
Wednesday, 14 June 2017 08:54

Integrating Cybersecurity into the Incident Command System in an Evolving Emergency Environment

Written by Matthew R. Ziska

The American threat landscape is changing with the emergence of cyber threats in the form of malicious software, or malware. The United States government is struggling with ways to ensure the nation is prepared to respond to a cyber-related attack that disrupts critical lifeline infrastructure and related systems. New grant opportunities for local and state governments are emerging to assess how cyber-related events should be managed and how cyber response might fit into the National Incident Management System's (NIMS) response framework. NIMS was adopted in response to the Sept. 11, 2001, attacks and has been used primarily for emergencies that impact the physical world. The introduction of malicious software that can cause computer network disruptions can cause real physical consequences to life and property. While the Incident Command System (ICS) responds effectively to the physical aspect of an emergency, it may have to evolve to include the information technology and cybersecurity professions in order to manage, investigate, and respond to the cyber threat. This article examines the integration of the cybersecurity function into the ICS and provides a blueprint for its inclusion.


Imagine it is the end of the work day and residents of a busy city are going home for the day. The city's power company is in the middle of a shift change, and a control operator notices his computer cursor moving on its own across the screen. The cursor starts to move toward the on-screen breaker controls for substations, and load frequency data begins to show tolerance ranges approaching concerning levels. Substation breakers start to open, and equipment starts to come offline, causing a total system failure and mass power outages across the electric distribution network.

This scenario, unfortunately, is not hypothetical in the technologically dependent world in which we live. It is taken directly from what occurred on Dec. 23, 2016, in the Western Ukraine region, leaving 230,000 residents without power and heat. What would have happened if bad actors had successfully attacked the industrial control systems of a United States power plant or refinery, or local controls such as traffic lights, bridges, or water supplies? How would employees in these sectors have organized and managed the response? This article explores the United States' response plan using the National Incident Management System's Incident Command System framework and possible solutions for integrating cybersecurity into the response plan.

National Incident Management System

The World Trade Center attacks on Sept. 11, 2001, drove the United States government to improve the coordination of multiple agencies during crisis events by initiating NIMS and adopting the ICS as the national framework for emergency management. NIMS is an "all hazards" governing approach to crisis management, with the expectation that each local, state, federal, and nongovernmental organization uses this framework to manage emergency events so that common response goals are achieved.

NIMS comprises seven components: indoctrination, training, resource management, implementation and reporting, alerts, Federal Emergency Management Agency (FEMA) regional contacts, and the ICS. As previously stated, this article focuses on the ICS, a framework that promotes interoperability between government and nongovernmental organizations when working on small- to large-scale incidents.

Incident Command System

ICS first emerged following the 1970 California wildfire season. That season was so devastating to the California landscape and to government resources that communication and the coordination of support became serious problems. In 1972, two years after the devastating wildfires in California, Congress chartered the Firefighting Resources of Southern California Organized for Potential Emergencies (FIRESCOPE) coalition to develop a multi-agency response process for complex emergencies. The FIRESCOPE coalition adjourned having provided the nation with a modern emergency management approach and framework.

ICS is a management structure that organizes the response to emergencies. It is structured so that it can be scaled fluidly at any point during the lifecycle of an emergency. ICS is made up of a command staff and a general staff. The command staff consists of the incident commander, the public information officer, and the safety officer. The incident commander is the individual responsible for every aspect of the emergency response; he or she has overarching operational authority and is responsible for developing response strategies, operational tactics, resources, and financial tracking. The public information officer is responsible for incident communications to the outward-facing public, media, and community stakeholders. The safety officer supports the incident commander by helping to mitigate situational threats and is responsible for the wellbeing of the emergency responders and the public.

The general staff of the ICS comprises four primary sections: operations, logistics, administration, and finance. These sections are led by section leaders known as "chiefs," who report directly to the incident commander. The four sections can be scaled up or down, adding or removing resources according to the complexity of a situation.

Figure 1

The section chiefs are responsible for executing the tactical operations assigned to each section by the incident commander. The operations chief focuses on actions that support life safety, incident stabilization, and protection of property. The logistics chief organizes the resources that support the overall incident response operation. The administrative chief conducts managerial duties that support the tracking and monitoring of personnel time, payment, and schedules, while the finance chief manages fiduciary responsibilities and concerns.

ICS is a versatile management structure that organizes incident response no matter how many individuals respond or how many different response agencies participate.

Maturing the Incident Command System

Can the ICS be matured to accommodate a changing threat environment? The short answer is yes. The ICS is flexible enough to accommodate an addition to the general staff for a specific tactical function. In 2013, the federal government developed guidance to include an intelligence and investigation function in NIMS' ICS. The intelligence and investigation function was identified as a critical component for collecting information surrounding a set of emergency circumstances and was therefore added to the ICS's general staff, as seen in figure 2.

Figure 2

The maturation of the ICS to include the intelligence and investigation section resulted from every emergency's need to gather critical information to explain the cause and contributing factors and to identify lessons learned. The National Preparedness System must continue to adapt to changing emergency environments to ensure that maturation continues and that consistent response goals continue to be attained.

Cybersecurity Function of the Incident Command System

NIMS's scalability and flexibility allow a cybersecurity function to be integrated into the ICS. The cybersecurity function permits the investigation, collection, analysis, and sharing of data that could identify the origin of a cyber incident or attack. If the emergency or incident is determined to be the result of a cyber-attack, the cybersecurity function would lead the investigation and operational response. If the cyber-attack is determined to be a criminal act, the cybersecurity function would share the information with the proper enforcement authorities.

In today's cyber threat environment, emergency response personnel should consider a cyber incident as a potential cause of any incident and take the necessary action to determine causality while upholding the response objectives to protect life, stabilize the incident, and protect property. The cybersecurity function should be integrated into the ICS to efficiently detect and respond to cybersecurity threats that can cause emergencies with real physical consequences, such as the disruption of industrial control systems, network systems, energy systems, transportation systems, or any other lifeline critical infrastructure.

The cybersecurity function should be installed in the general staff section of the ICS when a critical infrastructure system is associated with an incident, as shown in figure 3. The function may be combined with other general staff sections to form task force operations that further understand the nature of the incident, share information, and ensure primary response objectives are completed.

Figure 3

How Would Cybersecurity Participate in Preparedness Activities?

Before an incident begins, the cybersecurity function could be used to obtain system data, conduct penetration testing, and address identified system vulnerabilities. The cybersecurity function could establish a centralized information monitoring center to identify threats to Internet-dependent systems such as supervisory control and data acquisition (SCADA) systems and industrial control systems. Preparedness activities could include planning for a cyber-related response, information sharing, coordination with intelligence agencies, and transferring information evidence to enforcement authorities for criminal investigation.

Cybersecurity Function Organization

NIMS is organized into branches, groups, and divisions to ensure proper incident scalability. The cybersecurity function could be organized into groups that represent various mission areas. The cybersecurity function section chief would be responsible for increasing the span of control by activating groups when necessary. Group activation would be based on the needs and scope of the incident and could include the following:

  • Analyst group: Provide tactical and strategic level analysis of cyber threats, vectors, and actors in support of the defense of computer network operations.
  • Forensic group: Provide forensic analysis of computer network operations to investigate data, preserve malicious data as evidence, and determine the route of system or network entry.
  • Intelligence group: Monitor computer network systems and other data sources to predict nefarious cyber actor behaviors, determine whether threats are credible, share information with other organizations, and develop situation reports.
  • Data evidence group: Manage preserved data evidence and share it with agencies or organizations for future criminal prosecution.

Figure 4

The cybersecurity function, as an addition to the ICS, aligns with NIMS's mission to provide a flexible and scalable framework for incident response. Integrating a cybersecurity function could provide enhanced situational awareness, information sharing, and tactical cyber defense operations during an incident in which a cyber-attack is suspected. The function is necessary when critical infrastructure fails and should be activated by the incident commander to contribute to the situational awareness and investigation of the event.

Matthew Ryan Ziska, CSP, CBCP, is a senior program manager who contributes to the successful emergency preparedness and safety programs at Xcel Energy. He is an award-winning professional with a proven record of accomplishment in the safety, environmental, and emergency management professions. Ziska is currently earning his doctoral degree in public policy and administration from Walden University and holds professional certifications in safety and business continuity.