By Michael J. van Zwieten
Florida League of Cities

Imagine turning your computer on, and it takes longer than normal. Eventually, the login prompt comes up, and you type in your password. The computer seems to take forever to get started this morning, so you grab a cup of coffee while waiting.

After you return to your desk, a large error message is displayed on your screen. It reads, “Your files are encrypted. If you are reading this message, your files are no longer accessible. You can recover your files if you send us 3 Bitcoins.” That ransom is worth about $88,000 at press time.

Your co-workers are experiencing the same message on their screens. Citizens are starting to call and want to pay their utility bills. Computers are down. City services are, at this point, completely nonfunctional. The media just called and is asking questions. What do you do?

This situation is hypothetical, but it could very well happen. You hope a well-developed disaster recovery (DR) or business continuity (BC) plan will be able to help mitigate some risks. While best practices call for ensuring you review and test these BC plans regularly, how will you be sure these plans will execute flawlessly? There are ways to test your plan in smaller, more manageable bites through tabletop exercises.

According to the Department of Homeland Security, tabletop exercises are “discussion-based sessions where team members meet in an informal, classroom setting to discuss their roles during an emergency and their responses to a particular emergency situation.” Some last 30 minutes, while others take a few hours or more. Personnel become more familiar with their roles and procedures for handling different, potentially catastrophic events.

Tabletop exercises can be beneficial for other scenarios. For example, IT team members may already hold tabletop exercises regularly to develop cybersecurity scenarios and explore how they might handle a potential attack. After setting up the initial scenario, the team considers more detailed questions to help uncover any potential deficiencies:

  • Given the initial path of attack, how would you be able to identify this malware infection?
  • What technologies are used to identify malware intrusions of this type?
  • Are anti-malware defenses deployed on all network devices? What’s not being defended?
  • What can be done further to prevent future malware infections or incidents of this type?
  • What further training, policies and procedures would benefit this scenario?

Tabletop exercises can uncover unknown holes or potential vulnerabilities related to a city’s infrastructure, cybersecurity defenses, policies or procedures. Simple “gotchas” come to light, like generators running out of fuel, data centers in a flood-prone area or redundant internet connectivity that is not available to provide service during major events or outages.

The Florida Center for Cybersecurity (Cyber Florida), with the Florida League of Cities (FLC), the Florida City and County Management Association (FCCMA) and the Florida Local Government Information Systems Association (FLGISA), holds regional workshops to train cities’ executive staff through a cyber wargame scenario. In wargames, the outcome of each scenario is shaped by the decisions made by the participants.

Tough questions, such as “Who’s in charge of the City’s response right now?” and “What do you tell the Mayor or City Council, citizens and employees, local businesses, the media and the public?” required careful consideration.

Michael J. van Zwieten, CGCIO, MCSE, is the Director of Technology Services at the Florida League of Cities and Executive Director of the Florida Local Government Information Systems Association.