State of Michigan Cyber Disruption Response Plan

Chris Christensen, J.D.

Director, Infrastructure Protection

A Comprehensive Shared Cybersecurity Plan for the State of Michigan

The Need – Why is the plan important?

The approach: Key drivers for the methodology adopted

Key outputs

Challenges encountered

Lessons learned

Looking forwards

State of the Union – 2013“... our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems.”

“... executive order... will strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security...”

President Barack Obama

February 12, 2013

The Need… Federal Mandates

Approach: Key Drivers for the Plan

Presidential Policy Directive-21: Critical Infrastructure Security and Resilience

Department of Homeland Security National Infrastructure Protection Plan 2013 (NIPP): Partnering for Critical Infrastructure Security and Resilience

Homeland Security Presidential Directive-5 (HSPD-5): Management of Domestic Incidents

Homeland Security Presidential Directive-7 (HSPD-7): Critical Infrastructure Identification, Prioritization and Protection

Homeland Security Exercise and Evaluation Program (HSEEP)

NIST Publication 800-55 Rev. 1, Security Measurement Plan

National Governor’s Association – 2013

“Attacks on our personal safety and economic security through the Internet continue to grow and expand. Michigan is taking a leadership role with regard to protecting the vulnerable ecosystem in the cyber world, and in accelerating the economic development and growth of the cybersecurity industry.”

Governor Rick Snyder

September 26, 2013

The Need… State Mandates

The Need… Being Prepared for the Worst

Proverb:

“By the time you hear thunder, its too late to build the Ark.”

“There are two kinds of big companies in the United States. There are those who have been hacked… and those who don’t know they’ve been hacked.”-James Comey, FBI Director

According to a report released by IBM and the Ponemon Institute, the per-record cost of a data breach reached $154 this year, up 12 percent from last year's $145. In addition, the average total cost of a single data breach rose 23 percent to $3.79 million.

May 27, 2015Ponemon: Data breach costs now average $154 per record...

www.csoonline.com/.../ponemon-data-breach-costs-now-average-154-per-r...

CDRT MembershipThe CDRT internal structure follows ICS principles, with the Chair and Co-Chairs appointing a CDRT lead to act in the incident commander role. CDRT membership will fill Planning, Operations, Logistics, and Finance roles, as needed and as appointed by the CDRT Lead.

The Need… Breach Frequency

Source: Symantec Internet Security Threat Report (ISTR), 2014

Approach

4 month project to collect insights and process information from key stakeholders

Leveraged the experience of a large security company’s incident response personnel to aggregate data and write plan

Individual and joint meetings with stakeholders with iterative feedback points to ensure accuracy and practicality

Based on federal and state best practices and mandates fused with best practices in cybersecurity incident response

Tabletop exercise – simulation exercise to train and rehearse for real life scenarios

Early Detection and Rapid Response

Key Outputs

Comprehensive plan for coordinated response to a cyber incident

Coordination and communication annex for streamlined emergency communication between multiple agencies and public/private partners

Defined roles and responsibilities of entities

Preventative measures

Expedited detection and analysis of issue

“Play by Play” instructions on key tasks and actions required to mitigate damage, spread of incident and expedite remediation

Training plan

Risk assessment

Post-incident analysis

Lessons Learned

Know and understand your cyber security ecosystem

Under-communication and assumptions are your enemy

Know and understand the formal (and informal) roles of those who need to be involved

Facilitate (and insist) on input upfront from stakeholders in the plan-creation process (as opposed to it coming at the 11th hour)

Assume unforeseen impediments and scope creep

Leverage collaborative document sharing tools

Once the tool is created, you have to implement it, practice it, validate it and continually improve it

Response Levels and Anticipated Engagement Activities

Coming soon!

Michigan Cyber Disruption Plan

Chris Christensen, Infrastructure Protection

Questions…