Houston Regional Cyber Disruption Planning Workshop II September 10, 2014 Harris County Department of Education.


1 Houston Regional Cyber Disruption Planning Workshop II September 10, 2014 Harris County Department of Education

2 Agenda
8:30 AM – 9:00 AM: Registration
9:00 AM – 9:15 AM: Welcome and Opening Remarks
9:15 AM – 10:00 AM: Introduction and Review of the Cyber Disruption Response Planning Tool
10:00 AM – 12:00 PM: Jurisdictional Cyber Disruption Response Plan Workshop
12:00 PM: Meeting Adjourned
1:00 PM – 3:00 PM: Planning Staff Available for Technical Assistance in Plan Writing

3 Welcome and Opening Remarks

4 Cyber Disruption Readiness Assessment Tool

5
• Designed to:
  – Help your organization recognize areas where sufficient cyber capabilities exist
  – Provide information to improve capabilities in less developed areas
• Tool includes a checklist report of to-do items organized by the effects of a disruption

6 https://www.cyberdisruptionplanning.com/

7 Jurisdictional Cyber Disruption Response Plan Building Kevin O’Shea

8 Cyber Disruption Planning
• Cyber Disruption Teams (CDTs) serve as a panel of experts that can advise the IC and/or executive management during a disruption event where the cyber infrastructure is affected
• CDTs can coordinate preparedness, response, and recovery activities for disruptions of cyber networks and systems
• Each jurisdiction should consider developing a CDT and associated plan

9 Cyber Disruption Teams
The CDT is a key resource for understanding:
  – The nature and potential durations of cyber disruptions
  – The effects of cyber disruptions on life safety, critical cyber assets, and other key response activities
  – The potential resource needs of IT personnel and agencies to maintain, protect, and re-establish operations

10 Putting Together a Cyber Disruption Plan
• A Jurisdictional Cyber Disruption Plan provides a framework to assist the CDTs in planning and response activities
• The exact makeup of the CDT will be determined by each jurisdiction
  – “Core Members” of the CDT should be composed of key representatives from the Emergency Management, Information Technology, and Law Enforcement communities
  – “Associate Members” are subject matter experts and have knowledge of critical cyber infrastructure. They should be drawn from other government agencies, healthcare, education and the private sector.

11 JCDRP: Purpose
The Jurisdictional Cyber Disruption Revision Plan (JCDRP):
• Provides a management framework to coordinate activities related to a large-scale or long-duration cyber disruption
  – Preparedness
  – Response
  – Recovery
• Establishes a Jurisdictional Cyber Disruption Team

12 JCDRP: Scope
• JCDRP provides a framework to:
  – Coordinate intra-jurisdictional cyber preparedness, response, and recovery activities
  – Coordinate with other CDTs locally and regionally
• Works in conjunction with established IT security policies and procedures
• Provides an expanded description of EM’s role with respect to large-scale cyber disruptions

13 Breakout Session
• What is your vision of the CDT right now?
• How do you see the CDT working in your jurisdiction/agency?
Use Worksheet #1 to help craft your JCDRP

14 JCDRP: Role of the CDT
• A CDT is a specialized group composed of representatives and subject matter experts who:
  – Help executive management/Incident Command understand the nature and potential duration of a cyber disruption
  – Help EM staff determine the effects of cyber disruptions
  – Help IT staff identify the potential resource needs to maintain, protect, and re-establish operations following a cyber disruption

15 JCDRP: Role of the CDT
• Preparedness activities may include:
  – Identify threats and vulnerabilities to IT networks
  – Identify actions (plans, procedures, hardening measures, etc.) for mitigating threats and vulnerabilities
  – Communicate with other jurisdictional CDT representatives to exchange best practices and information pertinent to preparing for cyber-related incidents

16 JCDRP: Role of the CDT
• Response activities may include:
  – Monitor events and share information among other CDTs that may indicate a regional catastrophic cyber incident
  – Provide other CDTs with situational awareness and assistance as necessary and possible
  – Provide situational awareness, subject matter expertise, and potential solutions for an Incident/Unified Commander & general staff

17 JCDRP: Role of the CDT
• Recovery activities may include:
  – Work with affected system to determine resources needed to restore operations to a normal state
  – Track restoration efforts and provide the IC/UC’s operations staff with estimated and actual times to full restoration
  – Conduct internal and external CDT after-action reviews following an incident

18 Breakout Session
• What role will your CDT play in the event of a cyber disruption?
• Where does your CDT fit into any response structures already in place?
Use Worksheet #2 to help craft your JCDRP

19 BREAK

20 JCDRP: Cyber Disruption Teams
CDT Membership
• Membership of each jurisdictional CDT is determined by each individual jurisdiction
• CDT membership should include representatives from:
  – Emergency management
  – Key IT agencies within the jurisdiction
  – Other key public and private organizations, as necessary

21 JCDRP: CDT Membership
CDT Membership
• A chairperson & vice chair will be appointed to oversee activities and communications of the CDT
• “Core Members” of the CDT should be composed of representatives from EM, IT, and law enforcement
• “Associate Members” should be drawn from other local, state, and federal government agencies, as well as the private sector
  – Provide additional subject matter expertise & knowledge to the CDT

22 JCDRP: CDT Membership
CDT Membership
Organization: Examples
  – Emergency Management Organizations: EM Coordinator, Operations Section Chief, Communications Lead
  – Information Technology Organizations: DoIT Management, CIO, Chief Information Security Officer
  – Law Enforcement Agencies: Cyber Crimes Unit members, Joint Terrorism Task Force members, Intelligence Center representatives
  – Federal Entities: U.S. Dept. of Justice, FBI, NSA, Dept. of Homeland Security, FEMA
  – Regional and National Entities: State fusion centers, U.S. Computer Emergency Readiness Team, Multi-State Information Sharing and Analysis Center
  – Private Sector: Verizon, Comcast, AT&T; oil-gas industry representatives; power sector representatives

23 Breakout Session
• Who should be a part of your CDT?
• Who should lead the Team?
• Core vs. Associate members
Use Worksheet #3 to help craft your JCDRP

24 JCDRP: Cyber Disruption Teams
CDT Organization
• Each CDT must have an internal structure and responsibility hierarchy to be successful
• It is recommended that the CDT organizes itself into an ICS-compatible structure
  – The chair/vice chair will appoint a CDT Lead to act in the Incident Commander role
  – CDT members will fill Planning, Operations, Logistics, and Finance roles, as needed and as appointed by the CDT Lead

25 JCDRP: CDT Organization

26 Breakout Session
• How should your CDT be organized?
• Where does your CDT fit into established response structures?
Use Worksheet #4 to help craft your JCDRP

27 JCDRP: CDT Activation
CDT Activation Triggers
• It is recommended that hardline thresholds NOT be established for CDT activation
  – If activation is delayed because a prescribed threshold has not been met, the event may get out of control before critical information is shared across CDT memberships and between CDTs

28 JCDRP: CDT Activation
CDT Activation Triggers
• The following are examples of events that would likely cause a CDT activation:
  – Major disruptions of power grids in the region
  – Threat to or widespread loss of communications and data networks (e.g., Internet, mobile/cellular)
  – Significant cyber incidents
  – Physical damage to a critical cyber asset

29 JCDRP: CDT Activation
• The chairperson will send notifications to the appropriate CDT members in accordance with the developed CDT Communications Plan
• Cyber Disruption Incident Reporting Form will be completed by the agency that initiates the meeting/call and distributed prior to the meeting/call
• The CDT will discuss the topics in the Cyber Disruption Team Standard Meeting/Call Agenda as well as other pertinent questions
• The chairperson initiating the call will appoint a scribe to record the issues discussed at the meeting using the Standard Meeting/Call Note-taking Template

30 JCDRP: CDT Operations
• The CDT chairperson will be the primary decision-maker on behalf of the CDT and direct CDT efforts by:
  – Identifying and communicating the role of the CDT within the larger response effort
  – Developing objectives, goals, and mitigation strategies
  – Setting operational periods to organize resources and measure effectiveness
  – Assigning staff to consultation, mitigation, or corrective response and recovery roles

31 Breakout Session
• What events will trigger CDT activation?
  – High threshold vs. low threshold
• What will your CDT activation look like?
• How will the Team make decisions?
Use Worksheet #5 to help craft your JCDRP

32 JCDRP: CDT Communications
• Internal Communications
  – CDT Activation Notification
    Primary: SendWordNow
    Secondary: Direct phone/text
    Tertiary: Alternate phone
    Quaternary: Physical notification
  – Post-Activation Communications
    Each CDT meeting should conclude with the date, time, location, and primary, secondary and alternate communication provisions for the next meeting

33 JCDRP: CDT Communications
• External CDT Communications
  – Multi-Jurisdictional CDT Communications
    If an incident exceeds the resources of a single CDT, multi-jurisdictional coordination between CDTs may be required
    Multi-jurisdictional CDT communication systems will likely be used for obtaining situational awareness of potential incipient circumstances

34 JCDRP: CDT Communications
• External CDT Communications cont.
  – Multi-Jurisdictional CDT Communications
    Any chairperson of a CDT, or their designee, may initiate communication between multiple CDTs
    The initiating chairperson will send notifications to the appropriate CDT members and/or chairpersons of other CDTs to participate in a conference call by means of email, telephone, radio, satellite phone, or physical runner

35 JCDRP: CDT Communications
• External CDT Communications cont.
  – Multi-Jurisdictional CDT Communications
    The initiating chairperson will be the communications facilitator
    The initiating chairperson will provide a scribe to record the details of the meeting. The scribe should provide notes within one hour via email or fax.

36 Breakout Session
• How will your CDT communicate internally?
• How will your CDT communicate externally?
Use Worksheet #6 to help craft your JCDRP

37 JCDRP
• Section 5: Training & Exercises
• Section 6: Plan Maintenance
• Section 7: Authorities and References
• Section 8: Contact List for Participating Agencies/Orgs
• Section 9: CDT Incident Action Plan
• Section 10: Cyber Disruption Incident Reporting Form
• Section 11: Standard Meeting/Call Agenda
• Section 12: Standard Meeting/Call Note-taking Template

38 Breakout Session
• Has your vision of the CDT changed?
• Ultimately, what do you see as the CDT’s role?
Use Worksheet #7 to help craft your JCDRP

39 Closing Remarks Kevin O’Shea

40 Closing Remarks
• Cyber Disruption Readiness Assessment Tool: www.cyberdisruptionplanning.com
• Next Workshop: November 18th
• Planning staff available for technical assistance in JCDRP writing until 3 PM
• Final Questions?

41 THANK YOU

