Integrating FEMA ICS into Cyber Incidents

Started by PhoenixRisen, February 16, 2021, 03:19:11 PM


PhoenixRisen

Posting here because it doesn't quite fit with CAP-related Operations discussions.....

I'm a new cyber incident responder with a major federal agency and one of the items I've been tasked with researching is the implementation of the FEMA Incident Command System within an organizational cyber incident response process.

For those in the cyber world, has anyone seen this in practice anywhere?

Does anyone have any resources or training specific to ICS for cyber incidents? (I see there used to be ICS 523 Resilient Accord, but that appears to be discontinued with no replacement.)

I have IS 100, 200, 700, and 800 done, and am also waiting to complete 300 and 400; so we're going to try and work from scratch to integrate these teachings into the cyber world, but any targeted training would be fantastic.

Any guidance would be appreciated! Thank you!

coudano

I started hearing talk about this circa 2019 or so.
It's a neat idea that might have some benefits.  Those parallels should be easy enough to draw.
I think there are a couple of sticking points that we are probably going to run into...

-ICS stands for Incident Command System.  I don't think anyone would disagree that a cyber event is an 'incident'. The trouble comes in with the notion of 'command'.  The state of cyber response is, and always has been, disaggregated.  Nobody is 'in command'.  That might be part of the problem, but it's also a reality that needs to be acknowledged.  This is not likely to change anytime soon.

If an incident is of such a scale that multiple agencies are responding, and particularly if those responses are uncoordinated, or worse, counterproductive, then ICS might be a way to improve efficiency.  ...if you can get said agencies to willingly submit to the ICS.

-Yes, ICS was invented to make a way for multiple agencies to effectively collaborate together in response to an incident. Unlike, e.g., a natural disaster, where the preponderance of responders are government agencies (police, fire, medical, etc.) who carry public authorities to respond using public properties (and this is key... public resources, personnel, equipment, and money) to protect the general public, the government-based cyber agencies' desire and legal authority to respond to a cyber incident outside of their own networks is... somewhere between murky and non-existent... The Internet doesn't have public roads, public fire hydrants, etc... those networks and devices are all private property. The federal government does not (has not thus far) dedicate 'presidential disaster' level dollars, equipment, and manpower in response to cyber incidents.

-It's difficult enough to get professional (paid and unpaid) emergency responders who are government employees at some level or the other, trained, bought in, and actually willing to practice (and submit to) ICS.  The hump to get 'everybody else' on board, of their own free will, is going to be...  higher.  The value return on paying security ops people to get trained and experienced implementing ICS principles is going to be a tough sell to a company's board.

-In the case of 'a hack' on 'a company', it's unlikely that said company is going to want others involved in their mess. Does the company need to apply ICS amongst its own internal auditing and recovery processes? This suggests that there may be at least some minimum threshold of cyber incident that would call for application of ICS (large scale incidents that span across multiple sectors).

-Consider a small fire that breaks out in a restaurant kitchen... If the restaurant can contain the fire and limit its damages internally, does the fire department get called? If the fire has traumatically injured people, grows out of control, and threatens to burn down the entire strip mall that the restaurant is inside, and disrupts traffic on the street out front, now we are talking about EMS, fire, and police response. What's the cyber equivalent?

Eclipse


"That Others May Zoom"

Paul Creed III

To the OP, I would recommend that you reach out to the National Cyber Mission Team via cyber.cap.gov to discuss this further with the staff who are working on implementing operational cyber as we speak.
Lt Col Paul Creed III, CAP
Group 3 Ohio Wing sUAS Program Manager

PhoenixRisen

Thanks for the input, everyone!  Very much appreciated.  This is great food for my thoughts.

Spaceman3750

Phoenix,

Google has published an incident response system which takes cues from ICS. It's the closest thing I've seen. I think there's merit to the idea but only in response to an actual problem, not a good idea. Reach out to me directly if you'd like to bounce ideas, I'm a security incident response analyst at a Fortune 100.

PhoenixRisen

Quote from: Spaceman3750 on February 20, 2021, 09:21:44 PM

Phoenix,

Google has published an incident response system which takes cues from ICS. It's the closest thing I've seen. I think there's merit to the idea but only in response to an actual problem, not a good idea. Reach out to me directly if you'd like to bounce ideas, I'm a security incident response analyst at a Fortune 100.

Awesome - thank you!  PM sent.