Incident Command System for Industrial Control Systems (ICS 4 ICS)

Main Stage

Since the 1970s, federal, state, and local emergency managers and first responders have used a nationwide framework called the National Incident Management System (NIMS), which follows a common structure called the Incident Command System (ICS). Within this structure, first responders from one locality or state can be deployed to support mutual aid agreements, falling in seamlessly with new team members and leadership thanks to the common response structures, roles, and training requirements defined therein. Today, national coordination of this system is led by the Department of Homeland Security, the same department responsible for the protection of Industrial Control Systems (i.e., NCCIC).

Imagine if a similar structure were in place for cyber, especially ICS cyber, where lives and safety could be at stake. Imagine a role such as a cyber incident commander with support staff consisting of Operations, Planning, Logistics, and Finance Sections. Under that structure would sit individuals whose training is continually assessed against a defined level, for example an Incident Responder Type III (signifying a person at the highest category of training) or a Reverse Malware Engineer Type I (signifying a person at the basic level of training). Within these team structures you could have mixed teams of assets called in to perform a specific task, called a, you guessed it, Task Force. Similarly, a group of like assets designed to do one type of task at large scale would be called a strike force.

The goal of ICS is scalability along with common leadership and organizational structures. It is not rocket science, but it does ensure standardization, effective use of limited resources, and a bit of common sense when it comes to developing action plans for responding to complex incidents. Once trained, individuals can be brought in to support responses across organizations, governments, and even nations. Could we do the same for cyber? ICS Cyber? Is typing the resources a good place to start?

It might just make sense for the private sector to be able to speak the same language of response as its government counterparts, should either side end up in a position needing surge capacity.

Detection & Response Strategy