OSCIO

​​​​​​​​​ EIS-Logo.png

Cyber Disruption Plan


State of Oregon Cyber Disruption Response & Recovery Plan

Cyber disruptions have the potential to greatly affect Oregon citizens and businesses negatively. The Oregon Cyber Disruption Response and Recovery (OCDR) - Voluntary Resource Guide for Local Government provides a common framework for responding to cyber threats impacting Oregon government and enables all levels of Oregon government to rapidly coordinate a cyber disruption response, minimizing the impact in Oregon. There is no regulatory obligation to implement the OCDR; implementation is voluntary and intended to support Oregon whole-of-government by identifying resources, providing templates, and building community.​

Download the Cyber Disruption Plan

Oregon has established an Oregon “Whole of Government Community" Cyber Disruption Response and Recovery (OCDR) - Voluntary Resource Guide​. This plan brings the governing entities within Oregon together for an inclusive cybersecurity ecosystem. The Whole Community collaboration provides the greatest defense, response and rapid recovery against cyber disruption.

Cyber Security Services Security Operations Center

Email

eso_soc@oregon.gov

Phone

503-378-5930

Prepare for a Cyber Disruption

Steps to Take

1) Identify your cyber response team.

Clarify who the key players are, outline roles and responsibilities, and clearly identify which individuals have the authority to take critical response actions. Document how to contact team members 24/7, designate an alternate for key roles, and outline a cadence for how and when the team will convene and deliver updates. First Response Team: Includes the Cyber Response Manager and other IT/OT security staff to investigate an incident. Cyber Response Steering Committee: Typically includes business executive leadership, CIO or senior IT management, information security officer, and Legal Counsel (or their designees) to confirm a cyber incident/disruption and oversee response. Full Cyber Response Team: A complete list of individuals and roles that can be engaged as needed to scale-up and support response such as 1) internal: Public Information Officers, Human Resources, Financial Officer, and Emergency Manager and 2) external: other government cyber response organizations, cyber insurance and law enforcement.

2) Identify contacts and response service contracts for cybersecurity service providers and equipment vendors.

Keep an updated list of vendor contacts and the support they can provide if a vulnerability is identified in vendor equipment. Identify a contact person for the Internet Service Provider (ISP). If incident investigation, forensic analysis, or other forms of incident response support, is contracted out to a third party, identify the contact person, determine the process for engaging their support, and identify the person on the Cyber Response Team who is authorized to engage their services. Determine the expected response timelines for each partner.

3) Understand systems and environment.

Document where system maps, logs, and inventories are kept and maintained (both online and hard copy), along with the person(s) who has the credentials to access them. Document access credentials and procedures for removing access or providing temporary access to cyber responders.

4) Outline reporting requirements and timelines.

Depending on the type or severity of cyber incident/disruption, there may be requirements to report to regulatory agencies and local/state/federal officials, often within the first 24 hours, and sometimes as little as 6 hours. Determine your legal and contractual obligations to report incidents/disruptions to federal/state/local officials, insurance providers, and other third parties.

5) Identify response procedures.

Document procedures for investigation and documentation, containment actions for various types of attacks, and procedures for cleaning and restoring systems. Identify and pre-position the resources needed to preserve evidence, make digital images of affected systems, and conduct a forensic analysis, either internally or with the assistance of a third-party expert. Identify the external response organizations—including law enforcement, information sharing organizations, and cyber mutual assistance groups—that might engage during cyber incident response, particularly for when resources and capabilities are exceeded. Identify key contacts within external response organizations and build personal relationships in advance. Determine how much information to share and when. Document who has the authority to engage these organizations and at what point they should be notified.

6) Develop strategic communication procedures.

Identify the key internal and external communications stakeholders, what information to communicate and when, and what situations warrant internal communication with employees and public communication with citizens and the media. Develop key messages and notification templates in advance.

7) Define legal team response.

Cyber response should be planned, coordinated, and executed under the guidance of the legal team. Procedures to promptly alert the legal team of a cyber incident/disr​​​uption need to be in place. To ensure compliance and preserve the legal posture, the legal team should be directly involved with the investigation, documentation, and reporting.

8) Exercise and train staff.

Staff should be trained on cyber response processes and procedures regularly. Cyber response exercises or participation in industry exercises should be conducted frequently to test cyber response preparedness.

Appendix A


Cyber Disruption Notification

When to Notify

If you are experiencing a cyber disruption, notifying CSS is recommended, whether you need assistance or not. Notification can occur at various stages, even when complete information is not available. Notification allows correlations of cyber events across the state to identify coordinated attacks or attack trends, access to mitigation measures and expertise from similar attacks, and cyber response support.

Who to Notify

Cyber Security Services Security Operations Center

Email: eso_soc@oregon.gov

Phone: 503-378-5930

What to Report

Helpful information could incl​ude who you are, who experienced the incident, what sort of incident occurred, how and when the incident was initially detected, what response actions have already been taken, and who has been notified. 

Situational Awareness - CSS will share de-identified information with Trusted Partners for situational awareness. Trusted Partners are OEM, Titan Fusion Center, MS-ISAC, CISA, and National Guard.

Appen​dix B


Proactive and Reactive Services

The Service Matrix provides a high level picture of services and provider of the service available to government organizations. Appendix A provides additional details along with contact information. Oregon governme​nt agencies can utilize these resources and services and many are free of charge.

Cyber-Disruption-Services.jpg

Appendix C


TEMPLATES


Templates are provided as a starting point and each organization will need to alter to fit its business need and to meet legal sufficiency.

Non-Disclosure Agreement (NDA)

Download Template

Cyber Response Plan

Downloa​​d Template

Appendix D


Partner Organizations

Prepare for a Cyber Disruption - Steps to Take

Cyber Threat Intelligence Integration Center (CTIIC)

Operated by the Office of the Director of National Intelligence, the CTIIC is the primary platform for intelligence integration, analysis, and supporting activities for the Federal Government. CTIIC also provides integrated all-source analysis of intelligence related to foreign cyber threats or related to cyber incidents affecting U.S. national interests.

www.dni.gov/index.php/ctiic-home

National Cybersecurity and Communications Integration Center (NCCIC)

Response activities include furnishing technical assistance to affected entities to protect their assets, mitigate vulnerabilities, and reduce impacts of cyber incidents and identifying other entities that may be at risk and assessing their risk to the same or similar vulnerabilities. NCCIC assesses potential risks to the sector or region, including potential cascading effects, and developing courses of action to mitigate these risks and facilitates information sharing and operational coordination with threat response.

www.cisa.gov/national-infrastructure-coordinating-center

U.S. Cyber Command (USCYBERCOM) Joint Operations Center (JOC)

The USCYBERCOM JOC directs the U.S. military’s cyberspace operations and defense of the Department of Defense Information Network (DoDIN). USCYBERCOM manages both the threat and asset responses for the DoDIN during incidents affecting the DoDIN and receives support from the other centers, as needed.

www.cybercom.mil

U.S. Secret Service

National network of Electronic Crimes Task Forces, which combine the resources of academia, the private sector, and SLTT law enforcement to prevent, detect, and investigate electronic crimes, including potential terrorist attacks against critical infrastructure and financial payment systems.

www.secretservice.gov

United States Computer Emergency Readiness Team

United States Computer Emergency Readiness Team coordinating defense against and response to cyber attacks. US-CERT is responsible for analyzing and reducing cyber threats and vulnerabilities, disseminating cyber threat warning information, and coordinating incident response activities.

https://www.us-cert.gov

FirstNet

FirstNet mission is to deploy, operate, maintain, and improve the first high-speed, nationwide wireless broadband network dedicated to public safety.

www.firstnet.com

Appendix E


References

​General

OCDR website: security.oregon.gov/cyberdisruption

State of Oregon Incident Response Plan

www.oregon.gov/das/OSCIO/Documents/InformationSecurityIncidentResponsePlan.pdf

Oregon Emergency Operations Plan, Annex 10, Cyber Security

www.oregon.gov/oem/Documents/2015_OR_eop_ia_10_cyber.pdf

Oregon cooperative procurement program

ORCPP interagency agreement template

National Cybersecurity Review (NCSR) - The Nationwide Cybersecurity Review is a no-cost, anonymous, annual self-assessment designed to measure gaps and capabilities of state, local, tribal and territorial governments’ cybersecurity programs. It is based on the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), is sponsored by the Department of Homeland Security (DHS) & the Multi-State. Information Sharing and Analysis Center® (MS-ISAC®). www.cisecurity.org/ms-isac/services/ncsr/

DotGov Program, part of the General Services Administration, operates the .gov top-level domain (TLD) and makes it available to US-based government organizations, from federal agencies to local municipalities. Using a .gov domain shows you’re an official government organization. https://home.dotgov.gov/

Training

Federal Emergency Management Agency (DHS/FEMA) Emergency Management Institute (EMI) offers a variety of in-residence and online courses in incident management and security and emergency management, including several on continuity and disaster recovery (FEMA.govwww.training.DHS/FEMA.gov).

The SANS Institute provides specialized information technology training resources delivered in a variety of formats (www.sans.org).

The International Information Systems Security Certification Consortium (ISC2) offers a number of training and certification (with concentrations) options including the industry leading Certified Information Systems Security Professional (CISSP) designation (www.isc2.org)

The Federal Virtual Training Environment (FedVTE) provides free online cybersecurity training to federal, state, local, tribal, and territorial government employees, federal contractors, and US military veterans. Click here to view the FedVTE course catalog.

Exercise

The National Cybersecurity and Communications Integration Center (NCCIC) develops and supports integrated cyber incident response plans and guidance and cyber-focused exercises for governmental and critical infrastructure partners.

Appen​dix F