In an increasingly interconnected world that’s reliant on technology for critical services, a number of states are tightening the coordination between IT professionals in government and industry to minimize the potential impact of a disruption to computerized systems.
Rhode Island, Massachusetts and New Hampshire are coordinating plans for responding to interruptions in services due to cyber-attacks or natural disasters that disrupt computer systems that facilitate critical services.
Government IT departments in the region have traditionally done a good job of maintaining, securing and restoring their cyber-infrastructure, according to Adam Wehrenberg, project director of the New England Regional Catastrophic Preparedness Initiative. But there was a coordination gap between IT and emergency management. “As our world increasingly hinges on technology, we have to shift thinking so that we begin to view cyber-disruptions as potentially significant events, rather than just inconveniences,” Wehrenberg wrote in an e-mail. “Cyber-disruption may not result in a simple e-mail outage, but may be the cause (or effect) of a much greater emergency.”
In 2008, when stakeholders in the region converged to plan for catastrophic events, cyber-security was identified as a high-priority event because of the prominence of medical, higher education and financial institutions. “We think the basics under emergency management are hurricanes and snowstorms or floods, which are critical,” said Ed Johnson, deputy director of the Rhode Island Emergency Management Agency. “But there’s a whole other nexus out there that’s a concern, probably even a greater concern, of the cyber piece.”
In 2009, Rhode Island officials met with representatives from hospitals, financial institutions, colleges, universities, the military, cable and communications industries, and utilities to identify who the stakeholders were and who could contribute resources to a cyber-disruption response team (CDT).
The plan describes a fairly straightforward implementation of Emergency Support Function (ESF) 2 under the National Response Framework. The response team, which is still being formed, will likely be made up of eight to 12 members, organized under the Rhode Island State Police, who will be responsible for restoring critical IT systems.
The plan is nearly complete, according to Theresa Murray, a regional catastrophic planner with the Rhode Island Emergency Management Agency. The state has yet to establish standard operating procedures for the team, but Murray said it would likely be deployed following any significant disruption that affects critical infrastructure and impacts operations, whether it’s a cyber-attack, widespread virus or hurricane that knocks down power and telephone lines across the state.
“The key is to get the state back up and running,” Murray said. “When the local communities are unable to do it on their own, the private companies need some extra hands; that’s when they [the CDT] kick in.”
About one-third of Rhode Island hospitals lost access to their computer systems in 2010 due to an update to a virus definition file that flagged a harmless Windows file as a virus. As a result of the outage, staff lost access to their computers for about eight hours, according to Rhode Island TV station WPRI. The issue prompted Rhode Island Hospital personnel to divert some emergency room visitors to other hospitals and postpone some elective surgeries. Patient care continued uninterrupted using backup procedures, a spokeswoman for the hospital told the TV station. Murray cited the incident as an example of an instance when the state CDT could be deployed.
“In that instance, in fact, the State Police Computer Crimes Unit was called,” Murray said. “But [the hospitals] were able to recover with their own IT staff.”
In 2010, the Boston urban area was awarded nearly $1 million from a Regional Catastrophic Preparedness Grant to coordinate planning between the three states. The states developed a Regional Cyber Disruption Plan Annex to their Regional Catastrophic Coordination Plan. They began by organizing a Cyber Working Group of IT and emergency management professionals from the three states as well as the Providence and Boston Urban Areas Security Initiative (UASI) regions.
“The workgroup identified critical cyber-assets within the region using a scoring and filtering mechanism based on Homeland Security Directive 7,” Wehrenberg commented via e-mail. “Many were public-sector assets, some were private. We conducted capability assessments and risk assessments at each of these identified assets.”
Cyber-disruption teams are also being established in Massachusetts and New Hampshire as well as the Providence and Boston UASI regions. The teams will have personnel from IT, emergency management, public safety and service providers who can advise an incident commander about restoring or maintaining critical infrastructure under ESF-2. “The CDT is intended at the regional level to be able to coordinate resources to respond to an incident of catastrophic proportions,” Wehrenberg wrote. “However, like other ICS structures, the CDTs are scalable so that they can be utilized in an incident of any size.”
While the teams and planning may not be at identical stages in each state, he said, the groundwork has been laid, and the plans have been trained and exercised individually and regionally.
Officials hope to expand the planning collaboration to the other states. Officials from the Rhode Island Emergency Management Agency, along with Rhode Island and New Hampshire National Guard representatives, recently presented to generals from the six New England states, New York and New Jersey about the development of the cyber-disruption coordination teams and how they could be integrated into the National Guard.
Another part of the cyber-disruption planning includes increased outreach to businesses and local governments to encourage them to back up and secure their data, make sure their security software is up-to-date and implement continuity of operation plans. Murray is reaching out to partner with larger businesses — including banks, local hospitals and universities — to enlist their help in spreading the cyber-security preparedness message.
The state is also working on establishing a facility where small businesses and community members can learn about cyber-security. The facility would also be where members of the state’s CDT would be trained, a function currently performed at a state police facility in Scituate, R.I.