Normalizing Cybersecurity: Improving Cyber Incident Response with the Incident Command System

pdf icon - download pdf

Darin HansOn


In February of 2018, the state of Colorado became the first state in the nation to issue an emergency declaration for a cyber attack after its Department of Transportation was struck with ransomware.[1]  After early struggles responding to the incident, the Incident Command System (ICS) was implemented and a Unified Command was established with promising results.[2]  With the expectation that the adversaries of the United States will continue to expand their adoption of cyber attacks “to steal information, to influence our citizens, or to disrupt critical infrastructure,” both Emergency Management/Homeland Security (EM/HS) and Information Technology/Cyber Security (IT/CS) professionals should be preparing for significant cyber incidents.[3]  This thesis investigated the application of ICS in response to significant cyber incidents and how it can be improved.  To accomplish this, a mixed method study consisting of case studies, qualitative senior leader interviews, and a quantitative survey was conducted.  The analysis centered around the eight core concepts of ICS: common terminology, integrated communications, modular organization, recognized command structure, manageable supervisory structure, consolidated action plans, comprehensive resource management, and pre-designated facilities.

The first, and simple, conclusion of this thesis is that ICS is applicable in a significant cyber incident response.  The findings of the case studies and senior leader interviews showed that ICS does indeed have a place when responding to cyber incidents beyond the routine cyber emergencies that IT/CS professionals deal with frequently.  The framework is already standard in EM/HS, providing a large pool of trained personnel and opportunities for free Federal Emergency Management Agency (FEMA) training on the framework.[4]  Conversely, there are still few IT/CS practitioners trained on ICS and some past natural disaster responses where the framework was used with poor results.[5]  There is opportunity for improvement in the implementation of ICS while maintaining the core concepts praised by practitioners. [6]

The research provides important insight into how the eight core concepts of ICS relate to significant cyber incident response.

  • There were strong indications that a lack of common terminology across the professional fields of responders is an issue. While the quantitative survey analysis indicated that IT/CS responders believed their organizations were using common terminology better than their EM/HS counterparts, the qualitative findings suggested that the EM/HS group did not understand the technical terminology, which can be a hindrance during incident response.
  • Integration of communications was another concept with conflicting findings. Quantitative survey results revealed that the IT/CS group rated their organizations highly, but qualitative interview findings indicated that integrated communications were a potential weakness in response efforts due to networks being impacted during a cyber attack.
  • The application of the modular organization concept was rated high by the surveyed EM/HS practitioners and the case studies and interviews suggested that ICS provides a useful structure for the systematic expansion and contraction of response resources.
  • Both the EM/HS and IT/CS groups rated their organizations’ use of the recognized command structure relatively high while the interviews supported a need for a collaborative command structure, which may best be instituted using an ICS framework.
  • The concept of manageable supervisory structure was rated low in application by both groups while the findings suggested that in a cyber incident response the technology used in information systems and integrated technologies resulted in a lower importance of the concept during response activities.
  • The concepts of consolidated action plans and comprehensive resource management revealed an important link in the research due to the limited technical cyber response resources and the need to provide consolidated action plans to prioritize the limited resources usage. The EM/HS group rated their organizations higher in both the comprehensive resource management and consolidated action plans concepts while the findings supported the use of the ICS framework to improve incident response relative to both concepts.
  • Finally, the concept of pre-designated facilities showed the IT/CS group rated their organizations higher for implementation while the interviews suggested a need for multiple pre-designated response locations, an off-site location for coordinating second and third order effects, and one or more locations where the technical cyber response will occur.

Implications and improvements for each area are discussed in the thesis.

This thesis also draws two important conclusions from the results of the quantitative analysis.  First, the survey results showed that prior response experience to significant cyber incidents raised the perceptions of organizations’ application of each of the core concepts.  The research attributes this to experiential learning.  Second, the survey results also indicated that those with less than five-years of experience rated their organizations higher in application of each core concept, which the research attributes to an over-confidence by the less experienced practitioners.  These two findings have important implications for improvement in the implementation of ICS.

This thesis made five recommendations:

  • Implement ICS in Significant Cyber Incidents: Implementing ICS in these events could assist entities to integrate communications across the response body, provide structure to the expansion and contraction of response assets, unify objectives and strategies of response stakeholders, and prioritize and comprehensively manage response resources.
  • Include Cross Training & Collaborative Exercise: Rather than wait for an incident to occur, the implementation of cross-training between EM/HS and IT/CS practitioners with follow-on collaborative response exercises would help to establish common language between the groups to better develop a common operating picture and coordinate response efforts within an ICS framework.  The research also indicated a knowledge gap in practitioners with less than five years of experience, underscoring the need to include these practitioners in the cross training and exercise events.
  • Focus on the Common Operating Picture: One of the biggest challenges identified in the research was the difficulty developing a common operating picture during a significant cyber event. Beyond training to increase the use of common terminology as mentioned above, pre-negotiation should occur between EM/HS and IT/CS leaders regarding platforms, protocols and participants required as part of a communications plan.  Taking it one step further, the leaders should pre-negotiate as much as possible who will assess the technical cyber impacts and who will assess the second and third order effects.  Training on a common terminology and pre-negotiating these tasks will help to more quickly develop a robust common operating picture that can be used to establish unified strategies, priorities and plans of action.
  • Integrate Communications & Pre-Plan for Multiple Response Locations: Cyber incident responders should prepare for two or more response locations, a central command location and the location(s) where information technology infrastructure that may be impacted.  The central command location, such as a State Emergency Operations Center (SEOC), could be used to coordinate response efforts with impacted locations and for second order effects.  The on-site technical response location(s) should pre-plan logistics for an expanding response team.  Both EM/HS and IT/CS responders would benefit from creating communications plans that include secondary and tertiary communications platforms as the primary response location is likely to have their communications systems impacted by the cyber event.
  • Implement Comprehensive IT/CS Human Resource Management: There is a scarcity of technical IT/CS human resource response assets indicated by the research, resulting in the need for efficiency in the resource’s management. To facilitate better resource management, IT/CS and EM/HS leaders should collaborate to create a comprehensive list of potential response assets while ensuring that the EM/HS leaders have a true understanding of each asset’s capabilities.  Additionally, the leadership team should continually evaluate assignments of response assets during an event to ensure that IT/CS technical experts are not tasked with non-technical tasks, thus freeing them to focus on their areas of expertise.

Implementing the Incident Command System is not a guarantee for success in a significant cyber incident response.  History has shown many examples of disaster response failures when ICS was implemented, but the research has shown that its implementation during a cyber disaster can improve the response efforts.  ICS is already the de facto standard for incident response for EM/HS and it is also identified by the National Cyber Incident Response Plan as the framework to be adopted.[7]  Overall, while not perfect, ICS is a useful framework for connecting the technical cyber incident responders to the broader response community.  This thesis can help further improve its implementation.

[1] Colorado Department of Transportation, CDOT Cyber Incident: After-Action Report (Denver: Colorado Department of Transportation, 2018), 3,

[2] Colorado Department of Transportation, 3.

[3] Daniel R. Coats, Worldwide Threat Assessment of the US Intelligence Community (Washington, DC: Office of the Director of National Intelligence, 2019), 5,—SSCI.pdf.

[4] John R. Harrald, “Agility and Discipline: Critical Success Factors for Disaster Response,” Annals of the American Academy of Political and Social Science 604, no. 1 (2006): 263,

[5] Dick A. Buck, Joseph E. Trainor, and Benigno E. Aguirre, “A Critical Evaluation of the Incident Command System and NIMS,” Journal of Homeland Security and Emergency Management 3, no. 3 (2006),

[6] Ronald W. Perry, “Incident Management Systems in Disaster Management,” Disaster Prevention and Management: An International Journal 12, no. 5 (2003): 411,; Hank Christen et al., “An Overview of Incident Management Systems,” Perspectives on Preparedness, no. 4 (2001): 6; Gregory Bigley and Karlene Roberts, “The Incident Command System: High-Reliability Organizing for Complex and Volatile Task Environments,” Academy of Management Journal 44, no. 6 (2001): 1283; and Brian Bennett, “Effective Emergency Management: A Closer Look at the Incident Command System,” Professional Safety 56, no. 11 (November 2011): 31, ProQuest.

[7] Harrald, “Agility and Discipline,” 263; U.S. Department of Homeland Security, National Cyber Incident Response Plan (Washington, DC: Department of Homeland Security, 2016), 8,

No Comments

Post a Comment