This document discusses the need for better coordination between critical infrastructure operators and emergency management entities to improve response to severe cyber incidents. It proposes including metrics in the Cybersecurity Framework to measure communication linkages between these groups. Specifically, it suggests a metric to evaluate whether formal interfaces have been established for conducting cross-organizational incident management activities and information sharing. Improving these linkages could help critical infrastructure organizations better address challenges like cascading failures and fulfill objectives of directives like Presidential Policy Directive 21.

1. 1
Building on incident management metrics
to better prepare for severe cyber incidents
and reduce risks to organizations and communities
Part four of a series
July 2013
Author: Dave Sweigert, M.Sci., CISSP, CISA, PMP
ABSTRACT
Effective critical infrastructure protection will require the confluence of cyber
incident management (internal) and community-based emergency management
(external to the hardened enterprise) to create effective incident coordination to
support Presidential Policy Directive 21 objectives.
Background
In April 2013 rifle shots damaged a
Pacific Gas & Electric (PG&E)
substation. At approximately the same
time, someone cut nearby fiber optic
cables, disabling the local 911 service.
Investigators think the two acts of
sabotage were linked.
According to the local Sheriff, the
saboteur's objective appears to have
been "shutting down the system."
PG&E officials had told the sheriff that
the substation's security fence had been
breached, and at least five transformers
had been damaged.
***
Unlike the average business concern,
the community as a whole may have a
dependency relationship with the critical
infrastructure and key resources (CI/KR)
provided by private business owners
and operators; such as a gas pipeline or
electrical cooperative.
Increasingly, there have been more calls
for the sharing of information between
the traditional hardened end-point CI/KR
operators and community emergency
management (EM) entities.
Case in point: in California Assembly Bill
(AB) 869 has been introduced to,
quoting in relevant part:
“…develop and publish plans to respond
to emergencies, including natural
disasters, that have the potential to
disrupt natural gas or electric service
and cause damage, as provided…1
”
1
An act to add Sections 8610.7 and 8610.9 to the
Government Code, relating to utilities.

2. 2
And
“…The plan shall be consistent with
emergency response plans developed
by the Office of Emergency Services
and with any plan developed by a local
disaster council…”2
.
At the very least, this indicates a desire
by some in government to see better
coordination and cooperation between
CI-KR private operators and the local
EM and public safety communities.
Protecting national infrastructure
through information sharing
Enter the Cybersecurity Framework
(CSF)), proposed by Executive Order
136363
. Those critical of CSF say it can
easily become a redundant restatement
of existing cybersecurity standards into
a voluntary guideline (similar in nature to
COBIT (Control Objectives for
Information and Related Technology).
Understandably, these private-industry
critics are concerned about yet another
mandatory cybersecurity compliance
scheme.
Accompanying the issuance of EO
13636 was Presidential Policy Directive
(PPD) 21, Critical Infrastructure and
Security Resilience, which directed the
2
AB 869: Disaster Relief Emergency Plans
3
Executive Order -- Improving Critical Infrastructure
Cybersecurity, 2/12/2013. See: Sec. 7. Baseline
Framework to Reduce Cyber Risk to Critical
Infrastructure
Executive Branch to, quoting in relevant
part:
“…
 Understand the cascading
consequences of infrastructure
failures
 Evaluate and mature the public-
private partnership
 Update the National Infrastructure
Protection Plan
…”
By examining apparent gaps in defining
adequate metrics to measure severe
incident response planning in the CSF
draft standards, it may be possible to
more accurately embody the principles
of PPD-21 into the CSF, and make it
more useful to private CI/KR owners.
National Infrastructure Protection
Plan (NIPP)
The NIPP represents the “steady state”
of CI/KR operations, in contrast to the
incident response state articulated in the
National Response Framework (NRF).
NIPP is pre-incident, NRF is incident
response and reaction4
.
The NIPP promotes the use of a threat
assessment risk management criteria
for private CI/KR owner-operators (see
Risk Management Framework (RMF)).
The NIPP promotes the Cyber Security
Vulnerability Assessment (CSVA), a
4 Transitioning From NIPP Steady-State to Incident
Management, NIPP, U.S. Dep’t of Homeland Security
(2010).

3. 3
metric to gauge an organization’s cyber
protection.
Per PPD-21, the NIPP shall be updated.
In this context, it may be wise to update
the CSVA to assess more factors
regarding private-public response
activities, as alluded to in California’s AB
869.
Metrics to measure the transition from
steady-state (NIPP) to response state
(NRF) may be worthwhile to explore.
A communications linkage metric
In a Software Engineering Institute (SEI)
report, entitled Incident Management
Capability Metrics5
, the metric of an
“organizational interface” is defined as:
“..a common function that is focused on
the interfaces between any groups
performing incident management
activities. An interface is any comm-
unication, exchange of information, or
work that occurs between two groups…”
And such a linkage can be measured.
“..Have well-defined, formal interfaces
for conducting organization incident
management activities been established
and maintained ?..”
The measurement and evaluation of this
metric appears worthwhile for the CSF.
5
Software Engineering Institute, CMU/SEI-2007-TR-
008, April 2007
This metric should measure linkages
between Cybersecurity and other
domains, especially in the Disaster
Recovery and Business Continuity
(DR/BC) planning arena. A proposed
metric for the CSF should focus on
enabling better communications in times
of incident management. Quoting SEI:
“..From our research and interactions
with customers, as well as discussions
with teams over the years, the one
interface that continues to be critical is
communications. It can often be traced
to the cause of a delay or failure in
action. It is a key success factor for an
incident management capability to
examine its communications require-
ments and pathways, to ensure they are
clearly defined, and to exercise
diligence in ensuring they are effective,
efficient, and understood by those
involved in those communications…6
”
About the author: Dave Sweigert is a
Certified Information Systems Security
Professional, Certified Information
Systems Auditor, Project Management
Professional and holds Master’s
degrees in Information Security and
Project Management. A graduate of the
National Fire Academy (NFA) Incident
Management Team (IMT) course, he is
a practitioner of NIPP/NRF in his role of
assisting private organizations in
institutionalizing NIPP/NRF into their
cyber response plans.
6
Incident Management Capability Metrics
Version 0.1, TECHNICAL REPORT
CMU/SEI-2007-TR-008, April 2007