Oct 01 2021

How to Create an Effective Incident Response Plan

A well-structured strategy can help state and local government agencies address data breaches and other issues they experience.

When a cyber incident occurs, quickly discovering it — and shutting it down — is crucial. Having an incident response plan in place can help position state and local governments to swiftly react and gauge an attack’s effect.

A survey from the International City/County Management Association released in July found that 57 percent of governments had fully adopted incident response, disaster recovery or business continuity plans, while 35.7 percent had partially adopted them and 7.1 percent had not adopted one.

“There was a time when local governments didn’t even know if they were attacked and their system was shut down. Who do we even call? Is it the FBI, the National Guard, a local sheriff’s department?” says Tad McGalliard, director of research and development at ICMA.

“Whether or not there’s been an increased number of developed plans in response to previous or pending attacks, or just doing some mitigation work, certainly many local governments have a much higher awareness they’re likely to get attacked by a bad cyber actor at some point,” he says.


What Is Incident Response Planning in Government Cybersecurity?

The National Institute of Standards and Technology’s Computer Security Incident Handling Guide notes that large entities with major computing resources in distant locations may benefit from having incident response teams that are responsible for particular segments, while a central response team can be an effective model for smaller organizations.

Some municipalities, however, may not have the infrastructure to support either.

In recent years, several states have launched efforts to share cyber incident response resources between regions. In 2018, for instance, the North Carolina Joint Cyber Security Task Force, involving the state’s Department of Information Technology, the North Carolina National Guard’s cybersecurity team and other government agencies, was established — which Rob Main, interim state chief risk officer for North Carolina, says has created an “all-hazards framework around cybersecurity incidents.”

“We’re not looking at these as isolated incidents that are outside the scope of the established emergency management structures in North Carolina,” Main says. “We can bring the full breadth of emergency management resources to the affected entity — communication protocols, everything that you might imagine that would be brought to bear in a hurricane.”


What Are the 5 Steps of Incident Response?

NIST suggests that organizations structure incident response around several stages: preparation, including creating a response team; incident detection and analysis; containment, eradication and recovery; and post-incident activity, such as issuing a follow-up report on the recovery progress.

The specific response to a cyber incident, however, can vary based on a number of factors, according to Shaun Rahmeyer, administrator for the Nevada Department of Public Safety’s Office of Cyber Defense Coordination, which was founded in 2017 to help Nevada counties and incorporated cities, school districts and other entities develop strategies to prepare for and mitigate cyberthreat risks.

“The type of threat and the level of attack is going to dictate the response,” Rahmeyer says. “There are just so many unknown factors that no one can really pin down exactly how we’re going to respond every single time.”

Even allowing for that need for flexibility, many agencies rely on a predetermined framework to address cyber incidents as they unfold.

The North Carolina Joint Cyber Security Task Force, for instance, begins its incident response process after receiving a notification about anomalous behavior via email, phone or an online form submission. The task force then contacts the affected local government agency and typically can begin assessing the impact of the incident the same day, according to Main.


The next step involves a scoping call, which brings together leadership from the affected local government, parties such as its IT director or CIO and county manager, members of the task force and potentially representatives from federal agencies such as the FBI. If any health and human services-related activities might be affected, the North Carolina Department of Health and Human Services’ Privacy and Security Office is also brought into the conversation.

The call is followed by threat hunting and forensic work, and by sharing the resulting indicators of compromise with other state and local government partners so they can take steps to ensure that they are not also targeted.

Once those efforts are complete, the task force begins rebuilding the network, reimaging endpoints and hardening the infrastructure — which, according to Main, can take weeks or months, depending on the depth of the impact.

“We try to communicate to impacted local governments that slow is actually fast,” he says. “A slow, methodical, measured and thoughtful incident response and recovery model will lead to a lower likelihood of reinfection down the road than if you try to rush to get services back to operational, only to have the entity be reinfected or re-encrypted through a ransomware incident.”


How to Implement an Incident Response Plan for Government

If municipalities don’t have a formal cyber incident response plan, figuring out where to begin building one can be a challenge.

To help Massachusetts cities and towns determine what elements their plans should include, in 2020, the MassCyberCenter — created as part of the Massachusetts Technology Collaborative public agency in 2017, in part to foster cybersecurity resiliency within the commonwealth — hired a consultant to host structured incident response planning workshops for different regions, says Stephanie Helm, the center’s director.

The virtual programs covered basic planning points, such as who’s typically involved in incident response plans and what they contain, and provided a plan template and checklist.

“We did five of those workshops, so everybody had the same basic materials,” Helm says. “Then, we took a pause for a couple of weeks and came back and said, ‘So what are your questions? How far along have you gotten? Is there anything we can do? Let’s do a quick tabletop: Think about what would happen if you came in this morning and you didn’t have access to your system. What would you do? Is your plan helping you?’”

With numerous groups contributing to a cyber incident response, the North Carolina Joint Cyber Security Task Force has found that using a responsibility assignment diagram clarifying the involved parties’ roles helps keep incident response efforts organized, Main says.


“The chart identifies who’s accountable and who should be made aware of particular activities,” he says. “That is the most valuable component, because it helps keep parallel lines of effort trying to achieve the same goal from conflicting with each other.”

If a state or local government outsources its incident response plan to a consultant, Helm strongly suggests they take ownership of the plan once they receive it.

“You don’t want to just write a check and let somebody deliver a plan, then put it on the shelf,” she says. “Because when these incidents happen, they’re so devastating to the operation of a town. There’s the concern about employees, what public safety and security services might be compromised. You don’t want to be opening up somebody else’s report and reading it. You want to know what the expectation is, who’s going to make those decisions, what the priority is.”

A similar approach can apply, she says, if a municipality is relying on its cyber insurance provider to help it react to a cyberattack.

“If you have an incident, it may require you to use their preapproved vendor,” Helm says. “Find out if that’s the case with your policy, because I’ve heard horror stories where it took 48 hours before they could even get somebody approved to come look at their system. You want to be knowledgeable that this is the person you can call immediately if you’ve got a problem.”


Best Practices for Maintaining a Cybersecurity Incident Response Plan

Once a plan has been put in place, conducting related hands-on activities, such as tabletop exercises, at least once a year can help build familiarity with the involved steps and ensure the approach is practical.

Main recommends involving all stakeholders in the organization, such as the county manager when working with a county, among others.

“You would want all of the administrative staff — a representative from HR, the legal team and your operations folks — because an entire organization can be affected,” Rahmeyer says. “So, you’re going to want all those key players and influencers to be involved. Even if it’s just in an awareness role. They’re not necessarily going to be the ones punching the buttons on the keyboard, but it’s great to have people who can message back to their individual departments or offices so everybody knows what to do.”

Communication can be critical during an attack, yet the methods organizations typically rely on, such as email, may not be available. This is why Rahmeyer says it’s important for the plan to include a provision for how staff will stay in contact.

“If you’re locked out of the system, is something in place to be able to let everyone know what’s going on?” he says.

Once an attack has occurred — or ideally, long before — thoroughly examining a government’s security controls and monitoring capacity can also be beneficial.

NIST’s guidelines suggest holding a meeting with all involved parties after a major incident to discuss what lessons have been learned, which can enable state and local governments to improve security measures and their incident response processes. Organizations that provide assistance during cyberattacks, like the North Carolina Joint Cyber Security Task Force, may also be able to help.

“There are a lot of well-intended, skilled IT professionals in counties, but the resources may not be available to stand up next-generation capabilities that will provide the greatest amount of protection,” Main says. “The task force doesn’t just have reactive capabilities; we also have capabilities in the identify and protect areas within the cybersecurity framework — educating local jurisdictions, providing assessment services, helping them identify where their gaps are and providing a corrective action plan for that local government to close those gaps.”
