Developing a Cyberattack Curriculum to Improve Emergency Response

A disgruntled city employee hacks into a public utility’s computer systems and over-chlorinates the local water supply. Area residents begin to complain about skin irritation and burning eyes, and the tap water becomes unsafe to drink.

This is only a theoretical scenario. It didn’t really happen.

But say it did. The city activates its emergency operations center. During disasters, and other emergency incidents, city- and state-run centers such as these act as central hubs for the information that gets shared between agencies and with the public, and for dispatching resources to aid response efforts. But, unlike a blizzard or an earthquake, the emergency with the water supply stems from a cyber-attack.

As a response unfolds, what role would the local government’s information technology staff have in the emergency operations center?

How will they work with emergency managers and representatives from other departments to resolve the situation? Do the IT staff know the center’s communications protocols, so they can forward the right information, to the right people, at the right time? Do emergency managers have a basic understanding of the language used to discuss cybersecurity and IT?

A newly developed course, which was piloted for the first time in Utah in late January, is designed to address these sorts of issues.

The course is meant to provide a better understanding of how traditional emergency operations staff, and their IT counterparts, can most effectively work together in the event that a cyber attack harms critical infrastructure, or has other physical consequences.

“What we’ve found across the U.S. is that the connection between the IT folks and the emergency operation center folks, or emergency management folks, doesn’t happen on a consistent basis,” Tony Crites, program director for preparedness programs at Texas A&M Engineering Extension Service, or TEEX, said during a recent phone interview.

TEEX is part of the National Cybersecurity Preparedness Consortium, a partnership among five universities. The consortium looks to provide research-based training, exercises and technical assistance, related to cybersecurity, to local governments, states and private industry.

In 2014, the Federal Emergency Management Agency awarded the group a grant to develop the recently-piloted course. TEEX took the lead putting together the curriculum.

Titled “Cybersecurity Incident Management and Response,” the course is 24 hours and is spread out over three days.

Day one is lecture-based. It’s intended to familiarize people that have emergency management backgrounds with IT and cybersecurity issues, and to expose IT professionals to the world of emergency management. Some of the topics that get covered include phishing scams, and emergency operations center management.

On the second and third days of the course, participants work through hands-on scenario exercises. In Utah, one of these exercises was the over-chlorinated water scenario. Another involved an employee who intentionally shuts down power utilities during an ice storm. Neither scenario had actually happened in the state.

“What we want to do is go out and say: ‘OK folks, if it does happen, here are some of the resources that you have in your communities to effectively manage this type of event,'” Crites said.

Incident simulation software known as the Emergency Management Exercise System is used for the scenario exercises.

Participants in the first pilot course were employees with the state of Utah.

The next pilot offering will be in Warwick, Rhode Island during March, according to Crites. The course will be conducted for Rhode Island’s state government and FEMA evaluators will be there to review the class and offer feedback.

TEEX will then work to incorporate the feedback from the evaluators into the course curriculum.

After that, the curriculum will have to get certified by FEMA. Once the certification is completed, the course can be offered nationwide. Roughly 32 to 40 participants are needed for the class, Crites said, and there are 10 instructors.

Christopher Bramwell is an IT security manager at the Utah Department of Human Services. He participated in the pilot course when it was held in the Beehive State last month.

“They educated us on the emergency operations center. How that operates. How communication should occur. Even how to set it up. What are the different EOC models,” Bramwell said. “I had never learned that before. I knew some of the basics, but not the details that they went into, or the theories and models behind it.”

As for specific takeaways, he said that learning the mechanics of how information gets shared in an emergency operations center was especially useful. “In security scenarios we’ve run into, information sharing and proper communication is by far the biggest hinderance of actually getting information to the proper people and making decisions,” Bramwell noted.

Mark Coon, an emergency planner with the Utah Division of Emergency Management, also attended the pilot course. “I think it was a really important class,” he said.

Utah’s Division of Emergency Management has had various cybersecurity-related efforts underway for a while now, according to Coon.

But when it comes to how the emergency operations center functions, he noted: “We’ve never operated it with the cyber folks, and taken those guys into consideration, and tried to learn about their concerns and where they fit into the whole process.”

“Everyone has a place inside that room,” Coon said. “Having the cyber table in there, and having the cyber folks in there… I thought really, probably broke down some barriers.”