CISA’s ‘Cyber Storm’ will help it update National Cyber Incident Response Plan

CISA's "Cyber Storm" event features more than 2,000 participants across government and industry working together to respond to a major cyber incident.

The Cybersecurity and Infrastructure Security Agency is readying the playing field for its major “Cyber Storm” exercise intended to simulate the response to a large-scale cyber incident on critical infrastructure.

The biannual exercise kicks off this month, as CISA rewrites the National Cyber Incident Response Plan for dealing with such an event. It also takes place as officials warn that real-world hackers are targeting, and sometimes successfully infiltrating, U.S. critical infrastructure networks.

More than 2,000 participants from government and industry will be involved in this year’s iteration of Cyber Storm, the ninth such exercise that’s taken place since it began in 2006.

Lisa Beury-Russo, the associate director for exercises at CISA, said the “players” come from sectors including chemical, communications, critical manufacturing, the defense industrial base, energy, financial services, food and agriculture, healthcare and public health, information technology, transportation systems, and water and wastewater systems.

“It’s a pretty big list, and we are hopeful that we’ll see a lot of really good cross sector interaction there,” Beury-Russo said in an interview.

Over the course of the one-week exercise, participants will receive “exercise injects” that describe how their organization is being affected by the incident. They will then have to respond using whatever policies and procedures are in place, Beury-Russo said.

CISA will also provide a “simulated world view” involving news feeds, videos and other simulations to help mimic the real world.

Beury-Russo declined to name the specific threats, technologies or scenarios the participants will encounter as part of this year’s Cyber Storm, citing operational security reasons and the need to avoid tipping off the players. Previous exercises have folded in specific technologies, like industrial control systems.

But Beury-Russo said one of the overarching goals is to practice “information sharing” during a major cyber incident affecting multiple critical infrastructure sectors.

“Is information being shared across the player set, among government partners, from government to critical infrastructure owner operators, and within and between sectors,” she said. “Is the information shared actually useful? Are we sharing the right things? Are we sharing quickly enough to enable folks to take effective action?”

“We also look at whether and how plans are implemented,” she added.

The event comes as CISA rewrites the 2016 National Cyber Incident Response Plan at the direction of last year’s National Cyber Strategy. The plan lays out how both government and industry will respond to significant cyber incidents.

CISA plans to publish the updated plan by the end of this year.

Meanwhile, U.S. officials warned earlier this year that a China-linked hacking group, “Volt Typhoon,” has targeted multiple U.S. critical infrastructure networks. Agencies said the group’s activities had been found on some networks going back upwards of five years.

Beury-Russo acknowledged Cyber Storm is happening “at an important time.” She said the exercise will help inform the rewrite of the National Cyber Incident Response Plan.

“One thing we found in prior exercises, is that often, our industry partners don’t really fully understand the actions and the processes included in the plan,” she said. “One thing we’re looking at is to make some of those things a little more clear in the rewrite. We’re talking very closely and working collaboratively with our team in CISA who is working on that to help share those findings, and see what kind of initial pieces of the update we can look at in this exercise.”

Ultimately, the goal of the exercise is to make sure when the incident response plan is needed in the real world, it won’t be the first time agencies and industry are going through the process.

“We don’t want to wait for a huge cyber incident data breach to happen,” Beury-Russo said. “We want to work in a safe environment in steady state operations to really stress test those plans and procedures and make sure we are ready because in cybersecurity, it’s not ‘if’ but ‘when’ there will be an incident. So we want to make sure we are taking these opportunities where we can to operate in a safe space and really figure out what’s working, what we can do better and tackle these problems as one cohesive community.”

Copyright © 2024 Federal News Network. All rights reserved.
