FEMA and CISA announce the release of a new, foundational cyber incident guide for emergency managers.

As the cyber threat landscape continually evolves, emergency management personnel are critical in preparing for and responding to cyber security incidents in their jurisdictions.

While they aren't required to uphold a significant level of technical expertise, they must have awareness and an incident response plan, including knowing who to engage with and how to address the issue for potential cyber-attacks.

Last week, the Federal Emergency Management Agency (FEMA), in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA), released a new guide, "Planning Considerations for Cyber Incidents: Guidance for Emergency Managers." This resource provides state, local, tribal, and territorial emergency managers with a foundational knowledge of cyber incidents to increase cyber preparedness efforts in their jurisdiction.

These past months, CISA has issued an increasing number of advisories related to Industrial Control Systems (ICS), highlighting vulnerabilities, often with available exploits, across different types of devices and sectors.

FEMA's "Planning Considerations for Cyber Incidents" emphasizes the importance of incident response planning, an area often overlooked as cyber security investment tends to skew towards prevention. In an interconnected digital world, news about Poland's railway system or Ukraine's power grid reinforces the perennial message that cyber incidents are not about "if" but "when".

Here, Global Head of Digital Forensics and Incident Response, Alejandro Rivas-Vasquez, shares his thoughts:

The release by FEMA, in collaboration with CISA, of the "Planning Considerations for Cyber Incidents" document is a positive step towards improving incident readiness. It is also an important call to action for Asset Owners and Operators to reassess their position as the cyber threat landscape evolves.

The non-technical nature of the guidance and inclusion of incident examples caters to a wider audience, and this should be welcomed by a security community that faces challenges elevating cyber risks to decision-makers. That said, the guidance needs to include considerations for cost analysis and adequate budgeting for incident response.

The guidance covers the full spectrum of issues, from potential scenarios to interdependencies, roles, and responsibilities.

The "communication considerations" section tacitly stresses an important legal challenge organizations face with numerous requirements before, during, and after an incident. Asset Owners and Operators will likely seek more clarity on this as the security community is closely following the developments concerning charges against SolarWinds and its CISO.

There is useful information and steps to help create an incident response plan. Special attention should be given to training and exercising. Asset Owners and Operators should not underestimate the recurring effort and costs required to help maintain these plans effectively.

Disclaimer

NCC Group plc published this content on 10 November 2023 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 16 November 2023 15:06:57 UTC.