Digital transformation has become synonymous with a government’s ability to meet its obligation to provide a vast array of services to its citizens in the 21st century. This necessary transformation will give local governments the tools required to meet the demands of growing populations, a changing workforce, increased urbanization, and unprecedented advances in technology. However, such digital reliance also exposes governments to new risks and threats that can and must be proactively addressed. Governments leveraging the opportunities of digitalization and proven technology will resolve existing local issues while at the same time introducing new vulnerabilities, but this is not a reason to halt the inevitable progress within local governments. Cities will never be 100 percent “secure,” nor can they avoid danger entirely, but that is not reason or excuse enough to prevent innovation: there are necessary and acceptable risks cities must incur to remain effective in their service delivery to citizens. They can, however, be resilient in the face of a wide range of stresses and shocks by making the right investments in the physical, cyber and human domains. If done right, these initial capital investments could yield tremendous returns in a city’s ability to prepare for crises, react faster to restore normalcy, and learn from and adapt to the digital challenges and realities of the future, while attracting and retaining citizens. The increasing reliance on technology by governments requires a systems approach to resiliency. Such a comprehensive approach should involve three complementary dimensions: people, processes and technology. Collectively, this approach will increase a government’s ability to confidently rely on technology and more readily adopt it to better serve its citizens.
Interdependent digital systems provide the infrastructure that runs major public systems and citizen services. These include water and energy generation and transmission, transportation frameworks, waste disposal mechanisms, street and home lighting systems, connected healthcare, social security, and other public services. However, these interdependent systems also pose operational challenges and security risks. For example, the failure of a smart traffic management system’s database server, whether due to resiliency factors such as a lack of operational maintenance or to a cyber attack, can disrupt city traffic and inconvenience citizens. Another example is a smart healthcare service, where a breach of the network or of a health-monitoring device can put a patient’s life at risk. If the smart grid is rendered inoperable by a cyber attack, other dependent services such as healthcare can be impacted. Although there is inherent risk in interconnected third-party systems that governments should address, such factors are outside the scope of this particular policy.
Additionally, a connected place’s digital framework handles huge volumes of data generated by communication between the various interdependent systems and by interactions between devices and citizens. Protection of such private and sensitive information, especially citizen data, is of utmost importance: any data breach or data loss can damage citizens’ perception of security in a city or town.
This Cyber Resilience Model Policy addresses people, processes and technology, focusing on the unique characteristics of each while acknowledging and recommending how they should interact to support and strengthen one another. The policy will be updated regularly to keep pace with the dynamic technology landscape and to give decision makers the ability to minimize the risks associated with running a technology-driven local government. It is intended to help planners, IT staff, city leadership and others be more strategic in reducing cyber risk.
How to use this policy
The Cyber Resilience Model Policy is an overarching policy, which will include references to other more detailed policies within a local government body, such as disaster recovery, incident response, and data protection amongst others. In addition, there may be other relevant national level policies or legislation that cover areas of cyber resilience across areas such as telecommunications or energy networks (falling under critical national infrastructure categories) which may supersede this policy. This model policy is intended to give more local level coordination, and identification of key digital infrastructure than may be covered at a national level. In each instance, local government should ensure that all the relevant policies are aligned and complementary.
This policy can also be used in conjunction with resilience assessment tools and frameworks. Further guidance can be found in the appendix.
This policy focuses on the digital aspects of local government service provision including ‘connected places / smart city’ products and services, and does not include broader aspects of environmental, economic or social resilience.
One sentence policy definition: “Resilience of the digital infrastructure that supports service delivery for local government.”
More definitions can be found in the appendix.
Connected places cyber resilience
For cities and towns, cyber resilience can be understood through their capacity for readiness, response, and reinvention. Efforts to build cyber resilience are critical to both surviving and even thriving in the face of cyberattacks or physical disasters. The security goals of local government—confidentiality, integrity, availability, safety, and resiliency— should be grounded on both the objectives of traditional Information Security or IT (to secure data) as well as those of Operational Technologies or OT (to ensure safety and resiliency of systems and processes). These combined security objectives can help cities, towns and places maintain a more secure and resilient operating environment both internally and also for external public facing and public realm systems.
Critical national infrastructure
Critical infrastructure definitions vary from country to country. For the purposes of this policy, relevant categories and national level legislation may be around communications, emergency services, energy, government, health, transport and water.
In the UK, there are 13 national infrastructure sectors: Chemicals; Civil Nuclear; Communications; Defence; Emergency Services; Energy; Finance; Food; Government; Health; Space; Transport; and Water. There are 16 critical infrastructure sectors in the United States: Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; and Water and Wastewater Systems.
As summarized by CISA, these areas of critical infrastructure are sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.
Critical local infrastructure
This may include some of the above areas. Not all local governments will have all of those categories; for instance, space, defense or civil nuclear may not apply.
Critical digital infrastructure
Frameworks such as the NCSC’s Cyber Assessment Framework (CAF), help organisations achieve and demonstrate an appropriate level of cyber resilience in relation to certain specified essential functions. The focus on cyber resilience of ‘specified essential functions’ distinguishes this from a set of generic good cyber security practices. Users of these types of frameworks will typically be responsible for the correct operation of one or more important organisational functions, the compromise or failure of which would lead to unacceptable consequences. For example, the organisation might be an electricity Distribution Network Operator in which case the essential function would be ‘provision of a reliable electricity supply to consumer premises’. The specified essential functions drive considerations such as which networks and information systems are in scope of CAF cyber resilience requirements.
The CAF collection has been designed to be equally applicable to both Information Technology (IT) and Operational Technology (OT). This is in contrast to generic good cyber security practices which are assumed to be generally applicable across the entirety of an organisation’s IT estate, and are not usually designed to encompass OT.
Connected places cyber infrastructure
In the case of a city, this includes the companies that lay fiber optic cables, the IoT devices that collect data, and the online systems through which citizens complete bureaucratic processes.
These network and information systems and the essential functions they support play a vital role in society, from ensuring the supply of electricity, water, oil and gas, to the provision of healthcare and the safety of passenger and freight transport. Their reliability and security are essential to everyday activities.
Digital infrastructure in this context includes the critical internal IT and Operational Technology systems within a city, town or place and its third-party systems. Digital infrastructure components might include: mobile networks and telecommunications infrastructure; IoT networks; sensors; data storage platforms and cloud infrastructure that the city relies on (AWS, Azure, etc.); Wi-Fi networks; and internal local government databases and storage.
Cyber Risk: Dependency, threats and vulnerabilities
City cyber risk is increasing, driven by three factors: 1) an increasing dependency on digital/IT systems to deliver government services, which means cyber incidents can have significant impacts; 2) a growing threat landscape, which includes an ever-expanding and maturing cybercrime industry; and 3) an increasingly connected IT and OT ecosystem, both internally, as cities need to manage the rapidly expanding vulnerabilities associated with digital infrastructure or upgrade legacy systems, and externally, due to supply chain risks, dependency on external partners (third-party suppliers and contractors), and reliance on critical infrastructure.
Dependency and Impacts
Increased reliance by local governments on digital infrastructure to provide core services to people means that the potential consequences of disruption could be severe, including disruption of local government service provision. Examples include:
- Digital identity of citizens and other personal data such as health records, births and deaths, electoral roll information and others could either be unavailable, compromised or corrupted
- Loss of privacy for citizens if data in transit or storage is compromised
- Health data and provision of healthcare could be disrupted with life threatening consequences
- Surveillance cameras such as CCTV may impact emergency service response times if they are compromised and not able to be used for their intended purpose
- Increased crime if access control systems are compromised
- Traffic management (traffic lights, traffic cameras, etc.) and public transit operational networks might experience delays or disruptions
- Waste collection and necessary city services disrupted
- Local government reputational and financial risk
These are a few examples to illustrate potential consequences, amongst many others.
Impacts can include:
- Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
- Integrity: Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity.
- Availability: Ensuring timely and reliable access to and use of information.
Malicious actors can be categorized as state actors, cybercriminals, and insider threats. These actors vary in motive, interest, technical capability and modus operandi. Globally, the number and impact of ransomware attacks is rising. Such attacks can significantly limit service delivery for local governments and are therefore a major threat for connected places, as are external events such as natural disasters or critical infrastructure disruption.
- Cybercriminals: Criminals, including state-sponsored groups, carry out cyberattacks primarily for their own financial gain. There has been a sharp rise in ransomware attacks in the past year, with very far-reaching consequences for the organizations affected and society in general. These attacks can lead to significant disruption of operations and service delivery.
- Insider threats: An insider is any person who has or had authorized access to or knowledge of an organization’s resources, including data and IT systems. An insider threat is the threat that an insider will use their access to wittingly or unwittingly do harm to the organization and its interests, for instance by exposing sensitive data, sabotaging systems or aiding in economic espionage.
- Critical infrastructure disruption: This could be a physical or cyber event that disrupts sectors such as energy, communications, or information technology. These upstream incidents will impact both public and private IT capacity downstream. For example, a power outage, an internet outage, or even a critical IT contractor such as a cloud computing service facing a significant disruption could significantly impact a city’s IT capacity. While the most talked-about threat is from hackers and other bad actors, wide networks of sensors and infrastructure areas are also vulnerable to physical damage from inclement weather, natural disasters such as floods or fires, and vandalism. For urban services that rely on digitized systems, a thunderstorm or a flash flood could be just as disruptive as a malicious hacker.
Depending on the nature of the threat and the size of the incident, responses need to be scalable.
A vulnerability is a weakness in an organization’s infrastructure, networks or applications that potentially exposes it to threats. A vulnerability could be technical, such as a misconfigured firewall or an unpatched server, but could also be physical, such as having a data center in a building prone to flooding.
The larger the digital infrastructure, the more potential vulnerabilities and the more opportunities for malicious actors. More systems create a larger attack surface, which makes it more challenging for security professionals to identify, track, and remediate vulnerabilities. The emergence of new technologies, an increase in connected devices, systems and services (OT and IoT amongst others) and the COVID-19 pandemic have all accelerated the expansion of digital infrastructure.
Critical Infrastructure/Supply Chain Considerations
Supply chains and third parties (such as energy providers, telecommunications providers and cloud providers) can create other vulnerabilities that malicious actors can capitalize on. Some of the cybersecurity incidents with the highest (potential) impact in the last few years were IT supply chain attacks. Most organizations are outsourcing their IT and migrating to the cloud, which increases their dependency on third-party products and services. Attacks on these third parties could therefore also affect the ability of local governments to deliver services. Third-party risk and supply chain management is very important and should be managed at the procurement and contracting stage. There may be other related procurement policies and Service Level Agreements which should be reviewed together with this policy. Cities can further supplement the policy recommendations below with others, such as building cybersecurity and data security components into contractual obligations.
Regional or National Critical Infrastructure Disruption
“Upstream Incident, Downstream Disruption”
Cyber Resilience Plans should prepare for an external disruption to critical infrastructure that will impact internal IT assets, systems, and capacity. This could be a physical or cyber event that disrupts sectors such as energy, communications, or information technology. These upstream incidents will impact both public and private IT capacity downstream. For example, a power outage, an internet outage, or even a critical IT contractor such as a cloud computing service facing a significant disruption could significantly impact a city’s IT capacity. It is not possible for places to protect their entire supply chain, but they should prepare for such incidents should they occur. This policy focuses on internal resilience.
It is recommended that places prioritize internal incident resilience planning before focusing on external disruption to critical infrastructure that will impact internal IT assets, systems, and capacity.
- This policy may be cited as the “Cyber resilience policy,” and shall come into effect upon publication in the [insert official city document or internal document].
- The Cyber Resilience Policy is a framework that guides local government leaders and responsible departments on how to establish resilient systems that maintain essential functions and service delivery in an increasingly risky digital ecosystem. A resilient system is reflexive, robust, redundant, flexible, resourceful, inclusive and integrated. Although the policy framework includes incident prevention, it assumes incidents will occur, and puts equal weight on responding to and mitigating incident impacts, sustaining service delivery through technical and non-technical means, and a quick recovery. IT systems are only a means to an end, and for local governments to be truly cyber resilient, they must plan to sustain essential services during a partial or complete disruption of IT and OT systems and assets. The policy provides five functions: 1) Identify, 2) Protect/Detect, 3) Respond, 4) Sustain, and 5) Recover. These can guide a city’s cyber resilience initiative and incident management, and together provide a practical umbrella framework for coordinating stakeholders, integrating existing policies, programs, and plans, and identifying resilience gaps. Good resilient systems evolve after experiencing crises and learn from mistakes to ensure the same threat does not recur.
- Policy Foundation: NIST Cybersecurity Framework
The five policy functions are an adaptation of the five US National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) functions: Identify, Protect, Detect, Respond, and Recover. The Cyber Resilience Policy for local government adapts these for a public sector audience: it keeps Identify, Respond, and Recover, combines Protect and Detect into one function, and adds a new function, Sustain. Sustain is focused on maintaining essential service delivery while responding to and recovering from an incident. Sustaining essential services under incident conditions is the key to a strong cyber resilience framework. By incorporating the existing NIST CSF functions into the policy, cities can draw on many existing resources to inform plans and policies, lowering the total cost of implementation. The NIST CSF further breaks down its five functions into categories and subcategories, and each subcategory is mapped to existing cybersecurity standards and references (NIST, CIS, ISO, etc.). Connected places may use some, none, or all of these functions, subcategories, or references to inform planning.
- Holistic Approach
While this policy is built on the NIST CSF, a technically focused framework, it recommends that connected places think holistically about each function by assessing how non-technical stakeholders can support the target outcomes. This is especially important for the added Sustain function, which aims to provide essential services under conditions that may include complete loss of IT infrastructure. Civil servants, city departments, and public agencies will need to plan to deliver services without internet, workstations, or data. For example, city service agencies may add cyber contingency annexes to their continuity of operations plans (COOP) that set Standard Operating Procedures (SOPs) for an internet outage. Further, disaster, emergency or risk management agencies should play central roles in implementing the policy, as they have extensive expertise and experience in incident preparation, response, and recovery outside the scope of IT.
- Risk mitigation for local government digital systems requires a detailed understanding of several factors, including the design and architecture of smart services, IT infrastructure support capabilities, and knowledge of probable cyber threats. Knowledge of probable cyber threats helps connected places stakeholders concentrate on the parts of the city that require the most attention.
- Approaches need to be tailored to the scale of the incident but the overall methodology should be followed whether it is an event, incident or crisis (refer to threat section).
- The objective of this model policy is to encourage cities and places to increase cyber resilience via a twofold approach: taking proactive measures to protect and defend their digital infrastructure, and ensuring that reactive measures (disaster recovery, continuation of service, etc.) are in place should an incident occur. The policy addresses both of these areas in more detail and covers people, processes and technologies as above. Further, although not in the scope of this policy, local governments should work with and advocate to national stakeholders to ensure that risks to critical digital infrastructure are addressed at the national level. This could include state or country level policies and/or frameworks. Local governments should operate like a modern-day enterprise, with specific goals and objectives that include proactive planning, defending against threats and responding to emergencies.
3. Guiding principles
Successful implementation of this policy requires transparency, strong governance, continuous (policy) evaluation, and the education and awareness of city executives, professionals, citizens and stakeholders.
Even with unlimited commitment and resources there is no absolute, 100% security. All organisations that rely on IT can fall victim to an attack, and cities are no different. It is important to be transparent and open about this towards the city’s citizens and stakeholders. Setting the right expectations pre-incident contributes to the resiliency of these groups in case of an incident. Transparency and openness of cities is also required post-incident, in the form of appropriate disclosure and information sharing (government-to-government, including law enforcement, and to the public) about incidents that have occurred. It is recommended to have communication strategies in place (including target groups, messaging and communication channels) for informing the public in case of an incident, so that they know which alternative routes and services can be used when a specific digital service is down. This should also include fall-back solutions for when the city’s own communication channels are out of service.
Cities should explicitly communicate their attention to and efforts on increasing their cybersecurity by:
- creating a policy and/or local legislation in which the cybersecurity objectives and ambitions are explained,
- formulating a multi-year roadmap to reach the set objectives and ambitions,
- allocating an appropriate multi-year budget,
- appointing a role such as a Chief Information Security Officer (CISO), preferably at executive level, with a (budgetary) mandate and personnel, tasked with executing the roadmap and annually reporting to leadership, and
- reporting to the city council or executive body (including budget and spending).
The CISO office is the first point of contact for everything related to cybersecurity and is responsible for integral coordination on cybersecurity matters. Although the CISO office (or similar) holds ultimate accountability, successful implementation requires broad embedding and understanding of cybersecurity risk across the full organisation, including emergency management and incident response. This is relevant not only for all departments and professionals involved with the design, development, procurement, implementation and maintenance of digital technology in local government, but also for regular employees, because their behaviour can also cause a cybersecurity incident.
- Continuous (policy) evaluation and management
Permanent attention and support from political leadership and executive level are needed. Within the policy and implementation cycle it is of the utmost importance to continuously assess and evaluate the cybersecurity posture and progress of the organisation. This requires a structured approach focused on:
- Testing the overall robustness of the city’s digital infrastructure and the preventive cybersecurity measures in place, for instance with a baseline cybersecurity risk assessment, periodic pentesting, ethical hacking events or coordinated responsible disclosure.
- Exercising the response to cyber incidents and the reactive measures in place, for instance with a tabletop exercise or a full-scale, realistic incident simulation.
- Sharing best practices and benchmarking with other organizations. Various cities have developed best practices that can guide other cities, for instance in setting up testing and exercising programs. The NIST CSF also includes target profiles that cities can use to self-assess and improve their cybersecurity posture. If cities would like to conduct more in-depth technical benchmarks of commonly used IT solutions, they can make use of the configuration guidelines and benchmarks made publicly available by the Center for Internet Security (CIS), amongst others.
- Conducting an annual cyber resilience policy review with key stakeholders, including the results of any tests done or incidents experienced.
- Education and awareness
An effective cyber resilience strategy must include education and awareness, which serves multiple objectives. Firstly, education and awareness are needed to drive adoption of an effective cyber resilience strategy and establish strong governance. Secondly, people within an organization are one of the greatest risks and account for a majority of vulnerabilities; increasing people’s awareness contributes to the preparedness and resilience of the organization as a whole. Finally, cyber risk should not be a barrier to optimising service delivery: decision makers can define the balance between acceptable risk and opportunity for the development and improvement of services. Education and awareness activities should involve different target audiences:
- City executives should have an understanding of the cyber risk landscape and how their organisations can manage these risks in line with the goals and objectives. Education should emphasize the importance of responsible disclosure and threat intelligence sharing.
- Public safety and security professionals need a basic understanding of the characteristics of cyber resilience, as they are often the first responders to the large-scale societal disruption that a cybersecurity incident can cause. Currently, knowledge and understanding of cyber risk and resilience is too often concentrated within ICT departments or the CISO’s office. Organizing interaction and collaboration between those groups is recommended. Technology professionals such as the ICT department and the CISO office will also benefit from such interaction, as it contributes to their understanding of the perspective of public safety and security professionals.
- Citizens and external stakeholders need to be informed in case of an incident (also see: Transparency). This might require pre-incident training and exercises. City government will have to communicate clearly about the incident, the challenges that might arise and possible ways to solve and mitigate these. Out of scope for this framework is the education and awareness of citizens about cyber resilience in general, for instance the do’s and don’ts regarding citizens’ online behaviour or smart home devices. However, cities are recommended to develop initiatives focused on such issues. Ideally, public awareness campaigns are focused not only on informing the public, but also on creating positive behavioural change and engagement in problem solving by citizens, such as safe browsing, password management, and running updates on the devices they use, to name a few examples.
4. Five functions to improve cyber resilience
The five functions below outline the outcomes desired in each phase: identify, protect/detect, respond, recover, sustain. The supplementary policies point towards any additional linked policies which may be relevant. The actions outline specific steps to take in each instance.
(1) IDENTIFY
Critical or essential services and the IT systems and assets required to deliver them are identified, categorized and prioritised, and the threat risks associated with each of them are understood.
Outcomes: IT systems and assets that support critical or essential services are identified, risks are understood, assets and systems are prioritized.
Categories: Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy
- Identify critical municipal services/functions – What municipal services or functions must remain operational at all times? What IT/OT assets, systems and capacities are required for their continued operation? Who (internal and external) is responsible for the ongoing support and operation of these IT/OT assets and systems? What are the acceptable risks for the various services? In addition to answering these foundational questions, it is important to define and communicate organisational policies and processes to secure the systems and data that support the continued operation of these critical municipal services and functions.
- Define threat scenarios – To respond effectively and appropriately to a threat, distinguish in advance the differences that define a threat scenario as an event, an incident, or a crisis. Additionally, develop a Coordination Matrix identifying the key stakeholders (internal and external) for responding to these different scenarios.
- Understand risks – It is important to understand all systems and/or services required to maintain and support essential functions. Once the required systems/services are understood, it is essential to assess both the cyber and physical risks that could interfere with or threaten the continued operation of essential functions. Understanding these risks includes implementing vulnerability management programs, tracking internal and external threats, and assessing the potential impacts associated with identified risks. A preliminary system interdependency analysis should be conducted to understand the requirements for information continuity at system interfaces, and to identify the critical components that enable the flow of vital information and the functioning of systems.
- Prioritise – Municipal services and functions must be prioritised as either critical (primary) or secondary, and the resources necessary to meet demands during a realized threat should be identified in advance and ready for immediate allocation. The critical (primary) and secondary IT/OT systems and assets required to maintain the provision of these prioritised services and functions must also be catalogued and updated regularly. Additionally, access to the networks and information systems supporting priority systems/assets must be understood, documented and controlled. Networks for the most crucial devices should be built to the highest level of resiliency in order to remain operational during an emergency.
Example Policies and Plans:
- Asset Management Plan
- Risk Assessment
- Risk Management Plan
- Interdependency Assessment Model
(2) PROTECT / DETECT
Take proactive and collaborative steps to protect internal/external device assets and data storage, and to detect potential anomalies, in order to protect critical network and information systems and technology from cyber threats or other types of disruption such as environmental incidents.
Outcomes: Assets and systems are protected from malicious, negligent, or other incidents that could impact their function. Asset and system compromises and related critical service interruptions are detected and assessed in a timely manner.
Categories: Identity Management and Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology; Anomalies and Events Detection; Security Continuous Monitoring; Detection Processes; and Critical Service Performance Monitoring.
Actions to Protect:
- Manage access to assets and information appropriately – Establish proper access rights (least privilege), appropriate levels of authentication, and restrictions on physical access to devices. Protect devices securely, using firewalls and other controls such as endpoint security products as well as physical protection for servers. Apply uniform configurations to devices and control changes to device configurations. Disable features that are not necessary to support mission-critical functions. Ensure that there is a policy for disposing of devices. Outside of traditional networks, deploy adaptive IoT devices built to resist interference and to be environmentally rugged.
- Manage device vulnerabilities – Regularly update the operating systems and applications used by employees and, where appropriate, enable automatic updates; for OT, validate updates and follow a regimented patching process. Consider using software tools to scan devices for additional vulnerabilities, and remediate vulnerabilities with high likelihood and/or impact first. Employ a zero trust architecture where appropriate.
- Protect sensitive data – Use approved data encryption standards for data both at rest and in transit. Consider using integrity checking to ensure that only approved changes to the data have been made. Securely delete data when it is no longer needed or required for compliance purposes. Ensure a strong data governance framework is in place.
- Conduct regular backups – Use built-in backup capabilities, or software and cloud solutions that can automate the backup process. Good practice is to keep one or more frequently updated backup sets offline to protect them against ransomware. Periodically test the validity of backups by restoring them in full and noting any discrepancies in operation (should they arise); this is particularly important for critical systems.
- Train users – Regularly train all users so that they are aware of local government cybersecurity policies and procedures and of their specific roles and responsibilities as a condition of employment, and to build threat awareness (e.g. phishing, Internet of Things (IoT) devices, etc.). Appropriately support staff to ensure they make a positive contribution to the cyber security of essential functions and service delivery.
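The integrity-checking and backup-validation guidance above can be made concrete with a small script. The following is an added illustration, not code from the policy document: it builds a keyed manifest (SHA-256 per file, signed with an HMAC) over a backup set, then checks a restored copy against that manifest so that a missing or silently modified file shows up before the backup is relied on. The directory layout, file contents and key are constructed for the example; a real deployment would keep the key in a secrets store, separate from the backup media.

```python
"""Keyed integrity manifest for a backup set, plus a restore check.

Added example for the integrity-checking and backup-testing guidance;
not code from the policy document. Paths, contents and the key are
constructed for illustration only.
"""
import hashlib
import hmac
import json
import os
import shutil
import tempfile

# Constructed key for the example only; never store a real key beside the backup.
MANIFEST_KEY = b"example-key-replace-with-a-real-secret"


def _file_sha256(path):
    """Stream a file through SHA-256 so large backup files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir, key=MANIFEST_KEY):
    """Hash every file under backup_dir and sign the listing with an HMAC."""
    entries = {}
    for root, _dirs, files in os.walk(backup_dir):
        for name in sorted(files):
            full = os.path.join(root, name)
            entries[os.path.relpath(full, backup_dir)] = _file_sha256(full)
    body = json.dumps(entries, sort_keys=True).encode()
    return {"files": entries, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_manifest(manifest, key=MANIFEST_KEY):
    """Reject a manifest whose file list was edited without the key."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["hmac"])


def check_restore(manifest, restore_dir):
    """Compare a restored tree against the manifest; returns (ok, problems)."""
    problems = []
    for rel, digest in manifest["files"].items():
        path = os.path.join(restore_dir, rel)
        if not os.path.exists(path):
            problems.append(f"missing: {rel}")
        elif _file_sha256(path) != digest:
            problems.append(f"modified: {rel}")
    return (not problems, problems)


def demo():
    """Build a constructed backup, then check a clean and a damaged restore."""
    work = tempfile.mkdtemp()
    backup = os.path.join(work, "backup")
    os.makedirs(backup)
    with open(os.path.join(backup, "permits.db"), "wb") as f:
        f.write(b"constructed sample records\n")
    with open(os.path.join(backup, "config.json"), "wb") as f:
        f.write(b'{"site": "example"}\n')
    manifest = build_manifest(backup)

    good = os.path.join(work, "restore_good")
    shutil.copytree(backup, good)
    bad = os.path.join(work, "restore_bad")
    shutil.copytree(backup, bad)
    with open(os.path.join(bad, "permits.db"), "ab") as f:
        f.write(b"unexpected change\n")        # simulated unapproved modification
    os.remove(os.path.join(bad, "config.json"))  # simulated incomplete restore

    forged = dict(manifest, hmac="0" * 64)       # manifest with a bad signature
    result = {
        "manifest_valid": verify_manifest(manifest),
        "forged_manifest_valid": verify_manifest(forged),
        "good_restore": check_restore(manifest, good),
        "bad_restore": check_restore(manifest, bad),
    }
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the clean restore passing, the damaged restore reporting both the missing and the modified file, and the manifest with a bad signature being rejected. Keeping the manifest with the offline backup copy means a restore test can be scored automatically rather than by eyeballing file sizes.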
Actions to Detect:
- Perform continuous monitoring and check logs – Log events and identify anomalies; perform continuous network and endpoint monitoring on workstations, servers, and applicable IoT devices. Logs are crucial for identifying anomalies in your enterprise’s computers and applications. They record events such as changes to systems or accounts and the initiation of communication channels. Consider using software tools that can aggregate these logs and look for patterns or deviations from expected network behaviour.
- Test and update detection processes – Develop and test processes and procedures for detecting unauthorised entities and actions on networks and in the physical environment, including staff activity. Staff should be aware of their roles and responsibilities for detection and related reporting, both within your organisation and to external governance and legal authorities.
- Know the expected data flows for your organisation – If you know what data is expected to flow between systems and how, you are much more likely to notice when the unexpected happens, such as citizen information being exported from an internal database and leaving the network. If you have contracted work to a cloud or managed service provider, discuss with them how they track data flows and report on them, including unexpected events.
- Understand the impact of cybersecurity events – If a cybersecurity event is detected, work quickly and thoroughly to understand the breadth and depth of its impact. Communicating information about the event to the appropriate stakeholders will stand you in good stead with partners, oversight bodies and the public.
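Two of the detection actions above, checking logs for anomalies and knowing expected data flows, are illustrated by the added example below. It is not code from the policy document. The first part runs a few simple rules over constructed log lines (a burst of failed logons followed by a success, a configuration change outside approved hours, an account created by someone who is not an administrator); the second compares constructed flow records against a baseline of the peers a citizen-records database is expected to talk to and flags a large export to an external address. Log format, hostnames, thresholds, the change window and the baseline are all assumptions chosen for the illustration.

```python
"""Log anomaly rules and an expected-data-flow baseline over constructed data.

Added example for the monitoring and data-flow guidance; not code from the
policy document. Every hostname, address, threshold and sample line is constructed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) (?P<rest>.*)$")
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(seconds=60)   # assumed brute-force rule
CHANGE_HOURS = (8, 18)                                    # assumed approved change window
ADMIN_ACCOUNTS = {"admin"}                                # assumed: who may create accounts

# Constructed sample log: failed-logon burst, off-hours config change, odd account creation.
SAMPLE_LOG = """\
2024-03-04T02:14:01 scada-hmi-01 AUTH_FAIL user=operator src=10.20.30.77
2024-03-04T02:14:03 scada-hmi-01 AUTH_FAIL user=operator src=10.20.30.77
2024-03-04T02:14:04 scada-hmi-01 AUTH_FAIL user=admin src=10.20.30.77
2024-03-04T02:14:06 scada-hmi-01 AUTH_FAIL user=admin src=10.20.30.77
2024-03-04T02:14:09 scada-hmi-01 AUTH_FAIL user=root src=10.20.30.77
2024-03-04T02:14:10 scada-hmi-01 AUTH_OK user=admin src=10.20.30.77
2024-03-04T02:20:15 scada-hmi-01 CONFIG_CHANGE item=alarm_threshold by=admin
2024-03-04T09:05:42 permits-db-01 AUTH_FAIL user=clerk src=10.1.5.20
2024-03-04T09:06:01 permits-db-01 AUTH_OK user=clerk src=10.1.5.20
2024-03-04T10:30:00 permits-db-01 ACCOUNT_CREATE user=svc_backup2 by=clerk
"""


def parse(text):
    """Turn 'timestamp host EVENT k=v k=v' lines into dicts; skips unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m["rest"].split())
        events.append({"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                       "event": m["event"], **fields})
    return events


def find_anomalies(events):
    findings, burst_end = [], {}
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "AUTH_FAIL":
            fails[(e["host"], e["src"])].append(e["ts"])
    # Rule 1: FAIL_THRESHOLD failures from one source inside FAIL_WINDOW.
    for key, times in fails.items():
        times.sort()
        for i in range(len(times) - FAIL_THRESHOLD + 1):
            if times[i + FAIL_THRESHOLD - 1] - times[i] <= FAIL_WINDOW:
                burst_end[key] = times[i + FAIL_THRESHOLD - 1]
                findings.append("auth_fail_burst host=%s src=%s" % key)
                break
    for e in events:
        key = (e["host"], e.get("src"))
        # Rule 2: a success shortly after a burst from the same source.
        if (e["event"] == "AUTH_OK" and key in burst_end
                and timedelta(0) <= e["ts"] - burst_end[key] <= timedelta(minutes=10)):
            findings.append(f"fail_then_success host={e['host']} src={e['src']} user={e['user']}")
        # Rule 3: system or account changes outside the approved window.
        if e["event"] in ("CONFIG_CHANGE", "ACCOUNT_CREATE") and not (
                CHANGE_HOURS[0] <= e["ts"].hour < CHANGE_HOURS[1]):
            findings.append(f"off_hours_change host={e['host']} event={e['event']} by={e['by']}")
        # Rule 4: account creation by a non-administrative account.
        if e["event"] == "ACCOUNT_CREATE" and e["by"] not in ADMIN_ACCOUNTS:
            findings.append(f"unexpected_account_create host={e['host']} user={e['user']} by={e['by']}")
    return findings


# Expected-flow baseline for one monitored host (assumed citizen-records database).
FLOW_BASELINE = {
    "10.1.5.10": {("10.1.5.20", 5432, "in"),   # application server queries
                  ("10.1.9.5", 22, "out")},    # nightly backup push
}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
LARGE_EXPORT_BYTES = 50_000_000   # assumption: this much leaving a DB host is unusual

SAMPLE_FLOWS = """\
src=10.1.5.20 dst=10.1.5.10 dport=5432 bytes=120000
src=10.1.5.10 dst=10.1.9.5 dport=22 bytes=3500000000
src=10.1.5.10 dst=203.0.113.45 dport=443 bytes=820000000
src=10.1.5.10 dst=10.1.7.33 dport=445 bytes=40000
src=10.1.5.20 dst=198.51.100.9 dport=443 bytes=5000
"""


def classify_flow(flow, baseline=FLOW_BASELINE):
    """Tag one flow relative to the baseline of the monitored host it touches."""
    if flow["src"] in baseline:
        host, peer, direction = flow["src"], flow["dst"], "out"
    elif flow["dst"] in baseline:
        host, peer, direction = flow["dst"], flow["src"], "in"
    else:
        return ["unmonitored"]
    tags = []
    if (peer, flow["dport"], direction) not in baseline[host]:
        tags.append("unexpected_flow")
    external = not any(ipaddress.ip_address(peer) in n for n in INTERNAL_NETS)
    if direction == "out" and external and flow["bytes"] >= LARGE_EXPORT_BYTES:
        tags.append("possible_exfiltration")
    return tags or ["expected"]


def review_flows(text):
    out = []
    for line in text.splitlines():
        f = dict(kv.split("=", 1) for kv in line.split())
        f["dport"], f["bytes"] = int(f["dport"]), int(f["bytes"])
        out.append((f["src"], f["dst"], f["dport"], classify_flow(f)))
    return out


if __name__ == "__main__":
    for finding in find_anomalies(parse(SAMPLE_LOG)):
        print("LOG ", finding)
    for src, dst, dport, tags in review_flows(SAMPLE_FLOWS):
        print("FLOW", src, "->", f"{dst}:{dport}", tags)
```

The rules are deliberately plain so that the point is visible: the same logic a log-aggregation or flow-monitoring product applies at scale is a baseline of what is expected plus a handful of deviations worth alerting on. The large backup push to the internal backup server is accepted because it is in the baseline, while the same volume leaving for an external address is not.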
Example Policies and Plans:
- Monitoring Policy
- Backup and Recovery Policy
(3) RESPOND
Develop and implement appropriate activities to take action regarding a detected event.
Outcomes: Cyber incidents or disruptions are contained and their impacts mitigated.
Categories: Response Planning; Communications; Analysis; Mitigation; Investigation; Forensics; and Improvements.
- Develop
Develop a Standard Operating Procedure (SOP) with the steps necessary for a timely response to detected cybersecurity incidents. Identify stakeholders, build relationships, and establish communication and coordination plans with identified critical infrastructure sectors, critical contracted services, and service providers to understand the scope, roles, and responsibilities of each, including their time to respond. Emergency response platforms and dashboards for digital resilience should have their own resilience policies. Develop a disclosure and data breach communication/notification plan.
Determine the relevant scenario(s) that apply to the situation, referring to the Threat Scenarios developed as part of the Identify function. Using this as an analytical framework, determine how long the disruption/downtime will reasonably last, whether there are cascading effects or the system is critical for the business, which domains are affected (only OT, or also business/IT functions) and who the problem owner is. Additional points to establish are: Is there malicious intent involved? Is a technical solution possible? Which geographical area is affected? How long will the effects last? Which solution providers need to be involved (if any)? Can the effects be reduced, or is there a chance that they will escalate? What is the societal impact?
Convene an internal crisis management team; its composition and level will depend on the criticality of the event/scenario. An event might only require operational administrators, whereas a full-fledged crisis will likely require involvement from executives and external experts, including incident response and digital forensics. Reaffirm or adjust the scenario with the team and start internal communications. Activate the continuity plan to ensure that the SUSTAIN phase can be executed. Disconnect systems or networks, complete network segmentation/asset isolation, and safeguard and restore from backups (refer to the incident response policies).
- Test, Analyse, Learn and Institutionalise
Perform periodic incident readiness drills to ensure the effectiveness of the Respond function. This includes analysing the evolving threat scenarios to ensure an adequate response and updating the response plan. Exercise joint regional/national disruption response and recovery plans. These joint plans should cover all hazards (natural, man-made, or cyber) and include any actions the city can take to support the sector’s response. They are living documents that need to be updated and tested regularly. Learn from incidents and implement the lessons learned to institutionalise the improved resilience of essential functions.
Example Policies and Plans:
- Incident Response Policy
(4) SUSTAIN
Create plans, processes, and procedures to sustain critical service delivery during a cyber incident that impacts IT systems. Both technical and non-technical alternatives need to be considered.
Outcomes: Continue to provide essential services using reduced-capacity IT/OT systems and assets, or via alternative technical or non-technical means.
Categories: Response Planning; Communications; Analysis; Mitigation; Investigation; Forensics; and Improvements.
- Maintain Critical Municipal Services/Functions: Develop contingency plans to continue providing the critical municipal services or functions listed in the IDENTIFY phase during a cyber incident. Continuity of Operations Plans (COOP), alternative service delivery plans, emergency contracts, and mutual aid agreements should consider scenarios with both partial and complete loss of IT/OT systems, and include alternatives that do not depend on technology. Planning should prioritise the critical municipal services/functions that are essential for public safety, public health, and economic stability.
- Communicate Service Impacts to the Public and Key Stakeholders: Set up systems that inform the public of service disruptions, provide ongoing updates, and clearly communicate alternative services. Consider that a cyber incident may impact both city and public access to communications (internet, telecommunications), making communication more difficult.
- Build Redundant Systems: Ensure redundancy is built into the IT/OT systems that support critical services, so that if primary systems or data are compromised, backup systems and data can seamlessly take over. Redundancy can be achieved through hot-backup/failover infrastructure, cloud computing contracts, and other methods, including mechanical and/or non-technical policies, processes, and plans to fulfil critical functions.
- Exercise and Evaluate Contingency Plans: Exercise contingency plans to ensure city agencies, departments, and personnel know their roles, responsibilities, and alternative processes. Regularly exercising contingency plans helps identify issues and gaps in planning; these contingency plans should be tightly coupled with ‘Test, Analyse and Learn’ from the RESPOND phase.
Example Policies and Plans:
- Continuity of Operations Plans (COOP)
- Contingency Plans
- Mutual Aid Agreements
- Emergency/Backup Contracts
- Incident Communications Plans
- Data Backup Plans and Policies
(5) RECOVER
Original systems and services are restored in a secure, transparent and responsible way, which creates a learning loop that increases the cyber resilience of the city and helps prepare for future incidents.
Outcomes: Restore capabilities or services that the cyber incident disrupted, return to normal operations, and implement improvements from lessons learned.
Categories: Recovery Planning; Improvements; and Communications.
- Post-incident communication and information sharing
Communicate with internal and external stakeholders about the incident and its effect on each of them. A recovery plan must include a communication strategy that provides guidance on what, how and when information will be shared with stakeholders. A city government also needs to consider public relations and the city’s reputation. It is advisable to be proactive and transparent by sharing information with stakeholders (including the public) in an accurate, complete and timely manner. This includes sharing technical threat/incident information, such as Indicators of Compromise, with (a selection of) external partners (e.g. other cities, law enforcement or local critical infrastructure providers) and insurance providers. Collaborate on collective defence initiatives, such as cyber threat information sharing with partners or critical contractors. This post-incident communication should be tightly coupled with ‘Develop’ from the RESPOND phase.
- Recovery of systems & services
After completing the digital forensic investigation started in the RESPOND phase, the organisation needs to remove all areas of compromise (malware, viruses, etc.) and fix any vulnerabilities that were found to have been exploited. Subsequently, the organisation can start reconnecting and rebooting systems, devices and applications, for instance by restoring backups or, in the case of a severe attack, by (partially) rebuilding the impacted infrastructure. Depending on the severity, duration and extent of an incident, organisations can choose to start with the most critical services (to minimise the largest disruption) or with the services affected the least (to decrease unnecessary downtime).
- Evaluate and transform
When systems and services are restored, organisations need to evaluate their response to the incident and, if needed, adjust their recovery plan and the recovery timeframes in Service Level Agreements (SLAs). Sharing lessons learned within the organisation and with other cities is highly recommended, as it improves awareness and highlights areas for improvement from which other cities can benefit pre-emptively. Ideally, the updated cyber crisis response, sustain and recovery plan is then exercised again to assess whether it works, to improve the resilience of the organisation and to decrease the response and recovery time for future incidents. Finally, in the case of a significant crisis, the CISO should afterwards report to city leadership on the total cost of the incident (financial and non-financial), which increases awareness and provides a better business case for future cybersecurity decisions and investment.
Example Policies and Plans:
- Incident Communication Policy
The Cyber Resilience Policy is a framework that guides cities on how to maintain essential functions and service delivery in an increasingly risky cyber ecosystem. Cities may also want to evaluate their preparedness in terms of the outcomes resulting from these actions. An example of a framework for identifying good outcomes has been developed by the National Cyber Security Centre (NCSC), based in the UK. The NCSC’s Cyber Assessment Framework (CAF) provides guidance for organisations responsible for vitally important services and activities. The CAF includes 14 principles which are written in terms of outcomes, i.e. a specification of what needs to be achieved rather than a checklist of what needs to be done. The CAF adds further levels of detail to the top-level principles, including a collection of structured sets of Indicators of Good Practice (IGPs).
Ransomware is a type of malware that prevents you from accessing your computer (or the data that is stored on it). The computer itself may become locked, or the data on it might be stolen, deleted or encrypted. Some ransomware will also try to spread to other machines on the network.
Penetration testing is just one tool or process within ethical hacking. It is a method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques as an adversary might.
Hacking is the process of gaining unauthorised access to data held on a computer, system or network. Hackers, or those who practise hacking, access systems in a way that the creator or holder did not intend. Ethical hacking is the process whereby a professional hacker legally and deliberately tries to break into the computers and devices of an organisation. In doing so, ethical hackers can test the organisation’s defences, highlighting any vulnerabilities in its systems and networks.
Coordinated responsible (vulnerability) disclosure
The aim of Coordinated Vulnerability Disclosure (CVD) is to contribute to the security of IT systems by sharing knowledge about vulnerabilities. In CVD, knowledge is shared with one or more potentially vulnerable organisations in order to arrive at a joint solution for the vulnerability found in collaboration with the reporting party. It is important that the organisations affected have sufficient time to remedy any vulnerabilities or protect systems in order to limit or prevent loss or damage as much as possible. The cornerstone of the process is disclosure of knowledge about the vulnerabilities after remediation.
Tabletop exercises are discussion-based sessions where team members meet in an informal, classroom setting to discuss their roles during an emergency and their responses to a particular emergency situation. A facilitator guides participants through a discussion of one or more scenarios. The duration of a tabletop exercise depends on the audience, the topic being exercised and the exercise objectives. Many tabletop exercises can be conducted in a few hours, so they are cost-effective tools to validate plans and capabilities.
Shadow IoT devices
Shadow IoT refers to internet of things (IoT) devices or sensors in active use within an organization without IT’s knowledge.
Preliminary interdependency analysis
Is used to provide an initial identification of system interdependencies of the Critical Infrastructures and to scope the options for more detailed studies.
Probabilistic interdependency analysis
Is a method of studying, with an increasing level of detail, the complex regional and nationwide Critical Infrastructures by combining probabilistic and deterministic models of these infrastructures.
Yalena Coleman, Applied Data & Technology, Connected Places Catapult
Michael Lake CEO, Leading Cities
Task Force Members:
Abhik Chaudhuri, Chevening Fellow, Tata Consultancy Services
Chris Covino, Policy Director for Cybersecurity, City of Los Angeles
Eleri Jones, Head of PETRAS National Centre of Excellence for IoT Systems Cybersecurity, UCL
Mirel Sehic, Cyber Security Director, Honeywell
Art Thompson, CIO and CISO, City of Detroit
Daan Rijnders, Lead Cyber Secure, The Hague, City of The Hague
Contributors and reviewers:
Luis Bonilla, Global Resilient Cities Network
Aaron Clark-Ginsberg and Jared Mondschein, RAND
Daniel Dobrygowski, World Economic Forum
Dr Brian Gardner, City of Dallas
Tadashi Kaji, World Economic Forum Fellow, Hitachi
Kush Sharma, MISA
Raimond Tamm, City of Tartu
Applied Cybersecurity team, NIST