Incorporating Cybersecurity Into Emergency Preparedness Programs
Introduction
As society’s dependence on technology intensifies, the shadow of cyber threats grows larger and more sinister. Cyber attacks are no longer a matter of "if" but "when," and their sophistication, frequency, and impact are escalating at an alarming rate. From crippling ransomware incidents to data breaches, governments and critical infrastructure owners are increasingly becoming the target of cyber attacks that have debilitating effects on security, economic stability, public health and safety, or any combination thereof. Notable incidents such as the Colonial Pipeline cyberattack, which caused widespread fuel shortages, and the surge of ransomware attacks paralyzing city governments across the nation, stand as stark reminders of our vulnerabilities.
Emergency management agencies, which have long been responsible for managing the response to natural and man-made disasters, must now adapt to address cyber threats. These incidents, while not caused by physical damage, have profoundly real impacts on the safety of our communities and are potentially catastrophic. It is imperative that agencies develop cyber readiness strategies that enhance resilience against these emerging digital risks.
Gaps in Cyber Readiness
Despite the escalating cyber threats our communities face, a gap exists between the current state of preparedness and the readiness level a community needs to withstand and recover from cyber incidents.
This difficulty is highlighted in recent government reports which reveal a worrying trend. According to FEMA's 2022 National Preparedness Report, the majority of communities identified cyberattacks as one of their top concerns.[1] 70% of these communities acknowledged that a cyberattack would severely challenge their capabilities, and 62% recognized it as their most stressing threat or hazard type, marking it as the most frequently identified and most concerning threat of the year. Further underscoring this concern, the 2021 National Preparedness Report observed consistent trends over several years (2013–2017) showing that communities consistently report lower capabilities in cybersecurity.[2]
This indicates a persistent gap in cyber preparedness. While there is an increasing awareness of the risks posed by cyber threats, many governments remain under-prepared to effectively address them. Let’s explore the reasons why this gap exists and strategies to enhance the cyber preparedness of government agencies.
Challenges Addressing Cyber Readiness Gaps
There are significant hurdles in the path of achieving comprehensive cyber readiness. Here are three recurring challenges that make it difficult for emergency management entities to address cybersecurity issues and improve their preparedness:
Challenge 1: Cyber threats are not well understood
Unlike traditional disasters, cyber threats can vary greatly in their nature and impact. One incident might target data integrity, while another aims to disrupt operations. The sheer variety of potential cyberattacks—from phishing scams to large-scale ransomware attacks—makes it difficult for agencies to prepare for every possible scenario. Moreover, the impact of these incidents can range from minor inconveniences to catastrophic failures of critical infrastructure, adding to the complexity of preparedness and response.
Challenge 2: Cyber Readiness requires a deep understanding of a community’s digital landscape
Effective cyber readiness means recognizing the interdependencies between various infrastructure systems a community relies on. For emergency management agencies, this means not only recognizing their own digital assets but also understanding the interconnectedness of community systems. The interdependencies between various infrastructures, such as power grids, transportation networks, and communication systems, mean that a cyberattack on one can have cascading effects on others. Identifying and protecting these interconnected assets is a challenging endeavor, requiring a comprehensive approach that takes into account the multiple layers of potential impact and cascading effects.
Challenge 3: Complexity of the subject makes it a hurdle for non-technical professionals
Many emergency management professionals are skilled in handling traditional disasters but may lack the specific cyber knowledge required to understand and manage cyber incidents. A lack of understanding about how cyber attacks occur and their unique response and recovery challenges can make it difficult to understand what actions to take to meaningfully improve preparedness. There's also a need to communicate these risks and response strategies in a way that is accessible to all stakeholders, including non-technical staff and the wider community.
Strategies to Improve Cyber Readiness
These challenges require a multi-faceted approach to improving cyber readiness: not just the adoption of technological solutions, but also a shift in mindset and strategy. Each of the following elements plays a crucial role in building an effective cyber readiness strategy while taking the above considerations into account.
1. Education & Awareness Building
The foundation of any effective cyber readiness strategy is education and awareness. This involves developing and delivering comprehensive cybersecurity courses aimed at both leadership and staff. These courses should cover a range of topics, including understanding the cyber threat landscape, the mechanics of cyber attacks, preparation strategies for such attacks, and integrating cybersecurity into broader emergency management programs. The goal is to cultivate a baseline understanding of cybersecurity across all levels of the organization, ensuring that everyone recognizes the importance and impact of cyber threats.
2. Embedding Cybersecurity into Planning
Integrating cybersecurity issues into emergency planning is critical to ensure that the response to a cyber incident is swift and effective. This involves updating existing emergency plans to include cyber-specific considerations, and the creation of new plans that focus solely on cyber incidents. For example, the creation of a Cyber Annex for an Emergency Operations Plan (EOP), a Cyber Incident Response Plan (CIRP), or a Business Continuity Plan can provide structured and coordinated response and recovery efforts in the event of a cyber attack. Such planning ensures that procedures exist to address a cyber incident and that all stakeholders are aware of their roles and responsibilities during a cyber incident.
3. Cybersecurity Exercises
Lastly, conducting cybersecurity exercises and simulations serves to reinforce and build upon the foundations set by the two previous steps. Exercises should simulate various cyber incident scenarios, allowing personnel to practice their response in a controlled environment and test the effectiveness of the cyber-specific plans developed. The benefits of exercises are twofold: firstly, they help identify gaps in response plans and a team's preparedness that would otherwise not be apparent until a real incident occurs. Secondly, exercises provide teams with the opportunity to gain practical experience in handling realistic cyber incidents, ensuring they're not just prepared on paper but also in practice.
Integrated Approach
Together, the elements above form a triad in which each complements and strengthens the others. Initially, an education and awareness program lays the groundwork, equipping personnel with foundational knowledge of the cyber threat landscape and its relevance to emergency management. Embedding cybersecurity elements into existing emergency plans then builds on this foundation, ensuring a structured approach to respond to cyber incidents. Finally, cybersecurity exercises provide practical, hands-on training to identify gaps and hone response capabilities.
A significant challenge in integrating these efforts is a lack of background and subject-matter knowledge about cybersecurity among emergency managers. A lack of in-depth cybersecurity expertise may lead to gaps in emergency plans, potentially overlooking critical cyber threat scenarios, or creating exercises that may not accurately replicate the nuances of real-world cyber incidents. For this reason, leveraging expertise can help organizations overcome these hurdles and move towards building a resilient and cyber-ready organization. This integration is not just a recommendation; it is a critical step towards safeguarding our communities in the digital age. TECKpert is here to assist organizations looking to embed cyber readiness into their emergency preparedness programs. Together, we can help you work towards creating a safer, cyber-resilient future for your community.
About the Author
Jean-Pascal Deillon is a TECKpert consultant operating at the nexus of emergency management and cybersecurity to help organizations with their cyber readiness initiatives. With nearly a decade of experience, Mr. Deillon has crafted and implemented training and exercise programs for a diverse range of entities, including local and state governments, DHS CISA, FEMA, and the White House National Security Council (NSC). In his most recent public engagement, Mr. Deillon delivered a presentation titled “From Concept to Reality: Designing Cybersecurity Tabletop Scenarios” at the Vermont Emergency Preparedness Conference to help emergency managers develop realistic and engaging cybersecurity exercises. His expertise extends to his role as an adjunct cybersecurity instructor at the Texas A&M Engineering Extension Service (TEEX).
[1] Federal Emergency Management Agency. (2022). National Preparedness Report 2022. U.S. Department of Homeland Security.
[2] Federal Emergency Management Agency. (2021). National Preparedness Report 2021. U.S. Department of Homeland Security.