The relevant features of the Incident Command System should be endorsed by operators of private-sector Critical Infrastructure and Key Resources and should be embedded within the Cybersecurity Framework as proposed by Executive Order 13636. Dave Sweigert CIP 009 Disaster Recovery Plan Incident Command System CIP 008 FERC NERC Power Grid CISSP CISA PMP DHS NRF NIPP US-CERT COOP CIP Reliability Standards DRP BCP HSPD RMF NIST 800 NARUC SERCAT CIPAC NASEO PPD 21

1. 1
Moving toward a flexible, standards-based
response protocol for CIKR cyber incidents
June 2013
Author: Dave Sweigert, M.Sci., CISSP, CISA, PMP
ABSTRACT
The relevant features of the Incident Command System should be endorsed by
operators of private-sector Critical Infrastructure and Key Resources and should
be embedded within the Cybersecurity Framework as proposed by Executive
Order 13636.
Background
Private sector incidents can have a
major impact on the public, as the June,
2003 City of Commerce train derailment
illustrates. The failure to engage hand
brakes in a rail yard caused 31 rail cars
to escape the yard near Los Angeles.
These cares traveled 28 miles (reaching
speeds of 95 M.P.H.) before derailing in
a residential community destroying five
homes. Fortunately, this occurred at the
noon hour, so many residents and
children were away from their homes at
a new community pool grand opening.
However, the public sector was never
informed of this situation until 911
dispatch operators began receiving
emergency calls from local residents1
post-derailment. The railroad never
notified public safety of the situation.
One wonders, if a private sector cyber
security incident (hand brakes) can
affect a key resource (railroad) and
cause such a disaster, how will the
1
NTSB Report DCA-03-FR-005
private sector response activities and
information sharing be appropriately
coordinated in a cyber-centric disaster
that affects critical infrastructure?
Executive Order 136362
appears to
address this problem as it (1)
promulgates the need for a consensus
sriven “Cybersecurity Framework” to
strengthen the protection of Critical
Infrastructure and Key Resources
(CIKR)3
and (2) proposes a consensus-
based national risk management
framework (implemented via voluntary
compliance as the vast majority of CIKR
is owned by the private sector).
2
Executive Order -- Improving Critical Infrastructure
Cybersecurity, 2/12/2013. See: Sec. 7. Baseline
Framework to Reduce Cyber Risk to Critical
Infrastructure
3
Critical Infrastructure: Assets, systems and
networks, whether physical or virtual, so vital to the
United States that the incapacity or destruction of
such assets, systems or networks would have a
debilitating impact on security, national economic
security, public health or safety, or any combination
of those matters.
Key resources: Publicly or privately controlled
resources essential to the minimal operations of the
economy and the government.

2. 2
Limitations of cyber-centric
prescriptive standards to address
incident response
Many industry specific cyber security
standards-based frameworks are in
place; but most fall short of addressing
interdisciplinary response activities. As
an example, the Critical Infrastructure
Protection (CIP) program (created under
the Energy Policy Act of 20054
for the
power generation industry) requires
response plans normally executed by
Cyber Security Incident Response
Teams (CSIRT). However, these plans
tend to be focused on in-house cyber
hygiene issues; such as malicious code
detection, virus outbreak, denial of
service attacks, and unauthorized
access, etc.
Prescriptive cyber security standards
(like CIP) are implemented to reduce
overall technical risk, but may lack post-
incident response and agency
interfacing guidelines that enable
information sharing between private and
public sector entities. This is a gap that
needs to be addressed.
What is the ICS and why is it
important?
The Incident Command System (ICS)5
was cited as a cyber-incident response
protocol in the Microsoft contribution of
4
42 U.S.C. § 15801
5
In this context ICS is not Industrial Control Systems, but
the Incident Command System (ICS). To avoid this
confusion with industrial controls ICS can also be thought
of as the National Incident Management System
(ICS/NIMS).
industry responses to the Request for
Information (RFI) issued by the U.S.
National Institute of Standards and
Technology (NIST to gather industry
input on the proposed Cybersecurity
Framework; quoted in relevant part,
“Many companies are faced with two
different types of response: to defend
the enterprise itself, and to mitigate an
impact to customers. As NIST considers
what is needed to support the
“response” portion of the risk
management framework, Microsoft
would strongly encourage NIST to
consider the Incident Command System
(ICS) as a foundation for any
recommendations. ICS has an
established history of success in the
United States, and it is a well-
recognized approach for incident
response.”6
As an example of the private use of ICS,
and to amplify Microsoft’s position, it is
instructive to note that the Assistant
Secretary for Preparedness and
Response (ASPR), the U.S. Department
of Health and Human Services (DHHS),
has openly recommended medical care
entities embrace ICS; quoted in relevant
part:
“..Increasingly, public health and
medical entities are realizing the
importance of organizing response
according to ICS principles. Many
hospitals have established response
structures based on the Hospital
6 Docket No. 130208119-3119-01, Microsoft Response,
1/8/2013, page 23.

3. 3
Incident Command System (HICS),
formerly known as the Hospital
Emergency Incident Command System
(HEICS)…”7
The California Hospital Association
agrees;
“..HICS is an incident management
system based on the principles of the
Incident Command System (ICS), which
assists hospitals in improving their
emergency management planning,
response, and recovery capabilities for
unplanned and planned events. HICS is
consistent with ICS and the National
Incident Management System (NIMS)
principles…”8
ICS/NIMS is relied upon by U.S. Coast
Guard for use in spill response and
clean-up efforts, as the ICS/NIMS
protocols allow for expandable unified
command that includes civilian private
sector parties to participate in planning,
coordination and operational activities.
Therefore, there is strong evidence that
ICS/NIMS provides the existing
protocols necessary to create structure
for private-sector organizations to
respond to cyber-related incidents and
reduce enterprise risk.
Embedding ICS/NIMS functionality
within the Cybersecurity Framework
may represent one of the best low-cost
and stable approaches available for
7
http://www.phe.gov/Preparedness/planning/mscc/
handbook/Pages/appendixb.aspx
8
http://www.calhospitalprepare.org/hics
enhancing the goals of risk mitigation in
E.O. 13636; quoted in relevant part:
“..The Cybersecurity Framework shall
include a set of standards,
methodologies, procedures, and
processes that align policy, business,
and technological approaches to
address cyber risks. The Cybersecurity
Framework shall incorporate voluntary
consensus standards and industry best
practices to the fullest extent possible..9
”
ICS/NIMS history
As ICS/NIMS was forged in the hostile
environment of the wildland fire service,
it was designed to be used as a scalable
command and control system to
organize a wide array of responding
personnel and equipment to an incident.
For example, in the Oakland Hills,
California fires of 1991 (prior to the
practical adoption of ICS) a myriad of
communication snarls, lack of clear lines
of command, technical issues (different
water hose couplings) divergent
terminology, etc. worsened the fire
response and led to a near out-of-
control situation.
Interestingly, during the World Trade
Center recovery efforts post-911, it was
the protocols of ICS Incident
Management Teams (IMTs) that brought
“order out of chaos”. Prior to the
deployment of the IMT’s over-arching
response framework, individual
agencies were operating in a dangerous
non-unified, non-coordinated fashion.
9
Federal Register /Vol. 78, No. 33 /Tuesday,
February 19, 2013 / Presidential Documents, Page
11741

4. 4
For example, a private industry operator
may handle Hazardous Materials
(HazMat) as part of a manufacturing
process. In the case of a fire or spill, the
manufacturing process is relegated to a
secondary role as the chemical incident
may require a public safety response, if
there is (1) a life safety issue or a (2)
protection of property issue.
In theory, if the private-sector initial
HazMat responders speak the same
language and protocols as arriving
public safety responders (a tenant of
ICS/NIMS) the two groups
(private/public) can work harmoniously
together to achieve the common goal –
to bring the incident under control. The
private-sector responders may have a
commercial agenda to protect the
integrity of the manufacturing process
which needs to be married to the public
safety agenda to reduce loss of life and
property damage.
For these reasons (and many more) the
U.S. Occupational Health and Safety
Administration (OSHA) has mandated
the use of ICS in addressing HazMat
incidents10
.
Indeed, Sector Specific Agencies
(SSAs) have already developed Sector
Specific Plans (SSPs) that call-out
ICS/NIMS. See U.S. Department of
Homeland Security and the Emergency
Services Sector (ESS) Specific Plan;
quoted in relevant part:
10
OSHA Emergency Response, 29 CFR 1910
“..National Incident Management
System. NIMS is a system mandated by
Homeland Security Presidential
Directive 5 (HSPD-5) that provides a
consistent, nationwide approach for
Federal, State, local, and tribal
governments; the private sector; and
NGOs to work together effectively and
efficiently to prepare for, respond to, and
recover from domestic incidents,
regardless of cause, size, or
complexity…11
”
Bridging the culture clash (private
cyber experts vs. public sector)
The challenge of using ICS/NIMS in a
cyber-incident response becomes one
of moving scientific-technical experts
operating in a slow time deliberative
corporate environment into a quick time
operational action-based response (for
which ICS/NIMS was primarily designed
to accommodate). Additionally, there
are inherent conflicts from a private
operator’s perspective that are unique to
incident response. But, these conflicts
can be addressed.
The thorny obstacle that may be
impeding widespread adoption of
ICS/NIMS by scientific and technically
driven cyber security experts is the
tendency to focus on prescriptive cyber
hygiene issues to the of neglect incident
response. Focus on prescriptive cyber-
specific technology creates saturation
and immersion into technical issues not
the operational impact of the cyber
11
An Annex to the National Infrastructure Protection Plan
2010, page 86, U.S. Department of Homeland Security

5. 5
enterprise on downstream stakeholders.
Most cyber security consensus
standards are built around technology
and do not address incident response.
Training, Minimum Standards and
Exercise Development
In certain cyber-centric incidents cyber
responders may have to perform a lead
role in response management, not just
the role of a technical specialist.
Training in the structure, operation and
proper use of ICS/NIMS may provide
key skills and knowledge to cyber
responders – especially in the initial
phases of an incident.
Timely, effective and efficient interfacing
with various responders (public or
private) could be significantly improved
by personnel who have attended
simulated incident exercises. Such
exercises create the multi-disciplinary
environment that requires interaction
with multiple players.
Familiarization with the tenants of
ICS/NIMS prior to an incident will
empower responding cyber security
personnel to understand their important
role as technical specialists in assisting
other ICS/NIMS responders to
accomplish common response and
recovery goals. Open encouragement
of ICS/NIMS training by employers,
recognition of such training by
credentialing boards, and incident-
specific training and exercise programs
for cyber responders would provide
professional recognition in this space.
Summary
In sum, the lack of an organizational
incident management structure
(ICS/NIMS) embedded within numerous
industry-specific cyber security
standards is considered a gap. In order
to achieve cross-domain and
interdisciplinary cohesion in a response
activity this gap needs to be addressed
by the widespread general adoption of
the ICS/NIMS doctrine into cyber-
security incident response standards.
ICS/NIMS vocabulary, protocols,
organizational structure and processes
should be embedded within the
Cybersecurity Framework to encourage
the use of an efficient incident response
methodology to augment technical cyber
response. Such an endorsement will
provide appropriate visibility to the CIKR
community of ICS/NIMS as a viable
response framework that supports
national recovery goals in the event of a
major incident.
About the author: Dave Sweigert is a
Certified Information Systems Security
Professional, Certified Information
Systems Auditor, Project Management
Professional and holds Master’s
degrees in Information Security and
Project Management. He is a
practitioner of ICS/NIMS in his role as a
volunteer Emergency Medical
Technician and has attended more than
500 hours in ICS/NIMS related training.
He specializes in assisting organizations
in institutionalizing ICS into their cyber
response plans.