop computer used by Secretary of Commerce Carlos
Gutierrez, who left it unattended during a trip to Beijing, and then used the data to hack
into computers at the Commerce Department (Hughes, 2010). In October 2009, the
U.S.-China Economic and Security Review Commission found cases that suggested China's
elite hacker community is tied to its government (Hughes, 2010). These continuous
cyber-attacks against the United States and other countries fully substantiate the
requirement for a cyber incident response plan capable of protecting and responding to
cyber incidents targeting critical infrastructures and sensitive information.
Cyber Incident Preparation
Preparedness is just one of the critical components of any existing and future
framework that addresses the need to respond to incidents, whether these incidents occur
in the physical or cyber realm. NIMS, the NRF, the National Strategy to Secure
Cyberspace, and the NCIRP all contain principles and guidelines pertaining to
preparation for incidents of all magnitudes. Directly related to cyber incidents, the United
States government has conducted training exercises to examine the functionality and
effectiveness of the response frameworks directly related to cyber incidents (DHS, 2006).
These exercises continually examine the level of preparedness of all parties involved in a
response and build upon past exercises to constantly improve the effectiveness of the
implemented frameworks.
Cyber Storm Exercises
Cyber Storm is a series of exercises that are used to evaluate the frameworks that
have been developed to prepare for, protect, mitigate, and respond to cyber incidents.
These exercises were examined in this review to emphasize the steps being taken to
assess current incident response plans. According to DHS (n.d.), these exercises were
conducted to allow participants to:
• Examine organizations’ capability to prepare for, protect from, and respond to
cyber attacks’ potential effects;
• Exercise strategic decision making and interagency coordination of incident
response(s) in accordance with national level policy and procedures;
• Validate information sharing relationships and communications paths for
collecting and disseminating cyber incident situational awareness, response and
recovery information; and
• Examine means and processes through which to share sensitive information
across boundaries and sectors without compromising proprietary or national
security interests.
The first Cyber Storm exercise was conducted in February 2006. Cyber Storm
provided participants with a controlled environment in which to exercise a coordinated
cyber incident response, including information sharing mechanisms, procedures for
establishing situational awareness, public and private organizational decision making,
and public communications during a cyber-related Incident of National Significance
(DHS, 2006). Over 100 public and private agencies, associations, and corporations
participated in the exercise from over 60 locations and 5 countries (DHS, 2006). The
exercise scenario simulated a large-scale cyber campaign affecting or disrupting multiple
critical infrastructure elements primarily within the Energy, Information Technology,
Transportation, and Telecommunications Sectors (DHS, 2006).
Cyber Storm II was executed in March of 2008. While building on the successes
and failures of the first Cyber Storm exercise, Cyber Storm II simulated cyber-attacks
that were focused on critical infrastructure in the Information Technology,
Communications, Chemical, and Transportation (specifically Rail and Pipe) sectors and
required action from foreign and domestic partners in the cyber response community
(DHS, 2008). One of the key objectives of Cyber Storm II was to validate information
sharing relationships and communications paths for the collection and dissemination of
cyber incident situational awareness, response, and recovery information (DHS, 2008).
Cyber Storm III was executed in September 2010. This was the primary vehicle to
exercise the newly developed NCIRP, a blueprint for cybersecurity incident response, to
examine the roles, responsibilities, authorities, and other key elements of the nation's
cyber incident response and management capabilities and use those findings to refine the
plan (DHS, n.d.). One of the key findings in Cyber Storm III was:
Cyber response collaboration among private-sector companies has advanced
because of targeted initiatives and understanding of mutual benefit. Although
public–private interaction around cyber response is continually evolving and
improving, it can be complicated by the lack of timely and meaningful shared
situational awareness; uncertainties regarding roles and responsibilities; and legal,
customer, and/or security concerns (DHS, 2011).
These biennial exercises are a critical aspect of response plans, allowing key participants
to evaluate the incident response framework for strengths and weaknesses during a
simulated cyber incident.
Incident Response Deficiencies
Response frameworks have been applied to numerous incidents. Real world
incidents of a large magnitude, such as Hurricane Katrina, quickly highlight the strengths
and weaknesses of frameworks that are used during these responses. Assessing the
deficiencies during an actual response is a necessary step of a framework’s lifecycle in
order to apply corrective measures that are learned throughout the course of an incident
response.
According to Dr. Robert Miller ([Miller], n.d.), “One way to think about Katrina
is to see it as a comprehensive critical infrastructure collapse—perhaps the most
widespread critical infrastructure collapse that any advanced country has experienced
since World War II.” During Hurricane Katrina, the communication infrastructure was
dealt the most damaging blow. According to the White House report on Hurricane
Katrina, “The complete devastation of the communications infrastructure left responders
without a reliable network to use for coordinating emergency response operations” (The
White House, 2006). The sheer magnitude of this event and its devastating impact on critical
infrastructures point out the weaknesses of the response framework and, based upon the
lessons learned during the response, allow for re-evaluation and modifications to further
strengthen the response framework.
Although there has not been an actual cyber event that can be compared to
Hurricane Katrina, the potential for an event of this magnitude is on the horizon. Critical
infrastructures rely on technology and are becoming more dependent on this technology.
Because critical infrastructures rely so heavily on technology, it is crucial for all parties at
all levels of government to be equipped and prepared to respond effectively during a
cyber event. While response plans such as the NCIRP and the National Strategy to Secure
Cyberspace are in place, there are those that do not believe that individuals and agencies
at the local level are sufficiently prepared.
According to Rahul Bhaskar ([Bhaskar], 2006), there are simply not enough law
enforcement officers at the state level with appropriate computer forensics and computer
crime investigative skills to protect their part of the infrastructure. While Bhaskar
concedes that the National Strategy to Secure Cyberspace plan makes improvements to
the nation’s response to cyber incidents and makes reducing potential damage the top
priority, he stresses that responses to such incidents at the state level are handled by
different agencies that do not necessarily coordinate (Bhaskar, 2006). With the creation
of the NCIRP, a concerted effort was made to more effectively coordinate with state,
local, tribal, or territorial governments. The NCIRP leverages the Multi-State Information
Sharing and Analysis Center (MS-ISAC). According to the NCIRP (DHS, 2010),
MS-ISAC is a key resource for state, local, tribal, and territorial government information
sharing, early warnings and alerts, mitigation strategies, training, and exercises and for
maintenance of overall cyber situational awareness.
Summary
Existing response frameworks were reviewed to examine key components and
principles that have been implemented in real world incidents. The core principles
contained in NIMS and the NRF have been used in real life situations, and have acted as
the blueprint for other response frameworks. These frameworks have proved
effective, but have also come under some scrutiny when applied to events of a
large magnitude, such as Hurricane Katrina. Key insights and lessons learned are a
critical part of the evolution of these response plans in order to make them more effective
and efficient for future incident responses.
Although there have been no actual cyber incidents of the magnitude of Hurricane
Katrina, examining the current frameworks in place to respond to a cyber incident lends
insight into the organizational structure and the defined roles and responsibilities of
federal, state, local, tribal, and territorial governments. To further examine the
effectiveness of the NCIRP, the Cyber Storm exercises are a method to test the overall
functionality of the response framework by applying the framework to various scenarios
simulating actual cyber events. These simulated cyber exercises are a critical step in
evaluating the frameworks that will be applied in the event of a real cyber incident.
The need for cyber incident response frameworks was substantiated by examining
real threats that can directly impact critical infrastructures. The Stuxnet worm attack and
the alleged siphoning of sensitive data from government agencies by China only
reinforce the need for robust response frameworks that can be leveraged to prevent,
protect against, respond to, recover from, and mitigate cyber-attacks of all magnitudes.
The occurrence of a major cyber incident is inevitable and potentially could
happen in the not so distant future. Due to the conceivable threat of a cyber-attack with
the potential of catastrophic damage being inflicted on the country’s critical
infrastructures, the continued assessment, testing, training of personnel, and amending of
current cyber incident response frameworks is critical to the uninterrupted security and
prosperity of the United States.
Discussion of the Findings
The capability to respond to incidents, whether the incidents occur in the physical
world or the cyber domain, is an essential component to securing the critical
infrastructures and the economic independence of this nation. Critical infrastructures play
an enormous role in the day-to-day operations of this country. The critical infrastructures
of this nation rely heavily on technology and are dependent on this technology to function
at a level necessary to maintain government, public, and private sector industries that
make the United States one of the most powerful nations in the world.
The interdependency of these infrastructures and the technology that each one
uses presents potential vectors for attacks of both physical and cyber origins. The ability
to prevent, mitigate, and respond to an attack or incident of any magnitude or origin is
crucial to the continued security and prosperity of this nation. The ongoing threat of
cyber-attacks, combined with the continuous threat of physical events such as natural
disasters, reinforces the need for robust response frameworks that can be implemented to
minimize the damage caused by these events and reduce the effects these events have on
this nation’s critical infrastructures and economic stability.
Resources
The primary resources reviewed in this paper were existing response frameworks
that are currently being implemented when a response to an event is required. The
response frameworks reviewed for this paper, the NIMS, the NRF, the National Strategy
to Secure Cyberspace, and the NCIRP, are all intended to provide agencies and personnel
with components, principles, and guidelines that can be applied and leveraged during a
response to a crisis. While each of these response frameworks is organized and structured
differently, they all contain some of the same basic principles regarding the methods that
can be used to respond to an event. As stated in the National Infrastructure Protection
Plan (NIPP),
Protecting and ensuring the resiliency of the critical infrastructure and key
resources (CIKR) of the United States is essential to the Nation’s security, public
health and safety, economic vitality, and way of life. Attacks on CIKR could
significantly disrupt the functioning of government and business alike and
produce cascading effects far beyond the targeted sector and physical location of
the incident. Direct terrorist attacks and natural, manmade, or technological
hazards could produce catastrophic losses in terms of human casualties, property
destruction, and economic effects, as well as profound damage to public morale
and confidence. Attacks using components of the Nation’s CIKR as weapons of
mass destruction could have even more devastating physical and psychological
consequences (DHS, 2009).
The examination of ongoing and potential cyber threats was also necessary to
provide sufficient evidence that response frameworks are required for not only physical
threats, but cyber threats as well. Threats such as the continuous attacks on government
and public/private sector industries indicate the need for a proactive response plan that
can be implemented to protect the critical infrastructures and highly sensitive information
this country relies on. Also, attacks such as the Stuxnet cyber-attack that affected several
nations across the world, most notably Iran, further support the need for cyber incident
response plans. The increased dependency on technology, in conjunction with cyber-attacks
such as Stuxnet, provides further evidence that attacks like these are likely to
continue in the future and that the ability to effectively respond to these incidents is essential.
Response Plan Components
Each incident response plan framework contains components, principles, and
guidelines that act as the basis for any incident response. Although each individual
response framework is an entity unto its own, they share common components,
principles, and guidelines that allow for flexibility in their application to different types
of situations. The commonality shared by these frameworks accentuates the importance
of the key components and guidelines that each of these frameworks has in common.
These core principles and components are a necessity during the course of a response in
order to maximize the effectiveness of response to an incident of any magnitude. Of the
core components that these frameworks share, the two components that are of critical
importance for an effective response are preparedness and the designation of roles and
responsibilities.
Preparedness
Preparedness for an event of any magnitude, regardless of origin, is one of the
first steps of a response framework in order to adequately respond to an incident. Each
framework stresses the importance of preparedness. As an example, according to NIMS,
Effective emergency management and incident response activities begin with a
host of preparedness activities conducted on an ongoing basis, in advance of any
potential incident. Preparedness involves an integrated combination of
assessment; planning; procedures and protocols; training and exercises; personnel
qualifications, licensure, and certification; equipment certification; and evaluation
and revision (DHS, 2008).
Like NIMS, the NCIRP states,
Preparedness activities, including establishing common situational awareness in a
common operational picture, are shared responsibilities across Federal, State,
Local, Tribal, and Territorial governments and the private sector. By the time
coordinated response actions are needed during a Significant Cyber Incident, the
cybersecurity community must be prepared and maintain a shared situational
awareness to help identify, respond to, and recover from an incident (DHS, 2010).
The emphasis on preparedness is a theme that is at the core of each and every response
framework. Without the necessary preparation at all levels of government, public and
private sector organizations, and other agencies, an effective response can potentially be
hindered due to lack of awareness and knowledge of preparation methods required prior
to an incident.
A perceived lack of preparedness came to light in the response to Hurricane
Katrina. According to Moynihan (2010)
After September 11, the Federal Emergency Management Agency (FEMA) was
swallowed up by the new DHS, whose most pressing concern was dealing with
terrorist activities. FEMA lost direct access to the White House and some key
responsibilities, and in doing so, lost a key function in the transition. The loss of
the preparedness function limited FEMA’s ability to influence state preparation
and weakened relationships with state responders.
Another aspect of the response where the preparedness was perceived to be weak
was at the local level of the response. One of the key aspects of any incident response is
the response from local government agencies and authorities. According to Moynihan
(2010),
the Louisiana Office of Homeland Security and Emergency Preparedness
(LOSHEP), had a staff of between 43-45 people, which was about 60% of the
staffing capacity of peer organizations in other states, with only about 15
employees having emergency management experience.
This reinforces the need for adequate preparation at all levels of government, especially
at the state and local levels where most incident responses begin.
For cyber incident response, the responsibility of state and local governments and
other agencies being prepared is equally important, if not more so. Cyber incidents are a
relatively new form of attack, and will soon become the norm as more agencies and
infrastructures place more of their day-to-day operations in the hands of technology. It is
imperative that state and local government agencies, along with NGOs, be fully prepared
to interact with federal authorities and be fully prepared to assist and undertake multiple
roles during an incident response that affects their respective local community.
The federal government has taken steps to better prepare state and local
government personnel for incident responses. One such action was the Homeland
Security Presidential Directive HSPD-8. This directive put an emphasis on National
Preparedness. The main goal of HSPD-8, as stated in NIMS (2008), was to “strengthen
the preparedness of the United States to prevent and respond to threatened or actual
domestic terrorist attacks, major disasters, and other emergencies.” It also required DHS
to develop mechanisms for the improved delivery of federal preparedness assistance to
state, tribal, and local governments and to strengthen the nation’s preparedness
capabilities (DHS, 2008).
For cyber incident responses, the federal government took steps to bolster
preparedness on a federal, state, local, and tribal level by conducting training exercises on
fact-based scenarios to simulate a cyber event. The lack of an occurrence of a major
cyber incident in this country further stresses the need for training exercises to determine
the strengths and weaknesses of the NCIRP framework that would be implemented
during an actual cyber incident. The series of Cyber Storm exercises was the method
employed by the federal government to help train and review the preparedness
capabilities of government agencies on the federal, state, local, and tribal levels of
government as well as public and private sector agencies and NGOs. Through this series
of exercises, lacking a real incident for assessment, scenarios based upon real, potential
threats were conducted to assess how well each participant was prepared to respond to
various cyber incident scenarios.
Roles and Responsibilities
The roles and responsibilities that key participants take on during an incident
response are another key factor in the success of the response. The fact that many different
organizations, ranging from all levels of government to NGOs and public/private sector
businesses participate in an incident response makes it critical that each participant
understand their role during a response. Determining and understanding the role and the
responsibilities that each participant will be assigned and expected to carry out during an
incident response can potentially determine the success or failure of a response.
Roles and responsibilities are such critical factors during an incident response that
the concept can be found in all phases of the NIMS framework. Roles and responsibilities
are a key component of the Ongoing Management and Maintenance, Planning, and Area
Command sections of NIMS (DHS, 2008). Each of these sections contains
guidelines on the roles and responsibilities that key participants will assume during a
response. The lack of preparedness to handle these roles and the responsibilities that are
assigned to each role can adversely affect the effectiveness of an incident response.
With NIMS being so closely tied to the NRF, a similar theme is contained in each
framework. The NRF considers roles and responsibilities to be of such importance that it
is the first section discussed in the framework’s key components. The NRF (2008) states:
The responsibility for responding to incidents, both natural and manmade, begins
at the local level – with individuals and public officials in the county, city, or
town affected by the incident. Significant incidents require a coordinated response
across agencies and jurisdictions, political boundaries, sectors of society,
organizations, etc. These incidents will require that publicly elected and appointed
officials, as well as business owners and community leaders, make difficult
decisions for the benefit of the community as a whole.
The NRF stresses the importance of incident responses beginning at the local level. For
this reason, it is imperative that all agencies at the local and tribal levels be prepared to
participate in an incident response and understand the roles they will undertake. The fact
that incidents can affect numerous infrastructures makes it critical for every local agency
and business to be prepared and capable of performing the necessary tasks to execute an
effective response. Depending on the nature of the incident, a different local authority can
be placed in a lead role during a response, making it crucial for personnel at every level
to be prepared to accept and carry out the responsibilities associated with that role.
The concept of roles and responsibilities during a cyber event is similar to that of
a real-world event. However, during a Significant Cyber Incident, a slightly different
approach has been implemented through the use of the NCIRP. Key roles and
relationships have been pre-established for a response to a Significant Cyber Incident
instead of establishing certain roles at key local agencies in response to an incident.
According to the NCIRP (2010), during a Significant Cyber Incident, DHS, through its
NCCIC, coordinates national response efforts and works directly with federal, state,
local, tribal, and territorial governments and private sector partners. The following figure
depicts the structure of the NCCIC.
Figure 2: NCCIC and Partners
The NCCIC will provide the facility and mechanisms to coordinate national response
efforts, with certain key roles and responsibilities having been pre-determined.
The pre-determination of key roles and responsibilities and how these roles
interact with each other is a step toward better preparedness for an incident response. By
pre-defining certain roles and responsibilities, personnel in these roles can be better
prepared to effectively lead and respond to a Significant Cyber Incident. The following
figure represents the coordination and organizational structure of Cyber Incident
Management as designed through the NCIRP framework.
Figure 3: Cyber Incident Management Lanes
The NCIRP framework maximizes preparedness by designating specific, key roles to
federal, state, local, and tribal government agencies, as well as public and private sector
organizations and NGOs.
Ongoing Cyber Threats
Cyber threats are now a fixture in the world’s landscape. The continued
progression of technology, and the ease with which it can be obtained, opens up a
variety of vectors and opportunities for cyber-attacks, changing the face of warfare.
The use of technology as a weapon introduces new players into the warfare arena: cyber
weapons require little funding to attain, and attribution of their use is extremely
difficult. The inability to attribute a cyber-attack to an individual, group, or nation makes
responding to a cyber-attack far more difficult than responding to historic warfare tactics.
As Herbert Lin, chief scientist at the Computer Science and Telecommunications Board
of the U.S. National Research Council, points out,
…you may have only an IP address, not a physical location that you can attack in
response. Assume a computer controls an adversary’s air defense network and
you cannot physically locate it. If you go after it with a cyber-attack, what if it’s
located in a neutral nation? Or on your own territory? Cyber war complicates
matters and challenges traditional notions of neutrality and sovereignty (Farwell
& Rohozinski, 2011).
Cyber-attacks against this nation are already a reality. Attacks, such as Stuxnet,
are likely to increase in number in the very near future. The success of the Stuxnet attack,
combined with the lack of preparedness for such an attack, only encourages comparable
attacks in the future. Ralph Langner, one of the first security experts to analyze the Stuxnet
worm, indicates that attacks like Stuxnet are unlikely to disappear. When speaking of
the Stuxnet attack, Langner states:
You want to create a set of reusable tools. I mean, reusability is a big thing in
software development, and certainly also applies to sophisticated cyber attackers.
So these guys are pros, and they are just using the latest technology and
architecture. So this didn’t surprise me at all. And it would also not surprise me if
it would see an attack executed by the very same group, just targeting completely
different product base. So, for example, doing something against Rockwell, PLCs,
or doing something against Areva safety controllers that are used in the nuclear
industry (Roberts, 2012).
Langner also points out the lack of preparedness and training of personnel on how
to manage a cyber incident. He states,
So look at major installations and critical infrastructure. The point is, I haven’t
seen really solid contingency plans for cyber-attacks. So point is that the operators
and maintenance staff, management, et cetera, would pretty much have to
improvise on how to handle the sophisticated attack (Roberts, 2012).
The lack of preparedness of personnel holding key positions within critical infrastructures
and prominent industries can severely hinder an effective and timely response to a
cyber-attack. Preparedness for such an event and clearly defined roles and
responsibilities are two vital factors when attempting to prevent, mitigate, prepare for,
respond to, and recover from incidents of this nature.
Limitations
The research conducted for this examination was limited in scope because DHS
was the primary source of the existing response frameworks examined. DHS is the
driving force behind the NCIRP and plays a major role in each of the response
frameworks that have been examined. The drawback to examining frameworks that
originate from a single source is the lack of variation in concepts, components,
guidelines, and approaches to incident response. This lack of varying approaches,
regardless of whether the incidents are of real-world or cyber origin, narrowed the
scope of the research for this paper. The inability to examine frameworks from other
sources made comparisons of distinct approaches to incident response problematic.
Another limitation in the examination of this topic was the inability to research a
Significant Cyber Incident that has occurred in the United States. While there have been
several security breaches and alleged cyber-attacks against this country, the only true
test of the NCIRP to date has been the Cyber Storm exercises conducted by the federal
government. These exercises were conducted in a controlled environment using predefined
scenarios. Although numerous agencies from all levels of government, public and
private sector organizations, and different associations participated in the exercises, it was
difficult to measure the exact effectiveness of the NCIRP. The effectiveness of a cyber
response framework will only truly be tested when an actual response to a Significant
Cyber Incident is required.
Recommendations and Conclusions
The extent of the damage that can be caused by a cyber-attack of significant
magnitude is still widely unknown. The effectiveness of a cyber incident response plan
such as the NCIRP has yet to be tested by a significant cyber incident directly aimed at a
critical infrastructure. Because the NCIRP has not yet been applied in a real-world
incident, a more proactive approach is needed in training and awareness when it
comes to applying the components, guidelines, and principles of a cyber response
framework. The reality is that cyber incidents are occurring with increasing frequency
and, regardless of their magnitude and the damage inflicted, government agencies,
public and private sector organizations, and other affiliated response agencies need a
more complete understanding of what is required to execute an effective response plan.
Cybersecurity training and certification programs are currently being offered by
numerous government agencies and public and private organizations. However, the
number of cyber incident response training programs is limited. DHS, one of the driving
forces behind cyber incident response plans such as the National Strategy to Secure
Cyberspace and the NCIRP, offers a limited number of incident response training
programs and exercises that include the Cyber Storm exercises mentioned in this paper.
The findings in this paper suggest that a more proactive schedule of cyber
incident response training programs and events is needed to combat the increasing
frequency of cyber-attacks. This finding is also supported by the fact that the
technology used to execute cyber-attacks keeps changing as new technology is
introduced, and that technology capable of carrying out cyber-attacks against this
nation is widely available.
The Cyber Storm training exercises are held on a biennial basis. Although time to
evaluate previous Cyber Storm exercises is necessary to perform an accurate assessment
of the training exercise, instituting a more vigorous schedule of events like these could
potentially strengthen and solidify the response effort. Preparedness is one of the key
concepts that makes up each response framework discussed in this paper. Key personnel,
government agencies, and other organizations that have critical roles during a response to
a cyber incident could benefit from more frequent training exercises. The introduction of
more frequent training exercises, using scenarios that leverage recent cyber events and
the technology that was used to execute these attacks, can provide response personnel and
entities with the most current snapshot of the cyber-attack landscape that they will face
during a response.
The findings also suggest that training programs and exercises could put more
focus on the involvement of local governments and their roles and responsibilities
during a response to a cyber incident. As previously stated in this paper, during the
response to Hurricane Katrina, LOSHEP had only about 15 employees with emergency
management experience (Moynihan, 2010). Even though technology has flattened the
landscape by enhancing the interconnectivity among federal, state, local, tribal, and
territorial governments, the participants in the most recent Cyber Storm exercise were
made up mostly of federal and state government agencies, private sector companies,
international partners, and other coordinating agencies (DHS, 2011), with little
representation from local government.
A resolute commitment to the implementation of training programs specifically
directed toward local government agencies could potentially strengthen the response
effort carried out by these entities. According to the NCIRP (2010),
When prevention and protection efforts are unsuccessful, federal, state, local, tribal,
territorial and private sector owners and operators of critical networks are likely to be
the first to detect malicious or unauthorized activity on their networks. These owners
and operators work individually within their incident response processes and, when
appropriate, in partnership with others to identify and contain malicious and
unauthorized activity on critical networks.
If personnel at the local level are not adequately trained in proper cyber incident response
protocols, the effectiveness of the overall response could potentially be hindered. Adequate
training programs, drills, and constant assessment of response protocols at the local level are
a critical component to the success of a cyber incident response.
Through the application of the NCIRP framework, local government agencies are
provided a support system that can be leveraged during a cyber incident response. DHS acts
as the coordinating agency during a cyber incident, with the NCCIC acting as the point of
integration for all information from federal departments and agencies, state, local, tribal, and
territorial governments, and the private sector related to situational awareness, vulnerabilities,
intrusions, incidents, and mitigation activities (DHS, 2010).
The NCIRP (2010) states:
Preparedness is a basic responsibility of all federal, state, local, tribal, territorial, and
private sector organizations. Each organization plays a unique role in preparing for a
cyber incident with respect to its distinct mission and authorities. All organizations
are responsible for the following preparedness activities: engage, plan, organize,
equip, train, exercise, and evaluate and improve.
Because the onus of preparedness is placed on each individual entity, each local, tribal, and
territorial government agency needs to be proactive to ensure personnel are familiar with
cyber response frameworks and the mechanisms that can be leveraged to be as prepared for a
cyber-attack and subsequent response action as possible.
Steps to improve cyber incident response training are already underway. The
upcoming Cyber Storm exercise, Cyber Storm IV, will have a different structure than the
previous three Cyber Storm exercises. According to Brett Lambo, director of the
Cybersecurity Exercise Program with DHS’s National Cyber Security Division, “for the
fourth Cyber Storm, the format will feature an ongoing series of events, not just one main
event, and the series of events will be broken up by different constituency groups.”
Lambo further explains that this could be a building-block event, where the initial event
would shape the nature and prosecution of subsequent events in the middle and latter
stages of Cyber Storm IV. The building blocks, he says, will be based on specific
cybersecurity topics and the interests of the varied constituencies represented by the
diverse roster of participants in Cyber Storm (Cacas, 2012).
By breaking up the exercise into different constituency groups, the new format
could potentially provide a more detailed assessment of specific groups, helping to
identify specific strengths and weaknesses among the participants, including local
government agencies. Focusing on smaller groups and their respective roles during a
cyber incident response could detect potential weaknesses at the local levels of
government and reinforce the need for more vigorous training programs implemented at
that level.
Other recommendations to create a more robust cyber incident response
framework and response cycle are constantly being proposed. One recommendation from
the United States federal government proposes to enhance the information sharing
process among public and private sector agencies and the federal government. The
Strengthening and Enhancing Cybersecurity by Using Research, Education, Information
and Technology Act of 2012, or SECURE IT Act (S.2151), introduced by Sen. John
McCain (R-Ariz.) on March 1, 2012, notes that public and private-sector information
sharing is critical to strong cybersecurity (Bernhart Walker, 2012). S.2151 states:
An entity providing electronic communication services, remote computing
services, or cybersecurity services under contract to a federal agency or
department shall immediately provide to such agency or department, and may
provide to a cybersecurity center, any cyber threat information directly related to
such contract that is obtained, identified, or otherwise possessed by such entity
(S.2151, 2012).
The legislation would encourage industry to voluntarily share threat information through
antitrust exemptions and would create liability protections so that companies can more
easily secure their networks in the event of a cyber-attack (Bernhart Walker, 2012). The
SECURE IT Act is the latest effort by lawmakers to confront the question of how best to
defend the vital Internet backbones on which the nation’s military, commerce, and
industry all rely (Waterman, 2012).
Public and private sector agencies play a critical role in the execution of cyber
incident response plans. Overall, the majority of critical infrastructures are operated
and/or owned by private sector companies (DHS, n.d.). Further research could be
conducted to determine what mechanisms and methods could be implemented to enhance
and improve the interaction among public and private sector agencies and the federal
government agencies that hold key roles within the cyber incident response framework.
Information sharing, key roles and responsibilities, and the ability of public and private
sector companies to leverage the NCCIC are key areas that could be researched to
discover techniques that could be implemented to improve these areas to create a more
effective response plan.
Further research could also be conducted at the lower levels of government to
accurately assess the preparedness of local, tribal, and territorial government agencies to
participate in a cyber incident response. The research conducted for this paper primarily
focused on existing response frameworks, their overall structure, and the core concepts
and components that they contain. Additional research that focused on how well the
agencies at the lower levels of government are prepared for their involvement in a cyber
incident response could be used to implement new training programs, amend existing
frameworks to better develop and leverage the strengths of local government agencies,
and provide key personnel with a better understanding of their roles and responsibilities
during a response to a cyber-attack. Local government agencies may potentially be at the
forefront of a response to a cyber-attack. However, these agencies may not have the
resources that the federal government has and may be the least prepared when responding
to a cyber incident.
Another area of research that could be explored is the examination of other
response frameworks or response plans that do not have their origins at the federal level.
Private sector agencies that are heavily invested in technology, or operate a critical
national infrastructure, may have internal response frameworks that are leveraged when
responding to a cyber-attack. These internal frameworks could potentially reveal different
methods of approach when faced with a cyber-attack. The organizational structures, key
components and guidelines, roles and responsibilities, and methods of communication
could be examined to discover new approaches that could be integrated into existing
federal response frameworks, or provide key amendments that could possibly strengthen
existing cyber response plans.
This paper examined existing response frameworks and their key components,
guidelines, and principles to determine the requirement for a national response
framework specifically addressing cyber incidents. Historically, response frameworks,
such as the NRF and NIMS, have been used for real-world catastrophes. The
development of the National Strategy to Secure Cyberspace and the NCIRP emphasizes
the need to have frameworks in place to prevent, protect against, respond to, recover
from, and mitigate the damage that can be inflicted to critical infrastructures through a
cyber-attack.
Response frameworks have been implemented for real-world events such as
Hurricane Katrina and the BP oil rig explosion and spill. The lessons learned from these
events, both the successes and failures, can be applied to newly developed frameworks
like the NCIRP. Because these frameworks share similar concepts and components, the
failures of one can be turned into the strengths of another. Although the frameworks
differ in the types of incidents that they address, the response plans themselves have been
developed with enough flexibility and standardization that any weaknesses identified in
one framework can be addressed in another.
Cyber-attacks have become more frequent, more devastating, and are poised to
affect a wider range of infrastructures due to the increased dependency on technology.
Technology has not only enabled critical infrastructures, government agencies, and other
organizations to become more interconnected, but has also increased the interdependency
of each of these entities on one another. Due to the increased interconnectivity of critical
infrastructures, the effects of a cyber-attack on one infrastructure can have damaging
effects on another. The ability to prevent, protect against, respond to, recover from, and
mitigate the effects from a cyber-attack is critical to protecting the security and economic
prosperity of this nation.
The findings of this paper also show a direct effort to address the need
for a cyber incident response plan. The NCIRP provides agencies and personnel at all
levels of government and within the private sector with a robust framework that can be
leveraged when confronted with a cyber incident. The core components and concepts
contained within the NCIRP, in conjunction with the NCCIC, provide a robust and
flexible organizational structure that equips agencies with the tools necessary to
execute an effective incident response.
Technology has enabled the enemies of this nation to carry out stealth attacks on
the critical infrastructures that citizens of this country rely upon every day. Any
disruption to these infrastructures can have a devastating effect on this nation’s ability to
provide economic stability and security for its citizens. The inability to effectively
respond to a significant cyber incident could potentially encourage more attacks that
could cripple this nation. A new brand of warfare now confronts this nation. Cyber-attacks can be carried out from anywhere in the world and they do not require substantial
financial backing or a large army to execute a devastating attack. It is vital that this nation
is adequately prepared to respond to cyber-attacks of any magnitude in order to protect
the way of life that all citizens of this country have come to depend on.
Appendix
Acronyms and Definitions
BP: British Petroleum
CIKR: Critical Infrastructure and Key Resources
DHS: Department of Homeland Security
DOD: Department of Defense
FEMA: Federal Emergency Management Agency
FIRESCOPE: Firefighting Resources of Southern California Organized for Potential Emergencies
ICS: Incident Command System
IT: Information Technology
LOSHEP: Louisiana Office of Homeland Security and Preparedness
MS-ISAC: Multi-State Information Sharing and Analysis Center
NCCIC: National Cybersecurity and Communications Integration Center
NCIRP: National Cyber Incident Response Plan
NGO: Nongovernmental Organization
NIC: National Integration Center
NIMS: National Incident Management System
NIPP: National Infrastructure Protection Plan
NRF: National Response Framework
NRP: National Response Plan
PLC: Programmable Logic Controller
SCADA: Supervisory Control and Data Acquisition
US-CERT: United States Computer Emergency Readiness Team
References
Baker, S. (2006). The Federal Response To Hurricane Katrina: Lessons Learned.
Retrieved January 6, 2012, from library.stmarytx.edu/acadlib/edocs/katrinawh.pdf
Bernhart Walker, M. (2012, March 5). McCain cybersecurity bill aims for legal
frameworks, updates, not structural changes. Retrieved from http://www.fiercegovernmentit.com/story/mccain-cybersecurity-bill-aims-legal-frameworks-updates-not-structural-chan/2012-03-05
Bhaskar, R. (2006, February). State and local law enforcement is not ready for a cyber
Katrina. Association for Computing Machinery. Communications of the ACM,
49(2), 81.
Cacas, M. (2012, March). An Approaching Cyber Storm Includes New Threats. Retrieved
from http://www.afcea.org/signal/articles/templates/Signal_Article_Template.asp
?articleid=2895&zoneid=342
Coleman, K. (n.d.). The Cyber Attack Danger. Retrieved January 9, 2012, from http://
defensetech.org/2008/10/20/the-cyber-attack-danger/
Department of Defense (2011, July). Department of Defense Strategy for Operating in
Cyberspace. Washington, D.C.: Department of Defense.
Department of Homeland Security. (2003, February). National Strategy to Secure
Cyberspace. Retrieved January 6, 2012, from http://www.dhs.gov/files/
publications/editorial_0329.shtm
Department of Homeland Security. (2003, February 28). Homeland Security Presidential
Directive 5: Management of Domestic Incidents. Retrieved January 10, 2012,
from http://www.dhs.gov/xabout/laws/gc_1214592333605.shtm
Department of Homeland Security. (2004, December 2). NIMS Integration Center
Discusses NIMS Incident Command System (ICS) In New Paper Online At
(fema.gov/nims). Retrieved January 4, 2012, from http://www.fema.gov/news
/newsrelease.fema?id=15556
Department of Homeland Security. (2006). Cyber Storm Exercise Report. Washington,
D.C.: Department of Homeland Security.
Department of Homeland Security. (2008). Cyber Storm II Final Report. Washington,
D.C.: Department of Homeland Security.
Department of Homeland Security. (2008, January). NRF Resource Center. Retrieved
January 3, 2012, from http://www.fema.gov/pdf/emergency/nrf/nrf-core.pdf
Department of Homeland Security. (2008, December). NIMS Resource Center. Retrieved
January 11, 2012, from http://www.fema.gov/pdf/emergency/nims/nims_core.pdf
Department of Homeland Security. (2009). National Infrastructure Protection Plan.
Washington, D.C.: Department of Homeland Security.
Department of Homeland Security. (2010). National Cyber Incident Response Plan.
Washington, D.C.: Department of Homeland Security.
Department of Homeland Security. (2011). Cyber Storm III Final Report. Washington,
D.C.: Department of Homeland Security.
Department of Homeland Security. (n.d.). Critical Infrastructure Protection. Retrieved
February 28, 2012, from http://www.dhs.gov/files/programs/critical.shtm
Department of Homeland Security. (n.d.). Critical Infrastructure Sector Partnerships.
Retrieved from http://www.dhs.gov/files/partnerships/editorial_0206.shtm
Department of Homeland Security. (n.d.). Cybersecurity. Retrieved February 28, 2012,
from http://www.dhs.gov/files/cybersecurity.shtm
Department of Homeland Security. (n.d.). Cyber Storm: Securing Cyber Space. Retrieved
from http://www.dhs.gov/files/training/gc_1204738275985.shtm
Epperson, R. C. (2011, January). A Perspective from Within Deepwater Horizon’s
Unified Command Post Houma. Retrieved January 12, 2012, from
http://www.ccrm.berkeley.edu/pdfs_papers/DHSGWorkingPapersFeb162011/PerspectiveFromWithinDeepwaterHorizon_s-UnifiedCommandPost_Houma-RCE_DHSG-Jan2011.pdf
Farwell, J., & Rohozinski, R. (2011, February/March). Stuxnet and the Future of Cyber
War. Survival, 53(1), 23.
Glenny, M. (2011, October 31). The Cyber Arms Race Has Begun. Nation, 293(18), 17-20.
Hoffman, D. E. (2011). The New Virology. Foreign Policy(185), 77-80.
Hughes, J. (2010). China's Place in Today's World. The Journal of Social, Political, and
Economic Studies, 35(2), 167-233.
Lieberman, J. (2010, November 17). Public, Private Sectors Must Partner On Cyber
Security To Defeat "Game Changer". FDCH Press Releases.
Lindsay, B. R. (2008, November 20). Federation of American Scientists. Retrieved
January 12, 2012, from http://www.fas.org/sgp/crs/homesec/RL34758.pdf
Lutz, L., & Lindell, M. (2008, September). Incident Command System as a Response
Model Within Emergency Operation Centers during Hurricane Rita. Journal of
Contingencies & Crisis Management, 16(3), 122-134. Retrieved February 1, 2012.
Miller, R. (n.d.). Hurricane Katrina: Communications & Infrastructure Impacts.
Retrieved from http://www.carlisle.army.mil/DIME/documents/Hurricane%20
Katrina%20Communications%20&%20Infrastructure%20Impacts.pdf
Montalbano, E. (2011, March 23). Federal Cyber Attacks Rose 39% In 2010. Retrieved
January 12, 2012, from http://www.informationweek.com/news/government/
security/229400156
Montalbano, E. (2012, January 4). Federal Cybersecurity Incidents Rocket 650% In 5
Years. Retrieved December 12, 2011 from http://www.informationweek.com/
news/government/security/231700231
Moynihan, D. (2010, March 18). The Response To Hurricane Katrina. Retrieved from
http://www.irgc.org/IMG/pdf/Hurricane_Katrina_full_case_study_web.pdf
Piggin, R. (2010, November 13). The Reality of Cyber Terrorism. Engineering &
Technology, 5(17), 36-38.
Roberts, P. (2012, January 29). UPDATE: Why Stuxnet-Like Attacks Aren't Going Away.
Retrieved January 30, 2012, from https://threatpost.com/en_us/blogs/why-stuxnet-attacks-arent-going-away-012912
Strengthening and Enhancing Cybersecurity by Using Research, Education, Information,
and Technology Act of 2012, S. 2151, 112th Cong., 2d. Sess. (2012)
The White House. (2006). The Federal Response to Hurricane Katrina: Lessons
Learned. Washington, D.C.: The White House.
Waterman, S. (2012, March 1). GOP senators present cybersecurity bill. Retrieved from
http://www.washingtontimes.com/news/2012/mar/1/gop-senators-present-cybersecurity-bill/
Wortzel, L. M. (2009, January/February). China Goes on the Cyber-Offensive. Far
Eastern Economic Review, 172(1), pp. 56-59.