The Texas National Guard dispatched six-person teams in fully equipped vans to the 23 locations struck by the ransomware to assist in recovery from the attack. Texas CISO Nancy Rainosek does not have the authority to call upon these specialized teams to assist, Kimbriel added. The only way to activate the state military cybersecurity response units is through the state operations center.
“If you don’t have the disaster declaration and if you don’t have that state operations center function in place, you cannot get that organization dispatched,” Kimbriel said.
Within 24 hours, the state identified all but one of the ransomware victim organizations. Within 72 hours, responders eradicated all ransomware and were in the process of recovery. Within a week, the recovery was complete, Kimbriel said.
BECOME AN INSIDER: Gain exclusive video coverage of the NASCIO 2019 when you subscribe to StateTech.
Cybersecurity Response Plan Depended on Tested Partnerships
Once the governor activated the state operations center, officials activated the state cybersecurity incident response plan, Kimbriel said. Rainosek led an update of that plan only a few years ago.
The state operations center was activated within eight hours of the first report of an incident, Kimbriel recounted. Rainosek was among the officials who went to the state operations center to coordinate the cybersecurity response.
“We did exercises with [the military] and spent a week on contracting and with the lawyers,” Rainosek said, speaking at the NASCIO 2019 conference.
The state participated in a cybersecurity exercise last year in Houston. “We worked with them for about a year to plan this tabletop exercise. It was three days, and we learned a lot from that,” Kimbriel said.
The exercise simulated a cyberattack at the Port of Houston during a hurricane. An attack on the port would cripple the state’s defensive posture and its ability to resupply, Kimbriel said.
At the county level during the exercise, federal and state officials witnessed local leaders mount an effective response because of their personal relationships and agreements to commit resources. At the federal level, such an effort may have required a memorandum of understanding drawn up by lawyers, he added.
“We learned at the county level that it’s who you know, the personal network of these people who are so passionate about first response, that allows things to happen,” Kimbriel said.
The Texas Department of Information Resources met with the Texas Military Department over two years to finalize plans and agreements, which proved vital in the recent ransomware response, Rainosek said. An established managed security services contract also provided strong incident response services, she said.
In addition, Dell stepped in after the attack to offer local Texas governments the opportunity to replace their hardware at a significant savings, Rainosek noted.
Check out more articles and videos from StateTech’s coverage of NASCIO 2019 conference here.