It’s never been more important to have cybersecurity programs in place to enable quick, effective resolutions when incidents happen.
But what exactly should Emergency Managers know?
That’s what the latest guidance from FEMA clarifies. So, read on to learn more about the role of emergency managers during a cyber incident.
What has FEMA published about the role of Emergency Managers during a cyber incident?
As you may know, this isn’t exactly the first foray into the subject by FEMA (the Federal Emergency Management Agency). Back in 2021, the agency published a Comprehensive Preparedness Guide to Developing and Maintaining Emergency Operations Plans (EOPs), which included some guidance on cyber incident preparedness.
Such is the current cyber threat level, however, that far more was needed. As a result, FEMA teamed up with CISA (the Cybersecurity and Infrastructure Security Agency) to put out comprehensive guidance on planning considerations for cyber incidents.
The purpose of this guidance, which acknowledges that Emergency Managers don’t need to be technical experts on the matter, is to prepare the public safety community to engage effectively during an incident and have plans in place to address potential impacts.
This, of course, is a core emergency management responsibility. But what specific responsibilities pertain to Emergency Managers before, during, and after cyber incidents?
Emergency management roles and responsibilities during cyber incidents
The short answer is that it depends. An emergency manager’s role in preparing for and responding to a cyber incident is likely to differ from their role in any other type of incident. It’s also likely to vary across agencies and jurisdictions.
Nevertheless, FEMA’s guidance does direct emergency management teams to develop a plan or annex focused on cyber incident response, and to factor cyber considerations into their other EOPs.
To make these plans practicable, however, emergency managers should understand every stage of a cyber incident. What are they?
Cyber Incident Response Lifecycle
The four-phase cyber incident response lifecycle includes:
1. Preparation
Development of a clearly articulated cyber incident response plan with established points of contact.
2. Detection and analysis
Determining that an incident has occurred and establishing its type and severity.
3. Containment, eradication, and recovery
Addressing the identified incident through containment (preventing its spread and limiting its impact), eradication (removing its cause), and recovery (restoring normal operations and recovering lost or damaged data).
4. Post-incident activity
Identifying lessons learned and opportunities for improvement.
What about specific emergency management responsibilities during the incident itself? Cyber incidents have high spill-over potential: a compromise of one system can disrupt the physical services that depend on it.
As a result, one emergency management responsibility might be activating other incident plans based on the asset affected by the cyber incident, e.g., a power outage plan.
From there, emergency managers will have to prioritize the resources they allocate to the cyber incident response, with the most likely resource being personnel.
Preparing to perform emergency management roles and responsibilities
Since cybersecurity might be outside an emergency manager’s technical wheelhouse, the team will have to prepare diligently.
Emergency managers should rehearse the roles and responsibilities laid out in their cyber incident response plans in highly customized scenarios and exercises.
As with other incidents, these exercises will aid the planning team in exploring contingencies, identifying gaps, validating existing plans, and ultimately determining the appropriate courses of action.
Example Emergency Manager role during a cyber incident
What might the Emergency Manager role look like in practice during a cyber incident? Again, it will depend on the nature of the disruption.
In the case of a suspected cyber attack on a water system, the Emergency Manager lead role is likely to consist of the following activities:
- Coordinating communication to identify the scope of the incident
- Activating the emergency operations center
- Developing Incident Action Plans (IAPs)
- Coordinating with cyber authorities to maintain situational awareness and reporting
- Managing coordination of resource and support requests from responding agencies
- Organizing hazardous materials support to identify and secure contaminated areas
- Identifying the potential for cascading impacts or additional hazards following the incident
- Tracking capability gaps and strengths for improvement planning following the incident
To get through the cyber incident lifecycle efficiently, Emergency Managers should ensure their organization has an effective emergency management software platform in place.
The right tool will keep your whole incident management team, from the Emergency Manager to untrained field staff, following the same plans, communicating on the same platform, and viewing the same operating picture.
Not sure which software capabilities to consider, though? Check out our Buyer’s Guide to Emergency Management Software to find out.