Cyber Security - Readiness and Emergency Management for ...


U.S. Department of Education
Office of Safe and Drug-Free Schools
Emergency Management for Higher Education
FY 2009 Final Grantee Meeting • Philadelphia, PA • August 5 – 6, 2010

Cyber Security

James A. McGee, MS
Security Consultant
The University of Southern Mississippi
National Center for Spectator Sport Safety and Security (NCS4)
118 College Drive #5193, Hattiesburg, MS 39406
Phone: (601) 266-6734  Email: James.A.McGee@usm.edu

James A. McGee, MS has twenty-five combined years of law enforcement experience, twenty-one years as a Special Agent with the Federal Bureau of Investigation (FBI) and a Master of Science in Criminal Justice from Virginia Commonwealth University, Richmond, Virginia. His experience includes ten years in criminal justice administration and project management as an FBI Supervisor. In addition, Mr. McGee has sixteen years of experience addressing international security issues, counterterrorism investigations, crisis management, critical infrastructure protection/risk assessments, and homeland security initiatives. He is currently employed as a Security Consultant with The University of Southern Mississippi National Center for Spectator Sport Safety and Security and as an Adjunct Professor with the Tulane University Department of Homeland Security Studies. Mr. McGee frequently teaches for the United States Department of State Anti-Terrorism Assistance Program. Further, he has been designated as an expert witness in security issues regarding critical infrastructure protection, specifically venues of mass gatherings of people.


Cyber Security
FY 2009 EMHE Final Grantee Meeting
Philadelphia, Pennsylvania
August 5-6, 2010
Presented by: James A. McGee – National Center for Spectator Sport Safety and Security (NCS4)


OVERALL GOAL
• To review, improve, and fully integrate campus-based emergency plans at The University of Southern Mississippi into a seamless, all-hazards emergency management plan that is communicated to, and practiced by, its faculty, staff, and students.


Planning
• Identify and understand all threats, risks, and hazards to the USM campus communities.
• Develop an integrated, all-hazards emergency management plan that is NIMS compliant and comprehensive.
• The emergency management plan and personnel will meet the emergency management-related needs of persons with disabilities and special needs.


Taskings
• Organize Working Groups based on subject matter expertise.
• Each Working Group will gather relevant plans from the USM and local Emergency Response community.
• The plans will be reviewed and improved as needed.


Training
• An informed, practiced, NIMS-compliant staff that is well-prepared to handle emergency management duties.
• The campus community will understand its role and responsibilities in emergency management.


Exercises
• Tabletop (TTX) – Scenario driven to test plans and enhance campus awareness of roles and responsibilities during an emergency. Conducted in a round table setting.
• Three TTXs beginning Fall 2009. Variety of scenarios targeting different communities on campus.


Exercise Challenges
• Select and confirm a proposed date for the TTXs to be delivered at USM.
• Who will be invited to attend?
• Does a USM Plan currently exist?
• The need for a USM Plan to be in place so that it can be tested during the TTX.


Table Top Exercises
Delivery dates:
• TTX I – Pandemic Scenario (01/31/2010)
• TTX II – Cyber Security (03/09/2010)
• TTX III – Severe Weather/Special Needs Community (08/11/2010)


TTX Content/Logistics
• Exercise Scenario Development
• Situation Manual (SITMAN); Facilitator/Participant Guides
• Exercise Rules
• Exercise Objectives
• Exercise Schedule/3 hour duration
• 3 Modules/Scenario Injects
• PowerPoint Delivery


Cyber Security Exercise Rules
• Scenario depicts a plausible cyber security event
• No trick questions or “hidden” agendas
• Players have no previous knowledge of the scenario, and will receive information at the same time
• Players will respond using existing plans, procedures and other response resources
• Decisions are not precedent-setting and may not reflect your organization’s final position on a given issue


Exercise Objectives
• Examine the capabilities of USM to prepare for, protect from, and respond to the effects of cyber attacks.
• Exercise senior leadership decision making and interagency coordination of incident responses in accordance with the USM Cyber Response Plan.
• Validate information sharing relationships and communications paths for the collection and dissemination of cyber incident situational awareness, response, and recovery information.
• Exercise intra-governmental (Federal-State) coordination and incident response.
• Identify policies/issues that hinder or support cyber security requirements.


Exercise Objectives (Cont'd.)
• Identify public/private interface communications and thresholds of coordination to improve cyber incident response and recovery, as well as identify critical information sharing paths and mechanisms.
• Identify, improve, and promote public and private sector interaction in processes and procedures for communicating appropriate information to key stakeholders and the public.
• Identify cyber-physical interdependencies of infrastructure with real-world economic and political impact.
• Raise awareness of the economic and national security impacts associated with a significant cyber incident.
• Highlight available tools and technology with analytical cyber incident response and recovery capability.


Cyber Security Scenario
The exercise simulates a sophisticated cyber attack campaign through a series of modules directed against critical infrastructures. The intent of these modules is to highlight the interconnectedness of cyber systems with the physical infrastructure and to exercise coordination and communication between the public and private sectors.


Cyber Security Scenario (Cont'd.)
The exercise is a simulated event with no real-world effects on, tampering with, or damage to any critical infrastructure. While the scenario is based on hypothetical but possible situations, it is not intended as a forecast of future terrorist-related events.

The collective modules have three major adversarial objectives:
• To disrupt specifically targeted critical infrastructures through cyber attacks
• To hinder the University’s ability to respond to the cyber attacks
• To undermine public confidence in the University’s ability to provide/protect services


Sample Scenario Injects (Cont'd.)
• Coordinated attacks on domain name servers and telecommunications router infrastructure resulted in a distributed denial of service and unreliable telephony. Users were intermittently unable to access websites, send email, and make phone calls. Victims of the attack were forced to explore alternative methods of communication during the disruptions.
• The USM Chief Security Officer (CSO) has received e-mail threats and false Amber Alerts have been broadcast. The series of suspicious events compelled the USM CSO to request activation of the State’s Emergency Operations Center.


Key Discussion Questions (Cont'd.)
• Does the university have firewalls and countermeasures in place to protect the cyber system?
• Does the university plan to maintain educational operations in the case of a large-scale cyber attack? If so, what plan is in place for maintaining continuity of instruction/business?
• Does the university have established communication protocols with community and emergency response partners during a massive cyber attack?
• What is the university’s plan to communicate with media for latest information dissemination?
• What is the university’s plan to communicate with emergency response partners during a cyber attack of this nature?


Exercise Debriefing Questions
• Does the USM emergency management plan adequately address key issues, such as faculty and staff training in the event of a cyber attack?
• What problems did you identify in the emergency management procedures that could hinder emergency management efforts associated with a cyber attack?
• Does the USM emergency management plan adequately address key issues faced during a cyber attack, including continuity of business operations (e.g., payroll) and student accounts?


Exercise Debriefing Questions (Cont'd.)
• Do the USM emergency management procedures properly coordinate communication as an emergency response activity among colleges, students, faculty, staff, and community and emergency response partners during a cyber attack? In your opinion, what can be done to improve communication during an emergency situation such as the cyber attack scenario presented in the exercise?
• Does the emergency management plan include partnerships with local and regional partners ensuring service and support during a cyber attack?
• In what ways were/will parents be engaged as stakeholders during the response to a cyber attack?


Exercise Debriefing Questions (Cont'd.)
• Is there adequate support for students, faculty, and staff before, during, and after a mass cyber attack? If not, what activities and partnerships did the team identify to enhance assistance to faculty, staff, and students?
• Overall, what activities hastened recovery of the USM cyber system? What strategies prevented a greater prevalence of disruption? What are lessons learned for responding to future cyber attacks? What activities were the most helpful for recovering from the cyber attack?
• What activities or processes were identified as gaps or weaknesses and will be addressed in future efforts?


Lessons Learned
• Identify a critical time period after which data loss and malfunction of specific systems would be catastrophic, and develop a contingency plan that addresses continuing university academics and business operations in the event of a cyber outage.
• Recognize if there is no formal communication plan with other universities for this type of scenario, and work to develop one.
• Conduct an informational campaign so students and staff know where to go to get information during an emergency, and establish emergency communication procedures and back-ups in the event of an outage, including:
  • An off-campus web site that is updated by a third party.
  • A phone line that can be called for up-to-date information.


Lessons Learned (Cont'd.)
• Conduct training across campus for students, faculty, and staff around the following topics:
  • The dangers of a cyber outage, especially considering the extent of dependency on computers and networks, and the widespread effects one would cause.
  • How cyber breaches can be prevented (e.g., antivirus software), and awareness that any machine, not just servers, can be compromised and used to mount a system-wide attack.
• Conduct a vulnerability assessment for the existence and location of classified research data on campus.
• Develop standard policies and procedures for servers across campus, especially those outside the IT department’s control.
• Consider developing a university working group to address cyber outage issues.


Cyber Security TTX
• Available via the Readiness and Emergency Management for Schools (REMS) Technical Assistance (TA) Center
• Facilitator/Participant Manuals
• TTX PowerPoint


Questions
