Cyber Disruption Plan
Cyber disruptions have the potential to greatly affect Oregon citizens and businesses negatively. The Oregon Cyber Disruption Response and Recovery (OCDR) - Voluntary Resource Guide for Local Government provides a common framework for responding to cyber threats impacting Oregon government and enables all levels of Oregon government to rapidly coordinate a cyber disruption response, minimizing the impact in Oregon.
There is no regulatory obligation to implement the OCDR; implementation is voluntary and intended to support Oregon whole-of-government by identifying resources, providing templates, and building community.
Prepare for a Cyber Disruption
Oregon has established an Oregon “Whole of Government Community” Cyber Disruption Response and Recovery (OCDR) - Voluntary Resource Guide. This plan brings the governing entities within Oregon together for an inclusive cybersecurity ecosystem. The Whole Community collaboration provides the greatest defense, response, and rapid recovery against cyber disruption. The OCDR can be downloaded below.
Step 1: Identify your cyber response team
Clarify who the key players are, outline roles and responsibilities, and clearly identify which individuals have the authority to take critical response actions. Document how to contact team members 24/7, designate an alternate for key roles, and outline a cadence for how and when the team will convene and deliver updates.
First Response Team: Includes the Cyber Response Manager and other IT/OT security staff to investigate an incident.
Cyber Response Steering Committee: Typically includes business executive leadership, CIO or senior IT management, information security officer, and Legal Counsel (or their designees) to confirm a cyber incident/disruption and oversee response.
Full Cyber Response Team: A complete list of individuals and roles that can be engaged as needed to scale up and support response, such as 1) internal: Public Information Officers, Human Resources, Financial Officer, and Emergency Manager and 2) external: other government cyber response organizations, cyber insurance, and law enforcement.
Step 2: Identify contacts and response service contracts for cybersecurity service providers and equipment vendors
Keep an updated list of vendor contacts and the support they can provide if a vulnerability is identified in vendor equipment. Identify a contact person for the Internet Service Provider (ISP). If incident investigation, forensic analysis, or other forms of incident response support are contracted out to a third party, identify the contact person, determine the process for engaging their support, and identify the person on the Cyber Response Team who is authorized to engage their services. Determine the expected response timelines for each partner.
Step 3: Understand systems and environment
Document where system maps, logs, and inventories are kept and maintained (both online and hard copy), along with the person(s) who has the credentials to access them. Document access credentials and procedures for removing access or providing temporary access to cyber responders.
Step 4: Outline reporting requirements and timelines
Depending on the type or severity of cyber incident/disruption, there may be requirements to report to regulatory agencies and local/state/federal officials, often within the first 24 hours, and sometimes as little as 6 hours. Determine your legal and contractual obligations to report incidents/disruptions to federal/state/local officials, insurance providers, and other third parties.
Step 5: Identify response procedures
Document procedures for investigation and documentation, containment actions for various types of attacks, and procedures for cleaning and restoring systems. Identify and pre-position the resources needed to preserve evidence, make digital images of affected systems, and conduct a forensic analysis, either internally or with the assistance of a third-party expert. Identify the external response organizations—including law enforcement, information sharing organizations, and cyber mutual assistance groups—that might engage during cyber incident response, particularly for when resources and capabilities are exceeded. Identify key contacts within external response organizations and build personal relationships in advance. Determine how much information to share and when. Document who has the authority to engage these organizations and at what point they should be notified.
Step 6: Develop strategic communication procedures
Identify the key internal and external communications stakeholders, what information to communicate and when, and what situations warrant internal communication with employees and public communication with citizens and the media. Develop key messages and notification templates in advance.
Step 7: Define legal team response
Cyber response should be planned, coordinated, and executed under the guidance of the legal team. Procedures to promptly alert the legal team of a cyber incident/disruption need to be in place. To ensure compliance and preserve the legal posture, the legal team should be directly involved with the investigation, documentation, and reporting.
Step 8: Exercise and train staff
Staff should be trained on cyber response processes and procedures regularly. Cyber response exercises or participation in industry exercises should be conducted frequently to test cyber response preparedness.
Notify EIS Cyber Security Services (CSS) of a Cyber Disruption
When to notify
If you are experiencing a cyber disruption, notifying CSS is recommended, whether you need assistance or not. Notification can occur at various stages, even when complete information is not available. Please see the CSS Security Operations Center (SOC) page for contact and additional information.
Download the Cyber Disruption Plan
The Cyber Disruption Plan covered on this page is available for download in its entirety or in part:
Proactive and Reactive Services
This Service Matrix provides a high-level picture of the services available to government organizations and the provider of each service. Appendix A provides additional details along with contact information. Oregon government agencies can utilize these resources and services, and many are free of charge.
Providers are grouped by role: State providers are Cyber Security Services (CSS) and the Office of Emergency Management (OEM); Federal providers are the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC); Dual Role providers are the Oregon Titan Fusion Center and the Oregon National Guard.

| Service | CSS (State) | OEM (State) | CISA (Federal) | MS-ISAC (Federal) | Oregon Titan Fusion Center (Dual Role) | Oregon National Guard (Dual Role) |
|---|---|---|---|---|---|---|
| Proactive | | | | | | |
| Advisories/Threat Notification | X | X | X | X | X | |
| CIS SecureSuite Membership | | | | X | | |
| Consulting | | | | X | | |
| Continuity Planning | | | | | | X |
| Cyber Assessments | | | X | | | X |
| Cyber Exercise Planning | | | X | | | X |
| Cyber Training/Education Resources | X | | X | X | | |
| Cyber Vendor Contracts | X | | | | | |
| Malicious Domain Blocking | | | | X | | |
| Managed Security Services | | | | X | | |
| Network Monitoring | | | | X | | |
| Penetration Testing | | | X | | | X |
| Phishing Campaign Assessments | | | X | | | |
| Risk & Vulnerability Assessment | | | X | | | |
| Validated Architecture Design | | | X | | | |
| Vulnerability Scanning | | | X | X | | |
| Web Application Scanning | | | X | | | |
| Reactive | | | | | | |
| Alerts | X | | X | X | X | |
| Emergency Declaration | | X | | | | |
| Incident Response Assistance | X | | X | X | | |
| Malicious Code Analysis Platform | | | | X | | |
| Malware Analysis | | | X | X | | |
| Vulnerability Assessment | | | | X | | |
| Vulnerability Management Program | | | | X | | |
Templates
Templates are a starting point. Each organization will need to alter them to fit its business needs and to meet legal sufficiency.
Partner Organizations
Cyber Threat Intelligence Integration Center (CTIIC)
Operated by the Office of the Director of National Intelligence, the CTIIC is the primary platform for intelligence integration, analysis, and supporting activities for the Federal Government. CTIIC also provides integrated all-source analysis of intelligence related to foreign cyber threats or related to cyber incidents affecting U.S. national interests.
Visit the Cyber Threat Intelligence Integration Center (CTIIC) website
National Cybersecurity and Communications Integration Center (NCCIC)
Response activities include furnishing technical assistance to affected entities to protect their assets, mitigate vulnerabilities, and reduce the impacts of cyber incidents, as well as identifying other entities that may be at risk and assessing their exposure to the same or similar vulnerabilities. NCCIC assesses potential risks to the sector or region, including potential cascading effects, develops courses of action to mitigate these risks, and facilitates information sharing and operational coordination with threat response.
Visit the National Cybersecurity and Communications Integration Center (NCCIC) website
U.S. Cyber Command (USCYBERCOM) Joint Operations Center (JOC)
The USCYBERCOM JOC directs the U.S. military’s cyberspace operations and defense of the Department of Defense Information Network (DoDIN). USCYBERCOM manages both the threat and asset responses for the DoDIN during incidents affecting the DoDIN and receives support from the other centers, as needed.
Visit the U.S. Cyber Command (USCYBERCOM) Joint Operations Center (JOC) website
U.S. Secret Service
The U.S. Secret Service operates a national network of Electronic Crimes Task Forces, which combine the resources of academia, the private sector, and SLTT law enforcement to prevent, detect, and investigate electronic crimes, including potential terrorist attacks against critical infrastructure and financial payment systems.
Visit the U.S. Secret Service website
United States Computer Emergency Readiness Team
The United States Computer Emergency Readiness Team (US-CERT) coordinates defense against and response to cyber attacks. US-CERT is responsible for analyzing and reducing cyber threats and vulnerabilities, disseminating cyber threat warning information, and coordinating incident response activities.
Visit the United States Computer Emergency Readiness Team website
FirstNet
FirstNet's mission is to deploy, operate, maintain, and improve the first high-speed, nationwide wireless broadband network dedicated to public safety.
Visit the FirstNet website
References
Oregon's Cyber Disruption Plan
https://www.oregon.gov/eis/cyber-security-services/Documents/eis-css-72509-das-eis-cyber-disruption-response-recovery-plan-2021-20211014.pdf
State of Oregon Incident Response Plan
https://www.oregon.gov/das/oscio/documents/informationsecurityincidentresponseplan.pdf
Oregon Emergency Operations Plan, Annex 10, Cyber Security
https://www.oregon.gov/oem/documents/2015_or_eop_ia_10_cyber.pdf
Oregon Cooperative Procurement Program
https://www.oregon.gov/das/Procurement/Pages/Orcpp.aspx
National Cybersecurity Review (NCSR)
The Nationwide Cybersecurity Review is a no-cost, anonymous, annual self-assessment designed to measure the gaps and capabilities of state, local, tribal and territorial governments' cybersecurity programs. It is based on the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and is sponsored by the Department of Homeland Security (DHS) and the Multi-State Information Sharing and Analysis Center® (MS-ISAC®).
https://www.cisecurity.org/ms-isac/services/ncsr
DotGov Program
The DotGov Program, part of the General Services Administration, operates the .gov top-level domain (TLD) and makes it available to US-based government organizations, from federal agencies to local municipalities. Using a .gov domain shows you're an official government organization.
https://home.dotgov.gov
Training
The Federal Emergency Management Agency (DHS/FEMA) Emergency Management Institute (EMI) offers a variety of in-residence and online courses in incident management, security, and emergency management, including several on continuity and disaster recovery. Visit https://training.fema.gov/emi.aspx for more information.
The SANS Institute provides specialized information technology training resources delivered in a variety of formats. Visit https://www.sans.org for more information.
The International Information Systems Security Certification Consortium (ISC2) offers a number of training and certification (with concentrations) options, including the industry-leading Certified Information Systems Security Professional (CISSP) designation. Visit https://www.isc2.org for more information.
The Federal Virtual Training Environment (FedVTE) provides free online cybersecurity training to federal, state, local, tribal, and territorial government employees, federal contractors, and US military veterans. Visit https://fedvte.usalearning.gov/coursecat_external.php to view the course catalog.
Exercise
The National Cybersecurity and Communications Integration Center (NCCIC) develops and supports integrated cyber incident response plans and guidance and cyber-focused exercises for governmental and critical infrastructure partners. Visit https://www.cisa.gov/resources-tools/resources/connecting-nicc-and-nccic for more information.