Public Power Cyber Incident Response Playbook | 10
GETTING STARTED
Staffing the Cyber Incident Response Team
Consider the following factors when assessing CIRT staffing needs:
• 24/7 Availability: Designate and train backup roles for critical staff, as incidents may occur during off-hours or vacations for lead staff. Some cyber incidents may require around-the-clock response, which can quickly tax incident response employees. Lead and backup roles may need to work in shifts, or require contract resources or service providers to supplement staff roles.
• Cost and Training: Utilities should account for not only compensation, but also the cost of training and maintaining cyber incident response skills, when assessing incident response planning budgets.
• Staff Expertise: Incident handling and mitigation often require specialized knowledge and experience. Third-party experts can provide on-call intrusion detection, investigation, forensics, and recovery services to supplement in-house skill sets.
Build from the utility’s natural disaster incident response plan when identifying the cyber incident response team. First, several response roles that are required in any type of incident (e.g., human resources, logistics, and many liaison roles) may already have clearly defined responsibilities, authorities, and personnel. Second, these plans may have accounted for staffing considerations of large events, including staffing a 24/7 response operation, compartmentalizing roles to minimize the oversight required from key staff, assessing response cost, and maintaining employee morale during taxing, multi-day incidents.
Ensure CIRT members have the necessary authority to act. Cyber incidents can be fast moving, requiring rapid decision-making by a small team of people with little time to seek authorization for important response activities. Consider in advance what authorities CIRT members will need:
• Who on the CIRT has the authority to make critical decisions to contain a cyber incident, such as to isolate or disconnect key business and operational networks?
• Who is authorized to request additional support from service providers? What resource procurement processes must be followed?
• Who has the authority to report a cyber incident? Who will interface with external incident response partners (e.g., vendors, ISACs, APPA)?
• Who will ensure compliance with mandatory reporting requirements and notify government officials and regulatory bodies?
• Who will report a suspected criminal attack to law enforcement and submit mandatory paperwork to regulatory bodies?
2. Develop a 24/7 Contact List for Response Personnel and Partners
Develop and regularly update contact lists for incident response team personnel, vendors and security service providers that may be on call during an incident, and external partners that can provide aid or information at crucial junctions during response. Establishing this contact in advance can help incident managers, IT personnel, and management alert and engage resources early, even without a formal incident response plan in place. This list should contain the names, roles, contact and backup contact information, and potential alternate for each role. It should be maintained online and also in a central, offline location (e.g., physical binder, offline computer) and circulated widely among the incident response team.
Contact lists can include:
• Internal stakeholders:
  • Departmental leads on the incident response team (senior management, IT security, operations personnel, public affairs, legal representatives, etc.)
  • CISO and IT security department for state/local jurisdictions
• Support contacts for all software and equipment vendors and contracted service providers. Identify the support contact personnel, the type of support expected, and contractual requirements for:
  • Critical system vendors, who can provide information on the significance of log entries or help identify false positives for certain intrusion detection signatures
  • Internet service provider (ISP), who can provide information about major network-based attacks, identify potential origins, or block communication pathways on request